* [PATCH 6.18 000/315] 6.18.35-rc1 review
@ 2026-06-07  9:56 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 6.18.35 release.
There are 315 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue, 09 Jun 2026 09:56:45 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.35-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 6.18.35-rc1

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable

Jassi Brar <jassisinghbrar@gmail.com>
    mailbox: Fix NULL message support in mbox_send_message()

Wei-Cheng Chen <weichengc@nvidia.com>
    xhci: tegra: Fix ghost USB device on dual-role port unplug

Robert Marko <robert.marko@sartura.hr>
    net: phy: micrel: fix LAN8814 QSGMII soft reset

Qing Wang <wangqing7171@gmail.com>
    mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock

Guenter Roeck <linux@roeck-us.net>
    hwmon: (pmbus) Add support for guarded PMBus lock

Johan Hovold <johan@kernel.org>
    USB: serial: mct_u232: fix memory corruption with small endpoint

Johan Hovold <johan@kernel.org>
    USB: serial: digi_acceleport: fix memory corruption with small endpoints

Johan Hovold <johan@kernel.org>
    USB: serial: cypress_m8: fix memory corruption with small endpoint

Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
    usb: dwc3: xilinx: fix error handling in zynqmp init error paths

Shaomin Chen <eeesssooo020@gmail.com>
    xfrm: iptfs: reset runtime state when cloning SAs

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    cpufreq: intel_pstate: Add and use hybrid_get_cpu_type()

Paolo Abeni <pabeni@redhat.com>
    mptcp: reset rcv wnd on disconnect

Paolo Abeni <pabeni@redhat.com>
    mptcp: cleanup fallback dummy mapping generation

Dawei Feng <dawei.feng@seu.edu.cn>
    octeontx2-pf: avoid double free of pool->stack on AQ init failure

Zeng Heng <zengheng4@huawei.com>
    arm64: tlb: Flush walk cache when unsharing PMD tables

Shardul Bankar <shardul.b@mpiricsoftware.com>
    mptcp: do not drop partial packets

Paolo Abeni <pabeni@redhat.com>
    mptcp: borrow forward memory from subflow

Paolo Abeni <pabeni@redhat.com>
    mptcp: handle first subflow closing consistently

David Carlier <devnexen@gmail.com>
    net: devmem: reject dma-buf bind with non-page-aligned size or SG length

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    selftests: mptcp: drop nanoseconds width specifier

Shuai Zhang <shuai.zhang@oss.qualcomm.com>
    Bluetooth: hci_qca: Convert timeout from jiffies to ms

Uwe Kleine-König <u.kleine-koenig@baylibre.com>
    Bluetooth: hci_qca: Migrate to serdev specific shutdown function

Uwe Kleine-König <u.kleine-koenig@baylibre.com>
    serdev: Provide a bustype shutdown function

David Howells <dhowells@redhat.com>
    rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer

David Howells <dhowells@redhat.com>
    rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg

Tom Lendacky <thomas.lendacky@amd.com>
    x86/mm: Disable broadcast TLB flush when PCID is disabled

Lukas Wunner <lukas@wunner.de>
    platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery

David E. Box <david.e.box@linux.intel.com>
    platform/x86/intel/vsec: Make driver_data info const

David E. Box <david.e.box@linux.intel.com>
    platform/x86/intel/vsec: Refactor base_addr handling

Jacques Nilo <jnilo@free.fr>
    serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()

Jacques Nilo <jnilo@free.fr>
    serial: 8250: dispatch SysRq character in serial8250_handle_irq()

Jacques Nilo <jnilo@free.fr>
    serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Convert to use a platform device

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Switch to using channel reset

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Fix bootconsole handover lockup

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Convert to use a platform device

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Fix bootconsole handover lockup

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Fix bootconsole message clobbering at chip reset

Ziyi Guo <n7l8m4@u.northwestern.edu>
    drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO

Christian König <christian.koenig@amd.com>
    drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx

Michael Bommarito <michael.bommarito@gmail.com>
    drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO

David Francis <David.Francis@amd.com>
    drm/amdkfd: Check for pdd drm file first in CRIU restore path

Eric Huang <jinhuieric.huang@amd.com>
    drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger

Eric Huang <jinhuieric.huang@amd.com>
    drm/amdkfd: fix NULL pointer bug in svm_range_set_attr

Shitalkumar Gandhi <shital.gandhi45@gmail.com>
    serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Fix swapped RI/DSR modem line transition counting

Hongling Zeng <zenghongling@kylinos.cn>
    serial: sh-sci: fix memory region release in error path

Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
    serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ

Prasanna S <prasanna.s@oss.qualcomm.com>
    serial: qcom-geni: fix UART_RX_PAR_EN bit position

Myeonghun Pak <mhun512@gmail.com>
    serial: altera_jtaguart: handle uart_add_one_port() failures

Timur Kristóf <timur.kristof@gmail.com>
    drm/amd/pm/si: Disregard vblank time when no displays are connected

Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
    drm/i915: Fix potential UAF in TTM object purge

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Block DC states on vblank enable when Panel Replay supported

Zhenghang Xiao <kipreyyy@gmail.com>
    drm/gem: fix race between change_handle and handle_delete

Berkant Koc <me@berkoc.com>
    drm/hyperv: validate VMBus packet size in receive callback

Berkant Koc <me@berkoc.com>
    drm/hyperv: validate resolution_count and fix WIN8 fallback

Alexandru Hossu <hossu.alexandru@gmail.com>
    scsi: target: iscsi: Validate CHAP_R length before base64 decode

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()

Michael Bommarito <michael.bommarito@gmail.com>
    usb: gadget: f_fs: serialize DMABUF cancel against request completion

Michael Bommarito <michael.bommarito@gmail.com>
    usb: gadget: f_fs: copy only received bytes on short ep0 read

Seungjin Bae <eeodqql09@gmail.com>
    usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports

Jeremy Erazo <mendozayt13@gmail.com>
    usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling

Guangshuo Li <lgs201920130244@gmail.com>
    usb: gadget: f_hid: fix device reference leak in hidg_alloc()

Guangshuo Li <lgs201920130244@gmail.com>
    usb: gadget: net2280: Fix double free in probe error path

Kai Aizen <kai.aizen.dev@gmail.com>
    usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind

Johan Hovold <johan@kernel.org>
    USB: serial: mct_u232: fix missing interrupt-in transfer sanity check

Johan Hovold <johan@kernel.org>
    USB: serial: mxuport: fix memory corruption with small endpoint

Johan Hovold <johan@kernel.org>
    USB: serial: keyspan: fix missing indat transfer sanity check

Zhang Cen <rollkingzzc@gmail.com>
    USB: serial: cypress_m8: validate interrupt packet headers

Zhang Cen <rollkingzzc@gmail.com>
    USB: serial: belkin_sa: validate interrupt status length

Wanquan Zhong <wanquan.zhong@fibocom.com>
    USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL

Jan Volckaert <janvolck@gmail.com>
    USB: serial: option: add MeiG SRM813Q

Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
    usb: typec: ucsi: Don't update power_supply on power role change if not connected

Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
    usb: typec: ucsi: Check if power role change actually happened before handling

Sebastian Reichel <sebastian.reichel@collabora.com>
    usb: typec: tcpm: improve handling of DISCOVER_MODES failures

Dan Carpenter <error27@gmail.com>
    usb: typec: tipd: Fix error code in tps6598x_probe()

Heitor Alves de Siqueira <halves@igalia.com>
    usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize

Heitor Alves de Siqueira <halves@igalia.com>
    usb: usbtmc: check URB actual_length for interrupt-IN notifications

Michael Bommarito <michael.bommarito@gmail.com>
    usbip: vudc: Fix use after free bug in vudc_remove due to race condition

Sam Burkels <sam@1a38.nl>
    usb: storage: Add quirks for PNY Elite Portable SSD

Stephen J. Fuhry <fuhrysteve@gmail.com>
    USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers

Wentao Liang <vulab@iscas.ac.cn>
    usb: musb: omap2430: Fix use-after-free in omap2430_probe()

Michal Pecio <michal.pecio@gmail.com>
    usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval

Xu Yang <xu.yang_2@nxp.com>
    usb: chipidea: core: convert ci_role_switch to local variable

Tudor Ambarus <tudor.ambarus@linaro.org>
    tty: serial: samsung: Remove redundant port lock acquisition in rx helpers

Zhaoyang Yu <2426767509@qq.com>
    tty: serial: pch_uart: add check for dma_alloc_coherent()

Guangshuo Li <lgs201920130244@gmail.com>
    counter: Fix refcount leak in counter_alloc() error path

Ian Abbott <abbotti@mev.co.uk>
    comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()

Ian Abbott <abbotti@mev.co.uk>
    comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()

Hongling Zeng <zenghongling@kylinos.cn>
    gpib: cb7210: Fix region leak when request_irq fails

Nicolás Bazaes <contacto@bazaes.cl>
    Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem

Xiaolei Wang <xiaolei.wang@windriver.com>
    misc: rp1: Send IACK on IRQ activate to fix kdump/kexec

Ali Ganiyev <ali.qaniyev@gmail.com>
    ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops

Dmitriy Zharov <contact@zharov.dev>
    Input: xpad - add support for ASUS ROG RAIKIRI II

Qbeliw Tanaka <q.tanaka@gmx.com>
    Input: xpad - add "Nova 2 Lite" from GameSir

Zhang Heng <zhangheng@kylinos.cn>
    ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP

Jingguo Tan <tanjingguo@huawei.com>
    xfrm: esp: restore combined single-frag length gate

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: close stream only when running

Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
    netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: firewire-motu: Protect register DSP event queue positions

Geoffrey D. Bennett <g@b4.vu>
    ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417

Michael Bommarito <michael.bommarito@gmail.com>
    xfrm: ah: use skb_to_full_sk in async output callbacks

Herbert Xu <herbert@gondor.apana.org.au>
    xfrm: ipcomp: Free destination pages on acomp errors

Maoyi Xie <maoyixie.tju@gmail.com>
    xfrm: route MIGRATE notifications to caller's netns

Ashutosh Desai <ashutoshdesai993@gmail.com>
    nfc: hci: fix out-of-bounds read in HCP header parsing

Arnd Bergmann <arnd@arndb.de>
    iommu, debugobjects: avoid gcc-16.1 section mismatch warnings

Lee Jones <lee@kernel.org>
    HID: wacom: Fix OOB write in wacom_hid_set_device_mode()

Santhosh Kumar K <s-k6@ti.com>
    spi: spi-mem: avoid mutating op template in spi_mem_supports_op()

Minh Nguyen <minhnguyen.080505@gmail.com>
    net: skbuff: fix missing zerocopy reference in pskb_carve helpers

Kuniyuki Iwashima <kuniyu@google.com>
    ip6: vti: Use ip6_tnl.net in vti6_changelink().

Michael Bommarito <michael.bommarito@gmail.com>
    l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname

Zhengchuan Liang <zcliangcn@gmail.com>
    xfrm: input: hold netns during deferred transport reinjection

Qi Tang <tpluszz77@gmail.com>
    ipv6: validate extension header length before copying to cmsg

Maoyi Xie <maoyixie.tju@gmail.com>
    ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().

Zhengchuan Liang <zcliangcn@gmail.com>
    ipv6: exthdrs: refresh nh after handling HAO option

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params

Justin Iurman <justin.iurman@gmail.com>
    ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()

Junrui Luo <moonafterrain@outlook.com>
    macsec: fix replay protection at XPN lower-PN wrap

Yuqi Xu <xuyq21@lenovo.com>
    bpf: sockmap: fix tail fragment offset in bpf_msg_push_data

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: send: append trailer after expanding head

Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
    x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines

Chaitanya Sabnis <chaitanya.msabnis@gmail.com>
    i2c: davinci: fix division by zero on missing clock-frequency

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: elan_i2c - validate firmware size before use

Dan Carpenter <error27@gmail.com>
    usb: dwc2: Fix use after free in debug code

Peter Chen <peter.chen@cixtech.com>
    usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call that permanently leaks the runtime PM usage counter across bind/unbind cycles

Peter Chen <peter.chen@cixtech.com>
    usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure

Yongchao Wu <yongchao.wu@autochips.com>
    usb: cdns3: gadget: fix request skipping after clearing halt

Johan Hovold <johan@kernel.org>
    USB: serial: omninet: fix memory corruption with small endpoint

Benoît Monin <benoit.monin@bootlin.com>
    iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

Felix Gu <ustc.gu@gmail.com>
    iio: buffer: hw-consumer: fix use-after-free in error path

Aldo Conte <aldocontelk@gmail.com>
    iio: light: cm3323: fix reg_conf not being initialized correctly

Antoniu Miclaus <antoniu.miclaus@analog.com>
    iio: chemical: scd30: fix division by zero in write_raw

Pengpeng Hou <pengpeng@iscas.ac.cn>
    iio: chemical: mhz19b: reject oversized serial replies

Svyatoslav Ryhel <clamor95@gmail.com>
    iio: Fix iio_multiply_value use in iio_read_channel_processed_scale

Felix Gu <ustc.gu@gmail.com>
    iio: light: veml6070: Fix resource leak in probe error path

Advait Dhamorikar <advaitd@mechasystems.com>
    iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL

Salah Triki <salah.triki@gmail.com>
    iio: temperature: tsys01: fix broken PROM checksum validation

Sanjay Chitroda <sanjayembeddedse@gmail.com>
    iio: ssp_sensors: cancel delayed work_refresh on remove

Antoniu Miclaus <antoniu.miclaus@analog.com>
    iio: gyro: adis16260: fix division by zero in write_raw

David Carlier <devnexen@gmail.com>
    iio: gyro: itg3200: fix i2c read into the wrong stack location

Radu Sabau <radu.sabau@analog.com>
    iio: adc: ad4695: Fix call ordering in offload buffer postenable

Salah Triki <salah.triki@gmail.com>
    iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw

Salah Triki <salah.triki@gmail.com>
    iio: adc: mt6359: fix unchecked return value in mt6358_read_imp

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: fix powerdown control on dual-channel devices

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: acquire lock when doing powerdown control

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: fix input raw value check

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: fix ref bit initialization for single-channel parts

Salah Triki <salah.triki@gmail.com>
    iio: dac: max5821: fix return value check in powerdown sync

Kim Seer Paller <kimseer.paller@analog.com>
    iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings

David Carlier <devnexen@gmail.com>
    iio: adc: npcm: fix unbalanced clk_disable_unprepare()

Christofer Jonason <christofer.jonason@guidelinegeo.com>
    iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux

Nathan Chancellor <nathan@kernel.org>
    Disable -Wattribute-alias for clang-23 and newer

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Check PSC request indices against the actual size of the buffer

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Compute the correct max length of the in-GHCB scratch area

Sean Christopherson <seanjc@google.com>
    KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Ignore Port I/O requests of length '0'

Michael Roth <michael.roth@amd.com>
    KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC

Qiang Ma <maqianga@uniontech.com>
    KVM: arm64: PMU: Preserve AArch32 counter low bits

Mark Brown <broonie@kernel.org>
    KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor

Wentao Guan <guanwentao@uniontech.com>
    USB: cdc-acm: Fix bit overlap and move quirk definitions to header

Alice Ryhl <aliceryhl@google.com>
    rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN

Matthew Maurer <mmaurer@google.com>
    rust_binder: Avoid holding lock when dropping delivered_death

Ben Hutchings <benh@debian.org>
    parport: Fix race between port and client registration

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: xpad - fix out-of-bounds access for Share button

Doruk Tan Ozturk <doruk@0sec.ai>
    Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync

Shuai Zhang <shuai.zhang@oss.qualcomm.com>
    Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading

Pavitra Jha <jhapavitra98@gmail.com>
    Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: ISO: fix UAF in iso_recv_frame

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: HIDP: fix missing length checks in hidp_input_report()

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()

Steve French <stfrench@microsoft.com>
    smb: client: fix uninitialized variable in smb2_writev_callback

Stepan Ionichev <sozdayvek@gmail.com>
    auxdisplay: line-display: fix OOB read on zero-length message_store()

Dev Jain <dev.jain@arm.com>
    mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one

Pratyush Yadav (Google) <pratyush@kernel.org>
    memfd: deny writeable mappings when implying SEAL_WRITE

Alexandre Ghiti <alex@ghiti.fr>
    mm: memcontrol: propagate NMI slab stats to memcg vmstats

Linpu Yu <linpu5433@gmail.com>
    ipc: limit next_id allocation to the valid ID range

SeongJae Park <sj@kernel.org>
    mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()

Mikulas Patocka <mpatocka@redhat.com>
    hpfs: fix a crash if hpfs_map_dnode_bitmap fails

Shuai Zhang <shuai.zhang@oss.qualcomm.com>
    Bluetooth: btusb: Allow firmware re-download when version matches

hlleng <a909204013@gmail.com>
    HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse

Thomas Fourier <fourier.thomas@gmail.com>
    Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()

Henri A <contact@henrialfonso.com>
    media: rc: igorplugusb: fix control request setup packet

Johan Hovold <johan@kernel.org>
    USB: serial: safe_serial: fix memory corruption with small endpoint

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: validate connector number in ucsi_connector_change()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: altmodes/displayport: validate count before reading Status Update VDO

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: ccg: reject firmware images without a ':' record header

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    iio: pressure: bmp280: fix stack leak in bmp580 trigger handler

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    iio: imu: adis16550: fix stack leak in trigger handler

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer

Horatiu Vultur <horatiu.vultur@microchip.com>
    phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Read Intel DPCD workaround register

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register

Peter Oberparleiter <oberpar@linux.ibm.com>
    s390/cio: Restore GFP_DMA for CHSC allocation

Andrei Vagin <avagin@google.com>
    Revert "x86/fpu: Refine and simplify the magic number check during signal return"

Michael Bommarito <michael.bommarito@gmail.com>
    smb: client: validate the whole DACL before rewriting it in cifsacl

Oliver Neukum <oneukum@suse.com>
    media: rc: ttusbir: fix inverted error logic

Sean Young <sean@mess.org>
    media: rc: fix race between unregister and urb/irq callbacks

Pavel Begunkov <asml.silence@gmail.com>
    net: skbuff: fix pskb_carve leaking zcopy pages

Jiayuan Chen <jiayuan.chen@linux.dev>
    ipv6: fix possible infinite loop in fib6_select_path()

Jiayuan Chen <jiayuan.chen@linux.dev>
    ipv6: fix possible infinite loop in rt6_fill_node()

Jingguo Tan <tanjingguo@huawei.com>
    vsock/virtio: bind uarg before filling zerocopy skb

Zhenghang Xiao <kipreyyy@gmail.com>
    sctp: fix race between sctp_wait_for_connect and peeloff

Dipayaan Roy <dipayanroy@linux.microsoft.com>
    net: mana: Skip redundant detach on already-detached port

Dipayaan Roy <dipayanroy@linux.microsoft.com>
    net: mana: Add NULL guards in teardown path to prevent panic on attach failure

Marco Scardovi <scardracs@disroot.org>
    gpio: rockchip: teardown bugs and resource leaks

Marco Scardovi <scardracs@disroot.org>
    gpio: rockchip: convert bank->clk to devm_clk_get_enabled()

Dan Carpenter <error27@gmail.com>
    gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()

Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
    gpio: adnp: fix flow control regression caused by scoped_guard()

Heitor Alves de Siqueira <halves@igalia.com>
    Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()

Heitor Alves de Siqueira <halves@igalia.com>
    Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp

Zhenghang Xiao <kipreyyy@gmail.com>
    Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success

Chuck Lever <chuck.lever@oracle.com>
    net/handshake: Pass negative errno through handshake_complete()

Chuck Lever <chuck.lever@oracle.com>
    nvme-tcp: store negative errno in queue->tls_err

Chuck Lever <chuck.lever@oracle.com>
    net/handshake: Use spin_lock_bh for hn_lock

Jijie Shao <shaojijie@huawei.com>
    net: hibmcge: disable Relaxed Ordering to fix RX packet corruption

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"

Rahul Chandelkar <rc@rexion.ai>
    ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()

Jakub Kicinski <kuba@kernel.org>
    ethtool: eeprom: add more safeties to EEPROM Netlink fallback

Jakub Kicinski <kuba@kernel.org>
    ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback

Jakub Kicinski <kuba@kernel.org>
    ethtool: strset: fix header attribute index in ethnl_req_get_phydev()

Jakub Kicinski <kuba@kernel.org>
    ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure

Jakub Kicinski <kuba@kernel.org>
    ethtool: tsinfo: fix uninitialized stats on the by-PHC path

Jakub Kicinski <kuba@kernel.org>
    ethtool: tsconfig: fix missing ethnl_ops_complete()

Jakub Kicinski <kuba@kernel.org>
    ethtool: pse-pd: fix missing ethnl_ops_complete()

Jakub Kicinski <kuba@kernel.org>
    ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error

Jakub Kicinski <kuba@kernel.org>
    ethtool: tsconfig: fix reply error handling

Jakub Kicinski <kuba@kernel.org>
    ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES

Ido Schimmel <idosch@nvidia.com>
    bridge: Fix sleep in atomic context in sysfs path

Ido Schimmel <idosch@nvidia.com>
    bridge: Fix sleep in atomic context in netlink path

Oliver Hartkopp <socketcan@hartkopp.net>
    bonding: refuse to enslave CAN devices

Zhao Dongdong <zhaodongdong@kylinos.cn>
    Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()

Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
    drm/xe: Restore IDLEDLY register on engine reset

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: codecs: simple-mux: Fix enum control bounds check

Sean Shen <grayhat@foxmail.com>
    ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE

Eric Dumazet <edumazet@google.com>
    tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

Eric Dumazet <edumazet@google.com>
    vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()

Eric Dumazet <edumazet@google.com>
    tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()

Li Ming <ming.li@zohomail.com>
    cxl/test: Update mock dev array before calling platform_device_add()

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: validate fw->size against start_cmd_payload_size

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: validate start_cmd_payload_size from module

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: require exact CDB reply length

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: fix cleanup if socket used for flashing multiple devices

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: check fw_flash_in_progress under rtnl_lock

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: avoid racy updates to dev->ethtool bitfield

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: avoid leaking a netdev ref on module flash errors

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: call ethnl_ops_complete() on module flash errors

Jakub Kicinski <kuba@kernel.org>
    ethtool: rss: avoid device context leak on reply-build failure

Jakub Kicinski <kuba@kernel.org>
    ethtool: rss: fix hkey leak when indir_size is 0

Jakub Kicinski <kuba@kernel.org>
    ethtool: rss: fix indir_table and hkey leak on get_rxfh failure

Jakub Kicinski <kuba@kernel.org>
    ethtool: rss: fix falsely ignoring indir table updates

Jakub Kicinski <kuba@kernel.org>
    ethtool: rss: add missing errno on RSS context delete

Jakub Kicinski <kuba@kernel.org>
    ethtool: rss: avoid modifying the RSS context response

Björn Töpel <bjorn@kernel.org>
    net: Avoid checksumming unreadable skb tail on trim

Weiming Shi <bestswngs@gmail.com>
    net: team: fix NULL pointer dereference in team_xmit during mode change

Marc Harvey <marcharvey@google.com>
    net: team: Rename port_disabled team mode op to port_tx_disabled

Marc Harvey <marcharvey@google.com>
    net: team: Remove unused team_mode_op, port_enabled

Alexander Stein <alexander.stein@ew.tq-group.com>
    gpio: mxc: fix irq_high handling

Luka Gejak <luka.gejak@linux.dev>
    net: hsr: fix potential OOB access in supervision frame handling

Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
    net/mlx5: HWS: Reject unsupported remove-header action

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: pcm: oss: Fix setup list UAF on proc write error

Eric Dumazet <edumazet@google.com>
    ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()

David Jeffery <djeffery@redhat.com>
    scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues

Breno Leitao <leitao@debian.org>
    net/iucv: fix locking in .getsockopt

Alexandra Winter <wintera@linux.ibm.com>
    net/smc: Do not re-initialize smc hashtables

Ilya Maximets <i.maximets@ovn.org>
    net: netlink: don't set nsid on local notifications

Ilya Maximets <i.maximets@ovn.org>
    net: netlink: fix sending unassigned nsid after assigned one

Ziyu Zhang <ziyuzhang201@gmail.com>
    vsock: keep poll shutdown state consistent

Weiming Shi <bestswngs@gmail.com>
    tun: free page on build_skb failure in tun_xdp_one()

Weiming Shi <bestswngs@gmail.com>
    tun: free page on short-frame rejection in tun_xdp_one()

Fernando Fernandez Mancera <fmancera@suse.de>
    netfilter: nf_tables: fix dst corruption in same register operation

Florian Westphal <fw@strlen.de>
    netfilter: ebtables: fix OOB read in compat_mtw_from_user

Florian Westphal <fw@strlen.de>
    netfilter: xt_cpu: prefer raw_smp_processor_id

Chris Mason <clm@meta.com>
    netfilter: synproxy: refresh tcphdr after skb_ensure_writable

Deepanshu Kartikey <kartikey406@gmail.com>
    kernel/fork: validate exit_signal in kernel_clone()

Dhabaleshwar Das <dhabal123@gmail.com>
    accel/rocket: fix UAF via dangling GEM handle in create_bo

Florian Schmaus <florian.schmaus@codasip.com>
    kunit: fix use-after-free in debugfs when using kunit.filter

Liu Kai <lukace97@outlook.com>
    HID: remove duplicate hid_warn_ratelimited definition

Hongtao Lee <lihongtao@kylinos.cn>
    tools/bootconfig: Fix buf leaks in apply_xbc

Carl Lee <carl.lee@amd.com>
    nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems

David Ahern <dahern@nvidia.com>
    xfrm: Check for underflow in xfrm_state_mtu

Lee Jones <lee@kernel.org>
    nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()

Lee Jones <lee@kernel.org>
    nfc: llcp: Fix use-after-free in llcp_sock_release()

Mingzhe Zou <mingzhe.zou@easystack.cn>
    bcache: fix uninitialized closure object

Victor Nogueria <victor@mojatatu.com>
    net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Usama Arif <usama.arif@linux.dev>
    xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit

Jeremy Kerr <jk@codeconstruct.com.au>
    net: mctp: ensure our nlmsg responses are initialised

Davide Caratti <dcaratti@redhat.com>
    net/sched: cls_fw: fix NULL dereference of "old" filters before change()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size


-------------

Diffstat:

 Documentation/netlink/specs/handshake.yaml         |   8 +
 Makefile                                           |   4 +-
 arch/arm64/include/asm/kvm_host.h                  |   2 +-
 arch/arm64/include/asm/tlb.h                       |   2 +-
 arch/arm64/kvm/hyp/include/hyp/switch.h            |  16 +-
 arch/arm64/kvm/nested.c                            |   5 +
 arch/arm64/kvm/pmu-emul.c                          |   4 +-
 arch/arm64/kvm/sys_regs.c                          |  11 +-
 arch/mips/dec/platform.c                           | 109 ++++++++++-
 arch/riscv/include/asm/syscall_wrapper.h           |   4 +
 arch/x86/kernel/cpu/cpuid-deps.c                   |   1 +
 arch/x86/kernel/fpu/signal.c                       |  11 +-
 arch/x86/kernel/ftrace.c                           |   7 +
 arch/x86/kvm/svm/avic.c                            |  35 +++-
 arch/x86/kvm/svm/sev.c                             |  76 ++++---
 drivers/accel/rocket/rocket_gem.c                  |  17 +-
 drivers/android/binder/allocation.rs               |   8 +
 drivers/android/binder/process.rs                  |   7 +-
 drivers/android/binder/transaction.rs              |  11 +-
 drivers/auxdisplay/line-display.c                  |   2 +-
 drivers/bluetooth/btusb.c                          |   8 +-
 drivers/bluetooth/hci_qca.c                        |  42 ++--
 drivers/comedi/drivers/comedi_test.c               |   5 +-
 drivers/counter/counter-core.c                     |   3 +-
 drivers/cpufreq/intel_pstate.c                     |  13 +-
 drivers/gpio/gpio-adnp.c                           |   4 +-
 drivers/gpio/gpio-mxc.c                            |   2 +-
 drivers/gpio/gpio-rockchip.c                       |  23 ++-
 drivers/gpio/gpio-virtuser.c                       |   4 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c            |  11 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c            |   1 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c             |   7 +-
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c           |  10 +-
 .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c  |   8 +-
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c               |   3 +
 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c         |   4 +
 drivers/gpu/drm/bridge/sil-sii8620.c               |   1 +
 drivers/gpu/drm/drm_gem.c                          |   2 +
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c          | 113 +++++++++--
 drivers/gpu/drm/i915/display/intel_display_core.h  |   1 +
 drivers/gpu/drm/i915/display/intel_display_irq.c   |   8 +-
 drivers/gpu/drm/i915/display/intel_display_types.h |   3 +
 drivers/gpu/drm/i915/display/intel_dpcd.h          |  15 ++
 drivers/gpu/drm/i915/display/intel_psr.c           |  60 ++++--
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c            |  28 +--
 drivers/gpu/drm/xe/xe_guc_ads.c                    |   5 +
 drivers/hid/hid-ids.h                              |   1 +
 drivers/hid/hid-picolcd_cir.c                      |   1 +
 drivers/hid/hid-quirks.c                           |   1 +
 drivers/hid/wacom_sys.c                            |  13 +-
 drivers/hid/wacom_wac.h                            |   1 +
 drivers/hwmon/pmbus/adm1266.c                      |   7 +
 drivers/hwmon/pmbus/pmbus.h                        |   5 +
 drivers/hwmon/pmbus/pmbus_core.c                   |   8 +
 drivers/i2c/busses/i2c-davinci.c                   |   2 +-
 drivers/iio/adc/ad4695.c                           |  23 +--
 drivers/iio/adc/mt6359-auxadc.c                    |   1 +
 drivers/iio/adc/npcm_adc.c                         |  25 +--
 drivers/iio/adc/viperboard_adc.c                   |   4 +-
 drivers/iio/adc/xilinx-xadc-core.c                 |  11 +-
 drivers/iio/buffer/industrialio-hw-consumer.c      |   4 +-
 drivers/iio/chemical/mhz19b.c                      |  17 ++
 drivers/iio/chemical/scd30_core.c                  |   2 +-
 drivers/iio/common/ssp_sensors/ssp_dev.c           |   1 +
 drivers/iio/dac/ad3530r.c                          |  54 +++--
 drivers/iio/dac/ad5686.c                           |  56 ++++--
 drivers/iio/dac/ad5686.h                           |   1 +
 drivers/iio/dac/max5821.c                          |   9 +-
 drivers/iio/gyro/adis16260.c                       |   3 +
 drivers/iio/gyro/itg3200_buffer.c                  |   2 +-
 drivers/iio/imu/adis16550.c                        |   2 +-
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c     |   2 +-
 drivers/iio/industrialio-buffer.c                  |   1 +
 drivers/iio/inkern.c                               |   6 +-
 drivers/iio/light/cm3323.c                         |   5 +-
 drivers/iio/light/veml6070.c                       |  14 +-
 drivers/iio/magnetometer/st_magn_core.c            |  13 +-
 drivers/iio/pressure/bmp280-core.c                 |   2 +-
 drivers/iio/temperature/tsys01.c                   |   2 +-
 drivers/input/joystick/xpad.c                      |  14 +-
 drivers/input/misc/ims-pcu.c                       |   2 +-
 drivers/input/mouse/elan_i2c_core.c                |   5 +
 drivers/input/mouse/synaptics.c                    |   1 +
 drivers/input/touchscreen/atmel_mxt_ts.c           |   2 +-
 drivers/input/touchscreen/usbtouchscreen.c         |   5 +
 drivers/iommu/io-pgtable-arm-v7s.c                 |  18 +-
 drivers/mailbox/mailbox.c                          |  15 +-
 drivers/mailbox/tegra-hsp.c                        |   2 +-
 drivers/md/bcache/super.c                          |   3 +-
 drivers/media/cec/core/cec-core.c                  |   2 +-
 drivers/media/common/siano/smsir.c                 |   1 +
 drivers/media/i2c/ir-kbd-i2c.c                     |   2 +
 drivers/media/pci/bt8xx/bttv-input.c               |   3 +-
 drivers/media/pci/cx23885/cx23885-input.c          |   1 +
 drivers/media/pci/cx88/cx88-input.c                |   3 +-
 drivers/media/pci/dm1105/dm1105.c                  |   1 +
 drivers/media/pci/mantis/mantis_input.c            |   1 +
 drivers/media/pci/saa7134/saa7134-input.c          |   1 +
 drivers/media/pci/smipcie/smipcie-ir.c             |   1 +
 drivers/media/pci/ttpci/budget-ci.c                |   1 +
 drivers/media/rc/ati_remote.c                      |   6 +-
 drivers/media/rc/ene_ir.c                          |   2 +-
 drivers/media/rc/fintek-cir.c                      |   3 +-
 drivers/media/rc/igorplugusb.c                     |   3 +-
 drivers/media/rc/iguanair.c                        |   1 +
 drivers/media/rc/img-ir/img-ir-hw.c                |   3 +-
 drivers/media/rc/img-ir/img-ir-raw.c               |   3 +-
 drivers/media/rc/imon.c                            |   3 +-
 drivers/media/rc/ir-hix5hd2.c                      |   2 +-
 drivers/media/rc/ir_toy.c                          |   1 +
 drivers/media/rc/ite-cir.c                         |   2 +-
 drivers/media/rc/mceusb.c                          |   1 +
 drivers/media/rc/rc-ir-raw.c                       |   5 -
 drivers/media/rc/rc-loopback.c                     |   1 +
 drivers/media/rc/rc-main.c                         |   6 +-
 drivers/media/rc/redrat3.c                         |   4 +-
 drivers/media/rc/st_rc.c                           |   2 +-
 drivers/media/rc/streamzap.c                       |   7 +-
 drivers/media/rc/sunxi-cir.c                       |   1 +
 drivers/media/rc/ttusbir.c                         |   4 +-
 drivers/media/rc/winbond-cir.c                     |   2 +-
 drivers/media/rc/xbox_remote.c                     |   5 +-
 drivers/media/usb/au0828/au0828-input.c            |   1 +
 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c        |   1 +
 drivers/media/usb/dvb-usb/dvb-usb-remote.c         |   6 +-
 drivers/media/usb/em28xx/em28xx-input.c            |   1 +
 drivers/misc/rp1/rp1_pci.c                         |   1 +
 drivers/net/bonding/bond_main.c                    |   6 +
 drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c  |   3 +
 .../ethernet/marvell/octeontx2/nic/otx2_common.c   |   2 +
 .../mellanox/mlx5/core/steering/hws/fs_hws.c       |   4 +-
 drivers/net/ethernet/microsoft/mana/mana_en.c      |  78 +++++---
 drivers/net/macsec.c                               |   3 +-
 drivers/net/phy/micrel.c                           |  15 +-
 drivers/net/phy/mscc/mscc.h                        |   8 +-
 drivers/net/phy/mscc/mscc_main.c                   |  23 +--
 drivers/net/team/team_core.c                       |  51 +++--
 drivers/net/team/team_mode_loadbalance.c           |   4 +-
 drivers/net/tun.c                                  |   5 +-
 drivers/net/vxlan/vxlan_core.c                     |   4 +-
 drivers/net/wireguard/send.c                       |  20 +-
 drivers/nfc/nxp-nci/i2c.c                          |  21 +-
 drivers/nvme/host/tcp.c                            |   2 +-
 drivers/parport/share.c                            |  11 +-
 drivers/platform/x86/intel/vsec.c                  |  91 ++++-----
 drivers/s390/cio/chsc.c                            |   4 +-
 drivers/s390/cio/chsc_sch.c                        |  20 +-
 drivers/s390/cio/scm.c                             |   2 +-
 drivers/scsi/fcoe/fcoe_ctlr.c                      |   2 +-
 drivers/scsi/scsi_lib.c                            |  27 ++-
 drivers/scsi/scsi_transport_fc.c                   |  77 ++++----
 drivers/spi/spi-mem.c                              |  15 +-
 drivers/staging/gpib/cb7210/cb7210.c               |  10 +-
 drivers/staging/media/av7110/av7110_ir.c           |   1 +
 drivers/target/iscsi/iscsi_target.c                |   5 +-
 drivers/target/iscsi/iscsi_target_auth.c           |  19 +-
 drivers/target/iscsi/iscsi_target_nego.c           |   7 +-
 drivers/target/iscsi/iscsi_target_parameters.c     |  62 ++++--
 drivers/target/iscsi/iscsi_target_parameters.h     |   2 +-
 drivers/thunderbolt/property.c                     |  32 ++-
 drivers/tty/serdev/core.c                          |  21 ++
 drivers/tty/serial/8250/8250_dw.c                  |   2 +-
 drivers/tty/serial/8250/8250_port.c                |   7 +-
 drivers/tty/serial/altera_jtaguart.c               |   7 +-
 drivers/tty/serial/dz.c                            | 171 ++++++++--------
 drivers/tty/serial/fsl_lpuart.c                    |  15 +-
 drivers/tty/serial/pch_uart.c                      |  19 +-
 drivers/tty/serial/qcom_geni_serial.c              |  16 +-
 drivers/tty/serial/samsung_tty.c                   |   8 -
 drivers/tty/serial/sh-sci.c                        |   2 +-
 drivers/tty/serial/zs.c                            | 218 ++++++++-------------
 drivers/tty/serial/zs.h                            |   1 -
 drivers/usb/cdns3/cdns3-gadget.c                   |  12 +-
 drivers/usb/cdns3/cdns3-plat.c                     |  11 +-
 drivers/usb/chipidea/core.c                        |  16 +-
 drivers/usb/class/cdc-acm.c                        |   2 -
 drivers/usb/class/cdc-acm.h                        |   2 +
 drivers/usb/class/usbtmc.c                         |  14 ++
 drivers/usb/core/config.c                          |   9 +-
 drivers/usb/core/quirks.c                          |   4 +
 drivers/usb/dwc2/hcd.c                             |   4 +-
 drivers/usb/dwc3/dwc3-xilinx.c                     |  27 +--
 drivers/usb/gadget/composite.c                     |   5 +-
 drivers/usb/gadget/function/f_fs.c                 |  26 ++-
 drivers/usb/gadget/function/f_hid.c                |   3 +-
 drivers/usb/gadget/function/f_uvc.c                |  28 ++-
 drivers/usb/gadget/udc/dummy_hcd.c                 |   4 +
 drivers/usb/gadget/udc/net2280.c                   |   4 +-
 drivers/usb/host/xhci-tegra.c                      |  77 ++++----
 drivers/usb/musb/omap2430.c                        |   3 +-
 drivers/usb/serial/belkin_sa.c                     |   3 +
 drivers/usb/serial/cypress_m8.c                    |  20 +-
 drivers/usb/serial/digi_acceleport.c               |  23 ++-
 drivers/usb/serial/keyspan.c                       |   4 +
 drivers/usb/serial/mct_u232.c                      |  26 ++-
 drivers/usb/serial/mxuport.c                       |   8 +
 drivers/usb/serial/omninet.c                       |   9 +-
 drivers/usb/serial/option.c                        |   9 +-
 drivers/usb/serial/safe_serial.c                   |  11 ++
 drivers/usb/storage/unusual_uas.h                  |   7 +
 drivers/usb/typec/altmodes/displayport.c           |   2 +
 drivers/usb/typec/tcpm/tcpci_maxim_core.c          |   9 +
 drivers/usb/typec/tcpm/tcpm.c                      | 117 ++++++-----
 drivers/usb/typec/tcpm/wcove.c                     |  13 +-
 drivers/usb/typec/tipd/core.c                      |   1 +
 drivers/usb/typec/ucsi/displayport.c               |   4 +
 drivers/usb/typec/ucsi/ucsi.c                      |  24 ++-
 drivers/usb/typec/ucsi/ucsi_ccg.c                  |   5 +
 drivers/usb/usbip/vudc_dev.c                       |   1 +
 drivers/usb/usbip/vudc_transfer.c                  |   3 +-
 fs/hpfs/alloc.c                                    |   2 +-
 fs/smb/client/cifsacl.c                            | 116 ++++++++---
 fs/smb/client/smb2pdu.c                            |   2 +-
 fs/smb/server/smb2pdu.c                            |  11 ++
 fs/smb/server/smbacl.c                             |   8 +-
 include/kunit/test.h                               |   1 +
 include/linux/compat.h                             |   4 +
 include/linux/compiler-clang.h                     |   6 +
 include/linux/compiler_attributes.h                |  11 ++
 include/linux/compiler_types.h                     |   4 +
 include/linux/hid.h                                |   2 -
 include/linux/if_team.h                            |   3 +-
 include/linux/intel_vsec.h                         |   4 +-
 include/linux/mailbox_controller.h                 |   3 +
 include/linux/parport.h                            |   1 +
 include/linux/serdev.h                             |   1 +
 include/linux/serial_core.h                        |  12 ++
 include/linux/syscalls.h                           |   4 +
 include/media/rc-core.h                            |   2 -
 include/net/netfilter/nf_tables.h                  |   7 +
 include/net/xfrm.h                                 |   3 +-
 ipc/util.c                                         |   2 +-
 kernel/fork.c                                      |  11 +-
 lib/debugobjects.c                                 |   2 +-
 lib/kunit/executor.c                               |  19 +-
 lib/kunit/test.c                                   |   1 +
 mm/damon/sysfs-schemes.c                           |   8 +-
 mm/memcontrol.c                                    |   6 +
 mm/memfd.c                                         |  12 +-
 mm/rmap.c                                          |   2 +
 mm/slab_common.c                                   |   2 +
 mm/slub.c                                          |   1 +
 net/bluetooth/6lowpan.c                            |   2 +
 net/bluetooth/hci_conn.c                           |   4 +-
 net/bluetooth/hci_sync.c                           |  16 +-
 net/bluetooth/hidp/core.c                          |  23 ++-
 net/bluetooth/iso.c                                |  12 +-
 net/bluetooth/l2cap_core.c                         |  41 +++-
 net/bluetooth/l2cap_sock.c                         |  16 +-
 net/bridge/br_netlink.c                            |  17 +-
 net/bridge/br_switchdev.c                          |   1 -
 net/bridge/br_sysfs_if.c                           |  30 ++-
 net/bridge/netfilter/ebtables.c                    |  30 +++
 net/core/devmem.c                                  |  11 ++
 net/core/filter.c                                  |   2 +-
 net/core/skbuff.c                                  |  45 ++++-
 net/ethtool/cmis.h                                 |   4 +-
 net/ethtool/cmis_cdb.c                             |   9 +-
 net/ethtool/cmis_fw_update.c                       |  44 +++--
 net/ethtool/coalesce.c                             |   6 +
 net/ethtool/eeprom.c                               |  10 +-
 net/ethtool/linkstate.c                            |   6 +-
 net/ethtool/module.c                               |  41 ++--
 net/ethtool/netlink.c                              |   4 +-
 net/ethtool/netlink.h                              |   4 +-
 net/ethtool/pse-pd.c                               |  10 +-
 net/ethtool/rss.c                                  |  37 ++--
 net/ethtool/strset.c                               |   2 +-
 net/ethtool/tsconfig.c                             |  15 +-
 net/ethtool/tsinfo.c                               |  19 +-
 net/handshake/genl.c                               |   3 +-
 net/handshake/genl.h                               |   1 +
 net/handshake/handshake-test.c                     |   2 +-
 net/handshake/handshake.h                          |   4 +-
 net/handshake/netlink.c                            |   6 +-
 net/handshake/request.c                            |  16 +-
 net/handshake/tlshd.c                              |   6 +-
 net/hsr/hsr_forward.c                              |   4 +-
 net/ipv4/ah4.c                                     |   2 +-
 net/ipv4/esp4.c                                    |   4 +-
 net/ipv4/ip_tunnel_core.c                          |  22 ++-
 net/ipv4/sysctl_net_ipv4.c                         |   2 +-
 net/ipv6/ah6.c                                     |   2 +-
 net/ipv6/datagram.c                                |  54 ++++-
 net/ipv6/esp6.c                                    |   4 +-
 net/ipv6/exthdrs.c                                 |   6 +-
 net/ipv6/ip6_vti.c                                 |  23 ++-
 net/ipv6/route.c                                   |   5 +
 net/iucv/af_iucv.c                                 |  20 +-
 net/key/af_key.c                                   |   6 +-
 net/l2tp/l2tp_core.c                               |  11 +-
 net/mctp/device.c                                  |   1 +
 net/mctp/neigh.c                                   |   1 +
 net/mctp/route.c                                   |   1 +
 net/mptcp/fastopen.c                               |   4 +-
 net/mptcp/mib.c                                    |   1 -
 net/mptcp/mib.h                                    |   1 -
 net/mptcp/protocol.c                               |  65 ++++--
 net/mptcp/protocol.h                               |  31 ++-
 net/mptcp/subflow.c                                |   8 +-
 net/netfilter/nf_conntrack_proto_tcp.c             |   3 +-
 net/netfilter/nf_synproxy_core.c                   |   2 +
 net/netfilter/nft_bitwise.c                        |  18 +-
 net/netfilter/nft_byteorder.c                      |  13 +-
 net/netfilter/xt_cpu.c                             |   2 +-
 net/netlink/af_netlink.c                           |  11 +-
 net/nfc/hci/core.c                                 |  10 +
 net/nfc/llcp_core.c                                |  11 ++
 net/nfc/llcp_sock.c                                |   2 +
 net/nfc/nci/hci.c                                  |  10 +
 net/rxrpc/ar-internal.h                            |  14 +-
 net/rxrpc/call_event.c                             |  22 +--
 net/rxrpc/call_object.c                            |   2 +
 net/rxrpc/conn_event.c                             |  30 ++-
 net/rxrpc/insecure.c                               |   8 +-
 net/rxrpc/recvmsg.c                                |  68 +++++--
 net/rxrpc/rxgk.c                                   | 147 ++++++--------
 net/rxrpc/rxgk_app.c                               |  46 ++---
 net/rxrpc/rxgk_common.h                            |  66 +++----
 net/rxrpc/rxkad.c                                  | 115 ++++-------
 net/sched/cls_fw.c                                 |   6 +-
 net/sched/sch_netem.c                              |  40 ----
 net/sched/sch_sfb.c                                |   2 +-
 net/sctp/socket.c                                  |   2 +
 net/smc/af_smc.c                                   |   4 +-
 net/vmw_vsock/af_vsock.c                           |  49 +++--
 net/vmw_vsock/hyperv_transport.c                   |   9 +-
 net/vmw_vsock/virtio_transport_common.c            |  26 ++-
 net/vmw_vsock/vmci_transport.c                     |   8 +-
 net/xfrm/xfrm_input.c                              |  16 +-
 net/xfrm/xfrm_ipcomp.c                             |  12 +-
 net/xfrm/xfrm_iptfs.c                              |  29 ++-
 net/xfrm/xfrm_policy.c                             |  17 +-
 net/xfrm/xfrm_state.c                              |  23 ++-
 net/xfrm/xfrm_user.c                               |   5 +-
 sound/core/oss/pcm_oss.c                           |  18 +-
 .../motu/motu-register-dsp-message-parser.c        |  11 +-
 sound/hda/codecs/realtek/alc269.c                  |   1 +
 sound/soc/codecs/simple-mux.c                      |   2 +-
 sound/soc/intel/boards/bytcht_es8316.c             |  29 ++-
 sound/soc/qcom/qdsp6/q6asm-dai.c                   |  43 ++--
 sound/usb/mixer_scarlett2.c                        |  33 +++-
 tools/bootconfig/main.c                            |   4 +-
 tools/testing/cxl/test/cxl.c                       | 105 ++++------
 tools/testing/selftests/net/mptcp/mptcp_connect.sh |   6 +-
 tools/testing/selftests/net/mptcp/mptcp_lib.sh     |  10 +-
 346 files changed, 3284 insertions(+), 1733 deletions(-)




* [PATCH 6.18 001/315] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.

nexio_read_data() pulls data_len and x_len from a packed __be16 header
in the device's interrupt packet and then walks packet->data[0..x_len)
and packet->data[x_len..data_len) comparing each byte against a
threshold.

Both fields are 16-bit on the wire (max 65535).  The existing
adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
reach roughly 0xfeff.  The URB transfer buffer for NEXIO is rept_size
(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
packed header — so packet->data[] has 1017 valid bytes.  read_data()
callbacks are not given urb->actual_length, and nothing else bounds the
walk.

A device that lies about its length can get a ~64 KiB out-of-bounds read
past the coherent DMA allocation.  The first index whose byte exceeds
NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
reported touch coordinates, so adjacent kernel memory contents leak to
userspace as ABS_X / ABS_Y events.  Far enough out, the read can also
hit an unmapped page and fault.

Fix this all by clamping data_len to the buffer's data[] capacity and
x_len to data_len.

Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/touchscreen/usbtouchscreen.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/touchscreen/usbtouchscreen.c
+++ b/drivers/input/touchscreen/usbtouchscreen.c
@@ -1070,6 +1070,11 @@ static int nexio_read_data(struct usbtou
 	if (x_len > 0xff)
 		x_len -= 0x80;
 
+	if (data_len > usbtouch->data_size - sizeof(*packet))
+		data_len = usbtouch->data_size - sizeof(*packet);
+	if (x_len > data_len)
+		x_len = data_len;
+
 	/* send ACK */
 	ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
 	if (ret)
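Review bot: the clamp at the top of the hunk keeps the walk in bounds but silently truncates a packet whose advertised data_len exceeds the data[] capacity, and such a packet is malformed by definition (per the commit message only a device lying about its length gets there); consider rejecting it instead, e.g. `if (data_len > usbtouch->data_size - sizeof(*packet)) return 0;` (or whatever this callback's usual "do not report" return is), so that coordinates are never derived from a truncated walk, and add a short comment saying data[] holds data_size - sizeof(*packet) bytes because read_data() callbacks are not handed urb->actual_length. Also, `usbtouch->data_size - sizeof(*packet)` is a size_t expression, so the comparison with data_len is done unsigned; that is correct here because data_len cannot be negative after the 0x100 / 0x80 adjustments, but it is worth stating next to the check.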



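The bound the commit message describes, carried through on a constructed packet (added example, not the driver's code or the patch itself): it assumes a 7-byte header of a flags byte plus three big-endian 16-bit lengths, assumes the data_len adjustment mirrors the visible x_len one with 0x100, and uses a placeholder threshold. A header advertising 0xffff for both lengths is clamped to the 1017 bytes data[] actually holds, so both walks stay inside the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Buffer geometry from the commit message: the NEXIO URB buffer is
 * rept_size (1024) bytes and the packed header takes the first 7, so
 * data[] holds 1017 valid bytes. */
#define NEXIO_BUF_SIZE 1024
#define NEXIO_HDR_LEN  7                                /* sizeof(*packet) */
#define NEXIO_DATA_CAP (NEXIO_BUF_SIZE - NEXIO_HDR_LEN) /* 1017 */
#define EX_THRESHOLD   50 /* placeholder: the real NEXIO_THRESHOLD is not on the page */

struct nexio_result {
	unsigned data_len, x_len; /* lengths after adjustment and clamp */
	int begin_x, begin_y;     /* first index over threshold, -1 if none */
};

static unsigned be16(const uint8_t *p)
{
	return ((unsigned)p[0] << 8) | p[1];
}

/* Constructed packet. Assumed header layout: flags byte, then data_len,
 * x_len and y_len as big-endian 16-bit fields (7 bytes in total). The
 * payload carries one byte over threshold in each half of a well-formed
 * 20-byte packet: the x part covers data[0..8), the y part data[8..20). */
static void nexio_build_packet(uint8_t *buf, unsigned data_len, unsigned x_len)
{
	uint8_t *data = buf + NEXIO_HDR_LEN;

	memset(buf, 0, NEXIO_BUF_SIZE);
	buf[1] = data_len >> 8;
	buf[2] = data_len & 0xff;
	buf[3] = x_len >> 8;
	buf[4] = x_len & 0xff;
	data[5] = 200;
	data[13] = 200;
}

/* Index of the first byte in data[lo..hi) above thr, or -1: this is the
 * begin_x / begin_y search the commit message describes. */
static int first_over(const uint8_t *data, unsigned lo, unsigned hi, unsigned thr)
{
	for (unsigned i = lo; i < hi; i++)
		if (data[i] > thr)
			return (int)i;
	return -1;
}

/* Parse the lengths, apply the driver's adjustments, apply the clamp from
 * the fix, then run the two walks. data_cap is the number of valid bytes
 * in data[], i.e. data_size - sizeof(*packet). */
static struct nexio_result nexio_parse(const uint8_t *buf, unsigned data_cap)
{
	const uint8_t *data = buf + NEXIO_HDR_LEN;
	struct nexio_result r;

	r.data_len = be16(buf + 1);
	r.x_len = be16(buf + 3);
	/* Existing adjustments: the x_len one is visible in the hunk; the
	 * data_len one is assumed to mirror it with 0x100 (the commit
	 * message gives 0x100 / 0x80 as the amounts shaved off). */
	if (r.data_len > 0xff)
		r.data_len -= 0x100;
	if (r.x_len > 0xff)
		r.x_len -= 0x80;
	/* The fix: bound data_len by the buffer and x_len by data_len, so
	 * neither walk below can leave data[]. */
	if (r.data_len > data_cap)
		r.data_len = data_cap;
	if (r.x_len > r.data_len)
		r.x_len = r.data_len;

	r.begin_x = first_over(data, 0, r.x_len, EX_THRESHOLD);
	r.begin_y = first_over(data, r.x_len, r.data_len, EX_THRESHOLD);
	return r;
}

/* Build a packet with the given wire lengths and parse it. */
struct nexio_result nexio_demo(unsigned wire_data_len, unsigned wire_x_len)
{
	uint8_t buf[NEXIO_BUF_SIZE];

	nexio_build_packet(buf, wire_data_len, wire_x_len);
	return nexio_parse(buf, NEXIO_DATA_CAP);
}

int main(void)
{
	struct nexio_result ok = nexio_demo(20, 8);
	struct nexio_result bad = nexio_demo(0xffff, 0xffff);

	printf("well-formed: data_len=%u x_len=%u begin_x=%d begin_y=%d\n",
	       ok.data_len, ok.x_len, ok.begin_x, ok.begin_y);
	/* With the clamp the lying header walks at most 1017 bytes; without
	 * it the loops would run to 0xfeff and 0xff7f. */
	printf("lying header: data_len=%u x_len=%u begin_x=%d begin_y=%d\n",
	       bad.data_len, bad.x_len, bad.begin_x, bad.begin_y);
	return 0;
}
```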

* [PATCH 6.18 002/315] net/sched: cls_fw: fix NULL dereference of "old" filters before change()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Davide Caratti,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit 65782b2db7321d5f97c16718c4c7f6c7205a56be ]

As pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched:
protect filter_chain list with filter_chain_lock mutex") TC filters are
added to a shared block and published to datapath before their ->change()
function is called. This is a problem for cls_fw: an invalid filter
created with the "old" method can still classify some packets before it
is destroyed by the validation logic added by Xiang.
Therefore, insisting with repeated runs of the following script:

 # ip link add dev crash0 type dummy
 # ip link set dev crash0 up
 # mausezahn  crash0 -c 100000 -P 10 \
 > -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
 # sleep 1
 # tc qdisc add dev crash0 egress_block 1 clsact
 # tc filter add block 1 protocol ip prio 1 matchall \
 > action skbedit mark 65536 continue
 # tc filter add block 1 protocol ip prio 2 fw
 # ip link del dev crash0

can still make fw_classify() hit the WARN_ON() in [2]:

 WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
 Modules linked in: cls_fw(E) act_skbedit(E)
 CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)
 Tainted: [E]=UNSIGNED_MODULE
 Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
 RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
 Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90
 RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202
 RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004
 RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40
 RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0
 R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000
 R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000
 FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0
 Call Trace:
  <TASK>
  tcf_classify+0x17d/0x5c0
  tc_run+0x9d/0x150
  __dev_queue_xmit+0x2ab/0x14d0
  ip_finish_output2+0x340/0x8f0
  ip_output+0xa4/0x250
  raw_sendmsg+0x147d/0x14b0
  __sys_sendto+0x1cc/0x1f0
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x126/0xf80
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7fca40e822ba
 Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
 RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba
 RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003
 RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e
 R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000
  </TASK>
 irq event stamp: 1045778
 hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60
 hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60
 softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260
 softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0

Then, because of the value in the packet's mark, a dereference of 'q->handle'
with NULL 'q' occurs:

 BUG: kernel NULL  pointer dereference, address: 0000000000000038
 [...]
 RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
 [...]

Skip "old-style" classification on shared blocks, so that the NULL
dereference is fixed and WARN_ON() is not hit anymore in the short
lifetime of invalid cls_fw "old-style" filters.

[1] https://sashiko.dev/#/patchset/20260331050217.504278-1-xmei5%40asu.edu
[2] https://elixir.bootlin.com/linux/v7.0-rc6/source/include/net/pkt_cls.h#L86

Fixes: faeea8bbf6e9 ("net/sched: cls_fw: fix NULL pointer dereference on shared blocks")
Fixes: ed76f5edccc9 ("net: sched: protect filter_chain list with filter_chain_lock mutex")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/e39cbd3103a337f1e515d186fe697b4459d24757.1775661704.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/cls_fw.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 83a7372ea15c2a..fd9c6c2815a1c2 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -74,9 +74,13 @@ TC_INDIRECT_SCOPE int fw_classify(struct sk_buff *skb,
 			}
 		}
 	} else {
-		struct Qdisc *q = tcf_block_q(tp->chain->block);
+		struct Qdisc *q;
 
 		/* Old method: classify the packet using its skb mark. */
+		if (tcf_block_shared(tp->chain->block))
+			return -1;
+
+		q = tcf_block_q(tp->chain->block);
 		if (id && (TC_H_MAJ(id) == 0 ||
 			   !(TC_H_MAJ(id ^ q->handle)))) {
 			res->classid = id;
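Review bot: the early `return -1` at the top of the else branch is what keeps `q` from being NULL at the `q->handle` dereference below, but nothing in the code says why a shared block cannot be classified by mark; suggest a one-line comment above `if (tcf_block_shared(tp->chain->block))` along the lines of `/* shared blocks have no owning qdisc, so the mark cannot be resolved against q->handle */`. Returning -1 (no match) rather than warning is the right choice here, since the commit message notes these "old-style" filters only exist for a short window before change() replaces them.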
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 003/315] net: mctp: ensure our nlmsg responses are initialised
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Simon Horman,
	Jakub Kicinski, Li hongliang, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Kerr <jk@codeconstruct.com.au>

[ Upstream commit a6a9bc544b675d8b5180f2718ec985ad267b5cbf ]

Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitialised data in the pad
bytes of the ndmsg data.

Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.

Fixes: 831119f88781 ("mctp: Add neighbour netlink interface")
Fixes: 06d2f4c583a7 ("mctp: Add netlink route management")
Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260209-dev-mctp-nlmsg-v1-1-f1e30c346a43@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mctp/device.c | 1 +
 net/mctp/neigh.c  | 1 +
 net/mctp/route.c  | 1 +
 3 files changed, 3 insertions(+)

diff --git a/net/mctp/device.c b/net/mctp/device.c
index 4d404edd7446e1..04c5570bacff69 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -70,6 +70,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->ifa_family = AF_MCTP;
 	hdr->ifa_prefixlen = 0;
 	hdr->ifa_flags = 0;
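Review bot: with the new `memset(hdr, 0, sizeof(*hdr))`, the explicit `hdr->ifa_prefixlen = 0;` and `hdr->ifa_flags = 0;` that follow are now redundant; either drop them or keep them deliberately as documentation of the wire format, but say which in a comment. The memset itself is the right fix: nlmsg_put() returns an unzeroed payload (it only clears the alignment tail), so any struct padding or field this function never assigns would otherwise carry stale skb memory out to userspace.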
diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c
index 05b899f22d902b..fc85f0e6930143 100644
--- a/net/mctp/neigh.c
+++ b/net/mctp/neigh.c
@@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 portid, u32 seq, int event,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->ndm_family = AF_MCTP;
 	hdr->ndm_ifindex = dev->ifindex;
 	hdr->ndm_state = 0; // TODO other state bits?
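Review bot: this is the struct the report is about (the ndmsg returned for RTM_GETNEIGH), and the pad bytes it mentions are only ever cleared by this memset, since no field assignment below touches them; `hdr->ndm_state = 0;` becomes redundant once the memset is in place. Unrelated to this patch but visible in the hunk, `// TODO other state bits?` is a C++-style comment in kernel C; worth converting to `/* */` while touching the lines.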
diff --git a/net/mctp/route.c b/net/mctp/route.c
index d4fdaac8037aba..eb817f1eb5c8eb 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -1650,6 +1650,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->rtm_family = AF_MCTP;
 
 	/* we use the _len fields as a number of EIDs, rather than
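Review bot: same pattern as device.c and neigh.c; beyond padding, the memset also zeroes every rtmsg field this function never assigns explicitly (only rtm_family is set in the visible lines), so fields added to the struct later default to zero rather than stale skb memory. Three identical memsets immediately after nlmsg_data() suggest a small local helper so the pattern is not forgotten in a fourth fill function; not blocking.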
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 004/315] xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Usama Arif, Steffen Klassert,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Usama Arif <usama.arif@linux.dev>

[ Upstream commit 3e52417318473782012b236d0325bf7d2266a597 ]

The struct pernet_operations docstring in include/net/net_namespace.h
explicitly warns against blocking RCU primitives in .exit handlers:

    Exit methods using blocking RCU primitives, such as
    synchronize_rcu(), should be implemented via exit_batch.
    [...]
    Please, avoid synchronize_rcu() at all, where it's possible.

    Note that a combination of pre_exit() and exit() can
    be used, since a synchronize_rcu() is guaranteed between
    the calls.

xfrm_policy_fini() violates this: it calls synchronize_rcu() before
freeing the policy_bydst hash tables (so no RCU reader is mid-
traversal at free time), but runs from xfrm_net_ops.exit -- once per
namespace -- so a cleanup_net() of N namespaces pays N full RCU
grace periods serially.

Use the documented pre_exit/exit split. Move the policy flush (and
the workqueue drains it depends on) into a new .pre_exit handler;
xfrm_policy_fini() then runs in .exit and frees the hash tables
after the synchronize_rcu_expedited() that cleanup_net() guarantees
between the two phases, providing O(1) RCU grace periods per batch
instead of O(N).

Observed on Linux 6.18 with a workload doing unshare(CLONE_NEWNET)
at ~13/sec sustained: cleanup_net() and the netns_wq rescuer kthread
both stuck in xfrm_policy_fini()'s synchronize_rcu(), >300k struct
net accumulated in the cleanup queue, Percpu in /proc/meminfo climbed
to 130+ GB on 256-CPU hosts, and memcg OOMs followed. setup_net and
__put_net counts were balanced, ruling out a refcount leak.

Fixes: 069daad4f2ae ("xfrm: Wait for RCU readers during policy netns exit")
Signed-off-by: Usama Arif <usama.arif@linux.dev>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_policy.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 29c94ee0ceb256..96e9262c4b482a 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4276,21 +4276,21 @@ static int __net_init xfrm_policy_init(struct net *net)
 	return -ENOMEM;
 }
 
-static void xfrm_policy_fini(struct net *net)
+static void __net_exit xfrm_net_pre_exit(struct net *net)
 {
-	struct xfrm_pol_inexact_bin *b, *t;
-	unsigned int sz;
-	int dir;
-
 	disable_work_sync(&net->xfrm.policy_hthresh.work);
-
 	flush_work(&net->xfrm.policy_hash_work);
 #ifdef CONFIG_XFRM_SUB_POLICY
 	xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
 #endif
 	xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+}
 
-	synchronize_rcu();
+static void xfrm_policy_fini(struct net *net)
+{
+	struct xfrm_pol_inexact_bin *b, *t;
+	unsigned int sz;
+	int dir;
 
 	WARN_ON(!list_empty(&net->xfrm.policy_all));
 
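Review bot: the removed `synchronize_rcu()` is now provided implicitly by cleanup_net() between the .pre_exit and .exit phases, but nothing in xfrm_policy_fini() records that dependency; add a comment at the top of xfrm_policy_fini() stating that the hash tables may only be freed here because xfrm_net_pre_exit() flushed the policies and the core guarantees a grace period before .exit, so nobody later moves the frees into the pre_exit handler or re-adds a per-netns synchronize_rcu(). Minor: the new xfrm_net_pre_exit() is annotated `__net_exit` while xfrm_policy_fini() still carries no section annotation; consistent annotation would be nice.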
@@ -4368,6 +4368,7 @@ static void __net_exit xfrm_net_exit(struct net *net)
 
 static struct pernet_operations __net_initdata xfrm_net_ops = {
 	.init = xfrm_net_init,
+	.pre_exit = xfrm_net_pre_exit,
 	.exit = xfrm_net_exit,
 };
 
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 005/315] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Victor Nogueria, Eric Dumazet,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Victor Nogueria <victor@mojatatu.com>

[ Upstream commit 1b9bc71153b01dbde8045b9edede4240f4f5520e ]

When sfb has children (e.g. the qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (e.g. illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (sfb in this case), it will do the following:
 1a. do a peek() - and when sensing there's an skb the child can offer, then
     - the child in this case (sfb) calls its child's (qfq) peek.
        qfq does the right thing and will return the gso_skb queue packet.
        Note: if there wasn't a gso_skb entry then qfq will store it there.
 1b. invoke a dequeue() on the child (sfb). And herein lies the problem.
     - sfb will call the child's dequeue() which will essentially just
       try to grab something off qfq's queue.

[  127.594489][  T453] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[  127.594741][  T453] CPU: 2 UID: 0 PID: 453 Comm: ping Not tainted 7.1.0-rc1-00035-gac961974495b-dirty #793 PREEMPT(full)
[  127.595059][  T453] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  127.595254][  T453] RIP: 0010:qfq_dequeue+0x35c/0x1650 [sch_qfq]
[  127.595461][  T453] Code: 00 fc ff df 80 3c 02 00 0f 85 17 0e 00 00 4c 8d 73 48 48 89 9d b8 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 76 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
[  127.596081][  T453] RSP: 0018:ffff88810e5af440 EFLAGS: 00010216
[  127.596337][  T453] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
[  127.596623][  T453] RDX: 0000000000000009 RSI: 0000001880000000 RDI: ffff888104fd82b0
[  127.596917][  T453] RBP: ffff888104fd8000 R08: ffff888104fd8280 R09: 1ffff110211893a3
[  127.597165][  T453] R10: 1ffff110211893a6 R11: 1ffff110211893a7 R12: 0000001880000000
[  127.597404][  T453] R13: ffff888104fd82b8 R14: 0000000000000048 R15: 0000000040000000
[  127.597644][  T453] FS:  00007fc380cbfc40(0000) GS:ffff88816f2a8000(0000) knlGS:0000000000000000
[  127.597956][  T453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  127.598160][  T453] CR2: 00005610aa9890a8 CR3: 000000010369e000 CR4: 0000000000750ef0
[  127.598390][  T453] PKRU: 55555554
[  127.598509][  T453] Call Trace:
[  127.598629][  T453]  <TASK>
[  127.598718][  T453]  ? mark_held_locks+0x40/0x70
[  127.598890][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599053][  T453]  sfb_dequeue+0x88/0x4d0
[  127.599174][  T453]  ? ktime_get+0x137/0x230
[  127.599328][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599480][  T453]  ? qdisc_peek_dequeued+0x7b/0x350 [sch_qfq]
[  127.599670][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599831][  T453]  tbf_dequeue+0x6b1/0x1098 [sch_tbf]
[  127.599988][  T453]  __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off the gso_skb queue.
This patchset fixes that issue by changing #1b to use the
qdisc_dequeue_peeked() method instead.

Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler")
Signed-off-by: Victor Nogueria <victor@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430152957.194015-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_sfb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index 00286c930b8de7..14ac8897784757 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -441,7 +441,7 @@ static struct sk_buff *sfb_dequeue(struct Qdisc *sch)
 	struct Qdisc *child = q->qdisc;
 	struct sk_buff *skb;
 
-	skb = child->dequeue(q->qdisc);
+	skb = qdisc_dequeue_peeked(child);
 
 	if (skb) {
 		qdisc_bstats_update(sch, skb);
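Review bot: `qdisc_dequeue_peeked(child)` is the right replacement: a preceding peek() on a child whose peek is qdisc_peek_dequeued() parks the skb in the child's gso_skb, and calling `child->dequeue()` directly skips that slot, so qfq's dequeue runs against a queue it has already handed out from (the NULL dereference in the trace). qdisc_dequeue_peeked() also keeps the child's qlen and backlog accounting consistent when it takes the parked skb. A one-line comment at the call site would help, because the direct `->dequeue()` form looks perfectly natural and is easy to reintroduce.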
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 006/315] bcache: fix uninitialized closure object
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mingzhe Zou, Coly Li, Jens Axboe,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingzhe Zou <mingzhe.zou@easystack.cn>

[ Upstream commit 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 ]

In the previous patch ("bcache: fix cached_dev.sb_bio use-after-free and
crash"), we adopted a simple modification suggestion from AI to fix the
use-after-free.

But in actual testing, we found an extreme case where the device is
stopped before calling bch_write_bdev_super().

At this point, struct closure sb_write has not been initialized yet.
For this patch, we ensure that sb_bio has been completed via
sb_write_mutex.

Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Signed-off-by: Coly Li <colyli@fnnas.com>
Link: https://patch.msgid.link/20260403042135.2221247-1-colyli@fnnas.com
Fixes: fec114a98b87 ("bcache: fix cached_dev.sb_bio use-after-free and crash")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/bcache/super.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 2f06945533d673..d4ebd13a59f820 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1378,7 +1378,8 @@ static CLOSURE_CALLBACK(cached_dev_free)
 	 * The sb_bio is embedded in struct cached_dev, so we must
 	 * ensure no I/O is in progress.
 	 */
-	closure_sync(&dc->sb_write);
+	down(&dc->sb_write_mutex);
+	up(&dc->sb_write_mutex);
 
 	if (dc->sb_disk)
 		folio_put(virt_to_folio(dc->sb_disk));
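Review bot: `down()` immediately followed by `up()` on sb_write_mutex is a wait-for-writer barrier, not a critical section, and that reads oddly without explanation; extend the comment above it to say that the superblock writer holds sb_write_mutex across the sb_bio completion, so acquiring and releasing it here guarantees any in-flight superblock write has finished before sb_disk is released below, and that this works even when sb_write was never initialised (the case the previous `closure_sync(&dc->sb_write)` got wrong). The empty critical section is only sound because this runs in the free path and no new writer can start after the `up()`; that assumption belongs in the comment too.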
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 007/315] nfc: llcp: Fix use-after-free in llcp_sock_release()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, David Heidelberg,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

[ Upstream commit f4268b466190dae95a7585f69b4f1f8ad097632c ]

llcp_sock_release() unconditionally unlinks the socket from the local
sockets list.  However, if the socket is still in connecting state, it
is on the connecting list.

Fix this by checking the socket state and unlinking from the correct list.

Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Signed-off-by: Lee Jones <lee@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-1-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 57a2f97004e172..915929cd724f90 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
 
 	if (sock->type == SOCK_RAW)
 		nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+	else if (sk->sk_state == LLCP_CONNECTING)
+		nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
 	else
 		nfc_llcp_sock_unlink(&local->sockets, sk);
 
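Review bot: selecting the list from `sk->sk_state` only works if the state read and the unlink are atomic with respect to nfc_llcp_recv_cc(), which moves the socket from connecting_sockets to sockets and flips the state to LLCP_CONNECTED; if that can run between the `sk->sk_state == LLCP_CONNECTING` test and the `nfc_llcp_sock_unlink()` call here, the socket is unlinked from the wrong list and stays on the live one. The hunk does not show whether lock_sock() is held across this block; please confirm, or note in the commit message that the follow-up patch taking lock_sock() in recv_cc is what closes that window.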
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 008/315] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, Simon Horman,
	David Heidelberg, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

[ Upstream commit b493ea2765cc17cb8aa7e7544a4b6dcb05b6ed77 ]

A race condition exists in the NFC LLCP connection state machine where
the connection acceptance packet (CC) can be processed concurrently with
socket release.  This can lead to a use-after-free of the socket object.

When nfc_llcp_recv_cc() moves the socket from the connecting_sockets
list to the sockets list, it does so without holding the socket lock.
If llcp_sock_release() is executing concurrently, it might have already
unlinked the socket and dropped its references, which can result in
nfc_llcp_recv_cc() linking a freed socket into the live list.

Fix this by holding lock_sock() during the state transition and list
movement in nfc_llcp_recv_cc().  After acquiring the lock, check if
the socket is still hashed to ensure it hasn't already been unlinked
and marked for destruction by the release path.  This aligns the locking
pattern with recv_hdlc() and recv_disc().

Fixes: a69f32af86e3 ("NFC: Socket linked list")
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-2-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/llcp_core.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index da8d3add0018f3..c83a00e429852c 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1218,6 +1218,15 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
 
 	sk = &llcp_sock->sk;
 
+	lock_sock(sk);
+
+	/* Check if socket was destroyed whilst waiting for the lock */
+	if (!sk_hashed(sk)) {
+		release_sock(sk);
+		nfc_llcp_sock_put(llcp_sock);
+		return;
+	}
+
 	/* Unlink from connecting and link to the client array */
 	nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
 	nfc_llcp_sock_link(&local->sockets, sk);
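Review bot: the `!sk_hashed(sk)` test after `lock_sock(sk)` is the actual race closer: observing the socket still hashed under the lock means the release path has not started unlinking it, so the unlink/link pair below cannot put a socket that is being torn down back on the live list. The bail-out correctly calls `release_sock(sk)` before `nfc_llcp_sock_put(llcp_sock)`, since put may drop the last reference. Worth stating in the comment that the caller already holds a reference on llcp_sock (hence the put at the end), which is what makes taking lock_sock() on it safe in the first place.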
@@ -1229,6 +1238,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
 	sk->sk_state = LLCP_CONNECTED;
 	sk->sk_state_change(sk);
 
+	release_sock(sk);
+
 	nfc_llcp_sock_put(llcp_sock);
 }
 
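Review bot: ordering is right: `release_sock(sk)` before `nfc_llcp_sock_put(llcp_sock)`, because put may free the socket and the lock must not be touched afterwards. `sk->sk_state_change(sk)` is now invoked with the socket lock held, which matches how the other receive paths in this file wake waiters; just confirm that no sk_state_change callback reachable here re-takes lock_sock(), since that would deadlock.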
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 009/315] xfrm: Check for underflow in xfrm_state_mtu
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Leo Lin, David Ahern,
	Steffen Klassert, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <dahern@nvidia.com>

[ Upstream commit 742b04d0550b0ec89dcbc99537ec88653bd1ad90 ]

Leo Lin reported an OOB write issue in the esp component:

  xfrm_state_mtu() returns u32 but performs its arithmetic in unsigned
  modulo-2^32 space using an attacker-influenced "header_len + authsize +
  net_adj" subtracted from a small "mtu" argument. A nobody user can
  install an IPv4 ESP tunnel SA with a large authentication key
  (XFRMA_ALG_AUTH_TRUNC, e.g. hmac(sha512), 64-byte key, 64-byte trunc),
  configure a small interface MTU (68 bytes), and set XFRMA_TFCPAD to a
  large value. When a single UDP datagram is then sent through the
  tunnel, xfrm_state_mtu() underflows to a near-2^32 value, and
  esp_output() consumes it as a signed int via:

        padto      = min(x->tfcpad, xfrm_state_mtu(x, mtu_cached))
        esp.tfclen = padto - skb->len   (assigned to int)

  esp.tfclen ends up negative (e.g. -207). It is sign-extended to size_t
  when passed to memset() inside esp_output_fill_trailer(), producing a
  ~16 EB write of zeroes at skb_tail_pointer(skb). KASAN logs it as
  "Write of size 18446744073709551537 at addr ffff888...".

Check for underflow and return 1. This causes the sendmsg attempt to
fail with ENETUNREACH.

Fixes: c5c252389374 ("[XFRM]: Optimize MTU calculation")
Reported-by: Leo Lin <leo@depthfirst.com>
Assisted-by: Codex:26.506.31004
Signed-off-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_state.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index f6ba58f18ac18e..1b81e92e3eee78 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3113,10 +3113,14 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
 	const struct xfrm_type *type = READ_ONCE(x->type);
 	struct crypto_aead *aead;
 	u32 blksize, net_adj = 0;
+	u32 overhead, payload_mtu;
 
 	if (x->km.state != XFRM_STATE_VALID ||
-	    !type || type->proto != IPPROTO_ESP)
+	    !type || type->proto != IPPROTO_ESP) {
+		if (mtu <= x->props.header_len)
+			return 1;
 		return mtu - x->props.header_len;
+	}
 
 	aead = x->data;
 	blksize = ALIGN(crypto_aead_blocksize(aead), 4);
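Review bot: the non-ESP path now returns 1 when `mtu <= x->props.header_len`, but nothing at the return site says that 1 is a deliberate "no usable MTU" sentinel rather than a real value; add a short comment (or a named constant) so a future reader does not try to "fix" it, and keep it in step with the ESP path further down, which returns the same sentinel. The commit message explains that the sentinel surfaces as ENETUNREACH on sendmsg; that is the behaviour to document where the value is produced.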
@@ -3139,8 +3143,17 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
 		break;
 	}
 
-	return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
-		 net_adj) & ~(blksize - 1)) + net_adj - 2;
+	overhead = x->props.header_len + crypto_aead_authsize(aead) + net_adj;
+	if (mtu <= overhead)
+		return 1;
+
+	payload_mtu = mtu - overhead;
+	payload_mtu &= ~(blksize - 1);
+	if (payload_mtu <= 2)
+		return 1;
+
+	return payload_mtu + net_adj - 2;
+
 }
 EXPORT_SYMBOL_GPL(xfrm_state_mtu);
 
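Review bot: the order of the checks matters and deserves a comment: `payload_mtu &= ~(blksize - 1)` can round a small positive payload down to 0, so the `payload_mtu <= 2` test has to come after the mask, not before, to keep the final `- 2` from wrapping; as written it is correct. Two nits: the stray blank line between `return payload_mtu + net_adj - 2;` and the closing `}`, and `overhead` is a u32 sum of three terms with no wrap check of its own; if each term is known to be small relative to u32 that is fine, but a comment saying so would complete the underflow reasoning the patch otherwise spells out carefully.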
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 000/307] 6.12.93-rc1 review
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

This is the start of the stable review cycle for the 6.12.93 release.
There are 307 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue, 09 Jun 2026 09:56:47 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.93-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 6.12.93-rc1

Pratyush Yadav (Google) <pratyush@kernel.org>
    memfd: deny writeable mappings when implying SEAL_WRITE

Liu Ye <liuye@kylinos.cn>
    mm/memfd: fix spelling and grammatical issues

Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
    mm: perform all memfd seal checks in a single place

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock

Abdurrahman Hussain <abdurrahman@nexthop.ai>
    hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock

Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
    x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines

Ingo Molnar <mingo@kernel.org>
    x86/alternatives: Rename 'apply_relocation()' to 'text_poke_apply_relocation()'

Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
    usb: typec: ucsi: Don't update power_supply on power role change if not connected

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()

Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
    usb: typec: ucsi: Check if power role change actually happened before handling

Wentao Liang <vulab@iscas.ac.cn>
    usb: musb: omap2430: Fix use-after-free in omap2430_probe()

Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
    usb: dwc3: xilinx: fix error handling in zynqmp init error paths

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: firewire-motu: Protect register DSP event queue positions

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: fix ref bit initialization for single-channel parts

Antoniu Miclaus <antoniu.miclaus@analog.com>
    iio: chemical: scd30: fix division by zero in write_raw

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: chemical: scd30: Use guard(mutex) to allow early returns

SeongJae Park <sj@kernel.org>
    mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()

Shardul Bankar <shardul.b@mpiricsoftware.com>
    mptcp: do not drop partial packets

Paolo Abeni <pabeni@redhat.com>
    mptcp: handle first subflow closing consistently

Paolo Abeni <pabeni@redhat.com>
    mptcp: introduce the mptcp_init_skb helper

Dawei Feng <dawei.feng@seu.edu.cn>
    octeontx2-pf: avoid double free of pool->stack on AQ init failure

Zeng Heng <zengheng4@huawei.com>
    arm64: tlb: Flush walk cache when unsharing PMD tables

Paolo Abeni <pabeni@redhat.com>
    mptcp: reset rcv wnd on disconnect

Paolo Abeni <pabeni@redhat.com>
    mptcp: cleanup fallback dummy mapping generation

Masami Hiramatsu (Google) <mhiramat@kernel.org>
    ring-buffer: Flush and stop persistent ring buffer on panic

Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
    ice: fix VF queue configuration with low MTU values

Li Xiasong <lixiasong1@huawei.com>
    mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient

Matthieu Baerts (NGI0) <matttbe@kernel.org>
    selftests: mptcp: drop nanoseconds width specifier

Michael Bommarito <michael.bommarito@gmail.com>
    net: hsr: defer node table free until after RCU readers

Lukas Wunner <lukas@wunner.de>
    platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery

Alistair Popple <apopple@nvidia.com>
    mm/memory: fix spurious warning when unmapping device-private/exclusive pages

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: scarlett2: Allow flash writes ending at segment boundary

Geoffrey D. Bennett <g@b4.vu>
    ALSA: scarlett2: Return ENOSPC for out-of-bounds flash writes

Shuai Zhang <shuai.zhang@oss.qualcomm.com>
    Bluetooth: hci_qca: Convert timeout from jiffies to ms

Uwe Kleine-König <u.kleine-koenig@baylibre.com>
    Bluetooth: hci_qca: Migrate to serdev specific shutdown function

Uwe Kleine-König <u.kleine-koenig@baylibre.com>
    serdev: Provide a bustype shutdown function

David Howells <dhowells@redhat.com>
    rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer

David Howells <dhowells@redhat.com>
    rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg

Aleksandr Nogikh <nogikh@google.com>
    x86/kexec: Disable KCOV instrumentation after load_segments()

Brian Gerst <brgerst@gmail.com>
    x86/boot: Disable stack protector for early boot code

Tushar Dave <tdave@nvidia.com>
    iommu: Skip PASID validation for devices without PASID capability

Wei-Cheng Chen <weichengc@nvidia.com>
    xhci: tegra: Fix ghost USB device on dual-role port unplug

Johan Hovold <johan@kernel.org>
    USB: serial: digi_acceleport: fix memory corruption with small endpoints

Johan Hovold <johan@kernel.org>
    USB: serial: cypress_m8: fix memory corruption with small endpoint

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Convert to use a platform device

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Switch to using channel reset

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Fix bootconsole handover lockup

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Convert to use a platform device

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Fix bootconsole handover lockup

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: dz: Fix bootconsole message clobbering at chip reset

David Francis <David.Francis@amd.com>
    drm/amdkfd: Check for pdd drm file first in CRIU restore path

Eric Huang <jinhuieric.huang@amd.com>
    drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger

Eric Huang <jinhuieric.huang@amd.com>
    drm/amdkfd: fix NULL pointer bug in svm_range_set_attr

Shitalkumar Gandhi <shital.gandhi45@gmail.com>
    serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: zs: Fix swapped RI/DSR modem line transition counting

Hongling Zeng <zenghongling@kylinos.cn>
    serial: sh-sci: fix memory region release in error path

Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
    serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ

Prasanna S <prasanna.s@oss.qualcomm.com>
    serial: qcom-geni: fix UART_RX_PAR_EN bit position

Myeonghun Pak <mhun512@gmail.com>
    serial: altera_jtaguart: handle uart_add_one_port() failures

Timur Kristóf <timur.kristof@gmail.com>
    drm/amd/pm/si: Disregard vblank time when no displays are connected

Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
    drm/i915: Fix potential UAF in TTM object purge

Berkant Koc <me@berkoc.com>
    drm/hyperv: validate VMBus packet size in receive callback

Berkant Koc <me@berkoc.com>
    drm/hyperv: validate resolution_count and fix WIN8 fallback

Alexandru Hossu <hossu.alexandru@gmail.com>
    scsi: target: iscsi: Validate CHAP_R length before base64 decode

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32

Michael Bommarito <michael.bommarito@gmail.com>
    scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow

Michael Bommarito <michael.bommarito@gmail.com>
    thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()

Michael Bommarito <michael.bommarito@gmail.com>
    usb: gadget: f_fs: serialize DMABUF cancel against request completion

Michael Bommarito <michael.bommarito@gmail.com>
    usb: gadget: f_fs: copy only received bytes on short ep0 read

Seungjin Bae <eeodqql09@gmail.com>
    usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports

Jeremy Erazo <mendozayt13@gmail.com>
    usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling

Guangshuo Li <lgs201920130244@gmail.com>
    usb: gadget: f_hid: fix device reference leak in hidg_alloc()

Guangshuo Li <lgs201920130244@gmail.com>
    usb: gadget: net2280: Fix double free in probe error path

Kai Aizen <kai.aizen.dev@gmail.com>
    usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind

Johan Hovold <johan@kernel.org>
    USB: serial: mct_u232: fix missing interrupt-in transfer sanity check

Johan Hovold <johan@kernel.org>
    USB: serial: mxuport: fix memory corruption with small endpoint

Johan Hovold <johan@kernel.org>
    USB: serial: keyspan: fix missing indat transfer sanity check

Zhang Cen <rollkingzzc@gmail.com>
    USB: serial: cypress_m8: validate interrupt packet headers

Zhang Cen <rollkingzzc@gmail.com>
    USB: serial: belkin_sa: validate interrupt status length

Wanquan Zhong <wanquan.zhong@fibocom.com>
    USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL

Jan Volckaert <janvolck@gmail.com>
    USB: serial: option: add MeiG SRM813Q

Sebastian Reichel <sebastian.reichel@collabora.com>
    usb: typec: tcpm: improve handling of DISCOVER_MODES failures

Heitor Alves de Siqueira <halves@igalia.com>
    usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize

Heitor Alves de Siqueira <halves@igalia.com>
    usb: usbtmc: check URB actual_length for interrupt-IN notifications

Michael Bommarito <michael.bommarito@gmail.com>
    usbip: vudc: Fix use after free bug in vudc_remove due to race condition

Sam Burkels <sam@1a38.nl>
    usb: storage: Add quirks for PNY Elite Portable SSD

Stephen J. Fuhry <fuhrysteve@gmail.com>
    USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers

Michal Pecio <michal.pecio@gmail.com>
    usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval

Xu Yang <xu.yang_2@nxp.com>
    usb: chipidea: core: convert ci_role_switch to local variable

Tudor Ambarus <tudor.ambarus@linaro.org>
    tty: serial: samsung: Remove redundant port lock acquisition in rx helpers

Zhaoyang Yu <2426767509@qq.com>
    tty: serial: pch_uart: add check for dma_alloc_coherent()

Guangshuo Li <lgs201920130244@gmail.com>
    counter: Fix refcount leak in counter_alloc() error path

Ian Abbott <abbotti@mev.co.uk>
    comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()

Ian Abbott <abbotti@mev.co.uk>
    comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()

Nicolás Bazaes <contacto@bazaes.cl>
    Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem

Ali Ganiyev <ali.qaniyev@gmail.com>
    ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops

Dmitriy Zharov <contact@zharov.dev>
    Input: xpad - add support for ASUS ROG RAIKIRI II

Qbeliw Tanaka <q.tanaka@gmx.com>
    Input: xpad - add "Nova 2 Lite" from GameSir

Jingguo Tan <tanjingguo@huawei.com>
    xfrm: esp: restore combined single-frag length gate

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: close stream only when running

Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
    netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check

Geoffrey D. Bennett <g@b4.vu>
    ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417

Michael Bommarito <michael.bommarito@gmail.com>
    xfrm: ah: use skb_to_full_sk in async output callbacks

Maoyi Xie <maoyixie.tju@gmail.com>
    xfrm: route MIGRATE notifications to caller's netns

Ashutosh Desai <ashutoshdesai993@gmail.com>
    nfc: hci: fix out-of-bounds read in HCP header parsing

Arnd Bergmann <arnd@arndb.de>
    iommu, debugobjects: avoid gcc-16.1 section mismatch warnings

Lee Jones <lee@kernel.org>
    HID: wacom: Fix OOB write in wacom_hid_set_device_mode()

Minh Nguyen <minhnguyen.080505@gmail.com>
    net: skbuff: fix missing zerocopy reference in pskb_carve helpers

Kuniyuki Iwashima <kuniyu@google.com>
    ip6: vti: Use ip6_tnl.net in vti6_changelink().

Michael Bommarito <michael.bommarito@gmail.com>
    l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname

Zhengchuan Liang <zcliangcn@gmail.com>
    xfrm: input: hold netns during deferred transport reinjection

Qi Tang <tpluszz77@gmail.com>
    ipv6: validate extension header length before copying to cmsg

Maoyi Xie <maoyixie.tju@gmail.com>
    ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().

Zhengchuan Liang <zcliangcn@gmail.com>
    ipv6: exthdrs: refresh nh after handling HAO option

Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
    ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params

Justin Iurman <justin.iurman@gmail.com>
    ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()

Junrui Luo <moonafterrain@outlook.com>
    macsec: fix replay protection at XPN lower-PN wrap

Yuqi Xu <xuyq21@lenovo.com>
    bpf: sockmap: fix tail fragment offset in bpf_msg_push_data

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: send: append trailer after expanding head

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: elan_i2c - validate firmware size before use

Dan Carpenter <error27@gmail.com>
    usb: dwc2: Fix use after free in debug code

Peter Chen <peter.chen@cixtech.com>
    usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles

Peter Chen <peter.chen@cixtech.com>
    usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure

Yongchao Wu <yongchao.wu@autochips.com>
    usb: cdns3: gadget: fix request skipping after clearing halt

Johan Hovold <johan@kernel.org>
    USB: serial: omninet: fix memory corruption with small endpoint

Benoît Monin <benoit.monin@bootlin.com>
    iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()

Felix Gu <ustc.gu@gmail.com>
    iio: buffer: hw-consumer: fix use-after-free in error path

Aldo Conte <aldocontelk@gmail.com>
    iio: light: cm3323: fix reg_conf not being initialized correctly

Advait Dhamorikar <advaitd@mechasystems.com>
    iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL

Salah Triki <salah.triki@gmail.com>
    iio: temperature: tsys01: fix broken PROM checksum validation

Sanjay Chitroda <sanjayembeddedse@gmail.com>
    iio: ssp_sensors: cancel delayed work_refresh on remove

Antoniu Miclaus <antoniu.miclaus@analog.com>
    iio: gyro: adis16260: fix division by zero in write_raw

David Carlier <devnexen@gmail.com>
    iio: gyro: itg3200: fix i2c read into the wrong stack location

Salah Triki <salah.triki@gmail.com>
    iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw

Salah Triki <salah.triki@gmail.com>
    iio: adc: mt6359: fix unchecked return value in mt6358_read_imp

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: acquire lock when doing powerdown control

Rodrigo Alencar <rodrigo.alencar@analog.com>
    iio: dac: ad5686: fix input raw value check

Salah Triki <salah.triki@gmail.com>
    iio: dac: max5821: fix return value check in powerdown sync

David Carlier <devnexen@gmail.com>
    iio: adc: npcm: fix unbalanced clk_disable_unprepare()

Christofer Jonason <christofer.jonason@guidelinegeo.com>
    iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux

Nathan Chancellor <nathan@kernel.org>
    Disable -Wattribute-alias for clang-23 and newer

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Check PSC request indices against the actual size of the buffer

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Compute the correct max length of the in-GHCB scratch area

Sean Christopherson <seanjc@google.com>
    KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests

Michael Roth <michael.roth@amd.com>
    KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC

Qiang Ma <maqianga@uniontech.com>
    KVM: arm64: PMU: Preserve AArch32 counter low bits

Wentao Guan <guanwentao@uniontech.com>
    USB: cdc-acm: Fix bit overlap and move quirk definitions to header

Ben Hutchings <benh@debian.org>
    parport: Fix race between port and client registration

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Input: xpad - fix out-of-bounds access for Share button

Doruk Tan Ozturk <doruk@0sec.ai>
    Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: ISO: fix UAF in iso_recv_frame

Muhammad Bilal <meatuni001@gmail.com>
    Bluetooth: HIDP: fix missing length checks in hidp_input_report()

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn

Siwei Zhang <oss@fourdim.xyz>
    Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()

Stepan Ionichev <sozdayvek@gmail.com>
    auxdisplay: line-display: fix OOB read on zero-length message_store()

Linpu Yu <linpu5433@gmail.com>
    ipc: limit next_id allocation to the valid ID range

Mikulas Patocka <mpatocka@redhat.com>
    hpfs: fix a crash if hpfs_map_dnode_bitmap fails

Shuai Zhang <shuai.zhang@oss.qualcomm.com>
    Bluetooth: btusb: Allow firmware re-download when version matches

hlleng <a909204013@gmail.com>
    HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse

Thomas Fourier <fourier.thomas@gmail.com>
    Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()

Henri A <contact@henrialfonso.com>
    media: rc: igorplugusb: fix control request setup packet

Johan Hovold <johan@kernel.org>
    USB: serial: safe_serial: fix memory corruption with small endpoint

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: validate connector number in ucsi_connector_change()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: altmodes/displayport: validate count before reading Status Update VDO

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    usb: typec: ucsi: ccg: reject firmware images without a ':' record header

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer

Sven Eckelmann <sven@narfation.org>
    batman-adv: tt: prevent TVLV entry number overflow

Horatiu Vultur <horatiu.vultur@microchip.com>
    phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X

Will Deacon <will@kernel.org>
    arm64: io: Extract user memory type in ioremap_prot()

Will Deacon <will@kernel.org>
    arm64: io: Rename ioremap_prot() to __ioremap_prot()

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used

Suraj Kandpal <suraj.kandpal@intel.com>
    drm/dp: Add eDP 1.5 bit definition

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Read Intel DPCD workaround register

Jouni Högander <jouni.hogander@intel.com>
    drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register

Nathan Chancellor <nathan@kernel.org>
    HID: core: Fix size_t specifier in hid_report_raw_event()

Benjamin Tissoires <bentiss@kernel.org>
    HID: core: introduce hid_safe_input_report()

Benjamin Tissoires <bentiss@kernel.org>
    HID: pass the buffer size to hid_report_raw_event

Vicki Pfau <vi@endrift.com>
    HID: core: Add printk_ratelimited variants to hid_warn() etc

Jakub Kicinski <kuba@kernel.org>
    inet: frags: flush pending skbs in fqdir_pre_exit()

Jakub Kicinski <kuba@kernel.org>
    inet: frags: add inet_frag_queue_flush()

Oliver Neukum <oneukum@suse.com>
    media: rc: ttusbir: fix inverted error logic

Sean Young <sean@mess.org>
    media: rc: fix race between unregister and urb/irq callbacks

Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
    mm/page_alloc: clear page->private in free_pages_prepare()

Sven Eckelmann <sven@narfation.org>
    batman-adv: bla: avoid double decrement of bla.num_requests

Sven Eckelmann <sven@narfation.org>
    batman-adv: tt: avoid empty VLAN responses

Sven Eckelmann <sven@narfation.org>
    batman-adv: tt: fix TOCTOU race for reported vlans

Sven Eckelmann <sven@narfation.org>
    batman-adv: tp_meter: directly shut down timer on cleanup

Peter Oberparleiter <oberpar@linux.ibm.com>
    s390/cio: Restore GFP_DMA for CHSC allocation

Sven Eckelmann <sven@narfation.org>
    batman-adv: tp_meter: avoid role confusion in tp_list

Sven Eckelmann <sven@narfation.org>
    batman-adv: iv: recover OGM scheduling after forward packet error

Sven Eckelmann <sven@narfation.org>
    batman-adv: tvlv: reject oversized TVLV packets

Sven Eckelmann <sven@narfation.org>
    batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface

Sven Eckelmann <sven@narfation.org>
    batman-adv: tt: reject oversized local TVLV buffers

Sven Eckelmann <sven@narfation.org>
    batman-adv: tvlv: abort OGM send on tvlv append failure

Sven Eckelmann <sven@narfation.org>
    batman-adv: v: stop OGMv2 on disabled interface

Yeoreum Yun <yeoreum.yun@arm.com>
    perf: Fix dangling cgroup pointer in cpuctx

Pavel Begunkov <asml.silence@gmail.com>
    net: skbuff: fix pskb_carve leaking zcopy pages

Jiayuan Chen <jiayuan.chen@linux.dev>
    ipv6: fix possible infinite loop in fib6_select_path()

Jiayuan Chen <jiayuan.chen@linux.dev>
    ipv6: fix possible infinite loop in rt6_fill_node()

Zhenghang Xiao <kipreyyy@gmail.com>
    sctp: fix race between sctp_wait_for_connect and peeloff

Dipayaan Roy <dipayanroy@linux.microsoft.com>
    net: mana: Add NULL guards in teardown path to prevent panic on attach failure

Marco Scardovi <scardracs@disroot.org>
    gpio: rockchip: convert bank->clk to devm_clk_get_enabled()

Dan Carpenter <error27@gmail.com>
    gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()

Heitor Alves de Siqueira <halves@igalia.com>
    Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp

Zhenghang Xiao <kipreyyy@gmail.com>
    Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success

Chuck Lever <chuck.lever@oracle.com>
    net/handshake: Drain pending requests at net namespace exit

Chuck Lever <chuck.lever@oracle.com>
    net/handshake: Take a long-lived file reference at submit

Al Viro <viro@zeniv.linux.org.uk>
    remove pointless includes of <linux/fdtable.h>

Chuck Lever <chuck.lever@oracle.com>
    net/handshake: Pass negative errno through handshake_complete()

Chuck Lever <chuck.lever@oracle.com>
    nvme-tcp: store negative errno in queue->tls_err

Chuck Lever <chuck.lever@oracle.com>
    net/handshake: Use spin_lock_bh for hn_lock

Victor Nogueira <victor@mojatatu.com>
    net/sched: act_mirred: Fix return code in early mirred redirect error paths

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop

Jamal Hadi Salim <jhs@mojatatu.com>
    net: Introduce skb tc depth field to track packet loops

Eric Dumazet <edumazet@google.com>
    net/sched: act_mirred: add loop detection

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    net/sched: act_mirred: Move the recursion counter struct netdev_xmit

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: fix packet loop on netem when duplicate is on

Jamal Hadi Salim <jhs@mojatatu.com>
    net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"

Rahul Chandelkar <rc@rexion.ai>
    ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()

Jakub Kicinski <kuba@kernel.org>
    ethtool: eeprom: add more safeties to EEPROM Netlink fallback

Jakub Kicinski <kuba@kernel.org>
    ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback

Jakub Kicinski <kuba@kernel.org>
    ethtool: strset: fix header attribute index in ethnl_req_get_phydev()

Jakub Kicinski <kuba@kernel.org>
    ethtool: pse-pd: fix missing ethnl_ops_complete()

Jakub Kicinski <kuba@kernel.org>
    ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error

Jakub Kicinski <kuba@kernel.org>
    ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES

Oliver Hartkopp <socketcan@hartkopp.net>
    bonding: refuse to enslave CAN devices

Zhao Dongdong <zhaodongdong@kylinos.cn>
    Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: codecs: simple-mux: Fix enum control bounds check

Eric Dumazet <edumazet@google.com>
    tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()

Eric Dumazet <edumazet@google.com>
    vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()

Eric Dumazet <edumazet@google.com>
    tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()

Li Ming <ming.li@zohomail.com>
    cxl/test: Update mock dev array before calling platform_device_add()

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: validate fw->size against start_cmd_payload_size

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: validate start_cmd_payload_size from module

Danielle Ratson <danieller@nvidia.com>
    net: ethtool: Add support for writing firmware blocks using EPL payload

Danielle Ratson <danieller@nvidia.com>
    net: ethtool: Add new parameters and a function to support EPL

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl

Jakub Kicinski <kuba@kernel.org>
    ethtool: cmis: require exact CDB reply length

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: fix cleanup if socket used for flashing multiple devices

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: check fw_flash_in_progress under rtnl_lock

Jakub Kicinski <kuba@kernel.org>
    ethtool: module: avoid leaking a netdev ref on module flash errors

Jakub Kicinski <kuba@kernel.org>
    ethtool: rss: fix hkey leak when indir_size is 0

Björn Töpel <bjorn@kernel.org>
    net: Avoid checksumming unreadable skb tail on trim

Alexander Stein <alexander.stein@ew.tq-group.com>
    gpio: mxc: fix irq_high handling

Dan Carpenter <error27@gmail.com>
    accel/ivpu: prevent uninitialized data bug in debugfs

Luka Gejak <luka.gejak@linux.dev>
    net: hsr: fix potential OOB access in supervision frame handling

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors

Cássio Gabriel <cassiogabrielcontato@gmail.com>
    ALSA: pcm: oss: Fix setup list UAF on proc write error

Eric Dumazet <edumazet@google.com>
    ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()

David Jeffery <djeffery@redhat.com>
    scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues

Breno Leitao <leitao@debian.org>
    net/iucv: fix locking in .getsockopt

Alexandra Winter <wintera@linux.ibm.com>
    net/smc: Do not re-initialize smc hashtables

Ilya Maximets <i.maximets@ovn.org>
    net: netlink: don't set nsid on local notifications

Ilya Maximets <i.maximets@ovn.org>
    net: netlink: fix sending unassigned nsid after assigned one

Ziyu Zhang <ziyuzhang201@gmail.com>
    vsock: keep poll shutdown state consistent

Weiming Shi <bestswngs@gmail.com>
    tun: free page on build_skb failure in tun_xdp_one()

Weiming Shi <bestswngs@gmail.com>
    tun: free page on short-frame rejection in tun_xdp_one()

Florian Westphal <fw@strlen.de>
    netfilter: ebtables: fix OOB read in compat_mtw_from_user

Florian Westphal <fw@strlen.de>
    netfilter: xt_cpu: prefer raw_smp_processor_id

Chris Mason <clm@meta.com>
    netfilter: synproxy: refresh tcphdr after skb_ensure_writable

Deepanshu Kartikey <kartikey406@gmail.com>
    kernel/fork: validate exit_signal in kernel_clone()

Florian Schmaus <florian.schmaus@codasip.com>
    kunit: fix use-after-free in debugfs when using kunit.filter

Carl Lee <carl.lee@amd.com>
    nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems

David Ahern <dahern@nvidia.com>
    xfrm: Check for underflow in xfrm_state_mtu

Lee Jones <lee@kernel.org>
    nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()

Lee Jones <lee@kernel.org>
    nfc: llcp: Fix use-after-free in llcp_sock_release()

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: always unmask interrupts in el0_softstp()

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: remove debug exception registration infrastructure

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: split bkpt32 exception entry

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: split brk64 exception entry

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: split hardware watchpoint exception entry

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: split single stepping exception entry

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: refactor reinstall_suspended_bps()

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: split hardware breakpoint exception entry

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: entry: Add entry and exit functions for debug exceptions

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: remove break/step handler registration infrastructure

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: call step handlers statically

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: call software breakpoint handlers statically

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: refactor aarch32_break_handler()

Ada Couprie Diaz <ada.coupriediaz@arm.com>
    arm64: debug: clean up single_step_handler logic

Mostafa Saleh <smostafa@google.com>
    arm64: Introduce esr_is_ubsan_brk()

Kevin Hao <haokexin@gmail.com>
    net: cpsw_new: Fix potential unregister of netdev that has not been registered yet

Mingzhe Zou <mingzhe.zou@easystack.cn>
    bcache: fix uninitialized closure object

Victor Nogueira <victor@mojatatu.com>
    net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked

Usama Arif <usama.arif@linux.dev>
    xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit

Jeremy Kerr <jk@codeconstruct.com.au>
    net: mctp: ensure our nlmsg responses are initialised

Davide Caratti <dcaratti@redhat.com>
    net/sched: cls_fw: fix NULL dereference of "old" filters before change()

Maíra Canal <mcanal@igalia.com>
    drm/v3d: Release indirect CSD GEM reference on CPU job free

Maíra Canal <mcanal@igalia.com>
    drm/v3d: Fix use-after-free of CPU job query arrays on error path

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size


-------------

Diffstat:

 Documentation/netlink/specs/handshake.yaml         |   8 +
 Makefile                                           |   4 +-
 arch/alpha/include/asm/Kbuild                      |   1 +
 arch/arc/include/asm/Kbuild                        |   1 +
 arch/arm/include/asm/Kbuild                        |   1 +
 arch/arm64/include/asm/debug-monitors.h            |  34 +--
 arch/arm64/include/asm/esr.h                       |   5 +
 arch/arm64/include/asm/exception.h                 |  14 +-
 arch/arm64/include/asm/io.h                        |  24 +-
 arch/arm64/include/asm/kgdb.h                      |  12 +
 arch/arm64/include/asm/kprobes.h                   |   8 +
 arch/arm64/include/asm/ring_buffer.h               |  10 +
 arch/arm64/include/asm/system_misc.h               |   4 -
 arch/arm64/include/asm/tlb.h                       |   2 +-
 arch/arm64/include/asm/traps.h                     |   6 +
 arch/arm64/include/asm/uprobes.h                   |  11 +
 arch/arm64/kernel/acpi.c                           |   2 +-
 arch/arm64/kernel/debug-monitors.c                 | 258 ++++++++-------------
 arch/arm64/kernel/entry-common.c                   | 148 +++++++++++-
 arch/arm64/kernel/hw_breakpoint.c                  |  60 ++---
 arch/arm64/kernel/kgdb.c                           |  39 +---
 arch/arm64/kernel/probes/kprobes.c                 |  31 +--
 arch/arm64/kernel/probes/kprobes_trampoline.S      |   2 +-
 arch/arm64/kernel/probes/uprobes.c                 |  24 +-
 arch/arm64/kernel/traps.c                          |  80 +------
 arch/arm64/kvm/pmu-emul.c                          |   4 +-
 arch/arm64/mm/fault.c                              |  75 ------
 arch/arm64/mm/ioremap.c                            |   7 +-
 arch/csky/include/asm/Kbuild                       |   1 +
 arch/hexagon/include/asm/Kbuild                    |   1 +
 arch/loongarch/include/asm/Kbuild                  |   1 +
 arch/m68k/include/asm/Kbuild                       |   1 +
 arch/microblaze/include/asm/Kbuild                 |   1 +
 arch/mips/dec/platform.c                           | 109 ++++++++-
 arch/mips/include/asm/Kbuild                       |   1 +
 arch/nios2/include/asm/Kbuild                      |   1 +
 arch/openrisc/include/asm/Kbuild                   |   1 +
 arch/parisc/include/asm/Kbuild                     |   1 +
 arch/powerpc/include/asm/Kbuild                    |   1 +
 arch/riscv/include/asm/Kbuild                      |   1 +
 arch/riscv/include/asm/syscall_wrapper.h           |   4 +
 arch/s390/include/asm/Kbuild                       |   1 +
 arch/sh/include/asm/Kbuild                         |   1 +
 arch/sparc/include/asm/Kbuild                      |   1 +
 arch/um/include/asm/Kbuild                         |   1 +
 arch/x86/include/asm/Kbuild                        |   1 +
 arch/x86/include/asm/text-patching.h               |   2 +-
 arch/x86/kernel/Makefile                           |  16 ++
 arch/x86/kernel/alternative.c                      |   6 +-
 arch/x86/kernel/callthunks.c                       |   6 +-
 arch/x86/kernel/ftrace.c                           |   7 +
 arch/x86/kvm/svm/avic.c                            |  35 ++-
 arch/x86/kvm/svm/sev.c                             |  68 ++++--
 arch/x86/mm/Makefile                               |   2 +
 arch/xtensa/include/asm/Kbuild                     |   1 +
 drivers/accel/ivpu/ivpu_debugfs.c                  |   2 +-
 drivers/auxdisplay/line-display.c                  |   2 +-
 drivers/bluetooth/btusb.c                          |   8 +-
 drivers/bluetooth/hci_qca.c                        |  38 ++-
 drivers/comedi/drivers/comedi_test.c               |   5 +-
 drivers/counter/counter-core.c                     |   3 +-
 drivers/gpio/gpio-mxc.c                            |   2 +-
 drivers/gpio/gpio-rockchip.c                       |   6 +-
 drivers/gpio/gpio-virtuser.c                       |   4 +-
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c           |  10 +-
 .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c  |   8 +-
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c               |   3 +
 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c         |   4 +
 drivers/gpu/drm/bridge/sil-sii8620.c               |   1 +
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c          | 113 +++++++--
 drivers/gpu/drm/i915/display/intel_display_types.h |   1 +
 drivers/gpu/drm/i915/display/intel_dpcd.h          |  15 ++
 drivers/gpu/drm/i915/display/intel_psr.c           |  34 ++-
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c            |  28 ++-
 drivers/gpu/drm/v3d/v3d_sched.c                    |  16 +-
 drivers/gpu/drm/v3d/v3d_submit.c                   |  22 +-
 drivers/hid/bpf/hid_bpf_dispatch.c                 |   6 +-
 drivers/hid/hid-core.c                             |  62 ++++-
 drivers/hid/hid-gfrm.c                             |   4 +-
 drivers/hid/hid-ids.h                              |   1 +
 drivers/hid/hid-logitech-hidpp.c                   |   2 +-
 drivers/hid/hid-multitouch.c                       |   2 +-
 drivers/hid/hid-picolcd_cir.c                      |   1 +
 drivers/hid/hid-primax.c                           |   2 +-
 drivers/hid/hid-quirks.c                           |   1 +
 drivers/hid/hid-vivaldi-common.c                   |   2 +-
 drivers/hid/i2c-hid/i2c-hid-core.c                 |   7 +-
 drivers/hid/usbhid/hid-core.c                      |  11 +-
 drivers/hid/wacom_sys.c                            |  19 +-
 drivers/hid/wacom_wac.h                            |   1 +
 drivers/hwmon/pmbus/adm1266.c                      |  54 ++++-
 drivers/iio/adc/mt6359-auxadc.c                    |   1 +
 drivers/iio/adc/npcm_adc.c                         |  25 +-
 drivers/iio/adc/viperboard_adc.c                   |   4 +-
 drivers/iio/adc/xilinx-xadc-core.c                 |  11 +-
 drivers/iio/buffer/industrialio-hw-consumer.c      |   4 +-
 drivers/iio/chemical/scd30_core.c                  |  65 +++---
 drivers/iio/common/ssp_sensors/ssp_dev.c           |   1 +
 drivers/iio/dac/ad5686.c                           |  16 +-
 drivers/iio/dac/ad5686.h                           |   1 +
 drivers/iio/dac/max5821.c                          |   9 +-
 drivers/iio/gyro/adis16260.c                       |   3 +
 drivers/iio/gyro/itg3200_buffer.c                  |   2 +-
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c     |   2 +-
 drivers/iio/industrialio-buffer.c                  |   1 +
 drivers/iio/light/cm3323.c                         |   5 +-
 drivers/iio/magnetometer/st_magn_core.c            |  13 +-
 drivers/iio/temperature/tsys01.c                   |   2 +-
 drivers/input/joystick/xpad.c                      |  14 +-
 drivers/input/misc/ims-pcu.c                       |   2 +-
 drivers/input/mouse/elan_i2c_core.c                |   5 +
 drivers/input/mouse/synaptics.c                    |   1 +
 drivers/input/touchscreen/atmel_mxt_ts.c           |   2 +-
 drivers/input/touchscreen/usbtouchscreen.c         |   5 +
 drivers/iommu/io-pgtable-arm-v7s.c                 |  18 +-
 drivers/iommu/iommu.c                              |  25 +-
 drivers/md/bcache/super.c                          |   3 +-
 drivers/media/cec/core/cec-core.c                  |   2 +-
 drivers/media/common/siano/smsir.c                 |   1 +
 drivers/media/i2c/ir-kbd-i2c.c                     |   2 +
 drivers/media/pci/bt8xx/bttv-input.c               |   3 +-
 drivers/media/pci/cx23885/cx23885-input.c          |   1 +
 drivers/media/pci/cx88/cx88-input.c                |   3 +-
 drivers/media/pci/dm1105/dm1105.c                  |   1 +
 drivers/media/pci/mantis/mantis_input.c            |   1 +
 drivers/media/pci/saa7134/saa7134-input.c          |   1 +
 drivers/media/pci/smipcie/smipcie-ir.c             |   1 +
 drivers/media/pci/ttpci/budget-ci.c                |   1 +
 drivers/media/rc/ati_remote.c                      |   6 +-
 drivers/media/rc/ene_ir.c                          |   2 +-
 drivers/media/rc/fintek-cir.c                      |   3 +-
 drivers/media/rc/igorplugusb.c                     |   3 +-
 drivers/media/rc/iguanair.c                        |   1 +
 drivers/media/rc/img-ir/img-ir-hw.c                |   3 +-
 drivers/media/rc/img-ir/img-ir-raw.c               |   3 +-
 drivers/media/rc/imon.c                            |   3 +-
 drivers/media/rc/ir-hix5hd2.c                      |   2 +-
 drivers/media/rc/ir_toy.c                          |   1 +
 drivers/media/rc/ite-cir.c                         |   2 +-
 drivers/media/rc/mceusb.c                          |   1 +
 drivers/media/rc/rc-ir-raw.c                       |   5 -
 drivers/media/rc/rc-loopback.c                     |   1 +
 drivers/media/rc/rc-main.c                         |   6 +-
 drivers/media/rc/redrat3.c                         |   4 +-
 drivers/media/rc/st_rc.c                           |   2 +-
 drivers/media/rc/streamzap.c                       |   7 +-
 drivers/media/rc/sunxi-cir.c                       |   1 +
 drivers/media/rc/ttusbir.c                         |   4 +-
 drivers/media/rc/winbond-cir.c                     |   2 +-
 drivers/media/rc/xbox_remote.c                     |   5 +-
 drivers/media/usb/au0828/au0828-input.c            |   1 +
 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c        |   1 +
 drivers/media/usb/dvb-usb/dvb-usb-remote.c         |   6 +-
 drivers/media/usb/em28xx/em28xx-input.c            |   1 +
 drivers/net/bonding/bond_main.c                    |   6 +
 drivers/net/ethernet/intel/ice/ice_virtchnl.c      |   2 +-
 .../ethernet/marvell/octeontx2/nic/otx2_common.c   |   2 +
 drivers/net/ethernet/microsoft/mana/mana_en.c      |  72 +++---
 drivers/net/ethernet/ti/cpsw_new.c                 |   4 +-
 drivers/net/macsec.c                               |   3 +-
 drivers/net/phy/mscc/mscc.h                        |   8 +-
 drivers/net/phy/mscc/mscc_main.c                   |  23 +-
 drivers/net/tun.c                                  |   5 +-
 drivers/net/vxlan/vxlan_core.c                     |   4 +-
 drivers/net/wireguard/send.c                       |  20 +-
 drivers/nfc/nxp-nci/i2c.c                          |  21 +-
 drivers/nvme/host/tcp.c                            |   2 +-
 drivers/parport/share.c                            |  11 +-
 drivers/platform/x86/intel/vsec.c                  |  36 +--
 drivers/s390/cio/chsc.c                            |   4 +-
 drivers/s390/cio/chsc_sch.c                        |  20 +-
 drivers/s390/cio/scm.c                             |   2 +-
 drivers/scsi/fcoe/fcoe_ctlr.c                      |   2 +-
 drivers/scsi/scsi_lib.c                            |  27 ++-
 drivers/scsi/scsi_transport_fc.c                   |  77 +++---
 drivers/staging/greybus/hid.c                      |   2 +-
 drivers/staging/media/av7110/av7110_ir.c           |   1 +
 drivers/target/iscsi/iscsi_target.c                |   6 +-
 drivers/target/iscsi/iscsi_target_auth.c           |  19 +-
 drivers/target/iscsi/iscsi_target_nego.c           |   7 +-
 drivers/target/iscsi/iscsi_target_parameters.c     |  62 +++--
 drivers/target/iscsi/iscsi_target_parameters.h     |   2 +-
 drivers/thunderbolt/property.c                     |  32 ++-
 drivers/tty/serdev/core.c                          |  21 ++
 drivers/tty/serial/altera_jtaguart.c               |   7 +-
 drivers/tty/serial/dz.c                            | 171 +++++++-------
 drivers/tty/serial/fsl_lpuart.c                    |  15 +-
 drivers/tty/serial/pch_uart.c                      |  19 +-
 drivers/tty/serial/qcom_geni_serial.c              |  16 +-
 drivers/tty/serial/samsung_tty.c                   |   8 -
 drivers/tty/serial/sh-sci.c                        |   2 +-
 drivers/tty/serial/zs.c                            | 218 +++++++----------
 drivers/tty/serial/zs.h                            |   1 -
 drivers/usb/cdns3/cdns3-gadget.c                   |  12 +-
 drivers/usb/cdns3/cdns3-plat.c                     |  11 +-
 drivers/usb/chipidea/core.c                        |  16 +-
 drivers/usb/class/cdc-acm.c                        |   2 -
 drivers/usb/class/cdc-acm.h                        |   2 +
 drivers/usb/class/usbtmc.c                         |  14 ++
 drivers/usb/core/config.c                          |   9 +-
 drivers/usb/core/quirks.c                          |   4 +
 drivers/usb/dwc2/hcd.c                             |   4 +-
 drivers/usb/dwc3/dwc3-xilinx.c                     |  26 ++-
 drivers/usb/gadget/composite.c                     |   5 +-
 drivers/usb/gadget/function/f_fs.c                 |  26 ++-
 drivers/usb/gadget/function/f_hid.c                |   3 +-
 drivers/usb/gadget/function/f_uvc.c                |  28 ++-
 drivers/usb/gadget/udc/dummy_hcd.c                 |   4 +
 drivers/usb/gadget/udc/net2280.c                   |   4 +-
 drivers/usb/host/xhci-tegra.c                      |  77 +++---
 drivers/usb/musb/omap2430.c                        |   3 +-
 drivers/usb/serial/belkin_sa.c                     |   3 +
 drivers/usb/serial/cypress_m8.c                    |  20 +-
 drivers/usb/serial/digi_acceleport.c               |  23 +-
 drivers/usb/serial/keyspan.c                       |   4 +
 drivers/usb/serial/mct_u232.c                      |   5 +
 drivers/usb/serial/mxuport.c                       |   8 +
 drivers/usb/serial/omninet.c                       |   9 +-
 drivers/usb/serial/option.c                        |   9 +-
 drivers/usb/serial/safe_serial.c                   |  11 +
 drivers/usb/storage/unusual_uas.h                  |   7 +
 drivers/usb/typec/altmodes/displayport.c           |   2 +
 drivers/usb/typec/tcpm/tcpci_maxim_core.c          |   9 +
 drivers/usb/typec/tcpm/tcpm.c                      | 117 ++++++----
 drivers/usb/typec/tcpm/wcove.c                     |  13 +-
 drivers/usb/typec/ucsi/displayport.c               |   4 +
 drivers/usb/typec/ucsi/ucsi.c                      |  24 +-
 drivers/usb/typec/ucsi/ucsi_ccg.c                  |   5 +
 drivers/usb/usbip/vudc_dev.c                       |   1 +
 drivers/usb/usbip/vudc_transfer.c                  |   3 +-
 fs/fcntl.c                                         |   1 -
 fs/file_table.c                                    |   1 -
 fs/hpfs/alloc.c                                    |   2 +-
 fs/hugetlbfs/inode.c                               |   5 -
 fs/notify/fanotify/fanotify.c                      |   1 -
 fs/notify/fanotify/fanotify_user.c                 |   1 -
 fs/overlayfs/copy_up.c                             |   1 -
 fs/proc/base.c                                     |   1 -
 fs/smb/server/smbacl.c                             |   8 +-
 include/asm-generic/ring_buffer.h                  |  13 ++
 include/drm/display/drm_dp.h                       |   1 +
 include/kunit/test.h                               |   1 +
 include/linux/compat.h                             |   4 +
 include/linux/compiler-clang.h                     |   6 +
 include/linux/compiler_attributes.h                |  11 +
 include/linux/compiler_types.h                     |   4 +
 include/linux/hid.h                                |  17 +-
 include/linux/hid_bpf.h                            |  14 +-
 include/linux/memfd.h                              |  23 +-
 include/linux/mm.h                                 |  55 -----
 include/linux/netdevice_xmit.h                     |  10 +
 include/linux/parport.h                            |   1 +
 include/linux/serdev.h                             |   1 +
 include/linux/skbuff.h                             |   2 +
 include/linux/syscalls.h                           |   4 +
 include/media/rc-core.h                            |   2 -
 include/net/inet_frag.h                            |  18 +-
 include/net/ipv6_frag.h                            |   9 +-
 include/net/xfrm.h                                 |   3 +-
 io_uring/io_uring.c                                |   1 -
 ipc/util.c                                         |   2 +-
 kernel/bpf/bpf_inode_storage.c                     |   1 -
 kernel/bpf/bpf_task_storage.c                      |   1 -
 kernel/bpf/token.c                                 |   1 -
 kernel/events/core.c                               |  16 +-
 kernel/exit.c                                      |   1 -
 kernel/fork.c                                      |  11 +-
 kernel/module/dups.c                               |   1 -
 kernel/module/kmod.c                               |   1 -
 kernel/trace/ring_buffer.c                         |  22 ++
 kernel/umh.c                                       |   1 -
 lib/debugobjects.c                                 |   2 +-
 lib/kunit/executor.c                               |  19 +-
 lib/kunit/test.c                                   |   1 +
 mm/damon/sysfs-schemes.c                           |   8 +-
 mm/memfd.c                                         |  56 ++++-
 mm/memory.c                                        |   2 +-
 mm/mmap.c                                          |  12 +-
 mm/page_alloc.c                                    |   1 +
 mm/shmem.c                                         |   6 -
 net/batman-adv/bat_iv_ogm.c                        |  82 +++++--
 net/batman-adv/bat_v_ogm.c                         |  59 +++--
 net/batman-adv/bridge_loop_avoidance.c             |  57 +++--
 net/batman-adv/soft-interface.c                    |   1 +
 net/batman-adv/tp_meter.c                          |  67 +++---
 net/batman-adv/translation-table.c                 |  57 ++++-
 net/batman-adv/tvlv.c                              |  28 ++-
 net/batman-adv/tvlv.h                              |   2 +-
 net/batman-adv/types.h                             |  42 +++-
 net/bluetooth/6lowpan.c                            |   2 +
 net/bluetooth/hci_sync.c                           |  12 +-
 net/bluetooth/hidp/core.c                          |  23 +-
 net/bluetooth/iso.c                                |  12 +-
 net/bluetooth/l2cap_core.c                         |  41 +++-
 net/bluetooth/l2cap_sock.c                         |  16 +-
 net/bridge/netfilter/ebtables.c                    |  30 +++
 net/core/filter.c                                  |   2 +-
 net/core/skbuff.c                                  |  45 +++-
 net/ethtool/cmis.h                                 |  20 +-
 net/ethtool/cmis_cdb.c                             | 103 ++++++--
 net/ethtool/cmis_fw_update.c                       | 214 ++++++++++++-----
 net/ethtool/coalesce.c                             |   6 +
 net/ethtool/eeprom.c                               |  10 +-
 net/ethtool/linkstate.c                            |   6 +-
 net/ethtool/module.c                               |  26 +--
 net/ethtool/netlink.c                              |   4 +-
 net/ethtool/netlink.h                              |   4 +-
 net/ethtool/pse-pd.c                               |  10 +-
 net/ethtool/rss.c                                  |   3 +-
 net/ethtool/strset.c                               |   2 +-
 net/handshake/genl.c                               |   3 +-
 net/handshake/genl.h                               |   1 +
 net/handshake/handshake-test.c                     |   2 +-
 net/handshake/handshake.h                          |   6 +-
 net/handshake/netlink.c                            |  22 +-
 net/handshake/request.c                            |  64 +++--
 net/handshake/tlshd.c                              |   6 +-
 net/hsr/hsr_forward.c                              |   4 +-
 net/hsr/hsr_framereg.c                             |   6 +-
 net/ipv4/ah4.c                                     |   2 +-
 net/ipv4/esp4.c                                    |   4 +-
 net/ipv4/inet_fragment.c                           |  51 +++-
 net/ipv4/ip_fragment.c                             |  18 +-
 net/ipv4/ip_tunnel_core.c                          |  22 +-
 net/ipv4/sysctl_net_ipv4.c                         |   2 +-
 net/ipv6/ah6.c                                     |   2 +-
 net/ipv6/datagram.c                                |  54 ++++-
 net/ipv6/esp6.c                                    |   4 +-
 net/ipv6/exthdrs.c                                 |   6 +-
 net/ipv6/ip6_vti.c                                 |  23 +-
 net/ipv6/route.c                                   |   5 +
 net/iucv/af_iucv.c                                 |  20 +-
 net/key/af_key.c                                   |   6 +-
 net/l2tp/l2tp_core.c                               |  11 +-
 net/mctp/device.c                                  |   1 +
 net/mctp/neigh.c                                   |   1 +
 net/mctp/route.c                                   |   1 +
 net/mptcp/pm.c                                     |  40 +++-
 net/mptcp/pm_netlink.c                             |  16 +-
 net/mptcp/protocol.c                               |  92 +++++---
 net/mptcp/protocol.h                               |   3 +-
 net/mptcp/subflow.c                                |   8 +-
 net/netfilter/nf_conntrack_proto_tcp.c             |   3 +-
 net/netfilter/nf_synproxy_core.c                   |   2 +
 net/netfilter/xt_cpu.c                             |   2 +-
 net/netlink/af_netlink.c                           |  11 +-
 net/nfc/hci/core.c                                 |  10 +
 net/nfc/llcp_core.c                                |  11 +
 net/nfc/llcp_sock.c                                |   2 +
 net/nfc/nci/hci.c                                  |  10 +
 net/rxrpc/ar-internal.h                            |  12 +-
 net/rxrpc/call_event.c                             |  27 +--
 net/rxrpc/call_object.c                            |   2 +
 net/rxrpc/conn_event.c                             |  30 +--
 net/rxrpc/insecure.c                               |   8 +-
 net/rxrpc/recvmsg.c                                |  68 ++++--
 net/rxrpc/rxkad.c                                  | 115 ++++-----
 net/sched/act_mirred.c                             |  77 ++++--
 net/sched/cls_fw.c                                 |   6 +-
 net/sched/sch_netem.c                              |  47 +---
 net/sched/sch_sfb.c                                |   2 +-
 net/sctp/socket.c                                  |   2 +
 net/smc/af_smc.c                                   |   4 +-
 net/vmw_vsock/af_vsock.c                           |  49 ++--
 net/vmw_vsock/hyperv_transport.c                   |   9 +-
 net/vmw_vsock/virtio_transport_common.c            |  14 +-
 net/vmw_vsock/vmci_transport.c                     |   8 +-
 net/xfrm/xfrm_input.c                              |  16 +-
 net/xfrm/xfrm_policy.c                             |  17 +-
 net/xfrm/xfrm_state.c                              |  23 +-
 net/xfrm/xfrm_user.c                               |   5 +-
 security/apparmor/domain.c                         |   1 -
 sound/core/oss/pcm_oss.c                           |  18 +-
 .../motu/motu-register-dsp-message-parser.c        |  14 +-
 sound/soc/codecs/simple-mux.c                      |   2 +-
 sound/soc/intel/boards/bytcht_es8316.c             |  29 ++-
 sound/soc/qcom/qdsp6/q6asm-dai.c                   |  43 ++--
 sound/usb/mixer_scarlett2.c                        |  38 ++-
 tools/testing/cxl/test/cxl.c                       | 105 ++++-----
 tools/testing/selftests/mm/hmm-tests.c             |  50 ++++
 tools/testing/selftests/net/mptcp/mptcp_connect.sh |   6 +-
 tools/testing/selftests/net/mptcp/mptcp_lib.sh     |  10 +-
 382 files changed, 3974 insertions(+), 2279 deletions(-)


* [PATCH 6.18 010/315] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 009/315] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 011/315] tools/bootconfig: Fix buf leaks in apply_xbc Greg Kroah-Hartman
                   ` (306 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Carl Lee, Bartosz Golaszewski,
	Mark Pearson, Luca Stefani, David Heidelberg, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Carl Lee <carl.lee@amd.com>

[ Upstream commit f23bf992d65a42007c517b060ca35cebdea3525a ]

Some ACPI-based platforms report incorrect IRQ trigger types (e.g.
IRQF_TRIGGER_HIGH), which can lead to interrupt storms.

Use the historically working rising-edge trigger on ACPI systems to
avoid this regression.

Device Tree-based systems continue to use the firmware-provided
trigger type.

Fixes: 57be33f85e36 ("nfc: nxp-nci: remove interrupt trigger type")
Signed-off-by: Carl Lee <carl.lee@amd.com>
Tested-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Luca Stefani <luca.stefani.ge1@gmail.com>
Link: https://patch.msgid.link/20260516-nfc-nxp-nci-i2c-restore-irq-trigger-fallback-v3-1-37ba4b6e9086@amd.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/nxp-nci/i2c.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index b3d34433bd14a0..a6c08175d9dd93 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -16,6 +16,7 @@
 #include <linux/delay.h>
 #include <linux/i2c.h>
 #include <linux/interrupt.h>
+#include <linux/irq.h>
 #include <linux/module.h>
 #include <linux/nfc.h>
 #include <linux/gpio/consumer.h>
@@ -267,6 +268,7 @@ static int nxp_nci_i2c_probe(struct i2c_client *client)
 {
 	struct device *dev = &client->dev;
 	struct nxp_nci_i2c_phy *phy;
+	unsigned long irqflags;
 	int r;
 
 	if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
@@ -303,9 +305,26 @@ static int nxp_nci_i2c_probe(struct i2c_client *client)
 	if (r < 0)
 		return r;
 
+	/*
+	 * ACPI platforms may report incorrect IRQ trigger types
+	 * (e.g. level-high), which can lead to interrupt storms.
+	 *
+	 * Use the historically stable rising-edge trigger for ACPI devices.
+	 *
+	 * On non-ACPI systems (e.g. Device Tree), prefer the firmware-
+	 * provided trigger type, falling back to rising-edge if not set.
+	 */
+	if (ACPI_COMPANION(dev)) {
+		irqflags = IRQF_TRIGGER_RISING;
+	} else {
+		irqflags = irq_get_trigger_type(client->irq);
+		if (!irqflags)
+			irqflags = IRQF_TRIGGER_RISING;
+	}
+
 	r = request_threaded_irq(client->irq, NULL,
 				 nxp_nci_i2c_irq_thread_fn,
-				 IRQF_ONESHOT,
+				 irqflags | IRQF_ONESHOT,
 				 NXP_NCI_I2C_DRIVER_NAME, phy);
 	if (r < 0)
 		nfc_err(&client->dev, "Unable to register IRQ handler\n");
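
Review bot: ACPI_COMPANION() in the new block comes from linux/acpi.h, while the only include this patch adds (first hunk) is linux/irq.h for irq_get_trigger_type(); please confirm i2c.c already includes linux/acpi.h directly rather than relying on a transitive include. The fallback `if (!irqflags)` is correct because irq_get_trigger_type() returns IRQ_TYPE_NONE (0) when firmware set no trigger, and the IRQ_TYPE_* values are numerically the same bits as IRQF_TRIGGER_*, so OR-ing the result with IRQF_ONESHOT is valid. The comment could also state the trade-off explicitly: on ACPI the firmware-declared trigger is ignored, so a platform whose tables correctly describe a level-triggered line now gets edge detection and depends on the threaded handler draining the device before the next edge.
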
-- 
2.53.0


* [PATCH 6.12 001/307] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.12 002/307] drm/v3d: Fix use-after-free of CPU job query arrays on error path Greg Kroah-Hartman
                   ` (305 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, stable

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.

nexio_read_data() pulls data_len and x_len from a packed __be16 header
in the device's interrupt packet and then walks packet->data[0..x_len)
and packet->data[x_len..data_len) comparing each byte against a
threshold.

Both fields are 16-bit on the wire (max 65535).  The existing
adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
reach roughly 0xfeff.  The URB transfer buffer for NEXIO is rept_size
(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
packed header — so packet->data[] has 1017 valid bytes.  read_data()
callbacks are not given urb->actual_length, and nothing else bounds the
walk.

A device that lies about its length can get a ~64 KiB out-of-bounds read
past the coherent DMA allocation.  The first index whose byte exceeds
NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
reported touch coordinates, so adjacent kernel memory contents leak to
userspace as ABS_X / ABS_Y events.  Far enough out, the read can also
hit an unmapped page and fault.

Fix this all by clamping data_len to the buffer's data[] capacity and
x_len to data_len.

Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/touchscreen/usbtouchscreen.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/touchscreen/usbtouchscreen.c
+++ b/drivers/input/touchscreen/usbtouchscreen.c
@@ -1070,6 +1070,11 @@ static int nexio_read_data(struct usbtou
 	if (x_len > 0xff)
 		x_len -= 0x80;
 
+	if (data_len > usbtouch->data_size - sizeof(*packet))
+		data_len = usbtouch->data_size - sizeof(*packet);
+	if (x_len > data_len)
+		x_len = data_len;
+
 	/* send ACK */
 	ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
 	if (ret)
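
Review bot: the clamp bounds the walk by the allocation, not by what the device actually transferred: `usbtouch->data_size - sizeof(*packet)` is the data[] capacity (1017 bytes for NEXIO per the commit message), so bytes between urb->actual_length and data_size are stale contents of the coherent buffer from earlier packets. That is no longer an out-of-bounds read, but a short packet carrying a large data_len still feeds leftover bytes into begin_x/begin_y; if read_data() callbacks can be given actual_length in a follow-up, clamping to that value would be tighter. The comparison against a size_t right-hand side is safe only because both fields come from 16-bit wire values and cannot be negative, and because data_size (rept_size, 1024) exceeds sizeof(*packet) so the subtraction cannot wrap; a one-line comment saying why the clamp exists would help the next reader.
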

* [PATCH 6.18 011/315] tools/bootconfig: Fix buf leaks in apply_xbc
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 010/315] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 012/315] HID: remove duplicate hid_warn_ratelimited definition Greg Kroah-Hartman
                   ` (305 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hongtao Lee,
	Masami Hiramatsu (Google), Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongtao Lee <lihongtao@kylinos.cn>

[ Upstream commit f42d01aadcedd7bbf4f9a466cabe25c1781dedad ]

If data calloc failed, free the buf before return.

Link: https://lore.kernel.org/all/20260520030126.147782-1-lihongtao@kylinos.cn/

Fixes: 950313ebf79c ("tools: bootconfig: Add bootconfig command")
Signed-off-by: Hongtao Lee <lihongtao@kylinos.cn>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/bootconfig/main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
index 643f707b8f1da1..ddabde20585f21 100644
--- a/tools/bootconfig/main.c
+++ b/tools/bootconfig/main.c
@@ -390,8 +390,10 @@ static int apply_xbc(const char *path, const char *xbc_path)
 
 	/* Backup the bootconfig data */
 	data = calloc(size + BOOTCONFIG_ALIGN + BOOTCONFIG_FOOTER_SIZE, 1);
-	if (!data)
+	if (!data) {
+		free(buf);
 		return -ENOMEM;
+	}
 	memcpy(data, buf, size);
 
 	/* Check the data format */
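
Review bot: the hunk fixes the calloc() failure return, but the context ends at `/* Check the data format */`, and any error return in that following check, or anywhere else before both data and buf are released, leaks buf the same way; please audit the rest of apply_xbc() for the same pattern rather than fixing one site, since a single error label that frees both buffers would make this hard to regress. The added braces around the two-statement body match kernel coding style.
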
-- 
2.53.0


* [PATCH 6.12 002/307] drm/v3d: Fix use-after-free of CPU job query arrays on error path
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.12 001/307] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.12 003/307] drm/v3d: Release indirect CSD GEM reference on CPU job free Greg Kroah-Hartman
                   ` (304 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Iago Toral Quiroga, Maíra Canal,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maíra Canal <mcanal@igalia.com>

[ Upstream commit b0fe80c0b9250b35e2211bf3117e7aca814a21b0 ]

The CPU job ioctl's fail label calls kvfree() on cpu_job's timestamp and
performance query arrays after v3d_job_cleanup(), which drops the job's
last reference and frees cpu_job. Reading cpu_job at that point is a
use-after-free. Also, on the early v3d_job_init() failure path, it is a
NULL dereference, since v3d_job_deallocate() zeroes the local pointer.

In the success path, the arrays are released from the scheduler's
.free_job callback, but on the error path, they are freed manually, as
the job was never pushed to the scheduler. While the success path deals
with this correctly, the fail path doesn't.

On top of that, the manual kvfree() calls only free the array storage;
they don't drm_syncobj_put() the per-query syncobjs that
v3d_timestamp_query_info_free() and v3d_performance_query_info_free()
release on the success path. So the same fail path that triggers the
use-after-free also leaks one syncobj reference per query.

Unify the CPU job teardown into the CPU job's kref destructor, mirroring
v3d_render_job_free(). The scheduler's .free_job slot reverts to the
generic v3d_sched_job_free() and the fail label drops the manual
kvfree() calls, leaving a single teardown path that is reached from both
the scheduler and the ioctl error path. That removes the use-after-free,
the NULL dereference, and the syncobj leak by construction.

Cc: stable@vger.kernel.org
Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job")
Assisted-by: Claude:claude-opus-4.7
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Link: https://patch.msgid.link/20260515-v3d-cpu-job-leaks-v1-1-7f147cbbf935@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/v3d/v3d_sched.c  | 16 +---------------
 drivers/gpu/drm/v3d/v3d_submit.c | 19 ++++++++++++++++---
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
index c9c88d3ad6698f..90eef062766c8d 100644
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -103,20 +103,6 @@ v3d_performance_query_info_free(struct v3d_performance_query_info *query_info,
 	}
 }
 
-static void
-v3d_cpu_job_free(struct drm_sched_job *sched_job)
-{
-	struct v3d_cpu_job *job = to_cpu_job(sched_job);
-
-	v3d_timestamp_query_info_free(&job->timestamp_query,
-				      job->timestamp_query.count);
-
-	v3d_performance_query_info_free(&job->performance_query,
-					job->performance_query.count);
-
-	v3d_job_cleanup(&job->base);
-}
-
 static void
 v3d_switch_perfmon(struct v3d_dev *v3d, struct v3d_job *job)
 {
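
Review bot: with v3d_cpu_job_free() moving out of this file, v3d_timestamp_query_info_free() and v3d_performance_query_info_free() (the latter visible in the hunk header) stay in v3d_sched.c but are now called from v3d_submit.c, so they must be non-static and declared in the shared v3d_drv.h; the diffstat shows no header change, so either they were already exported or this series needs one more hunk, and a build would show which.
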
@@ -846,7 +832,7 @@ static const struct drm_sched_backend_ops v3d_cache_clean_sched_ops = {
 static const struct drm_sched_backend_ops v3d_cpu_sched_ops = {
 	.run_job = v3d_cpu_job_run,
 	.timedout_job = v3d_generic_job_timedout,
-	.free_job = v3d_cpu_job_free
+	.free_job = v3d_sched_job_free
 };
 
 int
diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index ddc20191a1ceef..40c21aaade0d67 100644
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -118,6 +118,21 @@ v3d_render_job_free(struct kref *ref)
 	v3d_job_free(ref);
 }
 
+static void
+v3d_cpu_job_free(struct kref *ref)
+{
+	struct v3d_cpu_job *job = container_of(ref, struct v3d_cpu_job,
+					       base.refcount);
+
+	v3d_timestamp_query_info_free(&job->timestamp_query,
+				      job->timestamp_query.count);
+
+	v3d_performance_query_info_free(&job->performance_query,
+					job->performance_query.count);
+
+	v3d_job_free(ref);
+}
+
 void v3d_job_cleanup(struct v3d_job *job)
 {
 	if (!job)
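
Review bot: once v3d_job_init() installs v3d_cpu_job_free() as the kref release, it can run on a job whose query arrays are still NULL or only partially populated, so v3d_timestamp_query_info_free() and v3d_performance_query_info_free() must tolerate a zeroed query_info (queries == NULL, count == 0) and the .count fields must be kept accurate during setup rather than set only at the end; a one-line comment above the function stating that expectation would prevent a future regression. The ordering inside the destructor is right: the per-query syncobjs are put before v3d_job_free() drops the job memory.
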
@@ -1310,7 +1325,7 @@ v3d_submit_cpu_ioctl(struct drm_device *dev, void *data,
 	trace_v3d_submit_cpu_ioctl(&v3d->drm, cpu_job->job_type);
 
 	ret = v3d_job_init(v3d, file_priv, &cpu_job->base,
-			   v3d_job_free, 0, &se, V3D_CPU);
+			   v3d_cpu_job_free, 0, &se, V3D_CPU);
 	if (ret) {
 		v3d_job_deallocate((void *)&cpu_job);
 		goto fail;
@@ -1393,8 +1408,6 @@ v3d_submit_cpu_ioctl(struct drm_device *dev, void *data,
 	v3d_job_cleanup((void *)csd_job);
 	v3d_job_cleanup(clean_job);
 	v3d_put_multisync_post_deps(&se);
-	kvfree(cpu_job->timestamp_query.queries);
-	kvfree(cpu_job->performance_query.queries);
 
 	return ret;
 }
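
Review bot: removing the two kvfree() lines makes the fail label rely entirely on the kref destructor for cpu_job's query arrays, yet the visible context only shows v3d_job_cleanup() for csd_job and clean_job; please confirm that the fail label above these lines still calls v3d_job_cleanup(&cpu_job->base) (or an equivalent put) for cpu_job, and that it tolerates cpu_job being NULL after v3d_job_deallocate() zeroes it on the v3d_job_init() failure path. v3d_job_cleanup() already returns early on a NULL job (the `if (!job)` check in the earlier hunk), so the NULL case is covered if that is the call used.
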
-- 
2.53.0


* [PATCH 6.18 012/315] HID: remove duplicate hid_warn_ratelimited definition
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 011/315] tools/bootconfig: Fix buf leaks in apply_xbc Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 013/315] kunit: fix use-after-free in debugfs when using kunit.filter Greg Kroah-Hartman
                   ` (304 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Liu Kai, Benjamin Tissoires,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Liu Kai <lukace97@outlook.com>

[ Upstream commit dd2147375a8fe7c5bc3f1f1b1d3a9567c26faefa ]

The hid_warn_ratelimited macro is defined twice in include/linux/hid.h:
- first one added by commit 4051ead99888 ("HID: rate-limit hid_warn to
  prevent log flooding")
- second one added by commit 1d64624243af ("HID: core: Add
  printk_ratelimited variants to hid_warn() etc").

The second definition is correctly grouped with other ratelimited macros.
Remove the duplicate definition.

Fixes: 1d64624243af ("HID: core: Add printk_ratelimited variants to hid_warn() etc")
Signed-off-by: Liu Kai <lukace97@outlook.com>
[bentiss: edited commit message]
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/hid.h | 2 --
 1 file changed, 2 deletions(-)

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 204ada8d12e5c8..29561887bea8c0 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1276,8 +1276,6 @@ void hid_quirks_exit(__u16 bus);
 	dev_notice(&(hid)->dev, fmt, ##__VA_ARGS__)
 #define hid_warn(hid, fmt, ...)				\
 	dev_warn(&(hid)->dev, fmt, ##__VA_ARGS__)
-#define hid_warn_ratelimited(hid, fmt, ...)				\
-	dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
 #define hid_info(hid, fmt, ...)				\
 	dev_info(&(hid)->dev, fmt, ##__VA_ARGS__)
 #define hid_dbg(hid, fmt, ...)				\
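Review bot: the hunk removes only one of the two definitions, so the reader has to take on trust that the retained copy (grouped with the other *_ratelimited macros, per the commit message) expands to the same dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) form. A redefinition with an identical token sequence is accepted silently by the preprocessor, which is why the duplicate went unnoticed; a quick grep confirming exactly one hid_warn_ratelimited definition remains in include/linux/hid.h would close the review.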
-- 
2.53.0





* [PATCH 6.12 003/307] drm/v3d: Release indirect CSD GEM reference on CPU job free
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Iago Toral Quiroga, Maíra Canal,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maíra Canal <mcanal@igalia.com>

[ Upstream commit 6eb6e5acafa46854d4363e6c34981289995f3ace ]

v3d_get_cpu_indirect_csd_params() takes a reference to the indirect BO via
drm_gem_object_lookup() and stashes it in cpu_job->indirect_csd.indirect,
but nothing on the CPU job teardown path ever drops that reference.

Drop the extra reference in v3d_cpu_job_free(). The NULL check covers ioctl
errors before the lookup ran and CPU job types other than
V3D_CPU_JOB_TYPE_INDIRECT_CSD, which leave the field zero-initialised.

Cc: stable@vger.kernel.org
Fixes: 18b8413b25b7 ("drm/v3d: Create a CPU job extension for a indirect CSD job")
Assisted-by: Claude:claude-opus-4.7
Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
Link: https://patch.msgid.link/20260515-v3d-cpu-job-leaks-v1-2-7f147cbbf935@igalia.com
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/v3d/v3d_submit.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c
index 40c21aaade0d67..23472c7af41a96 100644
--- a/drivers/gpu/drm/v3d/v3d_submit.c
+++ b/drivers/gpu/drm/v3d/v3d_submit.c
@@ -130,6 +130,9 @@ v3d_cpu_job_free(struct kref *ref)
 	v3d_performance_query_info_free(&job->performance_query,
 					job->performance_query.count);
 
+	if (job->indirect_csd.indirect)
+		drm_gem_object_put(job->indirect_csd.indirect);
+
 	v3d_job_free(ref);
 }
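Review bot: the NULL test before drm_gem_object_put() relies on the CPU job being zero-allocated, so that job types other than V3D_CPU_JOB_TYPE_INDIRECT_CSD and ioctl failures before the lookup ran see a NULL indirect pointer, as the commit message states; a short comment tying the check to that zero-initialisation would protect it if the allocation ever changes. Placing the put before v3d_job_free(ref) is correct, since that call frees the job the field lives in.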
 
-- 
2.53.0





* [PATCH 6.18 013/315] kunit: fix use-after-free in debugfs when using kunit.filter
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Schmaus, Martin Kaiser,
	David Gow, Shuah Khan, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Schmaus <florian.schmaus@codasip.com>

[ Upstream commit fb6988b83b4cafe8db63999c1ddff1b7c66d2ff5 ]

When the kernel is booted with a kunit filter (e.g.,
kunit.filter="speed!=slow"), the kunit executor dynamically allocates
copies of the filtered test suites using kmalloc/kmemdup.

During the initial boot execution, kunit_debugfs_create_suite() creates
debugfs files (such as /sys/kernel/debug/kunit/<suite>/run) and
permanently stores a pointer to the dynamically allocated suite in the
inode's i_private field.

Previously, the executor freed this dynamically allocated suite_set
immediately after executing the boot-time tests. Because the debugfs
nodes were not destroyed, any subsequent interaction with the debugfs
`run` file from userspace triggered a use-after-free (UAF). On systems
with architectural capabilities, like CHERI RISC-V, this resulted in
an immediate fatal hardware exception due to the invalidation of the
capability tags on the reclaimed memory. On other architectures, it
resulted in silent memory corruption.

Fix this UAF by properly coupling the lifetime of the filtered suite
memory allocation to the lifetime of the kunit subsystem and its
associated VFS nodes. Ownership of the boot-time suite_set is now
transferred to a global tracker ('kunit_boot_suites'), and the memory
is cleanly released in kunit_exit() during module teardown.

Link: https://lore.kernel.org/r/20260507084854.233984-1-florian.schmaus@codasip.com
Fixes: e2219db280e3 ("kunit: add debugfs /sys/kernel/debug/kunit/<suite>/results display")
Signed-off-by: Florian Schmaus <florian.schmaus@codasip.com>
Reviewed-by: Martin Kaiser <martin@kaiser.cx>
Reviewed-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/kunit/test.h |  1 +
 lib/kunit/executor.c | 19 ++++++++++++++++---
 lib/kunit/test.c     |  1 +
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/kunit/test.h b/include/kunit/test.h
index 5ec5182b5e5751..aedffe2f2d49de 100644
--- a/include/kunit/test.h
+++ b/include/kunit/test.h
@@ -613,6 +613,7 @@ unsigned long kunit_vm_mmap(struct kunit *test, struct file *file,
 			    unsigned long offset);
 
 void kunit_cleanup(struct kunit *test);
+void kunit_free_boot_suites(void);
 
 void __printf(2, 3) kunit_log_append(struct string_stream *log, const char *fmt, ...);
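Review bot: the new kunit_free_boot_suites() prototype carries no comment; since it is the one public entry point that releases memory the debugfs nodes' i_private pointers refer to, a kernel-doc line stating that it must be called only after kunit_debugfs_cleanup() would document the ordering that lib/kunit/test.c depends on.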
 
diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
index 0061d4c7e35170..9abaed8275845f 100644
--- a/lib/kunit/executor.c
+++ b/lib/kunit/executor.c
@@ -15,6 +15,16 @@ extern struct kunit_suite * const __kunit_suites_end[];
 extern struct kunit_suite * const __kunit_init_suites_start[];
 extern struct kunit_suite * const __kunit_init_suites_end[];
 
+static struct kunit_suite_set kunit_boot_suites;
+
+void kunit_free_boot_suites(void)
+{
+	if (kunit_boot_suites.start) {
+		kunit_free_suite_set(kunit_boot_suites);
+		kunit_boot_suites = (struct kunit_suite_set){ NULL, NULL };
+	}
+}
+
 static char *action_param;
 
 module_param_named(action, action_param, charp, 0400);
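Review bot: kunit_free_boot_suites() reads and rewrites the file-scope kunit_boot_suites without any locking, which is fine only as long as its callers are kunit_run_all_tests() at boot and kunit_exit() at module teardown; a comment on the static saying it owns the boot-time filtered suite_set and naming those two touch points would make the invariant explicit. Resetting the set to { NULL, NULL } after freeing keeps the function safe to call twice.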
@@ -409,9 +419,12 @@ int kunit_run_all_tests(void)
 		pr_err("kunit executor: unknown action '%s'\n", action_param);
 
 free_out:
-	if (filter_glob_param || filter_param)
-		kunit_free_suite_set(suite_set);
-	else if (init_num_suites > 0)
+	if (filter_glob_param || filter_param) {
+		if (err)
+			kunit_free_suite_set(suite_set);
+		else
+			kunit_boot_suites = suite_set;
+	} else if (init_num_suites > 0)
 		/* Don't use kunit_free_suite_set because suites aren't individually allocated */
 		kfree(suite_set.start);
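Review bot: on the err path the filtered suite_set is still freed immediately, which is only safe if err is set before any suite has been handed to kunit_debugfs_create_suite(); otherwise the same dangling i_private pointer this patch removes survives on that path, so confirm where err is assigned in kunit_run_all_tests(). Style: with the first branch now braced, kernel coding style asks for braces on the `} else if (init_num_suites > 0)` branch too, comment and kfree() included.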
 
diff --git a/lib/kunit/test.c b/lib/kunit/test.c
index 62eb529824c657..f0e1e02a98d8b3 100644
--- a/lib/kunit/test.c
+++ b/lib/kunit/test.c
@@ -1056,6 +1056,7 @@ static void __exit kunit_exit(void)
 	kunit_bus_shutdown();
 
 	kunit_debugfs_cleanup();
+	kunit_free_boot_suites();
 }
 module_exit(kunit_exit);
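Review bot: the ordering is the important part and it is correct: kunit_debugfs_cleanup() tears down the debugfs nodes whose i_private points into the boot suites before kunit_free_boot_suites() releases them. Note this only runs when kunit is built as a module; for a built-in kunit the filtered suites now live for the kernel's lifetime, which is the intended outcome of the fix and worth a comment so nobody "fixes" the apparent leak.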
 
-- 
2.53.0





* [PATCH 6.18 014/315] accel/rocket: fix UAF via dangling GEM handle in create_bo
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dhabaleshwar Das, Tomeu Vizoso,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dhabaleshwar Das <dhabal123@gmail.com>

[ Upstream commit f706e6a4ce75585af979aec3dcbdce68bc76306b ]

rocket_ioctl_create_bo() inserts a GEM handle into the file's IDR via
drm_gem_handle_create() early on, then performs several operations that
can fail (sgt allocation, drm_mm insert, iommu_map). If any fail after
the handle is live, the error path calls drm_gem_shmem_object_free()
which kfree's the object without removing the handle from the IDR.

This leaves a dangling handle pointing to freed slab memory. Any
subsequent ioctl using that handle (PREP_BO, FINI_BO, SUBMIT) calls
drm_gem_object_lookup() and dereferences freed memory (UAF).

Fix by moving drm_gem_handle_create() to after all fallible operations
succeed, matching the pattern used by panfrost, lima, and etnaviv.

Also fix drm_mm_insert_node_generic() whose return value was silently
overwritten by iommu_map_sgtable() on the next line. Add the missing
error check.

[tomeu: Move handle creation to the very end]

Fixes: 658ebeac3351 ("accel/rocket: Add IOCTL for BO creation")
Reported-by: Dhabaleshwar Das <dhabal123@gmail.com>
Signed-off-by: Dhabaleshwar Das <dhabal123@gmail.com>
Reviewed-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
Link: https://patch.msgid.link/20260521165720.2113571-1-tomeu@tomeuvizoso.net
Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/accel/rocket/rocket_gem.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/accel/rocket/rocket_gem.c b/drivers/accel/rocket/rocket_gem.c
index c3c86e1abd25a3..b1b24d60973e82 100644
--- a/drivers/accel/rocket/rocket_gem.c
+++ b/drivers/accel/rocket/rocket_gem.c
@@ -78,11 +78,6 @@ int rocket_ioctl_create_bo(struct drm_device *dev, void *data, struct drm_file *
 	rkt_obj->size = args->size;
 	rkt_obj->offset = 0;
 
-	ret = drm_gem_handle_create(file, gem_obj, &args->handle);
-	drm_gem_object_put(gem_obj);
-	if (ret)
-		goto err;
-
 	sgt = drm_gem_shmem_get_pages_sgt(shmem_obj);
 	if (IS_ERR(sgt)) {
 		ret = PTR_ERR(sgt);
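Review bot: with drm_gem_handle_create() gone from this point, the local gem_obj reference that the removed drm_gem_object_put(gem_obj) used to drop is now held across drm_gem_shmem_get_pages_sgt() and the later steps, so every `goto err` between here and the new put at the end must release the object exactly once via the err label (not visible in this hunk); confirm that label's release matches the reference now being held, since the commit message notes it frees the object directly rather than via a put.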
@@ -94,6 +89,8 @@ int rocket_ioctl_create_bo(struct drm_device *dev, void *data, struct drm_file *
 					 rkt_obj->size, PAGE_SIZE,
 					 0, 0);
 	mutex_unlock(&rocket_priv->mm_lock);
+	if (ret)
+		goto err;
 
 	ret = iommu_map_sgtable(rocket_priv->domain->domain,
 				rkt_obj->mm.start,
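Review bot: the added check sits after mutex_unlock() and jumps to `err` rather than `err_remove_node`, which is right because a failed drm_mm_insert_node_generic() leaves no node to remove. Before this change the insert's return value was overwritten by iommu_map_sgtable() on the next line, so a failed insert went on to map at an unset rkt_obj->mm.start; a comment at the check noting that the unlock must precede the goto (err_remove_node retakes the lock) would help the next reader.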
@@ -111,8 +108,18 @@ int rocket_ioctl_create_bo(struct drm_device *dev, void *data, struct drm_file *
 	args->offset = drm_vma_node_offset_addr(&gem_obj->vma_node);
 	args->dma_address = rkt_obj->mm.start;
 
+	ret = drm_gem_handle_create(file, gem_obj, &args->handle);
+	if (ret)
+		goto err_unmap;
+
+	drm_gem_object_put(gem_obj);
+
 	return 0;
 
+err_unmap:
+	iommu_unmap(rocket_priv->domain->domain,
+		    rkt_obj->mm.start, rkt_obj->size);
+
 err_remove_node:
 	mutex_lock(&rocket_priv->mm_lock);
 	drm_mm_remove_node(&rkt_obj->mm);
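Review bot: handle creation is now the last fallible step, and on its failure err_unmap undoes the IOMMU mapping and falls through to err_remove_node and the rest of the unwind, which is the right shape. Two points to check: iommu_unmap() returns the size actually unmapped and its result is discarded here (acceptable in an error path, but a comment saying so is cheap), and the drm_gem_object_put() after a successful handle create drops the creation reference so the handle holds the only one, matching the panfrost/lima/etnaviv pattern the commit message cites.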
-- 
2.53.0





* [PATCH 6.12 004/307] net/sched: cls_fw: fix NULL dereference of "old" filters before change()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Davide Caratti,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit 65782b2db7321d5f97c16718c4c7f6c7205a56be ]

As pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched:
protect filter_chain list with filter_chain_lock mutex") TC filters are
added to a shared block and published to datapath before their ->change()
function is called. This is a problem for cls_fw: an invalid filter
created with the "old" method can still classify some packets before it
is destroyed by the validation logic added by Xiang.
Therefore, insisting with repeated runs of the following script:

 # ip link add dev crash0 type dummy
 # ip link set dev crash0 up
 # mausezahn  crash0 -c 100000 -P 10 \
 > -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
 # sleep 1
 # tc qdisc add dev crash0 egress_block 1 clsact
 # tc filter add block 1 protocol ip prio 1 matchall \
 > action skbedit mark 65536 continue
 # tc filter add block 1 protocol ip prio 2 fw
 # ip link del dev crash0

can still make fw_classify() hit the WARN_ON() in [2]:

 WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
 Modules linked in: cls_fw(E) act_skbedit(E)
 CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G            E       7.0.0-rc6-virtme #17 PREEMPT(full)
 Tainted: [E]=UNSIGNED_MODULE
 Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
 RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
 Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90
 RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202
 RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004
 RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40
 RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0
 R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000
 R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000
 FS:  00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0
 Call Trace:
  <TASK>
  tcf_classify+0x17d/0x5c0
  tc_run+0x9d/0x150
  __dev_queue_xmit+0x2ab/0x14d0
  ip_finish_output2+0x340/0x8f0
  ip_output+0xa4/0x250
  raw_sendmsg+0x147d/0x14b0
  __sys_sendto+0x1cc/0x1f0
  __x64_sys_sendto+0x24/0x30
  do_syscall_64+0x126/0xf80
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7fca40e822ba
 Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
 RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba
 RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003
 RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e
 R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000
  </TASK>
 irq event stamp: 1045778
 hardirqs last  enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60
 hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60
 softirqs last  enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260
 softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0

Then, because of the value in the packet's mark, dereference on 'q->handle'
with NULL 'q' occurs:

 BUG: kernel NULL  pointer dereference, address: 0000000000000038
 [...]
 RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
 [...]

Skip "old-style" classification on shared blocks, so that the NULL
dereference is fixed and WARN_ON() is not hit anymore in the short
lifetime of invalid cls_fw "old-style" filters.

[1] https://sashiko.dev/#/patchset/20260331050217.504278-1-xmei5%40asu.edu
[2] https://elixir.bootlin.com/linux/v7.0-rc6/source/include/net/pkt_cls.h#L86

Fixes: faeea8bbf6e9 ("net/sched: cls_fw: fix NULL pointer dereference on shared blocks")
Fixes: ed76f5edccc9 ("net: sched: protect filter_chain list with filter_chain_lock mutex")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/e39cbd3103a337f1e515d186fe697b4459d24757.1775661704.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/cls_fw.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 83a7372ea15c2a..fd9c6c2815a1c2 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -74,9 +74,13 @@ TC_INDIRECT_SCOPE int fw_classify(struct sk_buff *skb,
 			}
 		}
 	} else {
-		struct Qdisc *q = tcf_block_q(tp->chain->block);
+		struct Qdisc *q;
 
 		/* Old method: classify the packet using its skb mark. */
+		if (tcf_block_shared(tp->chain->block))
+			return -1;
+
+		q = tcf_block_q(tp->chain->block);
 		if (id && (TC_H_MAJ(id) == 0 ||
 			   !(TC_H_MAJ(id ^ q->handle)))) {
 			res->classid = id;
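Review bot: the early return for shared blocks is placed before tcf_block_q() is called, so `q` is never dereferenced for a shared block, which is what the NULL 'q' in the trace needed. The `/* Old method: classify the packet using its skb mark. */` comment now sits above the shared-block check rather than above the classification it describes; consider moving the new return above the comment, or extending the comment to say why shared blocks are skipped (a shared block has no owning qdisc for TC_H_MAJ(id ^ q->handle) to compare against).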
-- 
2.53.0





* [PATCH 6.18 015/315] kernel/fork: validate exit_signal in kernel_clone()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Deepanshu Kartikey, Oleg Nesterov,
	syzbot+bbe6b99feefc3a0842de, Michal Hocko, Ben Segall,
	Christian Brauner, David Hildenbrand, Dietmar Eggemann,
	Ingo Molnar, Juri Lelli, Kees Cook, Liam Howlett,
	Lorenzo Stoakes (Oracle), Mel Gorman, Mike Rapoport,
	Peter Zijlstra, Steven Rostedt, Suren Baghdasaryan,
	Valentin Schneider, Vincent Guittot, Vlastimil Babka,
	Tetsuo Handa, Andrew Morton, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]

When a child process exits, it sends exit_signal to its parent via
do_notify_parent().  The clone() syscall constructs exit_signal as:

(lower_32_bits(clone_flags) & CSIGNAL)

CSIGNAL is 0xff, so values in the range 65-255 are possible.  However,
valid_signal() only accepts signals up to _NSIG (64 on x86_64).  A
non-zero non-valid exit_signal acts the same as exit_signal == 0: the
parent process is not signaled when the child terminates.

The syzkaller reproducer triggers this by calling clone() with flags=0x80,
resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
is not a valid signal.

The v1 of this patch added the check only in the clone() syscall handler,
which is incomplete.  kernel_clone() has other callers such as
sys_ia32_clone() which would remain unprotected.  Move the check to
kernel_clone() to cover all callers.

Since the valid_signal() check is now in kernel_clone() and covers all
callers including clone3(), the same check in copy_clone_args_from_user()
becomes redundant and is removed.  The higher 32bits check for clone3() is
kept as it is clone3() specific.

Note that this is a user-visible change: previously, passing an invalid
exit_signal to clone() was silently accepted.  The man page for clone()
does not document any defined behavior for invalid exit_signal values, so
rejecting them with -EINVAL is the correct behavior.  It is unlikely that
any sane application relies on passing an invalid exit_signal.

[oleg@redhat.com: the comment above kernel_clone() should be updated]
  Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Ben Segall <bsegall@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Liam Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/fork.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 1215d3f52c6d21..521e9d2be6f097 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2562,8 +2562,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
  *
  * It copies the process, and if successful kick-starts
  * it and waits for it to finish using the VM if required.
- *
- * args->exit_signal is expected to be checked for sanity by the caller.
  */
 pid_t kernel_clone(struct kernel_clone_args *args)
 {
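Review bot: rather than deleting the sentence outright, replacing it with one stating that kernel_clone() validates args->exit_signal itself would keep the contract visible to in-kernel callers such as the ia32 clone path the commit message mentions, and to anyone adding a new caller later.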
@@ -2588,6 +2586,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
 	    (args->pidfd == args->parent_tid))
 		return -EINVAL;
 
+	if (!valid_signal(args->exit_signal))
+		return -EINVAL;
+
 	/*
 	 * Determine whether and which event to report to ptracer.  When
 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
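Review bot: valid_signal() accepts 0, so the exit_signal == 0 case (no signal to the parent) still passes and only values above _NSIG are rejected; the check also now covers in-kernel callers that build a kernel_clone_args themselves and derive exit_signal from their own flags, which is the intent. It sits after the pidfd/parent_tid sanity test and before any allocation or state change, so -EINVAL is returned without side effects.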
@@ -2786,11 +2787,9 @@ static noinline int copy_clone_args_from_user(struct kernel_clone_args *kargs,
 		return -EINVAL;
 
 	/*
-	 * Verify that higher 32bits of exit_signal are unset and that
-	 * it is a valid signal
+	 * Verify that higher 32bits of exit_signal are unset
 	 */
-	if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-		     !valid_signal(args.exit_signal)))
+	if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
 		return -EINVAL;
 
 	if ((args.flags & CLONE_INTO_CGROUP) &&
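Review bot: keeping the `& ~((u64)CSIGNAL)` test here is necessary rather than merely clone3-specific tidiness: args.exit_signal is a u64 read from userspace, while the kernel_clone_args field it is copied into is narrower, so bits set above the low byte, including any in the upper 32 bits that the narrowing copy would discard, could otherwise be truncated into a value valid_signal() accepts once it reaches kernel_clone(). The reworded comment could say so, to stop a later cleanup from removing the check as redundant.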
-- 
2.53.0





* [PATCH 6.12 005/307] net: mctp: ensure our nlmsg responses are initialised
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Simon Horman,
	Jakub Kicinski, Li hongliang, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Kerr <jk@codeconstruct.com.au>

[ Upstream commit a6a9bc544b675d8b5180f2718ec985ad267b5cbf ]

Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitialised data in the pad
bytes of the ndmsg data.

Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.

Fixes: 831119f88781 ("mctp: Add neighbour netlink interface")
Fixes: 06d2f4c583a7 ("mctp: Add netlink route management")
Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260209-dev-mctp-nlmsg-v1-1-f1e30c346a43@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mctp/device.c | 1 +
 net/mctp/neigh.c  | 1 +
 net/mctp/route.c  | 1 +
 3 files changed, 3 insertions(+)

diff --git a/net/mctp/device.c b/net/mctp/device.c
index 8d1386601bbe06..67576cb2728ece 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -70,6 +70,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->ifa_family = AF_MCTP;
 	hdr->ifa_prefixlen = 0;
 	hdr->ifa_flags = 0;
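Review bot: memset() of the whole ifaddrmsg is the robust choice over assigning each member, since it also covers padding the compiler adds and any member a future layout gains; as a follow-up, the explicit `hdr->ifa_prefixlen = 0;` and `hdr->ifa_flags = 0;` lines below the memset are now redundant and could be dropped to keep one source of truth for the zeroing.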
diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c
index 590f642413e4ef..c0151a69d2b7c2 100644
--- a/net/mctp/neigh.c
+++ b/net/mctp/neigh.c
@@ -218,6 +218,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 portid, u32 seq, int event,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->ndm_family = AF_MCTP;
 	hdr->ndm_ifindex = dev->ifindex;
 	hdr->ndm_state = 0; // TODO other state bits?
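Review bot: this is the hunk that closes the reported leak: struct ndmsg carries ndm_pad1 and ndm_pad2, which the field-by-field fill never wrote, so they left the skb holding whatever the buffer last contained and RTM_GETNEIGH copied that to userspace; the memset() covers them. `hdr->ndm_state = 0;` is now redundant, and the `// TODO other state bits?` C++-style comment on that line is pre-existing but could be converted to `/* */` while the line is being touched.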
diff --git a/net/mctp/route.c b/net/mctp/route.c
index ccba2abbbbfbcc..35a0681123a33f 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -1405,6 +1405,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt,
 		return -EMSGSIZE;
 
 	hdr = nlmsg_data(nlh);
+	memset(hdr, 0, sizeof(*hdr));
 	hdr->rtm_family = AF_MCTP;
 
 	/* we use the _len fields as a number of EIDs, rather than
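Review bot: same fix for rtmsg; the following comment says the _len members are repurposed as EID counts, so those are written explicitly anyway and the memset() only has to cover the remaining members and padding. Since all three MCTP fill functions needed the identical two-line change, a small helper that wraps nlmsg_put() and zeroes the returned header would stop a fourth message type from repeating the omission.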
-- 
2.53.0





* [PATCH 6.18 016/315] netfilter: synproxy: refresh tcphdr after skb_ensure_writable
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chris Mason,
	Fernando Fernandez Mancera, Florian Westphal, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Mason <clm@meta.com>

[ Upstream commit 92170e6afe927ab2792a3f71902845789c8e31b1 ]

synproxy_tstamp_adjust() rewrites the TCP timestamp option in place
and then patches the TCP checksum via inet_proto_csum_replace4() on
the caller-supplied tcphdr pointer.  Both ipv4_synproxy_hook() and
ipv6_synproxy_hook() obtain that pointer with skb_header_pointer()
before calling in, so it may either alias skb->head directly or
point at the caller's on-stack _tcph buffer.

Between obtaining the pointer and using it, the function calls
skb_ensure_writable(skb, optend), which on a cloned or non-linear
skb invokes pskb_expand_head() and frees the old skb->head.  After
that point the cached th is stale:

    caller (ipv[46]_synproxy_hook)
      th = skb_header_pointer(skb, ..., &_tcph)
      synproxy_tstamp_adjust(skb, protoff, th, ...)
        skb_ensure_writable(skb, optend)
          pskb_expand_head()        /* kfree(old skb->head) */
        ...
        inet_proto_csum_replace4(&th->check, ...)
                                    /* writes into freed head, or
                                       into the caller's stack copy
                                       leaving the on-wire checksum
                                       stale */

The option bytes are written through skb->data and are fine; only
the checksum update goes through th and so lands in the wrong
place.  The result is either a write into freed slab memory or a
packet leaving with a checksum that does not match its payload.

Fix by re-deriving th from skb->data + protoff immediately after
skb_ensure_writable() succeeds, so the subsequent checksum update
targets the linear, writable header.

Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_synproxy_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 3fa3f5dfb26444..6a851ac4dd048f 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -199,6 +199,8 @@ synproxy_tstamp_adjust(struct sk_buff *skb, unsigned int protoff,
 	if (skb_ensure_writable(skb, optend))
 		return 0;
 
+	th = (struct tcphdr *)(skb->data + protoff);
+
 	while (optoff < optend) {
 		unsigned char *op = skb->data + optoff;
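Review bot: re-deriving th from skb->data + protoff right after skb_ensure_writable() succeeds fixes the checksum write inside this function, but the caller's own th (obtained via skb_header_pointer() in ipv4_synproxy_hook()/ipv6_synproxy_hook()) is passed by value and is not refreshed; if either caller dereferences its th after synproxy_tstamp_adjust() returns it goes through the same stale pointer, so confirm they do not, or have the function return the refreshed pointer. A one-line comment above the new assignment saying why the reload is required would also stop a later cleanup from "simplifying" it away.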
 
-- 
2.53.0





* [PATCH 6.12 006/307] xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Usama Arif, Steffen Klassert,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Usama Arif <usama.arif@linux.dev>

[ Upstream commit 3e52417318473782012b236d0325bf7d2266a597 ]

The struct pernet_operations docstring in include/net/net_namespace.h
explicitly warns against blocking RCU primitives in .exit handlers:

    Exit methods using blocking RCU primitives, such as
    synchronize_rcu(), should be implemented via exit_batch.
    [...]
    Please, avoid synchronize_rcu() at all, where it's possible.

    Note that a combination of pre_exit() and exit() can
    be used, since a synchronize_rcu() is guaranteed between
    the calls.

xfrm_policy_fini() violates this: it calls synchronize_rcu() before
freeing the policy_bydst hash tables (so no RCU reader is mid-
traversal at free time), but runs from xfrm_net_ops.exit -- once per
namespace -- so a cleanup_net() of N namespaces pays N full RCU
grace periods serially.

Use the documented pre_exit/exit split. Move the policy flush (and
the workqueue drains it depends on) into a new .pre_exit handler;
xfrm_policy_fini() then runs in .exit and frees the hash tables
after the synchronize_rcu_expedited() that cleanup_net() guarantees
between the two phases, providing O(1) RCU grace periods per batch
instead of O(N).

Observed on Linux 6.18 with a workload doing unshare(CLONE_NEWNET)
at ~13/sec sustained: cleanup_net() and the netns_wq rescuer kthread
both stuck in xfrm_policy_fini()'s synchronize_rcu(), >300k struct
net accumulated in the cleanup queue, Percpu in /proc/meminfo climbed
to 130+ GB on 256-CPU hosts, and memcg OOMs followed. setup_net and
__put_net counts were balanced, ruling out a refcount leak.

Fixes: 069daad4f2ae ("xfrm: Wait for RCU readers during policy netns exit")
Signed-off-by: Usama Arif <usama.arif@linux.dev>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_policy.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index fca07f8e60749a..863e37d3d7f0f7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4264,21 +4264,21 @@ static int __net_init xfrm_policy_init(struct net *net)
 	return -ENOMEM;
 }
 
-static void xfrm_policy_fini(struct net *net)
+static void __net_exit xfrm_net_pre_exit(struct net *net)
 {
-	struct xfrm_pol_inexact_bin *b, *t;
-	unsigned int sz;
-	int dir;
-
 	disable_work_sync(&net->xfrm.policy_hthresh.work);
-
 	flush_work(&net->xfrm.policy_hash_work);
 #ifdef CONFIG_XFRM_SUB_POLICY
 	xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false);
 #endif
 	xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false);
+}
 
-	synchronize_rcu();
+static void xfrm_policy_fini(struct net *net)
+{
+	struct xfrm_pol_inexact_bin *b, *t;
+	unsigned int sz;
+	int dir;
 
 	WARN_ON(!list_empty(&net->xfrm.policy_all));
 
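Review bot: the dropped `synchronize_rcu();` is now an implicit dependency on cleanup_net() issuing a grace period between the pre_exit and exit phases; record that in a comment at the top of xfrm_policy_fini(), where the hash tables are freed, since nothing in this function shows why freeing without a local grace period is safe. It is also worth confirming that no other caller of xfrm_policy_fini() (an init error path, for instance) relied on the flush and work drains it no longer performs, and that the new `__net_exit` on xfrm_net_pre_exit() is mirrored on xfrm_policy_fini() if it now only runs from .exit.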
@@ -4356,6 +4356,7 @@ static void __net_exit xfrm_net_exit(struct net *net)
 
 static struct pernet_operations __net_initdata xfrm_net_ops = {
 	.init = xfrm_net_init,
+	.pre_exit = xfrm_net_pre_exit,
 	.exit = xfrm_net_exit,
 };
 
-- 
2.53.0





* [PATCH 6.18 017/315] netfilter: xt_cpu: prefer raw_smp_processor_id
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 016/315] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 018/315] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
                   ` (299 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+690d3e3ffa7335ac10eb,
	Florian Westphal, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit c376f07e16c02239ed44cabb97145d03f65b4d15 ]

With PREEMPT_RCU we get a splat:

BUG: using smp_processor_id() in preemptible [..]
caller is cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
CPU: 1 .. Comm: syz.3.1377 #0 PREEMPT(full)
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
 [..]

Just use the raw version instead.
This is similar to 14d14a5d2957 ("netfilter: nft_meta: use raw_smp_processor_id()").

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: syzbot+690d3e3ffa7335ac10eb@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/xt_cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_cpu.c b/net/netfilter/xt_cpu.c
index 3bdc302a0f9137..9cb259902a586b 100644
--- a/net/netfilter/xt_cpu.c
+++ b/net/netfilter/xt_cpu.c
@@ -34,7 +34,7 @@ static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_cpu_info *info = par->matchinfo;
 
-	return (info->cpu == smp_processor_id()) ^ info->invert;
+	return (info->cpu == raw_smp_processor_id()) ^ info->invert;
 }
 
 static struct xt_match cpu_mt_reg __read_mostly = {
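Review bot: raw_smp_processor_id() only silences the debug check; when cpu_mt() runs in a preemptible context the task can migrate after the id is read, so the verdict may refer to a CPU the packet is no longer being processed on. That is acceptable for a best-effort CPU match, but a comment above the `return` stating that this is intentional and pointing at 14d14a5d2957 would stop the next reader from "fixing" it back to smp_processor_id().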
-- 
2.53.0





* [PATCH 6.12 007/307] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.12 006/307] xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.12 008/307] bcache: fix uninitialized closure object Greg Kroah-Hartman
                   ` (299 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Victor Nogueria, Eric Dumazet,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Victor Nogueria <victor@mojatatu.com>

[ Upstream commit 1b9bc71153b01dbde8045b9edede4240f4f5520e ]

When sfb has children (e.g. qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (e.g. illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (sfb in this case), it will do the following:
 1a. do a peek() - and when sensing there's an skb the child can offer, then
     - the child in this case (sfb) calls its child's (qfq) peek.
        qfq does the right thing and will return the gso_skb queue packet.
        Note: if there wasn't a gso_skb entry then qfq will store it there.
 1b. invoke a dequeue() on the child (sfb). And herein lies the problem.
     - sfb will call the child's dequeue() which will essentially just
       try to grab something off qfq's queue.

[  127.594489][  T453] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[  127.594741][  T453] CPU: 2 UID: 0 PID: 453 Comm: ping Not tainted 7.1.0-rc1-00035-gac961974495b-dirty #793 PREEMPT(full)
[  127.595059][  T453] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  127.595254][  T453] RIP: 0010:qfq_dequeue+0x35c/0x1650 [sch_qfq]
[  127.595461][  T453] Code: 00 fc ff df 80 3c 02 00 0f 85 17 0e 00 00 4c 8d 73 48 48 89 9d b8 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 76 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
[  127.596081][  T453] RSP: 0018:ffff88810e5af440 EFLAGS: 00010216
[  127.596337][  T453] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
[  127.596623][  T453] RDX: 0000000000000009 RSI: 0000001880000000 RDI: ffff888104fd82b0
[  127.596917][  T453] RBP: ffff888104fd8000 R08: ffff888104fd8280 R09: 1ffff110211893a3
[  127.597165][  T453] R10: 1ffff110211893a6 R11: 1ffff110211893a7 R12: 0000001880000000
[  127.597404][  T453] R13: ffff888104fd82b8 R14: 0000000000000048 R15: 0000000040000000
[  127.597644][  T453] FS:  00007fc380cbfc40(0000) GS:ffff88816f2a8000(0000) knlGS:0000000000000000
[  127.597956][  T453] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  127.598160][  T453] CR2: 00005610aa9890a8 CR3: 000000010369e000 CR4: 0000000000750ef0
[  127.598390][  T453] PKRU: 55555554
[  127.598509][  T453] Call Trace:
[  127.598629][  T453]  <TASK>
[  127.598718][  T453]  ? mark_held_locks+0x40/0x70
[  127.598890][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599053][  T453]  sfb_dequeue+0x88/0x4d0
[  127.599174][  T453]  ? ktime_get+0x137/0x230
[  127.599328][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599480][  T453]  ? qdisc_peek_dequeued+0x7b/0x350 [sch_qfq]
[  127.599670][  T453]  ? srso_alias_return_thunk+0x5/0xfbef5
[  127.599831][  T453]  tbf_dequeue+0x6b1/0x1098 [sch_tbf]
[  127.599988][  T453]  __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off gso_skb queue.
This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()
method instead.

Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler")
Signed-off-by: Victor Nogueria <victor@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430152957.194015-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_sfb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index c36725f0870d46..9a2edaf8352adc 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -439,7 +439,7 @@ static struct sk_buff *sfb_dequeue(struct Qdisc *sch)
 	struct Qdisc *child = q->qdisc;
 	struct sk_buff *skb;
 
-	skb = child->dequeue(q->qdisc);
+	skb = qdisc_dequeue_peeked(child);
 
 	if (skb) {
 		qdisc_bstats_update(sch, skb);
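Review bot: the replacement is right, but nothing at the call site says why a direct `child->dequeue()` is wrong here; a short comment that the child's ->peek may have parked the skb in gso_skb, which only qdisc_dequeue_peeked() honours, would help, since the message describes a multi-patch series fixing the same pattern in other qdiscs.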
-- 
2.53.0





* [PATCH 6.18 018/315] netfilter: ebtables: fix OOB read in compat_mtw_from_user
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 017/315] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 019/315] netfilter: nf_tables: fix dst corruption in same register operation Greg Kroah-Hartman
                   ` (298 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Xin Liu, Luxiao Xu, Ren Wei, Fernando Fernandez Mancera,
	Florian Westphal, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit f438d1786d657d57790c5d138d6db3fc9fdac392 ]

Luxiao Xu says:

 The function compat_mtw_from_user() converts ebtables extensions from
 32-bit user structures to kernel native structures. However, it lacks
 proper validation of the user-supplied match_size/target_size.

 When certain extensions are processed, the kernel-side translation
 logic may perform memory accesses based on the extension's expected
 size. If the user provides a size smaller than what the extension
 requires, it results in an out-of-bounds read as reported by KASAN.

 This fix introduces a check to ensure match_size is at least as large
 as the extension's required compatsize. This covers matches, watchers,
 and targets, while maintaining compatibility with standard targets.

AFAIU this is relevant for matches that need to go through
match->compat_from_user() call.  Those that use plain memcpy with the
user-provided size are ok because the caller checks that size vs the
start of the next rule entry offset (which itself is checked vs. total
size copied from userspace).

The ->compat_from_user() callbacks assume they can read compatsize bytes,
so they need this extra check.

Based on an earlier patch from Luxiao Xu.

Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 77df9e856c2e73..ecd7baa25d7268 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1956,6 +1956,25 @@ enum compat_mwt {
 	EBT_COMPAT_TARGET,
 };
 
+static bool match_size_ok(const struct xt_match *match, unsigned int match_size)
+{
+	u16 csize;
+
+	if (match->matchsize == -1) /* cannot validate ebt_among */
+		return true;
+
+	csize = match->compatsize ? : match->matchsize;
+
+	return match_size >= csize;
+}
+
+static bool tgt_size_ok(const struct xt_target *tgt, unsigned int tgt_size)
+{
+	u16 csize = tgt->compatsize ? : tgt->targetsize;
+
+	return tgt_size >= csize;
+}
+
 static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 				enum compat_mwt compat_mwt,
 				struct ebt_entries_buf_state *state,
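Review bot: `u16 csize` truncates: matchsize and compatsize are `unsigned int` in struct xt_match, so a size above 65535 would be silently cut down and `match_size >= csize` could pass for a buffer that is too small; use `unsigned int` for csize in both match_size_ok() and tgt_size_ok(). The `matchsize == -1` special case also deserves a comment naming the check that does bound ebt_among (the caller's next-entry-offset check the message describes) so the "cannot validate" note does not read as an open hole.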
@@ -1981,6 +2000,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 		if (IS_ERR(match))
 			return PTR_ERR(match);
 
+		if (!match_size_ok(match, match_size)) {
+			module_put(match->me);
+			return -EINVAL;
+		}
+
 		off = ebt_compat_match_offset(match, match_size);
 		if (dst) {
 			if (match->compat_from_user)
@@ -2000,6 +2024,12 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 					    mwt->u.revision);
 		if (IS_ERR(wt))
 			return PTR_ERR(wt);
+
+		if (!tgt_size_ok(wt, match_size)) {
+			module_put(wt->me);
+			return -EINVAL;
+		}
+
 		off = xt_compat_target_offset(wt);
 
 		if (dst) {
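Review bot: the check sits after the lookup and releases the module reference on failure, which is right; since the message says this branch covers watchers and targets, the `match_size` variable passed to tgt_size_ok() is misleadingly named here, so either rename it or add a comment that it carries the watcher/target size in this arm.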
-- 
2.53.0





* [PATCH 6.12 008/307] bcache: fix uninitialized closure object
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.12 007/307] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.12 009/307] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
                   ` (298 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mingzhe Zou, Coly Li, Jens Axboe,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mingzhe Zou <mingzhe.zou@easystack.cn>

[ Upstream commit 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 ]

In the previous patch ("bcache: fix cached_dev.sb_bio use-after-free and
crash"), we adopted a simple modification suggestion from AI to fix the
use-after-free.

But in actual testing, we found an extreme case where the device is
stopped before calling bch_write_bdev_super().

At this point, struct closure sb_write has not been initialized yet.
For this patch, we ensure that sb_bio has been completed via
sb_write_mutex.

Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
Signed-off-by: Coly Li <colyli@fnnas.com>
Link: https://patch.msgid.link/20260403042135.2221247-1-colyli@fnnas.com
Fixes: fec114a98b87 ("bcache: fix cached_dev.sb_bio use-after-free and crash")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/bcache/super.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 6e0ac0958c10b5..f969ea43492531 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1378,7 +1378,8 @@ static CLOSURE_CALLBACK(cached_dev_free)
 	 * The sb_bio is embedded in struct cached_dev, so we must
 	 * ensure no I/O is in progress.
 	 */
-	closure_sync(&dc->sb_write);
+	down(&dc->sb_write_mutex);
+	up(&dc->sb_write_mutex);
 
 	if (dc->sb_disk)
 		put_page(virt_to_page(dc->sb_disk));
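Review bot: the `down()`/`up()` pair only works as a completion barrier if every sb_bio writer holds sb_write_mutex from submission until the bio's end_io releases it; the comment above still says only "ensure no I/O is in progress" and does not explain why acquiring and immediately releasing the semaphore guarantees that, nor why this is safe when sb_write was never initialised, so extend the comment with the reasoning from the message.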
-- 
2.53.0





* [PATCH 6.18 019/315] netfilter: nf_tables: fix dst corruption in same register operation
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 018/315] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 020/315] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
                   ` (297 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeremy Sowden,
	Fernando Fernandez Mancera, Florian Westphal, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fernando Fernandez Mancera <fmancera@suse.de>

[ Upstream commit 18014147d3ee7831dce53fe65d7fc8d428b02552 ]

For lshift and rshift, the shift operations are performed in a loop over
32-bit words. The loop calculates the shifted value and writes it to dst,
and then immediately reads from src to calculate the carry for the next
iteration. Because src and dst could point to the same memory location,
the carry is incorrectly calculated using the newly modified dst value
instead of the original src value.

Adding a temporary local variable to cache the original value before
writing to dst and using it for the carry calculation solves the
problem. In addition, partial overlap is rejected from the control plane for
all kinds of operations including byteorder. This was tested with the
following bytecode:

table test_table ip flags 0 use 1 handle 1
ip test_table test_chain use 3 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1
ip test_table test_chain 2
  [ immediate reg 1 0x44332211 0x88776655 ]
  [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]
  [ cmp eq reg 1 0x66443322 0x00887766 ]
  [ counter pkts 0 bytes 0 ]
ip test_table test_chain 4 3
  [ immediate reg 1 0x44332211 0x88776655 ]
  [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]
  [ cmp eq reg 1 0x55443322 0x00887766 ]
  [ counter pkts 21794 bytes 1917798 ]

Fixes: 567d746b55bc ("netfilter: bitwise: add support for shifts.")
Acked-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/netfilter/nf_tables.h |  7 +++++++
 net/netfilter/nft_bitwise.c       | 18 ++++++++++++++----
 net/netfilter/nft_byteorder.c     | 13 ++++++++++---
 3 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 4dc080f7f27c65..b35e8c02fadcd5 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -188,6 +188,13 @@ static inline u64 nft_reg_load64(const u32 *sreg)
 	return get_unaligned((u64 *)sreg);
 }
 
+static inline bool nft_reg_overlap(u8 src, u8 dst, u32 len)
+{
+	unsigned int n = DIV_ROUND_UP(len, sizeof(u32));
+
+	return src != dst && src < dst + n && dst < src + n;
+}
+
 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 				 unsigned int len)
 {
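Review bot: nft_reg_overlap() deliberately returns false for `src == dst`, because full aliasing is what the eval-side tmp_src fix handles, while any partial overlap is rejected; that intent is not visible from the expression, so add a kernel-doc comment saying exact aliasing is allowed and partial overlap is not, and note that `len` is in bytes while src and dst are 32-bit register indices.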
diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index af990c600745be..1afb36fb5994db 100644
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -43,8 +43,10 @@ static void nft_bitwise_eval_lshift(u32 *dst, const u32 *src,
 	u32 carry = 0;
 
 	for (i = DIV_ROUND_UP(priv->len, sizeof(u32)); i > 0; i--) {
-		dst[i - 1] = (src[i - 1] << shift) | carry;
-		carry = src[i - 1] >> (BITS_PER_TYPE(u32) - shift);
+		u32 tmp_src = src[i - 1];
+
+		dst[i - 1] = (tmp_src << shift) | carry;
+		carry = tmp_src >> (BITS_PER_TYPE(u32) - shift);
 	}
 }
 
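Review bot: caching `tmp_src` only makes this loop safe for full aliasing (src == dst); with src and dst offset by one word the carry would still be read from an already-written word, so the correctness of the loop depends on the nft_reg_overlap() rejection in init. A one-line comment here stating that dependency would stop the two halves of the fix from drifting apart.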
@@ -56,8 +58,10 @@ static void nft_bitwise_eval_rshift(u32 *dst, const u32 *src,
 	u32 carry = 0;
 
 	for (i = 0; i < DIV_ROUND_UP(priv->len, sizeof(u32)); i++) {
-		dst[i] = carry | (src[i] >> shift);
-		carry = src[i] << (BITS_PER_TYPE(u32) - shift);
+		u32 tmp_src = src[i];
+
+		dst[i] = carry | (tmp_src >> shift);
+		carry = tmp_src << (BITS_PER_TYPE(u32) - shift);
 	}
 }
 
@@ -235,6 +239,9 @@ static int nft_bitwise_init_bool(const struct nft_ctx *ctx,
 					      &priv->sreg2, priv->len);
 		if (err < 0)
 			return err;
+
+		if (nft_reg_overlap(priv->sreg2, priv->dreg, priv->len))
+			return -EINVAL;
 	}
 
 	return 0;
@@ -265,6 +272,9 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
 	if (err < 0)
 		return err;
 
+	if (nft_reg_overlap(priv->sreg, priv->dreg, priv->len))
+		return -EINVAL;
+
 	if (tb[NFTA_BITWISE_OP]) {
 		priv->op = ntohl(nla_get_be32(tb[NFTA_BITWISE_OP]));
 		switch (priv->op) {
diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index af9206a3afd181..5e7a7841b789b0 100644
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -144,9 +144,16 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
 	if (err < 0)
 		return err;
 
-	return nft_parse_register_store(ctx, tb[NFTA_BYTEORDER_DREG],
-					&priv->dreg, NULL, NFT_DATA_VALUE,
-					priv->len);
+	err = nft_parse_register_store(ctx, tb[NFTA_BYTEORDER_DREG],
+				       &priv->dreg, NULL, NFT_DATA_VALUE,
+				       priv->len);
+	if (err < 0)
+		return err;
+
+	if (nft_reg_overlap(priv->sreg, priv->dreg, priv->len))
+		return -EINVAL;
+
+	return 0;
 }
 
 static int nft_byteorder_dump(struct sk_buff *skb,
-- 
2.53.0




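The aliasing bug and the control-plane overlap check described in this commit message, written out as a stand-alone user-space C example (added here; it is not the patch's or the kernel's code). The loops mirror nft_bitwise_eval_lshift()/rshift() and nft_reg_overlap() from the hunks; the register words 0x11223344 0x55667788 are assumed to be the bytecode test's values with each word byte-swapped (the dump is assumed to print words in network byte order), and shift is assumed to be in 1..31.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Helpers mirroring the kernel macros used by nft_bitwise. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define BITS_PER_U32 32u

/*
 * Pre-fix loop (the '-' lines of the nft_bitwise.c hunk): the carry is
 * taken from src[i - 1] AFTER dst[i - 1] was written, so when src and
 * dst alias the carry comes from the shifted word, not the original.
 */
static void lshift_buggy(uint32_t *dst, const uint32_t *src,
			 unsigned int len, unsigned int shift)
{
	uint32_t carry = 0;
	unsigned int i;

	for (i = DIV_ROUND_UP(len, sizeof(uint32_t)); i > 0; i--) {
		dst[i - 1] = (src[i - 1] << shift) | carry;
		carry = src[i - 1] >> (BITS_PER_U32 - shift);
	}
}

/* Fixed loop (the '+' lines): read the source word once into tmp_src. */
static void lshift_fixed(uint32_t *dst, const uint32_t *src,
			 unsigned int len, unsigned int shift)
{
	uint32_t carry = 0;
	unsigned int i;

	for (i = DIV_ROUND_UP(len, sizeof(uint32_t)); i > 0; i--) {
		uint32_t tmp_src = src[i - 1];

		dst[i - 1] = (tmp_src << shift) | carry;
		carry = tmp_src >> (BITS_PER_U32 - shift);
	}
}

/* Fixed right shift; the carry flows the other way (low index to high). */
static void rshift_fixed(uint32_t *dst, const uint32_t *src,
			 unsigned int len, unsigned int shift)
{
	uint32_t carry = 0;
	unsigned int i;

	for (i = 0; i < DIV_ROUND_UP(len, sizeof(uint32_t)); i++) {
		uint32_t tmp_src = src[i];

		dst[i] = carry | (tmp_src >> shift);
		carry = tmp_src << (BITS_PER_U32 - shift);
	}
}

/*
 * Control-plane check from the nf_tables.h hunk: src/dst are 32-bit
 * register indices, len is in bytes.  Exact aliasing (src == dst) is
 * allowed because the fixed eval loops handle it; any partial overlap
 * is rejected, since a per-word loop cannot be made safe for it.
 */
static bool nft_reg_overlap(uint8_t src, uint8_t dst, uint32_t len)
{
	unsigned int n = DIV_ROUND_UP(len, sizeof(uint32_t));

	return src != dst && src < dst + n && dst < src + n;
}

/*
 * Run a two-word (64-bit) left shift and pack the result as w[0]:w[1].
 * With alias set the shift is done in place (sreg == dreg), the case
 * the patch fixes; without it, src and dst are separate buffers.
 */
static uint64_t two_word_lshift(bool fixed, bool alias,
				uint32_t w0, uint32_t w1, unsigned int shift)
{
	uint32_t reg[2] = { w0, w1 };
	uint32_t out[2] = { 0, 0 };
	uint32_t *dst = alias ? reg : out;

	(fixed ? lshift_fixed : lshift_buggy)(dst, reg, sizeof(reg), shift);
	return ((uint64_t)dst[0] << 32) | dst[1];
}

/* In-place two-word right shift with the fixed loop, packed the same way. */
static uint64_t two_word_rshift(uint32_t w0, uint32_t w1, unsigned int shift)
{
	uint32_t reg[2] = { w0, w1 };

	rshift_fixed(reg, reg, sizeof(reg), shift);
	return ((uint64_t)reg[0] << 32) | reg[1];
}

int main(void)
{
	/* Constructed input: the test's words 0x44332211 0x88776655, byte-swapped. */
	const uint32_t w0 = 0x11223344u, w1 = 0x55667788u;

	printf("separate regs, buggy loop: %016llx\n",
	       (unsigned long long)two_word_lshift(false, false, w0, w1, 8));
	printf("same reg, buggy loop:      %016llx\n",
	       (unsigned long long)two_word_lshift(false, true, w0, w1, 8));
	printf("same reg, fixed loop:      %016llx\n",
	       (unsigned long long)two_word_lshift(true, true, w0, w1, 8));
	printf("reg1 -> reg2, 8 bytes: overlap=%d\n", nft_reg_overlap(1, 2, 8));
	return 0;
}
```

Only the aliased run of the buggy loop differs from the fixed result, which is why the bug stayed hidden until sreg and dreg were the same register.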

* [PATCH 6.12 009/307] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.12 008/307] bcache: fix uninitialized closure object Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.12 010/307] arm64: Introduce esr_is_ubsan_brk() Greg Kroah-Hartman
                   ` (297 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kevin Hao, Alexander Sverdlin,
	Jakub Kicinski, Wenshan Lan, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Hao <haokexin@gmail.com>

[ Upstream commit 9d724b34fbe13b71865ad0906a4be97571f19cf5 ]

If an error occurs during register_netdev() for the first MAC in
cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
cpsw->slaves[1].ndev would remain unchanged. This could later cause
cpsw_unregister_ports() to attempt unregistering the second MAC.
To address this, add a check for ndev->reg_state before calling
unregister_netdev(). With this change, setting cpsw->slaves[i].ndev
to NULL becomes unnecessary and can be removed accordingly.

Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Link: https://patch.msgid.link/20260205-cpsw-error-path-v1-2-6e58bae6b299@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ti/cpsw_new.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c
index a74caaca94d110..fa161a10960459 100644
--- a/drivers/net/ethernet/ti/cpsw_new.c
+++ b/drivers/net/ethernet/ti/cpsw_new.c
@@ -1443,7 +1443,8 @@ static void cpsw_unregister_ports(struct cpsw_common *cpsw)
 	int i = 0;
 
 	for (i = 0; i < cpsw->data.slaves; i++) {
-		if (!cpsw->slaves[i].ndev)
+		if (!cpsw->slaves[i].ndev ||
+		    cpsw->slaves[i].ndev->reg_state != NETREG_REGISTERED)
 			continue;
 
 		unregister_netdev(cpsw->slaves[i].ndev);
@@ -1463,7 +1464,6 @@ static int cpsw_register_ports(struct cpsw_common *cpsw)
 		if (ret) {
 			dev_err(cpsw->dev,
 				"cpsw: err registering net device%d\n", i);
-			cpsw->slaves[i].ndev = NULL;
 			break;
 		}
 	}
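Review bot: dropping `cpsw->slaves[i].ndev = NULL;` keeps the failed slave's ndev allocated and reachable, which the new reg_state check in cpsw_unregister_ports() tolerates; confirm that the corresponding free_netdev() path (not in this diff) is also reached for a never-registered ndev, otherwise the fix trades a bogus unregister for a leak.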
-- 
2.53.0





* [PATCH 6.18 020/315] tun: free page on short-frame rejection in tun_xdp_one()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 019/315] netfilter: nf_tables: fix dst corruption in same register operation Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 021/315] tun: free page on build_skb failure " Greg Kroah-Hartman
                   ` (296 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit f4feb1e20058e407cb00f45aff47f5b7e19a6bbf ]

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.

Fixes: 049584807f1d ("tun: add missing verification for short frame")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260520160020.375349-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tun.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 8192740357a09c..afba37965ce3b7 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2392,8 +2392,10 @@ static int tun_xdp_one(struct tun_struct *tun,
 	bool skb_xdp = false;
 	struct page *page;
 
-	if (unlikely(datasize < ETH_HLEN))
+	if (unlikely(datasize < ETH_HLEN)) {
+		put_page(virt_to_head_page(xdp->data));
 		return -EINVAL;
+	}
 
 	xdp_prog = rcu_dereference(tun->xdp_prog);
 	if (xdp_prog) {
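Review bot: the put_page() is the right fix, but the message shows why it was missed: tun_sendmsg() discards the per-frame return value, so the caller cannot compensate and every early exit in tun_xdp_one() must release the page itself. A comment at the top of the function stating that the page is owned by tun_xdp_one() from entry, and a single error label doing the put_page() rather than one call per exit, would make the rule hard to break again.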
-- 
2.53.0





* [PATCH 6.12 010/307] arm64: Introduce esr_is_ubsan_brk()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.12 009/307] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.12 011/307] arm64: debug: clean up single_step_handler logic Greg Kroah-Hartman
                   ` (296 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mostafa Saleh, Kees Cook,
	Marc Zyngier, Sebastian Andrzej Siewior, Ada Couprie Diaz,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mostafa Saleh <smostafa@google.com>

[ Upstream commit dc1fd37a7f501731e488c1c6f86b2f591632a4ad ]

Soon, KVM is going to use this logic for hypervisor panics,
so add it in a wrapper that can be used by the hypervisor exit
handler to decode hyp panics.

Signed-off-by: Mostafa Saleh <smostafa@google.com>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250430162713.1997569-2-smostafa@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/esr.h | 5 +++++
 arch/arm64/kernel/traps.c    | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h
index 5f4dc6364dbb9d..b0520b18192c5a 100644
--- a/arch/arm64/include/asm/esr.h
+++ b/arch/arm64/include/asm/esr.h
@@ -409,6 +409,11 @@ static inline bool esr_is_cfi_brk(unsigned long esr)
 	       (esr_brk_comment(esr) & ~CFI_BRK_IMM_MASK) == CFI_BRK_IMM_BASE;
 }
 
+static inline bool esr_is_ubsan_brk(unsigned long esr)
+{
+	return (esr_brk_comment(esr) & ~UBSAN_BRK_MASK) == UBSAN_BRK_IMM;
+}
+
 static inline bool esr_fsc_is_translation_fault(unsigned long esr)
 {
 	esr = esr & ESR_ELx_FSC;
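Review bot: the old test lived under `#ifdef CONFIG_UBSAN_TRAP` in traps.c, but the new inline helper references UBSAN_BRK_MASK and UBSAN_BRK_IMM unconditionally in a widely included header; make sure those macros are defined regardless of CONFIG_UBSAN_TRAP (as the neighbouring esr_is_cfi_brk() must rely on for CFI_BRK_*), or guard the helper, otherwise the header breaks for configurations without UBSAN_TRAP.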
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index e2e8ffa65aa586..5e138cf5d4ade3 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -1136,7 +1136,7 @@ int __init early_brk64(unsigned long addr, unsigned long esr,
 		return kasan_handler(regs, esr) != DBG_HOOK_HANDLED;
 #endif
 #ifdef CONFIG_UBSAN_TRAP
-	if ((esr_brk_comment(esr) & ~UBSAN_BRK_MASK) == UBSAN_BRK_IMM)
+	if (esr_is_ubsan_brk(esr))
 		return ubsan_handler(regs, esr) != DBG_HOOK_HANDLED;
 #endif
 	return bug_handler(regs, esr) != DBG_HOOK_HANDLED;
-- 
2.53.0





* [PATCH 6.18 021/315] tun: free page on build_skb failure in tun_xdp_one()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 020/315] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:56 ` [PATCH 6.18 022/315] vsock: keep poll shutdown state consistent Greg Kroah-Hartman
                   ` (295 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit aa8963fdce667a42fb7f0bdd2909fadcab02f9a8 ]

When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.

Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.

Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260521163312.1479805-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tun.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index afba37965ce3b7..9a767da38c71e7 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2437,6 +2437,7 @@ static int tun_xdp_one(struct tun_struct *tun,
 build:
 	skb = build_skb(xdp->data_hard_start, buflen);
 	if (!skb) {
+		put_page(virt_to_head_page(xdp->data));
 		ret = -ENOMEM;
 		goto out;
 	}
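Review bot: please confirm that the `out:` label reached by the `goto` does not itself release the page on the -ENOMEM path, otherwise this put_page() turns a leak into a double free; the hunk shows only the build_skb() failure branch, not the label. Note also that, per the commit message, tun_sendmsg() still discards the per-buffer error, so this fixes the leak but the caller will continue to see the batch as fully sent; that is consistent with the preceding short-frame fix, but it means the failure is still invisible to vhost.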
-- 
2.53.0





* [PATCH 6.12 011/307] arm64: debug: clean up single_step_handler logic
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Anshuman Khandual, Mark Rutland,
	Will Deacon, Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit ad8b22648b7d0bc6f84230508436b1aafc2e2516 ]

Remove the unnecessary boolean which always checks if the handler was found
and return early instead.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250707114109.35672-2-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/debug-monitors.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index 024a7b245056a8..b7a2155bca42b1 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -241,8 +241,6 @@ static void send_user_sigtrap(int si_code)
 static int single_step_handler(unsigned long unused, unsigned long esr,
 			       struct pt_regs *regs)
 {
-	bool handler_found = false;
-
 	/*
 	 * If we are stepping a pending breakpoint, call the hw_breakpoint
 	 * handler first.
@@ -250,10 +248,10 @@ static int single_step_handler(unsigned long unused, unsigned long esr,
 	if (!reinstall_suspended_bps(regs))
 		return 0;
 
-	if (!handler_found && call_step_hook(regs, esr) == DBG_HOOK_HANDLED)
-		handler_found = true;
+	if (call_step_hook(regs, esr) == DBG_HOOK_HANDLED)
+		return 0;
 
-	if (!handler_found && user_mode(regs)) {
+	if (user_mode(regs)) {
 		send_user_sigtrap(TRAP_TRACE);
 
 		/*
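Review bot: the new `return 0` after call_step_hook() is only equivalent to the old handler_found short-circuit if the function's final return, outside this hunk, was an unconditional 0; the old code still fell through to that common return after skipping the user_mode()/else branches, so please confirm there was no other status being returned at the end.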
@@ -263,7 +261,7 @@ static int single_step_handler(unsigned long unused, unsigned long esr,
 		 * to the active-not-pending state).
 		 */
 		user_rewind_single_step(current);
-	} else if (!handler_found) {
+	} else {
 		pr_warn("Unexpected kernel single-step exception at EL1\n");
 		/*
 		 * Re-enable stepping since we know that we will be
-- 
2.53.0





* [PATCH 6.18 022/315] vsock: keep poll shutdown state consistent
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyu Zhang, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ziyu Zhang <ziyuzhang201@gmail.com>

[ Upstream commit aae9d8a5528b8ee9ff8dc5d3558b8a9f852a724a ]

vsock_poll() reads vsk->peer_shutdown before taking the socket lock
to set EPOLLHUP and EPOLLRDHUP, then reads it again after taking
the lock to report EOF readability. A shutdown packet can update
peer_shutdown while poll is waiting for the lock, so one poll invocation
can report EOF readability without the corresponding HUP/RDHUP bits.

For connectible sockets, take one peer_shutdown snapshot after
lock_sock() and use it for all peer-shutdown-derived poll bits. For
datagram sockets, which do not take lock_sock() in poll(), take one
lockless READ_ONCE() snapshot and pair it with WRITE_ONCE() on the
writer side.

This keeps the peer-shutdown-derived bits internally consistent for each
poll pass.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Ziyu Zhang <ziyuzhang201@gmail.com>
Link: https://patch.msgid.link/20260519165636.62542-1-ziyuzhang201@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/af_vsock.c                | 49 ++++++++++++++++---------
 net/vmw_vsock/hyperv_transport.c        |  9 +++--
 net/vmw_vsock/virtio_transport_common.c | 14 ++++---
 net/vmw_vsock/vmci_transport.c          |  8 ++--
 4 files changed, 52 insertions(+), 28 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 9d0e1915abbe86..2db48b53e47c77 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -523,7 +523,7 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
 		 */
 		sock_reset_flag(sk, SOCK_DONE);
 		sk->sk_state = TCP_CLOSE;
-		vsk->peer_shutdown = 0;
+		WRITE_ONCE(vsk->peer_shutdown, 0);
 	}
 
 	if (sk->sk_type == SOCK_SEQPACKET) {
@@ -814,7 +814,7 @@ static struct sock *__vsock_create(struct net *net,
 	vsk->rejected = false;
 	vsk->sent_request = false;
 	vsk->ignore_connecting_rst = false;
-	vsk->peer_shutdown = 0;
+	WRITE_ONCE(vsk->peer_shutdown, 0);
 	INIT_DELAYED_WORK(&vsk->connect_work, vsock_connect_timeout);
 	INIT_DELAYED_WORK(&vsk->pending_work, vsock_pending_work);
 
@@ -1122,6 +1122,25 @@ static int vsock_shutdown(struct socket *sock, int mode)
 	return err;
 }
 
+static __poll_t vsock_poll_shutdown(struct sock *sk, u32 peer_shutdown)
+{
+	__poll_t mask = 0;
+
+	/* INET sockets treat local write shutdown and peer write shutdown as a
+	 * case of EPOLLHUP set.
+	 */
+	if (sk->sk_shutdown == SHUTDOWN_MASK ||
+	    ((sk->sk_shutdown & SEND_SHUTDOWN) &&
+	     (peer_shutdown & SEND_SHUTDOWN)))
+		mask |= EPOLLHUP;
+
+	if (sk->sk_shutdown & RCV_SHUTDOWN ||
+	    peer_shutdown & SEND_SHUTDOWN)
+		mask |= EPOLLRDHUP;
+
+	return mask;
+}
+
 static __poll_t vsock_poll(struct file *file, struct socket *sock,
 			       poll_table *wait)
 {
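Review bot: vsock_poll_shutdown() takes peer_shutdown as a snapshot but reads sk->sk_shutdown fresh in each of its two conditions, so for the SOCK_DGRAM caller, which the following hunk notes runs without lock_sock(), the local side can still change between the EPOLLHUP and EPOLLRDHUP computations. Taking one local copy, e.g. `shutdown = READ_ONCE(sk->sk_shutdown);` at the top of the helper and using it in both tests, would give the same one-snapshot guarantee for both inputs that the commit message describes for peer_shutdown.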
@@ -1139,24 +1158,17 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
 		/* Signify that there has been an error on this socket. */
 		mask |= EPOLLERR;
 
-	/* INET sockets treat local write shutdown and peer write shutdown as a
-	 * case of EPOLLHUP set.
-	 */
-	if ((sk->sk_shutdown == SHUTDOWN_MASK) ||
-	    ((sk->sk_shutdown & SEND_SHUTDOWN) &&
-	     (vsk->peer_shutdown & SEND_SHUTDOWN))) {
-		mask |= EPOLLHUP;
-	}
-
-	if (sk->sk_shutdown & RCV_SHUTDOWN ||
-	    vsk->peer_shutdown & SEND_SHUTDOWN) {
-		mask |= EPOLLRDHUP;
-	}
-
 	if (sk_is_readable(sk))
 		mask |= EPOLLIN | EPOLLRDNORM;
 
 	if (sock->type == SOCK_DGRAM) {
+		u32 peer_shutdown = READ_ONCE(vsk->peer_shutdown);
+
+		/* DGRAM sockets do not take lock_sock() in poll(), so use one
+		 * lockless snapshot for all shutdown-derived mask bits.
+		 */
+		mask |= vsock_poll_shutdown(sk, peer_shutdown);
+
 		/* For datagram sockets we can read if there is something in
 		 * the queue and write as long as the socket isn't shutdown for
 		 * sending.
@@ -1171,6 +1183,7 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
 
 	} else if (sock_type_connectible(sk->sk_type)) {
 		const struct vsock_transport *transport;
+		u32 peer_shutdown;
 
 		lock_sock(sk);
 
@@ -1203,8 +1216,10 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
 		 * terminated should also be considered read, and we check the
 		 * shutdown flag for that.
 		 */
+		peer_shutdown = READ_ONCE(vsk->peer_shutdown);
+		mask |= vsock_poll_shutdown(sk, peer_shutdown);
 		if (sk->sk_shutdown & RCV_SHUTDOWN ||
-		    vsk->peer_shutdown & SEND_SHUTDOWN) {
+		    peer_shutdown & SEND_SHUTDOWN) {
 			mask |= EPOLLIN | EPOLLRDNORM;
 		}
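Review bot: the commit message says the connectible path snapshots peer_shutdown after lock_sock(), but the READ_ONCE() here sits well below the lock_sock(sk) shown in the previous hunk; if any of the intervening state checks (not shown) read vsk->peer_shutdown directly, they still use a different value than the HUP/EPOLLIN bits. Moving `peer_shutdown = READ_ONCE(vsk->peer_shutdown);` to immediately after lock_sock(sk) would make the whole locked section use one value.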
 
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index f9dc9b4d302383..4da752b47b116f 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -264,7 +264,7 @@ static void hvs_do_close_lock_held(struct vsock_sock *vsk,
 	struct sock *sk = sk_vsock(vsk);
 
 	sock_set_flag(sk, SOCK_DONE);
-	vsk->peer_shutdown = SHUTDOWN_MASK;
+	WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 	if (vsock_stream_has_data(vsk) <= 0)
 		sk->sk_state = TCP_CLOSING;
 	sk->sk_state_change(sk);
@@ -593,7 +593,9 @@ static int hvs_update_recv_data(struct hvsock *hvs)
 		return -EIO;
 
 	if (payload_len == 0)
-		hvs->vsk->peer_shutdown |= SEND_SHUTDOWN;
+		WRITE_ONCE(hvs->vsk->peer_shutdown,
+			   READ_ONCE(hvs->vsk->peer_shutdown) |
+			   SEND_SHUTDOWN);
 
 	hvs->recv_data_len = payload_len;
 	hvs->recv_data_off = 0;
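Review bot: `WRITE_ONCE(x, READ_ONCE(x) | SEND_SHUTDOWN)` is not an atomic read-modify-write; it only stops the lockless DGRAM poll reader from seeing a torn or compiler-cached value, so it is correct only if every writer to peer_shutdown for this socket is already serialized (socket lock or a single receive path). That appears to hold for the existing code as far as the hunk shows, but a short comment stating the serialization assumption would keep a future change from treating this as a lock-free update.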
@@ -736,7 +738,8 @@ static s64 hvs_stream_has_data(struct vsock_sock *vsk)
 			return ret;
 		return hvs->recv_data_len;
 	case 0:
-		vsk->peer_shutdown |= SEND_SHUTDOWN;
+		WRITE_ONCE(vsk->peer_shutdown,
+			   READ_ONCE(vsk->peer_shutdown) | SEND_SHUTDOWN);
 		ret = 0;
 		break;
 	default: /* -1 */
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index ed42e08798a967..1e07d3b1a0e800 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1206,7 +1206,7 @@ static void virtio_transport_do_close(struct vsock_sock *vsk,
 	struct sock *sk = sk_vsock(vsk);
 
 	sock_set_flag(sk, SOCK_DONE);
-	vsk->peer_shutdown = SHUTDOWN_MASK;
+	WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 	if (vsock_stream_has_data(vsk) <= 0)
 		sk->sk_state = TCP_CLOSING;
 	sk->sk_state_change(sk);
@@ -1409,12 +1409,15 @@ virtio_transport_recv_connected(struct sock *sk,
 	case VIRTIO_VSOCK_OP_CREDIT_UPDATE:
 		sk->sk_write_space(sk);
 		break;
-	case VIRTIO_VSOCK_OP_SHUTDOWN:
+	case VIRTIO_VSOCK_OP_SHUTDOWN: {
+		u32 peer_shutdown = READ_ONCE(vsk->peer_shutdown);
+
 		if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SHUTDOWN_RCV)
-			vsk->peer_shutdown |= RCV_SHUTDOWN;
+			peer_shutdown |= RCV_SHUTDOWN;
 		if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SHUTDOWN_SEND)
-			vsk->peer_shutdown |= SEND_SHUTDOWN;
-		if (vsk->peer_shutdown == SHUTDOWN_MASK) {
+			peer_shutdown |= SEND_SHUTDOWN;
+		WRITE_ONCE(vsk->peer_shutdown, peer_shutdown);
+		if (peer_shutdown == SHUTDOWN_MASK) {
 			if (vsock_stream_has_data(vsk) <= 0 && !sock_flag(sk, SOCK_DONE)) {
 				(void)virtio_transport_reset(vsk, NULL);
 				virtio_transport_do_close(vsk, true);
@@ -1429,6 +1432,7 @@ virtio_transport_recv_connected(struct sock *sk,
 		if (le32_to_cpu(virtio_vsock_hdr(skb)->flags))
 			sk->sk_state_change(sk);
 		break;
+	}
 	case VIRTIO_VSOCK_OP_RST:
 		virtio_transport_do_close(vsk, true);
 		break;
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 4cd11f355e9d6b..443125e48f2481 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -811,7 +811,7 @@ static void vmci_transport_handle_detach(struct sock *sk)
 		/* On a detach the peer will not be sending or receiving
 		 * anymore.
 		 */
-		vsk->peer_shutdown = SHUTDOWN_MASK;
+		WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 
 		/* We should not be sending anymore since the peer won't be
 		 * there to receive, but we can still receive if there is data
@@ -1534,7 +1534,9 @@ static int vmci_transport_recv_connected(struct sock *sk,
 		if (pkt->u.mode) {
 			vsk = vsock_sk(sk);
 
-			vsk->peer_shutdown |= pkt->u.mode;
+			WRITE_ONCE(vsk->peer_shutdown,
+				   READ_ONCE(vsk->peer_shutdown) |
+				   pkt->u.mode);
 			sk->sk_state_change(sk);
 		}
 		break;
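Review bot: same single-writer assumption as the hyperv change: the READ_ONCE()/WRITE_ONCE() pair here ORs in pkt->u.mode non-atomically, which is fine under the existing serialization of the receive path but offers no protection against a concurrent writer. Since pkt->u.mode arrives from the peer, it might also be worth masking it to the known SHUTDOWN_MASK bits before storing, although that behaviour is unchanged by this patch.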
@@ -1551,7 +1553,7 @@ static int vmci_transport_recv_connected(struct sock *sk,
 		 * a clean shutdown.
 		 */
 		sock_set_flag(sk, SOCK_DONE);
-		vsk->peer_shutdown = SHUTDOWN_MASK;
+		WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 		if (vsock_stream_has_data(vsk) <= 0)
 			sk->sk_state = TCP_CLOSING;
 
-- 
2.53.0





* [PATCH 6.12 012/307] arm64: refactor aarch32_break_handler()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Anshuman Khandual, Mark Rutland,
	Will Deacon, Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit b1e2d95524e4d0f5b643394c739212869e95cf6a ]

`aarch32_break_handler()` is called in `do_el0_undef()` when we
are trying to handle an exception whose Exception Syndrome is unknown.
It checks if the instruction hit might be a 32-bit arm break (be it
A32 or T2), and sends a SIGTRAP to userspace if it is so that it can
be handled.

However, this is badly represented in the naming of the function, and
is not consistent with the other functions called with the same logic
in `do_el0_undef()`.

Rename it `try_handle_aarch32_break()` and change the return value to
a boolean to align with the logic of the other tentative handlers in
`do_el0_undef()`, the previous error code being ignored anyway.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250707114109.35672-3-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/debug-monitors.h |  2 +-
 arch/arm64/kernel/debug-monitors.c      | 10 +++++-----
 arch/arm64/kernel/traps.c               |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h
index 13d437bcbf58c2..3eeea1c9f06664 100644
--- a/arch/arm64/include/asm/debug-monitors.h
+++ b/arch/arm64/include/asm/debug-monitors.h
@@ -115,7 +115,7 @@ static inline int reinstall_suspended_bps(struct pt_regs *regs)
 }
 #endif
 
-int aarch32_break_handler(struct pt_regs *regs);
+bool try_handle_aarch32_break(struct pt_regs *regs);
 
 void debug_traps_init(void);
 
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index b7a2155bca42b1..8275b7f5754626 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -335,7 +335,7 @@ static int brk_handler(unsigned long unused, unsigned long esr,
 }
 NOKPROBE_SYMBOL(brk_handler);
 
-int aarch32_break_handler(struct pt_regs *regs)
+bool try_handle_aarch32_break(struct pt_regs *regs)
 {
 	u32 arm_instr;
 	u16 thumb_instr;
@@ -343,7 +343,7 @@ int aarch32_break_handler(struct pt_regs *regs)
 	void __user *pc = (void __user *)instruction_pointer(regs);
 
 	if (!compat_user_mode(regs))
-		return -EFAULT;
+		return false;
 
 	if (compat_thumb_mode(regs)) {
 		/* get 16-bit Thumb instruction */
@@ -367,12 +367,12 @@ int aarch32_break_handler(struct pt_regs *regs)
 	}
 
 	if (!bp)
-		return -EFAULT;
+		return false;
 
 	send_user_sigtrap(TRAP_BRKPT);
-	return 0;
+	return true;
 }
-NOKPROBE_SYMBOL(aarch32_break_handler);
+NOKPROBE_SYMBOL(try_handle_aarch32_break);
 
 void __init debug_traps_init(void)
 {
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 5e138cf5d4ade3..c38ebf715be764 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -462,7 +462,7 @@ void do_el0_undef(struct pt_regs *regs, unsigned long esr)
 	u32 insn;
 
 	/* check for AArch32 breakpoint instructions */
-	if (!aarch32_break_handler(regs))
+	if (try_handle_aarch32_break(regs))
 		return;
 
 	if (user_insn_read(regs, &insn))
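Review bot: the condition is correctly inverted together with the return type (the old `!aarch32_break_handler(regs)` meant "returned 0, handled"; the new `try_handle_aarch32_break(regs)` means "returned true, handled"). Because the prototype in debug-monitors.h changes both name and type in the same patch, any caller missed here fails to compile rather than silently inverting its logic, which is the safe failure mode for a refactor like this.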
-- 
2.53.0





* [PATCH 6.18 023/315] net: netlink: fix sending unassigned nsid after assigned one
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ilya Maximets, Nicolas Dichtel,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

[ Upstream commit 70f8592ee90585272018a725054b6eb2ab7e99ca ]

If the current skb is not shared, it is re-used directly for all the
sockets subscribed to the notification.  If we have a remote all-nsid
socket receiving a message first, then the 'nsid_is_set' will be
set to 'true'.  If the nsid is NOT_ASSIGNED for the next socket in
the list, the 'nsid_is_set' will remain 'true' and the negative value
is delivered to the user space.  All subsequent nsid values will be
delivered as well, since there is no code path that sets the flag
back to 'false'.

Fix that by always dropping the flag to 'false' first.

Fixes: 7212462fa6fd ("netlink: don't send unknown nsid")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-2-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 2b46c0cd752a31..0e6dfd01d9b419 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1484,6 +1484,7 @@ static void do_one_broadcast(struct sock *sk,
 		p->skb2 = NULL;
 		goto out;
 	}
+	NETLINK_CB(p->skb2).nsid_is_set = false;
 	NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
 	if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
 		NETLINK_CB(p->skb2).nsid_is_set = true;
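Review bot: the reset is correct and needed, since skb2 is reused for every socket in the broadcast and nothing else cleared the flag, but the two-step set could collapse into a single assignment that makes the invariant obvious and removes the ordering dependency: `NETLINK_CB(p->skb2).nsid_is_set = (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED);` right after the peernet2id() call. Either form is fine for stable; the one-liner is a suggestion for a follow-up.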
-- 
2.53.0





* [PATCH 6.12 013/307] arm64: debug: call software breakpoint handlers statically
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit 6adfdc5e2ef9c71a76d8d127a2eb54f0fbe9be5e ]

Software breakpoints pass an immediate value in ESR ("comment") that can
be used to call a specialized handler (KGDB, KASAN...).
We do so in two different ways:
 - During early boot, `early_brk64` statically checks against known
   immediates and calls the corresponding handler,
 - During init, handlers are dynamically registered into a list. When
   called, the generic software breakpoint handler will iterate over
   the list to find the appropriate handler.

The dynamic registration does not provide any benefit here as it is not
exported and all its uses are within the arm64 tree. It also depends on an
RCU list, whose safe access currently relies on the non-preemptible state
of `do_debug_exception`.

Replace the list iteration logic in `call_break_hooks` to call
the breakpoint handlers statically if they are enabled, like in
`early_brk64`.
Expose the handlers in their respective headers to be reachable from
`arch/arm64/kernel/debug-monitors.c` at link time.

Unify the naming of the software breakpoint handlers to XXX_brk_handler(),
making it clear they are related and to differentiate from the
hardware breakpoints.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-4-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/kgdb.h                 |  3 +
 arch/arm64/include/asm/kprobes.h              |  8 +++
 arch/arm64/include/asm/traps.h                |  6 ++
 arch/arm64/include/asm/uprobes.h              |  2 +
 arch/arm64/kernel/debug-monitors.c            | 53 +++++++++++++----
 arch/arm64/kernel/kgdb.c                      | 22 ++-----
 arch/arm64/kernel/probes/kprobes.c            | 31 ++--------
 arch/arm64/kernel/probes/kprobes_trampoline.S |  2 +-
 arch/arm64/kernel/probes/uprobes.c            |  9 +--
 arch/arm64/kernel/traps.c                     | 59 ++++---------------
 10 files changed, 82 insertions(+), 113 deletions(-)

diff --git a/arch/arm64/include/asm/kgdb.h b/arch/arm64/include/asm/kgdb.h
index 21fc85e9d2bed8..82a76b2102fb61 100644
--- a/arch/arm64/include/asm/kgdb.h
+++ b/arch/arm64/include/asm/kgdb.h
@@ -24,6 +24,9 @@ static inline void arch_kgdb_breakpoint(void)
 extern void kgdb_handle_bus_error(void);
 extern int kgdb_fault_expected;
 
+int kgdb_brk_handler(struct pt_regs *regs, unsigned long esr);
+int kgdb_compiled_brk_handler(struct pt_regs *regs, unsigned long esr);
+
 #endif /* !__ASSEMBLY__ */
 
 /*
diff --git a/arch/arm64/include/asm/kprobes.h b/arch/arm64/include/asm/kprobes.h
index be7a3680dadff7..f2782560647bef 100644
--- a/arch/arm64/include/asm/kprobes.h
+++ b/arch/arm64/include/asm/kprobes.h
@@ -41,4 +41,12 @@ void __kretprobe_trampoline(void);
 void __kprobes *trampoline_probe_handler(struct pt_regs *regs);
 
 #endif /* CONFIG_KPROBES */
+
+int __kprobes kprobe_brk_handler(struct pt_regs *regs,
+				 unsigned long esr);
+int __kprobes kprobe_ss_brk_handler(struct pt_regs *regs,
+				 unsigned long esr);
+int __kprobes kretprobe_brk_handler(struct pt_regs *regs,
+				 unsigned long esr);
+
 #endif /* _ARM_KPROBES_H */
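Review bot: the three new prototypes are placed after `#endif /* CONFIG_KPROBES */`, so they are declared in every configuration and carry the `__kprobes` attribute; please confirm that `__kprobes` expands to something valid when CONFIG_KPROBES=n, since debug-monitors.c now includes this header unconditionally. The continuation lines are aligned with tabs only, unlike `unsigned long esr);` alignment elsewhere in the tree, which is a minor style nit.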
diff --git a/arch/arm64/include/asm/traps.h b/arch/arm64/include/asm/traps.h
index 82cf1f879c61df..e3e8944a71c3e6 100644
--- a/arch/arm64/include/asm/traps.h
+++ b/arch/arm64/include/asm/traps.h
@@ -29,6 +29,12 @@ void arm64_force_sig_fault_pkey(unsigned long far, const char *str, int pkey);
 void arm64_force_sig_mceerr(int code, unsigned long far, short lsb, const char *str);
 void arm64_force_sig_ptrace_errno_trap(int errno, unsigned long far, const char *str);
 
+int bug_brk_handler(struct pt_regs *regs, unsigned long esr);
+int cfi_brk_handler(struct pt_regs *regs, unsigned long esr);
+int reserved_fault_brk_handler(struct pt_regs *regs, unsigned long esr);
+int kasan_brk_handler(struct pt_regs *regs, unsigned long esr);
+int ubsan_brk_handler(struct pt_regs *regs, unsigned long esr);
+
 int early_brk64(unsigned long addr, unsigned long esr, struct pt_regs *regs);
 
 /*
diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h
index 014b02897f8e22..3659a79a9f325f 100644
--- a/arch/arm64/include/asm/uprobes.h
+++ b/arch/arm64/include/asm/uprobes.h
@@ -28,4 +28,6 @@ struct arch_uprobe {
 	bool simulate;
 };
 
+int uprobe_brk_handler(struct pt_regs *regs, unsigned long esr);
+
 #endif
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index 8275b7f5754626..5e892448030005 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -21,8 +21,11 @@
 #include <asm/cputype.h>
 #include <asm/daifflags.h>
 #include <asm/debug-monitors.h>
+#include <asm/kgdb.h>
+#include <asm/kprobes.h>
 #include <asm/system_misc.h>
 #include <asm/traps.h>
+#include <asm/uprobes.h>
 
 /* Determine debug architecture. */
 u8 debug_monitors_arch(void)
@@ -299,22 +302,48 @@ void unregister_kernel_break_hook(struct break_hook *hook)
 
 static int call_break_hook(struct pt_regs *regs, unsigned long esr)
 {
-	struct break_hook *hook;
-	struct list_head *list;
-	int (*fn)(struct pt_regs *regs, unsigned long esr) = NULL;
+	if (user_mode(regs)) {
+		if (IS_ENABLED(CONFIG_UPROBES) &&
+			esr_brk_comment(esr) == UPROBES_BRK_IMM)
+			return uprobe_brk_handler(regs, esr);
+		return DBG_HOOK_ERROR;
+	}
 
-	list = user_mode(regs) ? &user_break_hook : &kernel_break_hook;
+	if (esr_brk_comment(esr) == BUG_BRK_IMM)
+		return bug_brk_handler(regs, esr);
 
-	/*
-	 * Since brk exception disables interrupt, this function is
-	 * entirely not preemptible, and we can use rcu list safely here.
-	 */
-	list_for_each_entry_rcu(hook, list, node) {
-		if ((esr_brk_comment(esr) & ~hook->mask) == hook->imm)
-			fn = hook->fn;
+	if (IS_ENABLED(CONFIG_CFI_CLANG) && esr_is_cfi_brk(esr))
+		return cfi_brk_handler(regs, esr);
+
+	if (esr_brk_comment(esr) == FAULT_BRK_IMM)
+		return reserved_fault_brk_handler(regs, esr);
+
+	if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) &&
+		(esr_brk_comment(esr) & ~KASAN_BRK_MASK) == KASAN_BRK_IMM)
+		return kasan_brk_handler(regs, esr);
+
+	if (IS_ENABLED(CONFIG_UBSAN_TRAP) && esr_is_ubsan_brk(esr))
+		return ubsan_brk_handler(regs, esr);
+
+	if (IS_ENABLED(CONFIG_KGDB)) {
+		if (esr_brk_comment(esr) == KGDB_DYN_DBG_BRK_IMM)
+			return kgdb_brk_handler(regs, esr);
+		if (esr_brk_comment(esr) == KGDB_COMPILED_DBG_BRK_IMM)
+			return kgdb_compiled_brk_handler(regs, esr);
 	}
 
-	return fn ? fn(regs, esr) : DBG_HOOK_ERROR;
+	if (IS_ENABLED(CONFIG_KPROBES)) {
+		if (esr_brk_comment(esr) == KPROBES_BRK_IMM)
+			return kprobe_brk_handler(regs, esr);
+		if (esr_brk_comment(esr) == KPROBES_BRK_SS_IMM)
+			return kprobe_ss_brk_handler(regs, esr);
+	}
+
+	if (IS_ENABLED(CONFIG_KRETPROBES) &&
+		esr_brk_comment(esr) == KRETPROBES_BRK_IMM)
+		return kretprobe_brk_handler(regs, esr);
+
+	return DBG_HOOK_ERROR;
 }
 NOKPROBE_SYMBOL(call_break_hook);
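Review bot: dispatch semantics change in two ways that deserve a sentence in the commit message. First, the old loop did not break on a match, so with overlapping immediates the last matching hook in list order won, whereas the new chain returns on the first match in source order; the CFI, KASAN and UBSAN checks are mask-based, so their ranges must not overlap the exact immediates tested after them (FAULT_BRK_IMM, KGDB, kprobes, kretprobes), or those handlers become unreachable. Second, user-mode brk handling is now limited to UPROBES_BRK_IMM, so any user break hook other than uprobes would be silently dropped. If the uprobes change in this series also removes its registration, register_kernel_break_hook()/unregister_kernel_break_hook() (the context function in this hunk's header) become dead code and could go in a follow-up.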
 
diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c
index 4e1f983df3d1c2..e3c9e6e11a318c 100644
--- a/arch/arm64/kernel/kgdb.c
+++ b/arch/arm64/kernel/kgdb.c
@@ -234,21 +234,21 @@ int kgdb_arch_handle_exception(int exception_vector, int signo,
 	return err;
 }
 
-static int kgdb_brk_fn(struct pt_regs *regs, unsigned long esr)
+int kgdb_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	kgdb_handle_exception(1, SIGTRAP, 0, regs);
 	return DBG_HOOK_HANDLED;
 }
-NOKPROBE_SYMBOL(kgdb_brk_fn)
+NOKPROBE_SYMBOL(kgdb_brk_handler)
 
-static int kgdb_compiled_brk_fn(struct pt_regs *regs, unsigned long esr)
+int kgdb_compiled_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	compiled_break = 1;
 	kgdb_handle_exception(1, SIGTRAP, 0, regs);
 
 	return DBG_HOOK_HANDLED;
 }
-NOKPROBE_SYMBOL(kgdb_compiled_brk_fn);
+NOKPROBE_SYMBOL(kgdb_compiled_brk_handler);
 
 static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned long esr)
 {
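Review bot: pre-existing but worth fixing while the line is touched: `NOKPROBE_SYMBOL(kgdb_brk_handler)` lacks the trailing semicolon that `NOKPROBE_SYMBOL(kgdb_compiled_brk_handler);` a few lines below has; it presumably compiles only because the macro expansion supplies its own terminator, and the two should at least be consistent.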
@@ -260,16 +260,6 @@ static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned long esr)
 }
 NOKPROBE_SYMBOL(kgdb_step_brk_fn);
 
-static struct break_hook kgdb_brkpt_hook = {
-	.fn		= kgdb_brk_fn,
-	.imm		= KGDB_DYN_DBG_BRK_IMM,
-};
-
-static struct break_hook kgdb_compiled_brkpt_hook = {
-	.fn		= kgdb_compiled_brk_fn,
-	.imm		= KGDB_COMPILED_DBG_BRK_IMM,
-};
-
 static struct step_hook kgdb_step_hook = {
 	.fn		= kgdb_step_brk_fn
 };
@@ -316,8 +306,6 @@ int kgdb_arch_init(void)
 	if (ret != 0)
 		return ret;
 
-	register_kernel_break_hook(&kgdb_brkpt_hook);
-	register_kernel_break_hook(&kgdb_compiled_brkpt_hook);
 	register_kernel_step_hook(&kgdb_step_hook);
 	return 0;
 }
@@ -329,8 +317,6 @@ int kgdb_arch_init(void)
  */
 void kgdb_arch_exit(void)
 {
-	unregister_kernel_break_hook(&kgdb_brkpt_hook);
-	unregister_kernel_break_hook(&kgdb_compiled_brkpt_hook);
 	unregister_kernel_step_hook(&kgdb_step_hook);
 	unregister_die_notifier(&kgdb_notifier);
 }
diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c
index b0e0f0aed748a8..8661cd4064732a 100644
--- a/arch/arm64/kernel/probes/kprobes.c
+++ b/arch/arm64/kernel/probes/kprobes.c
@@ -306,8 +306,8 @@ int __kprobes kprobe_fault_handler(struct pt_regs *regs, unsigned int fsr)
 	return 0;
 }
 
-static int __kprobes
-kprobe_breakpoint_handler(struct pt_regs *regs, unsigned long esr)
+int __kprobes
+kprobe_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	struct kprobe *p, *cur_kprobe;
 	struct kprobe_ctlblk *kcb;
@@ -350,13 +350,8 @@ kprobe_breakpoint_handler(struct pt_regs *regs, unsigned long esr)
 	return DBG_HOOK_HANDLED;
 }
 
-static struct break_hook kprobes_break_hook = {
-	.imm = KPROBES_BRK_IMM,
-	.fn = kprobe_breakpoint_handler,
-};
-
-static int __kprobes
-kprobe_breakpoint_ss_handler(struct pt_regs *regs, unsigned long esr)
+int __kprobes
+kprobe_ss_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	struct kprobe_ctlblk *kcb = get_kprobe_ctlblk();
 	unsigned long addr = instruction_pointer(regs);
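
Review bot: KPROBES_BRK_IMM and KPROBES_BRK_SS_IMM lose their binding to kprobe_brk_handler() and kprobe_ss_brk_handler() here, and the two must not be conflated by the dispatcher: the single-step BRK is the one that returns from an instruction slot, and its `return DBG_HOOK_ERROR` fallback for an unexpected PC is only meaningful if KPROBES_BRK_SS_IMM reaches kprobe_ss_brk_handler() and nothing else. The functions also become extern here, so they need prototypes in a header (not in this excerpt); keeping `__kprobes` on them is required.
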
@@ -374,13 +369,8 @@ kprobe_breakpoint_ss_handler(struct pt_regs *regs, unsigned long esr)
 	return DBG_HOOK_ERROR;
 }
 
-static struct break_hook kprobes_break_ss_hook = {
-	.imm = KPROBES_BRK_SS_IMM,
-	.fn = kprobe_breakpoint_ss_handler,
-};
-
-static int __kprobes
-kretprobe_breakpoint_handler(struct pt_regs *regs, unsigned long esr)
+int __kprobes
+kretprobe_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	if (regs->pc != (unsigned long)__kretprobe_trampoline)
 		return DBG_HOOK_ERROR;
@@ -389,11 +379,6 @@ kretprobe_breakpoint_handler(struct pt_regs *regs, unsigned long esr)
 	return DBG_HOOK_HANDLED;
 }
 
-static struct break_hook kretprobes_break_hook = {
-	.imm = KRETPROBES_BRK_IMM,
-	.fn = kretprobe_breakpoint_handler,
-};
-
 /*
  * Provide a blacklist of symbols identifying ranges which cannot be kprobed.
  * This blacklist is exposed to userspace via debugfs (kprobes/blacklist).
@@ -436,9 +421,5 @@ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
 
 int __init arch_init_kprobes(void)
 {
-	register_kernel_break_hook(&kprobes_break_hook);
-	register_kernel_break_hook(&kprobes_break_ss_hook);
-	register_kernel_break_hook(&kretprobes_break_hook);
-
 	return 0;
 }
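
Review bot: arch_init_kprobes() is now an empty `return 0;`. It has to stay because the generic kprobes core calls it, but a one-line comment stating that arm64 has nothing to set up here (breakpoint dispatch is static) would stop the next reader from looking for a missing registration.
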
diff --git a/arch/arm64/kernel/probes/kprobes_trampoline.S b/arch/arm64/kernel/probes/kprobes_trampoline.S
index a362f3dbb3d117..b60739d3983f60 100644
--- a/arch/arm64/kernel/probes/kprobes_trampoline.S
+++ b/arch/arm64/kernel/probes/kprobes_trampoline.S
@@ -12,7 +12,7 @@
 SYM_CODE_START(__kretprobe_trampoline)
 	/*
 	 * Trigger a breakpoint exception. The PC will be adjusted by
-	 * kretprobe_breakpoint_handler(), and no subsequent instructions will
+	 * kretprobe_brk_handler(), and no subsequent instructions will
 	 * be executed from the trampoline.
 	 */
 	brk #KRETPROBES_BRK_IMM
diff --git a/arch/arm64/kernel/probes/uprobes.c b/arch/arm64/kernel/probes/uprobes.c
index a2f137a595fc1c..fc1bd19c827e6f 100644
--- a/arch/arm64/kernel/probes/uprobes.c
+++ b/arch/arm64/kernel/probes/uprobes.c
@@ -165,7 +165,7 @@ int arch_uprobe_exception_notify(struct notifier_block *self,
 	return NOTIFY_DONE;
 }
 
-static int uprobe_breakpoint_handler(struct pt_regs *regs,
+int uprobe_brk_handler(struct pt_regs *regs,
 				     unsigned long esr)
 {
 	if (uprobe_pre_sstep_notifier(regs))
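
Review bot: the continuation line `unsigned long esr)` under the new `int uprobe_brk_handler(struct pt_regs *regs,` is still indented for the old, longer name and no longer lines up with the opening parenthesis; either re-align it or fold the prototype onto one line, which now fits in 80 columns.
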
@@ -186,12 +186,6 @@ static int uprobe_single_step_handler(struct pt_regs *regs,
 	return DBG_HOOK_ERROR;
 }
 
-/* uprobe breakpoint handler hook */
-static struct break_hook uprobes_break_hook = {
-	.imm = UPROBES_BRK_IMM,
-	.fn = uprobe_breakpoint_handler,
-};
-
 /* uprobe single step handler hook */
 static struct step_hook uprobes_step_hook = {
 	.fn = uprobe_single_step_handler,
@@ -199,7 +193,6 @@ static struct step_hook uprobes_step_hook = {
 
 static int __init arch_init_uprobes(void)
 {
-	register_user_break_hook(&uprobes_break_hook);
 	register_user_step_hook(&uprobes_step_hook);
 
 	return 0;
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index c38ebf715be764..013159bc0882ee 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -978,7 +978,7 @@ void do_serror(struct pt_regs *regs, unsigned long esr)
 int is_valid_bugaddr(unsigned long addr)
 {
 	/*
-	 * bug_handler() only called for BRK #BUG_BRK_IMM.
+	 * bug_brk_handler() only called for BRK #BUG_BRK_IMM.
 	 * So the answer is trivial -- any spurious instances with no
 	 * bug table entry will be rejected by report_bug() and passed
 	 * back to the debug-monitors code and handled as a fatal
@@ -988,7 +988,7 @@ int is_valid_bugaddr(unsigned long addr)
 }
 #endif
 
-static int bug_handler(struct pt_regs *regs, unsigned long esr)
+int bug_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	switch (report_bug(regs->pc, regs)) {
 	case BUG_TRAP_TYPE_BUG:
@@ -1008,13 +1008,8 @@ static int bug_handler(struct pt_regs *regs, unsigned long esr)
 	return DBG_HOOK_HANDLED;
 }
 
-static struct break_hook bug_break_hook = {
-	.fn = bug_handler,
-	.imm = BUG_BRK_IMM,
-};
-
 #ifdef CONFIG_CFI_CLANG
-static int cfi_handler(struct pt_regs *regs, unsigned long esr)
+int cfi_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	unsigned long target;
 	u32 type;
@@ -1037,15 +1032,9 @@ static int cfi_handler(struct pt_regs *regs, unsigned long esr)
 	arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE);
 	return DBG_HOOK_HANDLED;
 }
-
-static struct break_hook cfi_break_hook = {
-	.fn = cfi_handler,
-	.imm = CFI_BRK_IMM_BASE,
-	.mask = CFI_BRK_IMM_MASK,
-};
 #endif /* CONFIG_CFI_CLANG */
 
-static int reserved_fault_handler(struct pt_regs *regs, unsigned long esr)
+int reserved_fault_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	pr_err("%s generated an invalid instruction at %pS!\n",
 		"Kernel text patching",
@@ -1055,11 +1044,6 @@ static int reserved_fault_handler(struct pt_regs *regs, unsigned long esr)
 	return DBG_HOOK_ERROR;
 }
 
-static struct break_hook fault_break_hook = {
-	.fn = reserved_fault_handler,
-	.imm = FAULT_BRK_IMM,
-};
-
 #ifdef CONFIG_KASAN_SW_TAGS
 
 #define KASAN_ESR_RECOVER	0x20
@@ -1067,7 +1051,7 @@ static struct break_hook fault_break_hook = {
 #define KASAN_ESR_SIZE_MASK	0x0f
 #define KASAN_ESR_SIZE(esr)	(1 << ((esr) & KASAN_ESR_SIZE_MASK))
 
-static int kasan_handler(struct pt_regs *regs, unsigned long esr)
+int kasan_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	bool recover = esr & KASAN_ESR_RECOVER;
 	bool write = esr & KASAN_ESR_WRITE;
@@ -1098,26 +1082,14 @@ static int kasan_handler(struct pt_regs *regs, unsigned long esr)
 	arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE);
 	return DBG_HOOK_HANDLED;
 }
-
-static struct break_hook kasan_break_hook = {
-	.fn	= kasan_handler,
-	.imm	= KASAN_BRK_IMM,
-	.mask	= KASAN_BRK_MASK,
-};
 #endif
 
 #ifdef CONFIG_UBSAN_TRAP
-static int ubsan_handler(struct pt_regs *regs, unsigned long esr)
+int ubsan_brk_handler(struct pt_regs *regs, unsigned long esr)
 {
 	die(report_ubsan_failure(regs, esr & UBSAN_BRK_MASK), regs, esr);
 	return DBG_HOOK_HANDLED;
 }
-
-static struct break_hook ubsan_break_hook = {
-	.fn	= ubsan_handler,
-	.imm	= UBSAN_BRK_IMM,
-	.mask	= UBSAN_BRK_MASK,
-};
 #endif
 
 /*
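
Review bot: kasan_break_hook and ubsan_break_hook, like cfi_break_hook above, matched with a `.mask` (KASAN_BRK_MASK, UBSAN_BRK_MASK, CFI_BRK_IMM_MASK), i.e. `(comment & ~mask) == imm` rather than equality, so the static dispatcher needs masked compares for these three immediates. early_brk64() below already open-codes the KASAN test as `(esr_brk_comment(esr) & ~KASAN_BRK_MASK) == KASAN_BRK_IMM` while CFI and UBSAN use esr_is_cfi_brk()/esr_is_ubsan_brk(); adding an esr_is_kasan_brk() helper and using the three helpers in both early_brk64() and the new dispatcher would keep the early and normal paths from drifting.
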
@@ -1129,31 +1101,20 @@ int __init early_brk64(unsigned long addr, unsigned long esr,
 {
 #ifdef CONFIG_CFI_CLANG
 	if (esr_is_cfi_brk(esr))
-		return cfi_handler(regs, esr) != DBG_HOOK_HANDLED;
+		return cfi_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
 #endif
 #ifdef CONFIG_KASAN_SW_TAGS
 	if ((esr_brk_comment(esr) & ~KASAN_BRK_MASK) == KASAN_BRK_IMM)
-		return kasan_handler(regs, esr) != DBG_HOOK_HANDLED;
+		return kasan_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
 #endif
 #ifdef CONFIG_UBSAN_TRAP
 	if (esr_is_ubsan_brk(esr))
-		return ubsan_handler(regs, esr) != DBG_HOOK_HANDLED;
+		return ubsan_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
 #endif
-	return bug_handler(regs, esr) != DBG_HOOK_HANDLED;
+	return bug_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
 }
 
 void __init trap_init(void)
 {
-	register_kernel_break_hook(&bug_break_hook);
-#ifdef CONFIG_CFI_CLANG
-	register_kernel_break_hook(&cfi_break_hook);
-#endif
-	register_kernel_break_hook(&fault_break_hook);
-#ifdef CONFIG_KASAN_SW_TAGS
-	register_kernel_break_hook(&kasan_break_hook);
-#endif
-#ifdef CONFIG_UBSAN_TRAP
-	register_kernel_break_hook(&ubsan_break_hook);
-#endif
 	debug_traps_init();
 }
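
Review bot: the list-based dispatch visited hooks in reverse registration order (register_debug_hook() uses list_add_rcu(), which inserts at the head), so the order of the five register_kernel_break_hook() calls removed here defined precedence between the masked KASAN/UBSAN/CFI entries and the exact BUG/FAULT entries. The static dispatcher makes that ordering explicit; the commit message should either state that the new order matches the old effective order or explain why the immediates cannot overlap.
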
-- 
2.53.0

* [PATCH 6.18 024/315] net: netlink: dont set nsid on local notifications
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matteo Perin, Ilya Maximets,
	Nicolas Dichtel, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

[ Upstream commit 88b126b39f9757e9debc322d4679239e9af089c7 ]

In most cases, notifications on sockets with NETLINK_LISTEN_ALL_NSID
do not contain NSID in their ancillary data in case the event is local
to the listener.

However, when a self-referential NSID is allocated for a namespace,
every local notification starts sending this ID to the user space.

This is problematic, because the listener cannot tell if those
notifications are local or not anymore without making extra requests
to figure out if the provided NSID is local or not.  The listener
can also not figure out the local NSID beforehand as it can be
allocated at any point in time by other processes, changing the
structure of the future notifications for everyone.

The value is practically not useful, since it's the namespace's own
ID that the application has to obtain from other sources in order to
figure out if it's the same or not.  So, for the application it's
just an extra busy work with no benefits.  Moreover, applications
that do not know about this quirk may be mishandling notifications
with NSID set as notifications from remote namespaces.  This is the
case for ovs-vswitchd and the iproute2's 'ip monitor' that stops
printing 'current' and starts printing the nsid number mid-session.

Lack of clear documentation for this behavior is also not helping.

A search through open-source projects doesn't reveal any projects
that use NETNSA_NSID_NOT_ASSIGNED and rely on metadata to contain
self-referential NSIDs (expected, since the value is not useful).
Quite the opposite, as already mentioned, there are a few applications
that rely on NSID to not be present in local events.

Since the value is not useful and actively harmful in some cases,
let's not report it for local events, making the notifications more
consistent.

Also adding some blank lines for readability.

Fixes: 59324cf35aba ("netlink: allow to listen "all" netns")
Reported-by: Matteo Perin <matteo.perin@canonical.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-3-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 0e6dfd01d9b419..1d1b3bd54a916b 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1484,10 +1484,14 @@ static void do_one_broadcast(struct sock *sk,
 		p->skb2 = NULL;
 		goto out;
 	}
+
 	NETLINK_CB(p->skb2).nsid_is_set = false;
-	NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
-	if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
-		NETLINK_CB(p->skb2).nsid_is_set = true;
+	if (!net_eq(sock_net(sk), p->net)) {
+		NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
+		if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
+			NETLINK_CB(p->skb2).nsid_is_set = true;
+	}
+
 	val = netlink_broadcast_deliver(sk, p->skb2);
 	if (val < 0) {
 		netlink_overrun(sk);
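
Review bot: in the `net_eq()` case NETLINK_CB(p->skb2).nsid is now left untouched while nsid_is_set stays false. That is only safe if every consumer tests nsid_is_set before reading nsid, so please confirm the code that emits the NETLINK_LISTEN_ALL_NSID control message (not in this diff) does so. Separately, the two blank lines added around the block are cosmetic; in a Fixes-tagged patch headed for stable they would be cleaner in a follow-up so the backport stays minimal.
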
-- 
2.53.0

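The rule the commit message describes, that a notification without an NSID control message is local and one with it comes from a peer namespace, as an added example that is not part of this patch or of the kernel tree: a small C listener for NETLINK_LISTEN_ALL_NSID whose control-message parsing is split out so it can be exercised on a constructed buffer. The NSID_LOCAL sentinel, the helper names and the ten-event limit are this example's own choices; the socket option, the cmsg level/type and the rtnetlink group are the real uapi values.

```c
/*
 * Added example, not from this patch or the kernel tree: a minimal
 * NETLINK_LISTEN_ALL_NSID listener applying the rule the patch restores.
 * No NSID control message means the event is local to the listener's
 * netns; an NSID cmsg means it came from the peer netns with that id.
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#ifndef SOL_NETLINK
#define SOL_NETLINK 270	/* uapi value; not every libc header defines it */
#endif

/* Sentinel for "no NSID cmsg" (example's own convention). INT_MIN cannot
 * collide with a real id or with NETNSA_NSID_NOT_ASSIGNED (-1). */
#define NSID_LOCAL INT_MIN

/* Return the nsid carried in a SOL_NETLINK/NETLINK_LISTEN_ALL_NSID cmsg,
 * or NSID_LOCAL when the message carries none. */
int parse_nsid_cmsg(struct msghdr *msg)
{
	struct cmsghdr *cmsg;

	for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
		int nsid;

		if (cmsg->cmsg_level != SOL_NETLINK ||
		    cmsg->cmsg_type != NETLINK_LISTEN_ALL_NSID ||
		    cmsg->cmsg_len < CMSG_LEN(sizeof(nsid)))
			continue;
		memcpy(&nsid, CMSG_DATA(cmsg), sizeof(nsid));
		return nsid;
	}
	return NSID_LOCAL;
}

/* Offline round trip on constructed input: lay out one NSID cmsg exactly
 * as recvmsg() would and classify it. */
int classify_with_nsid(int nsid)
{
	unsigned char ctrl[CMSG_SPACE(sizeof(int))];
	struct msghdr msg;
	struct cmsghdr *cmsg;

	memset(ctrl, 0, sizeof(ctrl));
	memset(&msg, 0, sizeof(msg));
	msg.msg_control = ctrl;
	msg.msg_controllen = sizeof(ctrl);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_NETLINK;
	cmsg->cmsg_type = NETLINK_LISTEN_ALL_NSID;
	cmsg->cmsg_len = CMSG_LEN(sizeof(nsid));
	memcpy(CMSG_DATA(cmsg), &nsid, sizeof(nsid));
	return parse_nsid_cmsg(&msg);
}

/* A message with no control data at all: must classify as local. */
int classify_without_cmsg(void)
{
	struct msghdr msg;

	memset(&msg, 0, sizeof(msg));	/* msg_control NULL, msg_controllen 0 */
	return parse_nsid_cmsg(&msg);
}

/* Live use: link events from every netns, up to max_events. Setting
 * NETLINK_LISTEN_ALL_NSID needs CAP_NET_BROADCAST. Returns events seen, -1 on error. */
int run_monitor(int max_events)
{
	unsigned char buf[8192], ctrl[CMSG_SPACE(sizeof(int))];
	struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = RTMGRP_LINK };
	int fd, one = 1, seen = 0;

	fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
	if (fd < 0 ||
	    setsockopt(fd, SOL_NETLINK, NETLINK_LISTEN_ALL_NSID, &one, sizeof(one)) < 0 ||
	    bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
		perror("netlink setup");
		if (fd >= 0)
			close(fd);
		return -1;
	}
	while (seen < max_events) {
		struct iovec iov = { buf, sizeof(buf) };
		struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
				      .msg_control = ctrl, .msg_controllen = sizeof(ctrl) };
		ssize_t len = recvmsg(fd, &msg, 0);
		int nsid;

		if (len < 0) {
			perror("recvmsg");
			break;
		}
		nsid = parse_nsid_cmsg(&msg);
		if (nsid == NSID_LOCAL)
			printf("%zd-byte event from the current netns\n", len);
		else
			printf("%zd-byte event from peer netns nsid %d\n", len, nsid);
		seen++;
	}
	close(fd);
	return seen;
}

int main(void)
{
	return run_monitor(10) < 0 ? 1 : 0;
}
```

Run it as root and create or remove a veth pair in another namespace to see the two output forms. The point of the sentinel is the one the commit message makes: after this fix the absence of the cmsg is the only signal that an event is local, so a listener must not treat "no cmsg" as "nsid 0" or compare against an id it looked up earlier.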
* [PATCH 6.12 014/307] arm64: debug: call step handlers statically
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit 403b48aad5b3e857b8c2576ce6a421f3d23dd6a6 ]

Software stepping checks for the correct handler by iterating over a list
of dynamically registered handlers and calling all of them until one
handles the exception.

This is the only generic way to handle software stepping handlers in arm64
as the exception does not provide an immediate that could be checked,
contrary to software breakpoints.

However, the registration mechanism is not exported and has only
two current users: the KGDB stepping handler, and the uprobe single step
handler.
Given that one comes from user mode and the other from kernel mode, call
the appropriate one by checking the source EL of the exception.
Add a stand-in that returns DBG_HOOK_ERROR when the configuration
options are not enabled.

Remove `arch_init_uprobes()` as it is not useful anymore and is
specific to arm64.

Unify the naming of the handler to XXX_single_step_handler(), making it
clear they are related.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-5-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/kgdb.h      |  9 +++++++++
 arch/arm64/include/asm/uprobes.h   |  9 +++++++++
 arch/arm64/kernel/debug-monitors.c | 25 ++++++-------------------
 arch/arm64/kernel/kgdb.c           | 17 +++--------------
 arch/arm64/kernel/probes/uprobes.c | 15 +--------------
 5 files changed, 28 insertions(+), 47 deletions(-)

diff --git a/arch/arm64/include/asm/kgdb.h b/arch/arm64/include/asm/kgdb.h
index 82a76b2102fb61..3184f5d1e3ae49 100644
--- a/arch/arm64/include/asm/kgdb.h
+++ b/arch/arm64/include/asm/kgdb.h
@@ -26,6 +26,15 @@ extern int kgdb_fault_expected;
 
 int kgdb_brk_handler(struct pt_regs *regs, unsigned long esr);
 int kgdb_compiled_brk_handler(struct pt_regs *regs, unsigned long esr);
+#ifdef CONFIG_KGDB
+int kgdb_single_step_handler(struct pt_regs *regs, unsigned long esr);
+#else
+static inline int kgdb_single_step_handler(struct pt_regs *regs,
+	unsigned long esr)
+{
+	return DBG_HOOK_ERROR;
+}
+#endif
 
 #endif /* !__ASSEMBLY__ */
 
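
Review bot: kgdb_brk_handler() and kgdb_compiled_brk_handler() are declared unconditionally just above, while kgdb_single_step_handler() gets a `#ifdef CONFIG_KGDB` stub returning DBG_HOOK_ERROR. If the brk handlers are only referenced under an IS_ENABLED(CONFIG_KGDB) check at the call site, say so in the commit message; otherwise the asymmetry looks like an oversight. The stub also depends on DBG_HOOK_ERROR, so this header must pull in asm/debug-monitors.h directly or transitively, and its continuation line `unsigned long esr)` should be aligned with the opening parenthesis per kernel style.
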
diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h
index 3659a79a9f325f..89bfb0213a500c 100644
--- a/arch/arm64/include/asm/uprobes.h
+++ b/arch/arm64/include/asm/uprobes.h
@@ -29,5 +29,14 @@ struct arch_uprobe {
 };
 
 int uprobe_brk_handler(struct pt_regs *regs, unsigned long esr);
+#ifdef CONFIG_UPROBES
+int uprobe_single_step_handler(struct pt_regs *regs, unsigned long esr);
+#else
+static inline int uprobe_single_step_handler(struct pt_regs *regs,
+	unsigned long esr)
+{
+	return DBG_HOOK_ERROR;
+}
+#endif
 
 #endif
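
Review bot: same concerns as for the kgdb.h stub: uprobe_single_step_handler()'s `#else` stub uses DBG_HOOK_ERROR, so check that asm/debug-monitors.h is reachable from this header, align the `unsigned long esr)` continuation with the open parenthesis, and note that uprobe_brk_handler() just above stays declared unconditionally while the step handler is guarded by CONFIG_UPROBES.
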
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index 5e892448030005..f929b107840de6 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -200,30 +200,17 @@ void unregister_kernel_step_hook(struct step_hook *hook)
 }
 
 /*
- * Call registered single step handlers
+ * Call single step handlers
  * There is no Syndrome info to check for determining the handler.
- * So we call all the registered handlers, until the right handler is
- * found which returns zero.
+ * However, there is only one possible handler for user and kernel modes, so
+ * check and call the appropriate one.
  */
 static int call_step_hook(struct pt_regs *regs, unsigned long esr)
 {
-	struct step_hook *hook;
-	struct list_head *list;
-	int retval = DBG_HOOK_ERROR;
+	if (user_mode(regs))
+		return uprobe_single_step_handler(regs, esr);
 
-	list = user_mode(regs) ? &user_step_hook : &kernel_step_hook;
-
-	/*
-	 * Since single-step exception disables interrupt, this function is
-	 * entirely not preemptible, and we can use rcu list safely here.
-	 */
-	list_for_each_entry_rcu(hook, list, node)	{
-		retval = hook->fn(regs, esr);
-		if (retval == DBG_HOOK_HANDLED)
-			break;
-	}
-
-	return retval;
+	return kgdb_single_step_handler(regs, esr);
 }
 NOKPROBE_SYMBOL(call_step_hook);
 
diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c
index e3c9e6e11a318c..f8eaf6084c3d5a 100644
--- a/arch/arm64/kernel/kgdb.c
+++ b/arch/arm64/kernel/kgdb.c
@@ -250,7 +250,7 @@ int kgdb_compiled_brk_handler(struct pt_regs *regs, unsigned long esr)
 }
 NOKPROBE_SYMBOL(kgdb_compiled_brk_handler);
 
-static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned long esr)
+int kgdb_single_step_handler(struct pt_regs *regs, unsigned long esr)
 {
 	if (!kgdb_single_step)
 		return DBG_HOOK_ERROR;
@@ -258,11 +258,7 @@ static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned long esr)
 	kgdb_handle_exception(0, SIGTRAP, 0, regs);
 	return DBG_HOOK_HANDLED;
 }
-NOKPROBE_SYMBOL(kgdb_step_brk_fn);
-
-static struct step_hook kgdb_step_hook = {
-	.fn		= kgdb_step_brk_fn
-};
+NOKPROBE_SYMBOL(kgdb_single_step_handler);
 
 static int __kgdb_notify(struct die_args *args, unsigned long cmd)
 {
@@ -301,13 +297,7 @@ static struct notifier_block kgdb_notifier = {
  */
 int kgdb_arch_init(void)
 {
-	int ret = register_die_notifier(&kgdb_notifier);
-
-	if (ret != 0)
-		return ret;
-
-	register_kernel_step_hook(&kgdb_step_hook);
-	return 0;
+	return register_die_notifier(&kgdb_notifier);
 }
 
 /*
@@ -317,7 +307,6 @@ int kgdb_arch_init(void)
  */
 void kgdb_arch_exit(void)
 {
-	unregister_kernel_step_hook(&kgdb_step_hook);
 	unregister_die_notifier(&kgdb_notifier);
 }
 
diff --git a/arch/arm64/kernel/probes/uprobes.c b/arch/arm64/kernel/probes/uprobes.c
index fc1bd19c827e6f..6ae4396577d4a6 100644
--- a/arch/arm64/kernel/probes/uprobes.c
+++ b/arch/arm64/kernel/probes/uprobes.c
@@ -174,7 +174,7 @@ int uprobe_brk_handler(struct pt_regs *regs,
 	return DBG_HOOK_ERROR;
 }
 
-static int uprobe_single_step_handler(struct pt_regs *regs,
+int uprobe_single_step_handler(struct pt_regs *regs,
 				      unsigned long esr)
 {
 	struct uprobe_task *utask = current->utask;
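
Review bot: as with uprobe_brk_handler() in the previous patch, the continuation `unsigned long esr)` under `int uprobe_single_step_handler(struct pt_regs *regs,` is still indented for the old `static int` prefix and no longer aligns with the opening parenthesis; re-align it or put the prototype on one line.
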
@@ -186,16 +186,3 @@ static int uprobe_single_step_handler(struct pt_regs *regs,
 	return DBG_HOOK_ERROR;
 }
 
-/* uprobe single step handler hook */
-static struct step_hook uprobes_step_hook = {
-	.fn = uprobe_single_step_handler,
-};
-
-static int __init arch_init_uprobes(void)
-{
-	register_user_step_hook(&uprobes_step_hook);
-
-	return 0;
-}
-
-device_initcall(arch_init_uprobes);
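
Review bot: with arch_init_uprobes() and its device_initcall() gone, nothing visible in this file uses an initcall any more; check whether the include that provided device_initcall() is still needed and drop it here if not, so the cleanup is complete in one patch.
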
-- 
2.53.0

* [PATCH 6.18 025/315] net/smc: Do not re-initialize smc hashtables
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Halil Pasic, Alexandra Winter,
	Mahanta Jambigi, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandra Winter <wintera@linux.ibm.com>

[ Upstream commit 9e4389b0038781f19f97895186ed941ff8ac1678 ]

INIT_HLIST_HEAD(&smc_v*_hashinfo.ht) are called after smc_nl_init(),
proto_register() and sock_register(). This can lead to smc_v*_hashinfo.ht
being reset even though hash entries already exist and are being used,
possibly resulting in a corrupted list.

Remove unnecessary and dangerous re-initialisation of smc_v*_hashinfo.ht in
smc_init(); it is implicitly initialised to zero anyhow. Add
HLIST_HEAD_INIT to the definitions for clarity.

Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets")
Suggested-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
Link: https://patch.msgid.link/20260521145639.10317-1-wintera@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/smc/af_smc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 5915fcdef743d2..21d0c62bcf4644 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -188,10 +188,12 @@ static bool smc_hs_congested(const struct sock *sk)
 
 struct smc_hashinfo smc_v4_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(smc_v4_hashinfo.lock),
+	.ht = HLIST_HEAD_INIT,
 };
 
 struct smc_hashinfo smc_v6_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(smc_v6_hashinfo.lock),
+	.ht = HLIST_HEAD_INIT,
 };
 
 int smc_hash_sk(struct sock *sk)
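
Review bot: `.ht = HLIST_HEAD_INIT` is identical to the implicit zero-initialisation of these static objects, so this hunk is documentation rather than a behaviour change; that is fine, but the commit message already says so and the point is worth keeping explicit in the message so a stable reviewer does not look for a functional difference here.
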
@@ -3595,8 +3597,6 @@ static int __init smc_init(void)
 		pr_err("%s: sock_register fails with %d\n", __func__, rc);
 		goto out_proto6;
 	}
-	INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
-	INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
 
 	rc = smc_ib_register_client();
 	if (rc) {
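
Review bot: the removed INIT_HLIST_HEAD() calls ran after sock_register(), which is the point from which userspace can create AF_SMC sockets and have them hashed, so a socket hashed in that window was cut off from ht while its node still pointed back at the head; a later hash or unhash then writes through that stale pointer into the fresh list. Dropping the calls is the right fix and the Fixes tag is appropriate. One thing to verify is that no other path re-initialises smc_v4_hashinfo.ht / smc_v6_hashinfo.ht (for example per-netns setup), since the static definition is now the only initialisation.
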
-- 
2.53.0

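The corruption the commit message describes, a list head re-initialised after entries were already hashed on it, as an added example that is not part of this patch or of the kernel: a user-space model of the kernel's hlist with the same next/pprev layout as <linux/list.h>, re-implemented here rather than taken from the tree. The function names, the socket A/B scenario and the counting helper are this example's own constructions; the pointer manipulation follows the hlist semantics exactly.

```c
/*
 * Added example, not from this patch or the kernel tree: a user-space model
 * of the kernel hlist (same next/pprev layout as <linux/list.h>) showing why
 * running INIT_HLIST_HEAD() on a head that already has entries corrupts the
 * list. The orphaned node's pprev still points into the head, so its later
 * unhash overwrites whatever was hashed after the re-init.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct hlist_node {
	struct hlist_node *next, **pprev;
};

struct hlist_head {
	struct hlist_node *first;
};

#define HLIST_HEAD_INIT { .first = NULL }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	struct hlist_node *first = h->first;

	n->next = first;
	if (first)
		first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

static void hlist_del(struct hlist_node *n)
{
	struct hlist_node *next = n->next;
	struct hlist_node **pprev = n->pprev;

	*pprev = next;		/* writes through a stale pointer if n was orphaned */
	if (next)
		next->pprev = pprev;
}

static int hlist_count(const struct hlist_head *h)
{
	int n = 0;

	for (struct hlist_node *p = h->first; p; p = p->next)
		n++;
	return n;
}

/*
 * Models smc_init(): socket A is created and hashed by userspace right after
 * sock_register(); the removed INIT_HLIST_HEAD() then runs (or not); socket B
 * is hashed; socket A closes and unhashes. Returns how many sockets the hash
 * table still reaches. The correct answer is 1 (socket B).
 */
int sockets_reachable_after(bool reinit_after_first_hash)
{
	struct hlist_head ht = HLIST_HEAD_INIT;
	struct hlist_node sock_a, sock_b;

	hlist_add_head(&sock_a, &ht);
	if (reinit_after_first_hash)
		ht.first = NULL;	/* what INIT_HLIST_HEAD(&smc_v4_hashinfo.ht) did */
	hlist_add_head(&sock_b, &ht);
	hlist_del(&sock_a);		/* A's pprev still aims at ht.first */
	return hlist_count(&ht);
}

int main(void)
{
	printf("without re-init: %d reachable\n", sockets_reachable_after(false));
	printf("with re-init:    %d reachable\n", sockets_reachable_after(true));
	return 0;
}
```

With the re-init, socket A's unhash stores its (NULL) next pointer straight into ht.first, so socket B, which is still live and still believes it is hashed, silently disappears from the table; in the kernel the same stale write lands in a list that other CPUs are walking, which is the "corrupted list" the commit message refers to.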
* [PATCH 6.12 015/307] arm64: debug: remove break/step handler registration infrastructure
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Anshuman Khandual, Will Deacon,
	Mark Rutland, Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit d4e0b12620946a4011ad695490211fc38bf5cb42 ]

Remove all infrastructure for the dynamic registration previously used by
software breakpoints and stepping handlers.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-6-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/debug-monitors.h | 24 ----------
 arch/arm64/kernel/debug-monitors.c      | 63 -------------------------
 2 files changed, 87 deletions(-)

diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h
index 3eeea1c9f06664..5319da0f0ca4ea 100644
--- a/arch/arm64/include/asm/debug-monitors.h
+++ b/arch/arm64/include/asm/debug-monitors.h
@@ -62,30 +62,6 @@ struct task_struct;
 #define DBG_HOOK_HANDLED	0
 #define DBG_HOOK_ERROR		1
 
-struct step_hook {
-	struct list_head node;
-	int (*fn)(struct pt_regs *regs, unsigned long esr);
-};
-
-void register_user_step_hook(struct step_hook *hook);
-void unregister_user_step_hook(struct step_hook *hook);
-
-void register_kernel_step_hook(struct step_hook *hook);
-void unregister_kernel_step_hook(struct step_hook *hook);
-
-struct break_hook {
-	struct list_head node;
-	int (*fn)(struct pt_regs *regs, unsigned long esr);
-	u16 imm;
-	u16 mask; /* These bits are ignored when comparing with imm */
-};
-
-void register_user_break_hook(struct break_hook *hook);
-void unregister_user_break_hook(struct break_hook *hook);
-
-void register_kernel_break_hook(struct break_hook *hook);
-void unregister_kernel_break_hook(struct break_hook *hook);
-
 u8 debug_monitors_arch(void);
 
 enum dbg_active_el {
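
Review bot: the removed `mask` comment, "These bits are ignored when comparing with imm", was the only documentation of the masked-match semantics that the KASAN, UBSAN and CFI breakpoints rely on. Now that the matching is hard-coded in call_break_hook(), that sentence should move to a comment there or next to the esr_is_*_brk() helpers, otherwise the reason the immediates are compared through a mask is lost with this hunk.
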
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index f929b107840de6..a28482e25c4c31 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -159,46 +159,6 @@ NOKPROBE_SYMBOL(clear_user_regs_spsr_ss);
 #define set_regs_spsr_ss(r)	set_user_regs_spsr_ss(&(r)->user_regs)
 #define clear_regs_spsr_ss(r)	clear_user_regs_spsr_ss(&(r)->user_regs)
 
-static DEFINE_SPINLOCK(debug_hook_lock);
-static LIST_HEAD(user_step_hook);
-static LIST_HEAD(kernel_step_hook);
-
-static void register_debug_hook(struct list_head *node, struct list_head *list)
-{
-	spin_lock(&debug_hook_lock);
-	list_add_rcu(node, list);
-	spin_unlock(&debug_hook_lock);
-
-}
-
-static void unregister_debug_hook(struct list_head *node)
-{
-	spin_lock(&debug_hook_lock);
-	list_del_rcu(node);
-	spin_unlock(&debug_hook_lock);
-	synchronize_rcu();
-}
-
-void register_user_step_hook(struct step_hook *hook)
-{
-	register_debug_hook(&hook->node, &user_step_hook);
-}
-
-void unregister_user_step_hook(struct step_hook *hook)
-{
-	unregister_debug_hook(&hook->node);
-}
-
-void register_kernel_step_hook(struct step_hook *hook)
-{
-	register_debug_hook(&hook->node, &kernel_step_hook);
-}
-
-void unregister_kernel_step_hook(struct step_hook *hook)
-{
-	unregister_debug_hook(&hook->node);
-}
-
 /*
  * Call single step handlers
  * There is no Syndrome info to check for determining the handler.
@@ -264,29 +224,6 @@ static int single_step_handler(unsigned long unused, unsigned long esr,
 }
 NOKPROBE_SYMBOL(single_step_handler);
 
-static LIST_HEAD(user_break_hook);
-static LIST_HEAD(kernel_break_hook);
-
-void register_user_break_hook(struct break_hook *hook)
-{
-	register_debug_hook(&hook->node, &user_break_hook);
-}
-
-void unregister_user_break_hook(struct break_hook *hook)
-{
-	unregister_debug_hook(&hook->node);
-}
-
-void register_kernel_break_hook(struct break_hook *hook)
-{
-	register_debug_hook(&hook->node, &kernel_break_hook);
-}
-
-void unregister_kernel_break_hook(struct break_hook *hook)
-{
-	unregister_debug_hook(&hook->node);
-}
-
 static int call_break_hook(struct pt_regs *regs, unsigned long esr)
 {
 	if (user_mode(regs)) {
-- 
2.53.0

* [PATCH 6.18 026/315] net/iucv: fix locking in .getsockopt
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stanislav Fomichev, Breno Leitao,
	Alexandra Winter, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

[ Upstream commit 3589d20a666caf30ad100c960a2de7de390fce88 ]

Mirror iucv_sock_setsockopt() and wrap the whole switch in
lock_sock()/release_sock(). The pre-existing SO_MSGLIMIT-only lock
becomes redundant and is removed.

Any AF_IUCV HIPER user can potentially crash the kernel by racing
recvmsg() with getsockopt(SO_MSGSIZE): the SO_MSGSIZE arm dereferences
iucv->hs_dev->mtu after iucv_sock_close() (called from the racing
recvmsg()) has set hs_dev to NULL, producing a NULL pointer dereference
oops.

Suggested-by: Stanislav Fomichev <sdf.kernel@gmail.com>
Fixes: 51363b8751a6 ("af_iucv: allow retrieval of maximum message size")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Tested-by: Alexandra Winter <wintera@linux.ibm.com>
Link: https://patch.msgid.link/20260521-af_iucv_fix2-v1-1-f16b1c510aa9@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/iucv/af_iucv.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 6c717a7ef29283..c66b90c912e78e 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -1538,7 +1538,7 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
 	struct sock *sk = sock->sk;
 	struct iucv_sock *iucv = iucv_sk(sk);
 	unsigned int val;
-	int len;
+	int len, rc;
 
 	if (level != SOL_IUCV)
 		return -ENOPROTOOPT;
@@ -1551,26 +1551,34 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
 
 	len = min_t(unsigned int, len, sizeof(int));
 
+	rc = 0;
+
+	lock_sock(sk);
 	switch (optname) {
 	case SO_IPRMDATA_MSG:
 		val = (iucv->flags & IUCV_IPRMDATA) ? 1 : 0;
 		break;
 	case SO_MSGLIMIT:
-		lock_sock(sk);
 		val = (iucv->path != NULL) ? iucv->path->msglim	/* connected */
 					   : iucv->msglimit;	/* default */
-		release_sock(sk);
 		break;
 	case SO_MSGSIZE:
-		if (sk->sk_state == IUCV_OPEN)
-			return -EBADFD;
+		if (sk->sk_state == IUCV_OPEN) {
+			rc = -EBADFD;
+			break;
+		}
 		val = (iucv->hs_dev) ? iucv->hs_dev->mtu -
 				sizeof(struct af_iucv_trans_hdr) - ETH_HLEN :
 				0x7fffffff;
 		break;
 	default:
-		return -ENOPROTOOPT;
+		rc = -ENOPROTOOPT;
+		break;
 	}
+	release_sock(sk);
+
+	if (rc)
+		return rc;
 
 	if (put_user(len, optlen))
 		return -EFAULT;
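
Review bot: `rc = 0;` as a separate statement at the top of the hunk would be tidier as an initialiser in the declaration changed above (`int len, rc = 0;`). Substantively, the fix depends on the SO_MSGSIZE arm's `iucv->hs_dev` check and the `iucv->hs_dev->mtu` dereference now running under lock_sock(sk); that only closes the race described in the commit message if iucv_sock_close() clears hs_dev with the socket lock held, which the message implies but the diff cannot show, so state it explicitly. The conversion of `return -EBADFD` and `return -ENOPROTOOPT` into `rc = ...; break;` is the right shape, since it guarantees release_sock() on every path.
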
-- 
2.53.0

* [PATCH 6.12 016/307] arm64: entry: Add entry and exit functions for debug exceptions
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Anshuman Khandual, Will Deacon,
	Mark Rutland, Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit eaff68b3286116d499a3d4e513a36d772faba587 ]

Move the `debug_exception_enter()` and `debug_exception_exit()`
functions from mm/fault.c, as they are needed to split
the debug exceptions entry paths from the current unified one.

Make them externally visible in include/asm/exception.h until
the caller in mm/fault.c is cleaned up.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-7-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/exception.h |  4 ++++
 arch/arm64/kernel/entry-common.c   | 22 ++++++++++++++++++++++
 arch/arm64/mm/fault.c              | 22 ----------------------
 3 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index f296662590c7f8..b1d6a65f6d2256 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -77,4 +77,8 @@ void do_serror(struct pt_regs *regs, unsigned long esr);
 void do_signal(struct pt_regs *regs);
 
 void __noreturn panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigned long far);
+
+void debug_exception_enter(struct pt_regs *regs);
+void debug_exception_exit(struct pt_regs *regs);
+
 #endif	/* __ASM_EXCEPTION_H */
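Review bot: the two prototypes are declared unconditionally while their definitions move into entry-common.c; since they now form an enter/exit pair callable from several entry paths, a short comment in the header stating that every debug_exception_enter() must be balanced by a debug_exception_exit() on the same path (no early return in between, otherwise preemption stays disabled) would document the contract the new callers have to honour.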
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index d23315ef7b679b..2e04e04aaf2ad6 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -441,6 +441,28 @@ static __always_inline void fpsimd_syscall_exit(void)
 	__this_cpu_write(fpsimd_last_state.to_save, FP_STATE_CURRENT);
 }
 
+/*
+ * In debug exception context, we explicitly disable preemption despite
+ * having interrupts disabled.
+ * This serves two purposes: it makes it much less likely that we would
+ * accidentally schedule in exception context and it will force a warning
+ * if we somehow manage to schedule by accident.
+ */
+void debug_exception_enter(struct pt_regs *regs)
+{
+	preempt_disable();
+
+	/* This code is a bit fragile.  Test it. */
+	RCU_LOCKDEP_WARN(!rcu_is_watching(), "exception_enter didn't work");
+}
+NOKPROBE_SYMBOL(debug_exception_enter);
+
+void debug_exception_exit(struct pt_regs *regs)
+{
+	preempt_enable_no_resched();
+}
+NOKPROBE_SYMBOL(debug_exception_exit);
+
 UNHANDLED(el1t, 64, sync)
 UNHANDLED(el1t, 64, irq)
 UNHANDLED(el1t, 64, fiq)
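Review bot: the RCU_LOCKDEP_WARN string "exception_enter didn't work" names a helper that does not exist on arm64's entry paths, so a lockdep splat would point readers at the wrong function; as the block is moved verbatim this can be a follow-up, but renaming it to mention debug_exception_enter() or the arm64_enter_el1_dbg()/enter_from_user_mode() caller would make the warning actionable. Keeping preempt_enable_no_resched() in debug_exception_exit() is correct: a reschedule from debug exception context is exactly what the comment above warns against, so a plain preempt_enable() would be wrong here.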
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 2d1ebc0c3437f2..7c87d2b3b06eaa 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -939,28 +939,6 @@ void __init hook_debug_fault_code(int nr,
 	debug_fault_info[nr].name	= name;
 }
 
-/*
- * In debug exception context, we explicitly disable preemption despite
- * having interrupts disabled.
- * This serves two purposes: it makes it much less likely that we would
- * accidentally schedule in exception context and it will force a warning
- * if we somehow manage to schedule by accident.
- */
-static void debug_exception_enter(struct pt_regs *regs)
-{
-	preempt_disable();
-
-	/* This code is a bit fragile.  Test it. */
-	RCU_LOCKDEP_WARN(!rcu_is_watching(), "exception_enter didn't work");
-}
-NOKPROBE_SYMBOL(debug_exception_enter);
-
-static void debug_exception_exit(struct pt_regs *regs)
-{
-	preempt_enable_no_resched();
-}
-NOKPROBE_SYMBOL(debug_exception_exit);
-
 void do_debug_exception(unsigned long addr_if_watchpoint, unsigned long esr,
 			struct pt_regs *regs)
 {
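Review bot: with the static definitions gone, the remaining caller do_debug_exception() in this file relies on the prototypes added to asm/exception.h; that header already declares do_debug_exception() itself, so fault.c must already include it, but the hunk does not show the include, and a build with CONFIG_HAVE_HW_BREAKPOINT both enabled and disabled would confirm nothing else in mm/fault.c referenced the removed symbols.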
-- 
2.53.0





* [PATCH 6.18 027/315] scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Jeffery, Bart Van Assche,
	Martin K. Petersen, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Jeffery <djeffery@redhat.com>

[ Upstream commit 7205b58702273baf21d6ba7992e6ba15852325f7 ]

While a SCSI host is in a recovery state, scsi_mq_requeue_cmd() will not
set the requeue list for a requeued command to be kicked in the future.
The expectation is a call to scsi_run_host_queues() will kick all SCSI
devices once the recovery state is cleared.

However, scsi_run_host_queues() uses shost_for_each_device() which uses
scsi_device_get() and so will ignore devices in a partially removed
state like SDEV_CANCEL. But these devices may also have requeued
requests, leaving their requests stuck from not being kicked and causing
the removal process of the device to hang.

scsi_run_host_queues() needs to run against more devices than the macro
shost_for_each_device() allows. Instead of using the too limiting
scsi_device_get() state checks, only ignore devices in SDEV_DEL state or
when unable to acquire a reference. Attempt to run the queues for all
other devices when scsi_run_host_queues() is called.

Fixes: 8b566edbdbfb ("scsi: core: Only kick the requeue list if necessary")
Signed-off-by: David Jeffery <djeffery@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260515180941.9698-1-djeffery@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/scsi_lib.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 7ddb73cd6d9fe5..3f7ba6d3987f15 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -572,10 +572,33 @@ void scsi_requeue_run_queue(struct work_struct *work)
 
 void scsi_run_host_queues(struct Scsi_Host *shost)
 {
-	struct scsi_device *sdev;
+	struct scsi_device *sdev, *prev = NULL;
+	unsigned long flags;
 
-	shost_for_each_device(sdev, shost)
+	spin_lock_irqsave(shost->host_lock, flags);
+	__shost_for_each_device(sdev, shost) {
+		/*
+		 * Only skip devices so deep into removal they will never need
+		 * another kick to their queues. Thus scsi_device_get() cannot
+		 * be used as it would skip devices in SDEV_CANCEL state which
+		 * may need a queue kick.
+		 */
+		if (sdev->sdev_state == SDEV_DEL ||
+		    !get_device(&sdev->sdev_gendev))
+			continue;
+		spin_unlock_irqrestore(shost->host_lock, flags);
+
+		if (prev)
+			put_device(&prev->sdev_gendev);
 		scsi_run_queue(sdev->request_queue);
+
+		prev = sdev;
+
+		spin_lock_irqsave(shost->host_lock, flags);
+	}
+	spin_unlock_irqrestore(shost->host_lock, flags);
+	if (prev)
+		put_device(&prev->sdev_gendev);
 }
 
 static void scsi_uninit_cmd(struct scsi_cmnd *cmd)
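Review bot: the `prev` bookkeeping deserves a comment next to `prev = sdev;`: the reference taken with get_device() is held not only across scsi_run_queue() but until the loop has re-acquired host_lock and advanced to the next entry, because __shost_for_each_device() continues from sdev's position in the host list and the device is only unlinked from that list on its final put; releasing the reference right after scsi_run_queue() would let the iterator walk a freed entry. It is also worth stating that sdev_state is sampled only under host_lock, so a device can reach SDEV_DEL between the unlock and scsi_run_queue(); that is tolerable because the held reference keeps sdev->request_queue valid, but the comment above the SDEV_DEL check currently explains only why SDEV_CANCEL is not skipped.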
-- 
2.53.0





* [PATCH 6.12 017/307] arm64: debug: split hardware breakpoint exception entry
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit 43e2ae77fcab8a01101a2e5da528b5222b338e5f ]

Currently all debug exceptions share common entry code and are routed
to `do_debug_exception()`, which calls dynamically-registered
handlers for each specific debug exception. This is unfortunate as
different debug exceptions have different entry handling requirements,
and it would be better to handle these distinct requirements earlier.

Hardware breakpoint exceptions are generated by the hardware after user
configuration. As such, they can be exploited when training branch
predictors outside of the userspace VA range: they still need to call
`arm64_apply_bp_hardening()` if needed to mitigate against this attack.

However, they do not need to handle the Cortex-A76 erratum #1463225 as
it only applies to single stepping exceptions.
It does not set an address in FAR_EL1 either, only the hardware
watchpoint does.

As the hardware breakpoint handler only returns 0 and never triggers
the call to `arm64_notify_die()`, we can call it directly from
`entry-common.c`.
Split the hardware breakpoint exception entry, adjust
the function signature and the handling of the Cortex-A76 erratum to fit
the behaviour of the exception.

Move the call to `arm64_apply_bp_hardening()` to `entry-common.c` so that
we can do it as early as possible, and only for the exceptions coming
from EL0, where it is needed.
This is safe to do as it is `noinstr`, as are all the functions it
may call. `el0_ia()` and `el0_pc()` already call it this way.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-8-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/exception.h |  5 +++++
 arch/arm64/kernel/entry-common.c   | 28 ++++++++++++++++++++++++++++
 arch/arm64/kernel/hw_breakpoint.c  | 16 ++++++----------
 3 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index b1d6a65f6d2256..94f46e96515160 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -59,6 +59,11 @@ void do_el0_bti(struct pt_regs *regs);
 void do_el1_bti(struct pt_regs *regs, unsigned long esr);
 void do_debug_exception(unsigned long addr_if_watchpoint, unsigned long esr,
 			struct pt_regs *regs);
+#ifdef CONFIG_HAVE_HW_BREAKPOINT
+void do_breakpoint(unsigned long esr, struct pt_regs *regs);
+#else
+static inline void do_breakpoint(unsigned long esr, struct pt_regs *regs) {}
+#endif /* CONFIG_HAVE_HW_BREAKPOINT */
 void do_fpsimd_acc(unsigned long esr, struct pt_regs *regs);
 void do_sve_acc(unsigned long esr, struct pt_regs *regs);
 void do_sme_acc(unsigned long esr, struct pt_regs *regs);
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index 2e04e04aaf2ad6..af0d7575dcfd92 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -508,6 +508,15 @@ static void noinstr el1_bti(struct pt_regs *regs, unsigned long esr)
 	exit_to_kernel_mode(regs);
 }
 
+static void noinstr el1_breakpt(struct pt_regs *regs, unsigned long esr)
+{
+	arm64_enter_el1_dbg(regs);
+	debug_exception_enter(regs);
+	do_breakpoint(esr, regs);
+	debug_exception_exit(regs);
+	arm64_exit_el1_dbg(regs);
+}
+
 static void noinstr el1_dbg(struct pt_regs *regs, unsigned long esr)
 {
 	unsigned long far = read_sysreg(far_el1);
@@ -551,6 +560,8 @@ asmlinkage void noinstr el1h_64_sync_handler(struct pt_regs *regs)
 		el1_bti(regs, esr);
 		break;
 	case ESR_ELx_EC_BREAKPT_CUR:
+		el1_breakpt(regs, esr);
+		break;
 	case ESR_ELx_EC_SOFTSTP_CUR:
 	case ESR_ELx_EC_WATCHPT_CUR:
 	case ESR_ELx_EC_BRK64:
@@ -737,6 +748,19 @@ static void noinstr el0_inv(struct pt_regs *regs, unsigned long esr)
 	exit_to_user_mode(regs);
 }
 
+static void noinstr el0_breakpt(struct pt_regs *regs, unsigned long esr)
+{
+	if (!is_ttbr0_addr(regs->pc))
+		arm64_apply_bp_hardening();
+
+	enter_from_user_mode(regs);
+	debug_exception_enter(regs);
+	do_breakpoint(esr, regs);
+	debug_exception_exit(regs);
+	local_daif_restore(DAIF_PROCCTX);
+	exit_to_user_mode(regs);
+}
+
 static void noinstr el0_dbg(struct pt_regs *regs, unsigned long esr)
 {
 	/* Only watchpoints write FAR_EL1, otherwise its UNKNOWN */
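Review bot: the `is_ttbr0_addr(regs->pc)` test followed by arm64_apply_bp_hardening() runs before enter_from_user_mode(regs), i.e. ahead of the usual entry accounting; that matches el0_ia()/el0_pc() and the commit message explains why it is noinstr-safe, but a one-line comment in el0_breakpt() saying the hardening is deliberately applied first, and only when the breakpoint PC lies outside the TTBR0 (user) range, would stop a later cleanup from moving it after enter_from_user_mode(). The local_daif_restore(DAIF_PROCCTX) between debug_exception_exit() and exit_to_user_mode() is likewise required rather than cosmetic: debug exceptions arrive with interrupts masked and the return-to-user work expects them unmasked, which is the same sequence el0_dbg() uses.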
@@ -813,6 +837,8 @@ asmlinkage void noinstr el0t_64_sync_handler(struct pt_regs *regs)
 		el0_mops(regs, esr);
 		break;
 	case ESR_ELx_EC_BREAKPT_LOW:
+		el0_breakpt(regs, esr);
+		break;
 	case ESR_ELx_EC_SOFTSTP_LOW:
 	case ESR_ELx_EC_WATCHPT_LOW:
 	case ESR_ELx_EC_BRK64:
@@ -933,6 +959,8 @@ asmlinkage void noinstr el0t_32_sync_handler(struct pt_regs *regs)
 		el0_cp15(regs, esr);
 		break;
 	case ESR_ELx_EC_BREAKPT_LOW:
+		el0_breakpt(regs, esr);
+		break;
 	case ESR_ELx_EC_SOFTSTP_LOW:
 	case ESR_ELx_EC_WATCHPT_LOW:
 	case ESR_ELx_EC_BKPT32:
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index 722ac45f9f7b16..d7eede5d869c2b 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -22,6 +22,7 @@
 #include <asm/current.h>
 #include <asm/debug-monitors.h>
 #include <asm/esr.h>
+#include <asm/exception.h>
 #include <asm/hw_breakpoint.h>
 #include <asm/traps.h>
 #include <asm/cputype.h>
@@ -618,8 +619,7 @@ NOKPROBE_SYMBOL(toggle_bp_registers);
 /*
  * Debug exception handlers.
  */
-static int breakpoint_handler(unsigned long unused, unsigned long esr,
-			      struct pt_regs *regs)
+void do_breakpoint(unsigned long esr, struct pt_regs *regs)
 {
 	int i, step = 0, *kernel_step;
 	u32 ctrl_reg;
@@ -662,7 +662,7 @@ static int breakpoint_handler(unsigned long unused, unsigned long esr,
 	}
 
 	if (!step)
-		return 0;
+		return;
 
 	if (user_mode(regs)) {
 		debug_info->bps_disabled = 1;
@@ -670,7 +670,7 @@ static int breakpoint_handler(unsigned long unused, unsigned long esr,
 
 		/* If we're already stepping a watchpoint, just return. */
 		if (debug_info->wps_disabled)
-			return 0;
+			return;
 
 		if (test_thread_flag(TIF_SINGLESTEP))
 			debug_info->suspended_step = 1;
@@ -681,7 +681,7 @@ static int breakpoint_handler(unsigned long unused, unsigned long esr,
 		kernel_step = this_cpu_ptr(&stepping_kernel_bp);
 
 		if (*kernel_step != ARM_KERNEL_STEP_NONE)
-			return 0;
+			return;
 
 		if (kernel_active_single_step()) {
 			*kernel_step = ARM_KERNEL_STEP_SUSPEND;
@@ -690,10 +690,8 @@ static int breakpoint_handler(unsigned long unused, unsigned long esr,
 			kernel_enable_single_step(regs);
 		}
 	}
-
-	return 0;
 }
-NOKPROBE_SYMBOL(breakpoint_handler);
+NOKPROBE_SYMBOL(do_breakpoint);
 
 /*
  * Arm64 hardware does not always report a watchpoint hit address that matches
@@ -988,8 +986,6 @@ static int __init arch_hw_breakpoint_init(void)
 		core_num_brps, core_num_wrps);
 
 	/* Register debug fault handlers. */
-	hook_debug_fault_code(DBG_ESR_EVT_HWBP, breakpoint_handler, SIGTRAP,
-			      TRAP_HWBKPT, "hw-breakpoint handler");
 	hook_debug_fault_code(DBG_ESR_EVT_HWWP, watchpoint_handler, SIGTRAP,
 			      TRAP_HWBKPT, "hw-watchpoint handler");
 
-- 
2.53.0





* [PATCH 6.12 018/307] arm64: debug: refactor reinstall_suspended_bps()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Anshuman Khandual, Will Deacon,
	Mark Rutland, Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit 80691d35523de3292b64c2ffa444aab3d55e51ba ]

`reinstall_suspended_bps()` plays a key part in the stepping process
when we have hardware breakpoints and watchpoints enabled.
It checks if we need to step one, will re-enable it if it has
been handled and will return whether or not we need to proceed with
a single-step.

However, the current naming and return values make it harder to understand
the logic and goal of the function.

Rename it `try_step_suspended_breakpoints()` and change the return value
to a boolean, aligning it with similar functions used in
`do_el0_undef()` like `try_emulate_mrs()`, and making its behaviour
more obvious.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-9-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/debug-monitors.h |  6 +++---
 arch/arm64/kernel/debug-monitors.c      |  2 +-
 arch/arm64/kernel/hw_breakpoint.c       | 25 ++++++++++++-------------
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h
index 5319da0f0ca4ea..24c7981abeb0b9 100644
--- a/arch/arm64/include/asm/debug-monitors.h
+++ b/arch/arm64/include/asm/debug-monitors.h
@@ -83,11 +83,11 @@ int kernel_active_single_step(void);
 void kernel_rewind_single_step(struct pt_regs *regs);
 
 #ifdef CONFIG_HAVE_HW_BREAKPOINT
-int reinstall_suspended_bps(struct pt_regs *regs);
+bool try_step_suspended_breakpoints(struct pt_regs *regs);
 #else
-static inline int reinstall_suspended_bps(struct pt_regs *regs)
+static inline bool try_step_suspended_breakpoints(struct pt_regs *regs)
 {
-	return -ENODEV;
+	return false;
 }
 #endif
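Review bot: the !CONFIG_HAVE_HW_BREAKPOINT stub changes from returning -ENODEV to returning false, and this preserves the caller's behaviour even though the value flips from non-zero to zero: previously `!reinstall_suspended_bps(regs)` was false for -ENODEV so step handling continued, and now `try_step_suspended_breakpoints(regs)` is false so it continues as well; the commit message could state this equivalence explicitly so the stub change is not read as a logic change.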
 
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index a28482e25c4c31..b95a135ef10a99 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -195,7 +195,7 @@ static int single_step_handler(unsigned long unused, unsigned long esr,
 	 * If we are stepping a pending breakpoint, call the hw_breakpoint
 	 * handler first.
 	 */
-	if (!reinstall_suspended_bps(regs))
+	if (try_step_suspended_breakpoints(regs))
 		return 0;
 
 	if (call_step_hook(regs, esr) == DBG_HOOK_HANDLED)
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index d7eede5d869c2b..309ae24d454805 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -847,36 +847,35 @@ NOKPROBE_SYMBOL(watchpoint_handler);
 /*
  * Handle single-step exception.
  */
-int reinstall_suspended_bps(struct pt_regs *regs)
+bool try_step_suspended_breakpoints(struct pt_regs *regs)
 {
 	struct debug_info *debug_info = &current->thread.debug;
-	int handled_exception = 0, *kernel_step;
-
-	kernel_step = this_cpu_ptr(&stepping_kernel_bp);
+	int *kernel_step = this_cpu_ptr(&stepping_kernel_bp);
+	bool handled_exception = false;
 
 	/*
 	 * Called from single-step exception handler.
-	 * Return 0 if execution can resume, 1 if a SIGTRAP should be
-	 * reported.
+	 * Return true if we stepped a breakpoint and can resume execution,
+	 * false if we need to handle a single-step.
 	 */
 	if (user_mode(regs)) {
 		if (debug_info->bps_disabled) {
 			debug_info->bps_disabled = 0;
 			toggle_bp_registers(AARCH64_DBG_REG_BCR, DBG_ACTIVE_EL0, 1);
-			handled_exception = 1;
+			handled_exception = true;
 		}
 
 		if (debug_info->wps_disabled) {
 			debug_info->wps_disabled = 0;
 			toggle_bp_registers(AARCH64_DBG_REG_WCR, DBG_ACTIVE_EL0, 1);
-			handled_exception = 1;
+			handled_exception = true;
 		}
 
 		if (handled_exception) {
 			if (debug_info->suspended_step) {
 				debug_info->suspended_step = 0;
 				/* Allow exception handling to fall-through. */
-				handled_exception = 0;
+				handled_exception = false;
 			} else {
 				user_disable_single_step(current);
 			}
@@ -890,17 +889,17 @@ int reinstall_suspended_bps(struct pt_regs *regs)
 
 		if (*kernel_step != ARM_KERNEL_STEP_SUSPEND) {
 			kernel_disable_single_step();
-			handled_exception = 1;
+			handled_exception = true;
 		} else {
-			handled_exception = 0;
+			handled_exception = false;
 		}
 
 		*kernel_step = ARM_KERNEL_STEP_NONE;
 	}
 
-	return !handled_exception;
+	return handled_exception;
 }
-NOKPROBE_SYMBOL(reinstall_suspended_bps);
+NOKPROBE_SYMBOL(try_step_suspended_breakpoints);
 
 /*
  * Context-switcher for restoring suspended breakpoints.
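Review bot: `return handled_exception;` together with the rewritten header comment (true when a breakpoint was stepped and execution can resume) is the other half of the inversion at the caller in debug-monitors.c, where `if (!reinstall_suspended_bps(regs))` became `if (try_step_suspended_breakpoints(regs))`; the old function returned `!handled_exception`, so the two negations cancel and the net behaviour is identical. A one-line remark in the commit message that no behaviour changes would help stable reviewers who see only the dropped `!`.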
-- 
2.53.0





* [PATCH 6.18 028/315] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jian Zhou, Eric Dumazet, Cong Wang,
	Jason Xing, Jiayuan Chen, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 87a1e0fe7776da7ab411be332b4be58ac8840d10 ]

ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
too soon.

Only after unregister_net_sysctl_table() can we be sure no threads can possibly
use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.

Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260521122147.3584624-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/sysctl_net_ipv4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 0f1dd75dbf37bf..ce9b077343cac2 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -1669,10 +1669,10 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
 {
 	const struct ctl_table *table;
 
-	kfree(net->ipv4.sysctl_local_reserved_ports);
 	table = net->ipv4.ipv4_hdr->ctl_table_arg;
 	unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
 	kfree(table);
+	kfree(net->ipv4.sysctl_local_reserved_ports);
 }
 
 static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
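Review bot: the reordering is correct: unregister_net_sysctl_table() is the point after which no proc handler can still be running, and the freed bitmap backs the ip_local_reserved_ports handler, so freeing it before the unregister left a window in which a concurrent read or write of /proc/sys/net/ipv4/ip_local_reserved_ports could dereference freed memory. The function already applied this rule to `table` (freed only after unregister), so the new order simply makes sysctl_local_reserved_ports follow the same pattern, and the Fixes: tag pointing at the commit that introduced the per-netns allocation is the right anchor for backport selection.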
-- 
2.53.0





* [PATCH 6.12 019/307] arm64: debug: split single stepping exception entry
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit 0ac7584c08ceff13fc1e3082a0104548688d6b00 ]

Currently all debug exceptions share common entry code and are routed
to `do_debug_exception()`, which calls dynamically-registered
handlers for each specific debug exception. This is unfortunate as
different debug exceptions have different entry handling requirements,
and it would be better to handle these distinct requirements earlier.

The single stepping exception has the most constraints: it can be
exploited to train branch predictors and it needs special handling at EL1
for the Cortex-A76 erratum #1463225. We need to conserve all those
mitigations.
However, it does not write an address at FAR_EL1, as only hardware
watchpoints do so.

The single-step handler does its own signaling if it needs to and only
returns 0, so we can call it directly from `entry-common.c`.

Split the single stepping exception entry, adjust the function signature,
keep the security mitigation and erratum handling.
Further, as the EL0 and EL1 code paths are cleanly separated, we can split
`do_softstep()` into `do_el0_softstep()` and `do_el1_softstep()` and
call them directly from the relevant entry paths.
We can also remove `NOKPROBE_SYMBOL` for the EL0 path, as it cannot
lead to a kprobe recursion.

Move the call to `arm64_apply_bp_hardening()` to `entry-common.c` so that
we can do it as early as possible, and only for the exceptions coming
from EL0, where it is needed.
This is safe to do as it is `noinstr`, as are all the functions it
may call. `el0_ia()` and `el0_pc()` already call it this way.

When taking a soft-step exception from EL0, most of the single stepping
handling is safely preemptible: the only possible handler is
`uprobe_single_step_handler()`. It only operates on task-local data and
properly checks its validity, then raises a Thread Information Flag,
processed before returning to userspace in `do_notify_resume()`, which
is already preemptible.
However, the soft-step handler first calls `reinstall_suspended_bps()`
to check if there is any hardware breakpoint or watchpoint pending
or already stepped through.
This cannot be preempted as it manipulates the hardware breakpoint and
watchpoint registers.

Move the call to `try_step_suspended_breakpoints()` to `entry-common.c`
and adjust the relevant comments.
We can now safely unmask interrupts before handling the step itself,
fixing a PREEMPT_RT issue where the handler could call a sleeping function
with preemption disabled.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Closes: https://lore.kernel.org/linux-arm-kernel/Z6YW_Kx4S2tmj2BP@uudg.org/
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-10-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/exception.h |  2 +
 arch/arm64/kernel/debug-monitors.c | 73 +++++++++++-------------------
 arch/arm64/kernel/entry-common.c   | 43 ++++++++++++++++++
 arch/arm64/kernel/hw_breakpoint.c  |  2 +-
 4 files changed, 73 insertions(+), 47 deletions(-)

diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index 94f46e96515160..6d40efc28be401 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -64,6 +64,8 @@ void do_breakpoint(unsigned long esr, struct pt_regs *regs);
 #else
 static inline void do_breakpoint(unsigned long esr, struct pt_regs *regs) {}
 #endif /* CONFIG_HAVE_HW_BREAKPOINT */
+void do_el0_softstep(unsigned long esr, struct pt_regs *regs);
+void do_el1_softstep(unsigned long esr, struct pt_regs *regs);
 void do_fpsimd_acc(unsigned long esr, struct pt_regs *regs);
 void do_sve_acc(unsigned long esr, struct pt_regs *regs);
 void do_sme_acc(unsigned long esr, struct pt_regs *regs);
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index b95a135ef10a99..10d2bc51a32f7c 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -21,6 +21,7 @@
 #include <asm/cputype.h>
 #include <asm/daifflags.h>
 #include <asm/debug-monitors.h>
+#include <asm/exception.h>
 #include <asm/kgdb.h>
 #include <asm/kprobes.h>
 #include <asm/system_misc.h>
@@ -159,21 +160,6 @@ NOKPROBE_SYMBOL(clear_user_regs_spsr_ss);
 #define set_regs_spsr_ss(r)	set_user_regs_spsr_ss(&(r)->user_regs)
 #define clear_regs_spsr_ss(r)	clear_user_regs_spsr_ss(&(r)->user_regs)
 
-/*
- * Call single step handlers
- * There is no Syndrome info to check for determining the handler.
- * However, there is only one possible handler for user and kernel modes, so
- * check and call the appropriate one.
- */
-static int call_step_hook(struct pt_regs *regs, unsigned long esr)
-{
-	if (user_mode(regs))
-		return uprobe_single_step_handler(regs, esr);
-
-	return kgdb_single_step_handler(regs, esr);
-}
-NOKPROBE_SYMBOL(call_step_hook);
-
 static void send_user_sigtrap(int si_code)
 {
 	struct pt_regs *regs = current_pt_regs();
@@ -188,41 +174,38 @@ static void send_user_sigtrap(int si_code)
 			      "User debug trap");
 }
 
-static int single_step_handler(unsigned long unused, unsigned long esr,
-			       struct pt_regs *regs)
+/*
+ * We have already unmasked interrupts and enabled preemption
+ * when calling do_el0_softstep() from entry-common.c.
+ */
+void do_el0_softstep(unsigned long esr, struct pt_regs *regs)
 {
+	if (uprobe_single_step_handler(regs, esr) == DBG_HOOK_HANDLED)
+		return;
+
+	send_user_sigtrap(TRAP_TRACE);
 	/*
-	 * If we are stepping a pending breakpoint, call the hw_breakpoint
-	 * handler first.
+	 * ptrace will disable single step unless explicitly
+	 * asked to re-enable it. For other clients, it makes
+	 * sense to leave it enabled (i.e. rewind the controls
+	 * to the active-not-pending state).
 	 */
-	if (try_step_suspended_breakpoints(regs))
-		return 0;
-
-	if (call_step_hook(regs, esr) == DBG_HOOK_HANDLED)
-		return 0;
+	user_rewind_single_step(current);
+}
 
-	if (user_mode(regs)) {
-		send_user_sigtrap(TRAP_TRACE);
-
-		/*
-		 * ptrace will disable single step unless explicitly
-		 * asked to re-enable it. For other clients, it makes
-		 * sense to leave it enabled (i.e. rewind the controls
-		 * to the active-not-pending state).
-		 */
-		user_rewind_single_step(current);
-	} else {
-		pr_warn("Unexpected kernel single-step exception at EL1\n");
-		/*
-		 * Re-enable stepping since we know that we will be
-		 * returning to regs.
-		 */
-		set_regs_spsr_ss(regs);
-	}
+void do_el1_softstep(unsigned long esr, struct pt_regs *regs)
+{
+	if (kgdb_single_step_handler(regs, esr) == DBG_HOOK_HANDLED)
+		return;
 
-	return 0;
+	pr_warn("Unexpected kernel single-step exception at EL1\n");
+	/*
+	 * Re-enable stepping since we know that we will be
+	 * returning to regs.
+	 */
+	set_regs_spsr_ss(regs);
 }
-NOKPROBE_SYMBOL(single_step_handler);
+NOKPROBE_SYMBOL(do_el1_softstep);
 
 static int call_break_hook(struct pt_regs *regs, unsigned long esr)
 {
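
Review bot: do_el0_softstep() gets no NOKPROBE_SYMBOL() while do_el1_softstep() keeps it; a one-line comment saying why the EL0 path cannot recurse into a kprobe would save the next reader from checking. The header comment also promises that interrupts are unmasked and preemption enabled on entry, so send_user_sigtrap() and user_rewind_single_step() now run preemptible; both only touch current, so that looks fine, but it is a behaviour change relative to the old single_step_handler() and is worth a sentence in the commit message.
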
@@ -329,8 +312,6 @@ NOKPROBE_SYMBOL(try_handle_aarch32_break);
 
 void __init debug_traps_init(void)
 {
-	hook_debug_fault_code(DBG_ESR_EVT_HWSS, single_step_handler, SIGTRAP,
-			      TRAP_TRACE, "single-step handler");
 	hook_debug_fault_code(DBG_ESR_EVT_BRK, brk_handler, SIGTRAP,
 			      TRAP_BRKPT, "BRK handler");
 }
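
Review bot: dropping the DBG_ESR_EVT_HWSS registration is only safe together with the entry-common.c change in this same patch that makes ESR_ELx_EC_SOFTSTP_CUR/LOW `break` instead of falling through to el1_dbg()/el0_dbg(); without that half, a single-step ESR would still reach do_debug_exception() and hit whatever default handler is installed for that event. Keep both halves together if this is ever split for a backport.
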
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index af0d7575dcfd92..c22cc4d0052d54 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -517,6 +517,24 @@ static void noinstr el1_breakpt(struct pt_regs *regs, unsigned long esr)
 	arm64_exit_el1_dbg(regs);
 }
 
+static void noinstr el1_softstp(struct pt_regs *regs, unsigned long esr)
+{
+	arm64_enter_el1_dbg(regs);
+	if (!cortex_a76_erratum_1463225_debug_handler(regs)) {
+		debug_exception_enter(regs);
+		/*
+		 * After handling a breakpoint, we suspend the breakpoint
+		 * and use single-step to move to the next instruction.
+		 * If we are stepping a suspended breakpoint there's nothing more to do:
+		 * the single-step is complete.
+		 */
+		if (!try_step_suspended_breakpoints(regs))
+			do_el1_softstep(esr, regs);
+		debug_exception_exit(regs);
+	}
+	arm64_exit_el1_dbg(regs);
+}
+
 static void noinstr el1_dbg(struct pt_regs *regs, unsigned long esr)
 {
 	unsigned long far = read_sysreg(far_el1);
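
Review bot: the cortex_a76_erratum_1463225_debug_handler() check sits before debug_exception_enter(), so when the erratum path returns true the enter/exit pair is skipped entirely; that matches the old el1_dbg(), which skipped do_debug_exception() in the same case, so the ordering is right. Note that do_el1_softstep() therefore runs inside debug_exception_enter() with interrupts still masked, unlike its EL0 counterpart; the comment block on do_el1_softstep() could state that, the way the one on do_el0_softstep() states the opposite.
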
@@ -563,6 +581,8 @@ asmlinkage void noinstr el1h_64_sync_handler(struct pt_regs *regs)
 		el1_breakpt(regs, esr);
 		break;
 	case ESR_ELx_EC_SOFTSTP_CUR:
+		el1_softstp(regs, esr);
+		break;
 	case ESR_ELx_EC_WATCHPT_CUR:
 	case ESR_ELx_EC_BRK64:
 		el1_dbg(regs, esr);
@@ -761,6 +781,25 @@ static void noinstr el0_breakpt(struct pt_regs *regs, unsigned long esr)
 	exit_to_user_mode(regs);
 }
 
+static void noinstr el0_softstp(struct pt_regs *regs, unsigned long esr)
+{
+	if (!is_ttbr0_addr(regs->pc))
+		arm64_apply_bp_hardening();
+
+	enter_from_user_mode(regs);
+	/*
+	 * After handling a breakpoint, we suspend the breakpoint
+	 * and use single-step to move to the next instruction.
+	 * If we are stepping a suspended breakpoint there's nothing more to do:
+	 * the single-step is complete.
+	 */
+	if (!try_step_suspended_breakpoints(regs)) {
+		local_daif_restore(DAIF_PROCCTX);
+		do_el0_softstep(esr, regs);
+	}
+	exit_to_user_mode(regs);
+}
+
 static void noinstr el0_dbg(struct pt_regs *regs, unsigned long esr)
 {
 	/* Only watchpoints write FAR_EL1, otherwise its UNKNOWN */
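
Review bot: try_step_suspended_breakpoints() is called here without the debug_exception_enter()/debug_exception_exit() wrapping that el1_softstp() gives it, and on the "stepped a suspended breakpoint" path exit_to_user_mode() is reached without local_daif_restore(DAIF_PROCCTX) having run. If both are deliberate (EL0 needs neither the preempt/lockdep accounting nor an unmasked window when nothing is handled), a short comment would help; otherwise consider mirroring the EL1 shape. The bp-hardening call before enter_from_user_mode() is the right order, since it has to run before anything can be speculated from the stale PC.
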
@@ -840,6 +879,8 @@ asmlinkage void noinstr el0t_64_sync_handler(struct pt_regs *regs)
 		el0_breakpt(regs, esr);
 		break;
 	case ESR_ELx_EC_SOFTSTP_LOW:
+		el0_softstp(regs, esr);
+		break;
 	case ESR_ELx_EC_WATCHPT_LOW:
 	case ESR_ELx_EC_BRK64:
 		el0_dbg(regs, esr);
@@ -962,6 +1003,8 @@ asmlinkage void noinstr el0t_32_sync_handler(struct pt_regs *regs)
 		el0_breakpt(regs, esr);
 		break;
 	case ESR_ELx_EC_SOFTSTP_LOW:
+		el0_softstp(regs, esr);
+		break;
 	case ESR_ELx_EC_WATCHPT_LOW:
 	case ESR_ELx_EC_BKPT32:
 		el0_dbg(regs, esr);
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index 309ae24d454805..8a80e13347c88f 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -854,7 +854,7 @@ bool try_step_suspended_breakpoints(struct pt_regs *regs)
 	bool handled_exception = false;
 
 	/*
-	 * Called from single-step exception handler.
+	 * Called from single-step exception entry.
 	 * Return true if we stepped a breakpoint and can resume execution,
 	 * false if we need to handle a single-step.
 	 */
-- 
2.53.0

* [PATCH 6.18 029/315] ALSA: pcm: oss: Fix setup list UAF on proc write error
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+8e498074a794999eb41c,
	Cássio Gabriel, Takashi Iwai, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 4cc54bdd54b337e77115be5b55577d1c58608eae ]

snd_pcm_oss_proc_write() links a newly allocated setup entry into the
OSS setup list before duplicating the task name. If the task-name
allocation fails, the error path frees the already linked entry and
leaves setup_list pointing at freed memory.

A later OSS device open can then walk the stale list entry in
snd_pcm_oss_look_for_setup() and dereference freed memory.

Allocate the task name and initialize the setup entry before publishing
the entry on setup_list. Also fetch the initial proc read iterator only
after taking setup_mutex, so all setup_list traversal follows the same
list lifetime rules.

Reported-by: syzbot+8e498074a794999eb41c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6a1062b7.170a0220.35b2b7.0003.GAE@google.com
Closes: https://syzkaller.appspot.com/bug?extid=8e498074a794999eb41c
Fixes: 060d77b9c04a ("[ALSA] Fix / clean up PCM-OSS setup hooks")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260522-alsa-pcm-oss-setup-uaf-v1-1-40bdcc4d17e8@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/oss/pcm_oss.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
index 9b5a3def8d2ce9..59d5153d111329 100644
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -2965,8 +2965,10 @@ static void snd_pcm_oss_proc_read(struct snd_info_entry *entry,
 				  struct snd_info_buffer *buffer)
 {
 	struct snd_pcm_str *pstr = entry->private_data;
-	struct snd_pcm_oss_setup *setup = pstr->oss.setup_list;
+	struct snd_pcm_oss_setup *setup;
+
 	guard(mutex)(&pstr->oss.setup_mutex);
+	setup = pstr->oss.setup_list;
 	while (setup) {
 		snd_iprintf(buffer, "%s %u %u%s%s%s%s%s%s\n",
 			    setup->task_name,
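
Review bot: moving the `setup = pstr->oss.setup_list;` read under the guard(mutex) closes the window in which the proc reader sampled the list head without the lock while a concurrent proc write could be replacing it; good catch, and it keeps every setup_list traversal under setup_mutex as the commit message says.
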
@@ -3051,6 +3053,13 @@ static void snd_pcm_oss_proc_write(struct snd_info_entry *entry,
 				buffer->error = -ENOMEM;
 				return;
 			}
+			template.task_name = kstrdup(task_name, GFP_KERNEL);
+			if (!template.task_name) {
+				kfree(setup);
+				buffer->error = -ENOMEM;
+				return;
+			}
+			*setup = template;
 			if (pstr->oss.setup_list == NULL)
 				pstr->oss.setup_list = setup;
 			else {
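
Review bot: with `*setup = template;` now done before the node is linked, nothing can observe a half-initialised entry, which is the point of the fix. One thing to confirm from outside the hunk: `template.next` must be NULL at this point, because the node is appended at the tail (`setup1->next = setup;` below) and a stale `next` would splice in garbage; the earlier memset of `template` in the loop presumably guarantees it, but the hunk does not show it.
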
@@ -3058,12 +3067,7 @@ static void snd_pcm_oss_proc_write(struct snd_info_entry *entry,
 				     setup1->next; setup1 = setup1->next);
 				setup1->next = setup;
 			}
-			template.task_name = kstrdup(task_name, GFP_KERNEL);
-			if (! template.task_name) {
-				kfree(setup);
-				buffer->error = -ENOMEM;
-				return;
-			}
+			continue;
 		}
 		*setup = template;
 	}
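
Review bot: the added `continue;` skips the loop's trailing `*setup = template;` for the freshly created node. That is harmless (the store would just repeat the one made before linking), but it silently turns the trailing store into an update-existing-entry-only path; a one-line comment there would make that intent explicit. The kstrdup() failure path is now correct: kfree(setup) happens before the node was ever published, so setup_list cannot point at freed memory.
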
-- 
2.53.0

* [PATCH 6.12 020/307] arm64: debug: split hardware watchpoint exception entry
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit 413f0bba005dacf2484bb8ecce212fab9be79d81 ]

Currently all debug exceptions share common entry code and are routed
to `do_debug_exception()`, which calls dynamically-registered
handlers for each specific debug exception. This is unfortunate as
different debug exceptions have different entry handling requirements,
and it would be better to handle these distinct requirements earlier.

Hardware watchpoints are the only debug exceptions that will write
FAR_EL1, so we need to preserve it and pass it down.
However, they cannot be used to maliciously train branch predictors, so
we can omit calling `arm64_bp_hardening()`, nor do they need to handle
the Cortex-A76 erratum #1463225, as it only applies to single stepping
exceptions.

As the hardware watchpoint handler only returns 0 and never triggers
the call to `arm64_notify_die()`, we can call it directly from
`entry-common.c`.
Split the hardware watchpoint exception entry and adjust the behaviour
to match the lack of needed mitigations.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-11-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/exception.h |  4 ++++
 arch/arm64/kernel/entry-common.c   | 31 ++++++++++++++++++++++++++++++
 arch/arm64/kernel/hw_breakpoint.c  | 17 +++++-----------
 3 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index 6d40efc28be401..594350e552e112 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -61,8 +61,12 @@ void do_debug_exception(unsigned long addr_if_watchpoint, unsigned long esr,
 			struct pt_regs *regs);
 #ifdef CONFIG_HAVE_HW_BREAKPOINT
 void do_breakpoint(unsigned long esr, struct pt_regs *regs);
+void do_watchpoint(unsigned long addr, unsigned long esr,
+			struct pt_regs *regs);
 #else
 static inline void do_breakpoint(unsigned long esr, struct pt_regs *regs) {}
+static inline void do_watchpoint(unsigned long addr, unsigned long esr,
+			struct pt_regs *regs) {}
 #endif /* CONFIG_HAVE_HW_BREAKPOINT */
 void do_el0_softstep(unsigned long esr, struct pt_regs *regs);
 void do_el1_softstep(unsigned long esr, struct pt_regs *regs);
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index c22cc4d0052d54..b90babcf2e2b10 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -535,6 +535,18 @@ static void noinstr el1_softstp(struct pt_regs *regs, unsigned long esr)
 	arm64_exit_el1_dbg(regs);
 }
 
+static void noinstr el1_watchpt(struct pt_regs *regs, unsigned long esr)
+{
+	/* Watchpoints are the only debug exception to write FAR_EL1 */
+	unsigned long far = read_sysreg(far_el1);
+
+	arm64_enter_el1_dbg(regs);
+	debug_exception_enter(regs);
+	do_watchpoint(far, esr, regs);
+	debug_exception_exit(regs);
+	arm64_exit_el1_dbg(regs);
+}
+
 static void noinstr el1_dbg(struct pt_regs *regs, unsigned long esr)
 {
 	unsigned long far = read_sysreg(far_el1);
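
Review bot: reading far_el1 at the very top, before arm64_enter_el1_dbg(), is the right order and matches el1_dbg() directly below, which also reads it before doing anything else; the comment explaining that watchpoints are the only debug exception to write FAR_EL1 is welcome. Dropping the cortex_a76_erratum_1463225_debug_handler() check here is consistent with the commit message, which states the erratum only applies to single-step exceptions.
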
@@ -584,6 +596,8 @@ asmlinkage void noinstr el1h_64_sync_handler(struct pt_regs *regs)
 		el1_softstp(regs, esr);
 		break;
 	case ESR_ELx_EC_WATCHPT_CUR:
+		el1_watchpt(regs, esr);
+		break;
 	case ESR_ELx_EC_BRK64:
 		el1_dbg(regs, esr);
 		break;
@@ -800,6 +814,19 @@ static void noinstr el0_softstp(struct pt_regs *regs, unsigned long esr)
 	exit_to_user_mode(regs);
 }
 
+static void noinstr el0_watchpt(struct pt_regs *regs, unsigned long esr)
+{
+	/* Watchpoints are the only debug exception to write FAR_EL1 */
+	unsigned long far = read_sysreg(far_el1);
+
+	enter_from_user_mode(regs);
+	debug_exception_enter(regs);
+	do_watchpoint(far, esr, regs);
+	debug_exception_exit(regs);
+	local_daif_restore(DAIF_PROCCTX);
+	exit_to_user_mode(regs);
+}
+
 static void noinstr el0_dbg(struct pt_regs *regs, unsigned long esr)
 {
 	/* Only watchpoints write FAR_EL1, otherwise its UNKNOWN */
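
Review bot: local_daif_restore(DAIF_PROCCTX) is placed after do_watchpoint(), so the handler runs with interrupts masked, unlike el0_softstp() from the previous patch, which restores DAIF before calling its handler. That looks intentional given that do_watchpoint() manipulates the per-CPU stepping_kernel_bp state (see the hw_breakpoint.c hunk below), but a comment spelling out the difference would prevent someone "fixing" it later. No bp-hardening call here, as the commit message explains.
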
@@ -882,6 +909,8 @@ asmlinkage void noinstr el0t_64_sync_handler(struct pt_regs *regs)
 		el0_softstp(regs, esr);
 		break;
 	case ESR_ELx_EC_WATCHPT_LOW:
+		el0_watchpt(regs, esr);
+		break;
 	case ESR_ELx_EC_BRK64:
 		el0_dbg(regs, esr);
 		break;
@@ -1006,6 +1035,8 @@ asmlinkage void noinstr el0t_32_sync_handler(struct pt_regs *regs)
 		el0_softstp(regs, esr);
 		break;
 	case ESR_ELx_EC_WATCHPT_LOW:
+		el0_watchpt(regs, esr);
+		break;
 	case ESR_ELx_EC_BKPT32:
 		el0_dbg(regs, esr);
 		break;
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index 8a80e13347c88f..ab76b36dce820b 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -750,8 +750,7 @@ static int watchpoint_report(struct perf_event *wp, unsigned long addr,
 	return step;
 }
 
-static int watchpoint_handler(unsigned long addr, unsigned long esr,
-			      struct pt_regs *regs)
+void do_watchpoint(unsigned long addr, unsigned long esr, struct pt_regs *regs)
 {
 	int i, step = 0, *kernel_step, access, closest_match = 0;
 	u64 min_dist = -1, dist;
@@ -806,7 +805,7 @@ static int watchpoint_handler(unsigned long addr, unsigned long esr,
 	rcu_read_unlock();
 
 	if (!step)
-		return 0;
+		return;
 
 	/*
 	 * We always disable EL0 watchpoints because the kernel can
@@ -819,7 +818,7 @@ static int watchpoint_handler(unsigned long addr, unsigned long esr,
 
 		/* If we're already stepping a breakpoint, just return. */
 		if (debug_info->bps_disabled)
-			return 0;
+			return;
 
 		if (test_thread_flag(TIF_SINGLESTEP))
 			debug_info->suspended_step = 1;
@@ -830,7 +829,7 @@ static int watchpoint_handler(unsigned long addr, unsigned long esr,
 		kernel_step = this_cpu_ptr(&stepping_kernel_bp);
 
 		if (*kernel_step != ARM_KERNEL_STEP_NONE)
-			return 0;
+			return;
 
 		if (kernel_active_single_step()) {
 			*kernel_step = ARM_KERNEL_STEP_SUSPEND;
@@ -839,10 +838,8 @@ static int watchpoint_handler(unsigned long addr, unsigned long esr,
 			kernel_enable_single_step(regs);
 		}
 	}
-
-	return 0;
 }
-NOKPROBE_SYMBOL(watchpoint_handler);
+NOKPROBE_SYMBOL(do_watchpoint);
 
 /*
  * Handle single-step exception.
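
Review bot: turning watchpoint_handler() into the non-static void do_watchpoint() preserves behaviour, since every previous return was `return 0;` and the early exits become bare `return;`. The `int i, step = 0, *kernel_step, access, closest_match = 0;` declaration line is now the only thing tying `step` to an unused return value; not a problem, just noting nothing else changes in the body.
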
@@ -984,10 +981,6 @@ static int __init arch_hw_breakpoint_init(void)
 	pr_info("found %d breakpoint and %d watchpoint registers.\n",
 		core_num_brps, core_num_wrps);
 
-	/* Register debug fault handlers. */
-	hook_debug_fault_code(DBG_ESR_EVT_HWWP, watchpoint_handler, SIGTRAP,
-			      TRAP_HWBKPT, "hw-watchpoint handler");
-
 	/*
 	 * Reset the breakpoint resources. We assume that a halting
 	 * debugger will leave the world in a nice state for us.
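
Review bot: same remark as for the single-step hook: removing the DBG_ESR_EVT_HWWP registration is only safe because the ESR_ELx_EC_WATCHPT_CUR/LOW cases in entry-common.c now `break` to el1_watchpt()/el0_watchpt() rather than falling through to the generic el1_dbg()/el0_dbg() path. The two changes should not be separated.
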
-- 
2.53.0

* [PATCH 6.18 030/315] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit afb2a3a9d8369d18122a0d7cd294eba9a98259c6 ]

byt_cht_es8316_init() enables MCLK before configuring the codec sysclk
and creating the headset jack. If either of those later steps fails, the
function returns without disabling MCLK, leaving the clock enabled after
card registration fails.

Track whether this driver enabled MCLK and disable it on the init error
paths. Add the matching DAI link exit callback so the same clock enable
is also balanced when ASoC cleans up a successfully initialized link.

Fixes: a03bdaa565cb ("ASoC: Intel: add machine driver for BYT/CHT + ES8316")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-asoc-bytcht-es8316-mclk-leak-v1-1-b4a11cdc2afd@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcht_es8316.c | 29 ++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c
index 3b5f63112237ea..25044c0f4703b0 100644
--- a/sound/soc/intel/boards/bytcht_es8316.c
+++ b/sound/soc/intel/boards/bytcht_es8316.c
@@ -40,6 +40,7 @@ struct byt_cht_es8316_private {
 	struct gpio_desc *speaker_en_gpio;
 	struct device *codec_dev;
 	bool speaker_en;
+	bool mclk_enabled;
 };
 
 enum {
@@ -170,6 +171,15 @@ static struct snd_soc_jack_pin byt_cht_es8316_jack_pins[] = {
 	},
 };
 
+static void byt_cht_es8316_disable_mclk(struct byt_cht_es8316_private *priv)
+{
+	if (!priv->mclk_enabled)
+		return;
+
+	clk_disable_unprepare(priv->mclk);
+	priv->mclk_enabled = false;
+}
+
 static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 {
 	struct snd_soc_component *codec = snd_soc_rtd_to_codec(runtime, 0)->component;
@@ -226,12 +236,14 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 	ret = clk_prepare_enable(priv->mclk);
 	if (ret)
 		dev_err(card->dev, "unable to enable MCLK\n");
+	else
+		priv->mclk_enabled = true;
 
 	ret = snd_soc_dai_set_sysclk(snd_soc_rtd_to_codec(runtime, 0), 0, 19200000,
 				     SND_SOC_CLOCK_IN);
 	if (ret < 0) {
 		dev_err(card->dev, "can't set codec clock %d\n", ret);
-		return ret;
+		goto err_disable_mclk;
 	}
 
 	ret = snd_soc_card_jack_new_pins(card, "Headset",
@@ -240,13 +252,25 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 					 ARRAY_SIZE(byt_cht_es8316_jack_pins));
 	if (ret) {
 		dev_err(card->dev, "jack creation failed %d\n", ret);
-		return ret;
+		goto err_disable_mclk;
 	}
 
 	snd_jack_set_key(priv->jack.jack, SND_JACK_BTN_0, KEY_PLAYPAUSE);
 	snd_soc_component_set_jack(codec, &priv->jack, NULL);
 
 	return 0;
+
+err_disable_mclk:
+	byt_cht_es8316_disable_mclk(priv);
+	return ret;
+}
+
+static void byt_cht_es8316_exit(struct snd_soc_pcm_runtime *runtime)
+{
+	struct snd_soc_card *card = runtime->card;
+	struct byt_cht_es8316_private *priv = snd_soc_card_get_drvdata(card);
+
+	byt_cht_es8316_disable_mclk(priv);
 }
 
 static int byt_cht_es8316_codec_fixup(struct snd_soc_pcm_runtime *rtd,
@@ -352,6 +376,7 @@ static struct snd_soc_dai_link byt_cht_es8316_dais[] = {
 						| SND_SOC_DAIFMT_CBC_CFC,
 		.be_hw_params_fixup = byt_cht_es8316_codec_fixup,
 		.init = byt_cht_es8316_init,
+		.exit = byt_cht_es8316_exit,
 		SND_SOC_DAILINK_REG(ssp2_port, ssp2_codec, platform),
 	},
 };
-- 
2.53.0

* [PATCH 6.18 031/315] net/mlx5: HWS: Reject unsupported remove-header action
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Prathamesh Deshpande, Simon Horman,
	Yevgeny Kliteynik, Tariq Toukan, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>

[ Upstream commit 86f1d0f063e423a5c1982db1e5e7a8eac511e603 ]

mlx5_cmd_hws_packet_reformat_alloc() handles
MLX5_REFORMAT_TYPE_REMOVE_HDR by looking up a matching HWS remove-header
action.

If mlx5_fs_get_action_remove_header_vlan() returns NULL, the code only
logs an error and continues. The function then returns success with a NULL
HWS action stored in the packet-reformat object.

Return an error when no matching remove-header action is available.

Fixes: aecd9d1020e3 ("net/mlx5: fs, add HWS packet reformat API function")
Signed-off-by: Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
Acked-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260506000054.51797-1-prathameshdeshpande7@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws.c
index 6a4c4cccd64342..c45a7ca66ad8ed 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws.c
@@ -1323,8 +1323,10 @@ mlx5_cmd_hws_packet_reformat_alloc(struct mlx5_flow_root_namespace *ns,
 		break;
 	case MLX5_REFORMAT_TYPE_REMOVE_HDR:
 		hws_action = mlx5_fs_get_action_remove_header_vlan(fs_ctx, params);
-		if (!hws_action)
+		if (!hws_action) {
 			mlx5_core_err(dev, "Only vlan remove header supported\n");
+			return -EOPNOTSUPP;
+		}
 		break;
 	default:
 		mlx5_core_err(ns->dev, "Packet-reformat not supported(%d)\n",
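
Review bot: the new error path is right, but two small things. The message uses `dev` while the `default:` case directly below uses `ns->dev`; pick one for consistency. And since the function previously returned success with a NULL hws_action, check that the caller of mlx5_cmd_hws_packet_reformat_alloc() frees the packet-reformat object it allocated when it now gets -EOPNOTSUPP, otherwise the fix trades a NULL action for a leak.
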
-- 
2.53.0

* [PATCH 6.12 021/307] arm64: debug: split brk64 exception entry
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit 31575e11ecf7e44face72d1e624cb147a9283733 ]

Currently all debug exceptions share common entry code and are routed
to `do_debug_exception()`, which calls dynamically-registered
handlers for each specific debug exception. This is unfortunate as
different debug exceptions have different entry handling requirements,
and it would be better to handle these distinct requirements earlier.

The BRK64 instruction can only be triggered by a BRK instruction. Thus,
we know that the PC is a legitimate address and isn't being used to train
a branch predictor with a bogus address: we don't need to call
`arm64_apply_bp_hardening()`.

We do not need to handle the Cortex-A76 erratum #1463225 either, as it
is only relevant for single stepping at EL1.
BRK64 does not write FAR_EL1 either, as only hardware watchpoints do so.

Split the BRK64 exception entry, adjust the function signature, and its
behaviour to match the lack of needed mitigations.
Further, as the EL0 and EL1 code paths are cleanly separated, we can split
`do_brk64()` into `do_el0_brk64()` and `do_el1_brk64()`, and call them
directly from the relevant entry paths.
Use `die()` directly for the EL1 error path, as in `do_el1_bti()` and
`do_el1_undef()`.
We can also remove `NOKPROBE_SYMBOL` for the EL0 path, as it cannot
lead to a kprobe recursion.

When taking a BRK64 exception from EL0, the exception handling is safely
preemptible: the only possible handler is `uprobe_brk_handler()`.
It only operates on task-local data and properly checks its validity,
then raises a Thread Information Flag, processed before returning
to userspace in `do_notify_resume()`, which is already preemptible.
Thus we can safely unmask interrupts and enable preemption before
handling the break itself, fixing a PREEMPT_RT issue where the handler
could call a sleeping function with preemption disabled.

Given that the break hook registration is handled statically in
`call_break_hook` since
(arm64: debug: call software break handlers statically)
and that we now bypass the exception handler registration, this change
renders `early_brk64` redundant: its functionality is now handled through
the post-init path.

This also removes the last usage of `el1_dbg()`.

This also removes the last usage of `el0_dbg()` without `CONFIG_COMPAT`.
Mark it `__maybe_unused`, to prevent a warning when building this patch
without `CONFIG_COMPAT`, as the following patch removes `el0_dbg()`.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-12-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/exception.h |  2 ++
 arch/arm64/kernel/debug-monitors.c | 46 ++++++++++++++----------------
 arch/arm64/kernel/entry-common.c   | 24 ++++++++++------
 3 files changed, 39 insertions(+), 33 deletions(-)

diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index 594350e552e112..7bc79602840fd0 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -70,6 +70,8 @@ static inline void do_watchpoint(unsigned long addr, unsigned long esr,
 #endif /* CONFIG_HAVE_HW_BREAKPOINT */
 void do_el0_softstep(unsigned long esr, struct pt_regs *regs);
 void do_el1_softstep(unsigned long esr, struct pt_regs *regs);
+void do_el0_brk64(unsigned long esr, struct pt_regs *regs);
+void do_el1_brk64(unsigned long esr, struct pt_regs *regs);
 void do_fpsimd_acc(unsigned long esr, struct pt_regs *regs);
 void do_sve_acc(unsigned long esr, struct pt_regs *regs);
 void do_sme_acc(unsigned long esr, struct pt_regs *regs);
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index 10d2bc51a32f7c..45e0dbe17c82fd 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -207,15 +207,8 @@ void do_el1_softstep(unsigned long esr, struct pt_regs *regs)
 }
 NOKPROBE_SYMBOL(do_el1_softstep);
 
-static int call_break_hook(struct pt_regs *regs, unsigned long esr)
+static int call_el1_break_hook(struct pt_regs *regs, unsigned long esr)
 {
-	if (user_mode(regs)) {
-		if (IS_ENABLED(CONFIG_UPROBES) &&
-			esr_brk_comment(esr) == UPROBES_BRK_IMM)
-			return uprobe_brk_handler(regs, esr);
-		return DBG_HOOK_ERROR;
-	}
-
 	if (esr_brk_comment(esr) == BUG_BRK_IMM)
 		return bug_brk_handler(regs, esr);
 
@@ -252,24 +245,30 @@ static int call_break_hook(struct pt_regs *regs, unsigned long esr)
 
 	return DBG_HOOK_ERROR;
 }
-NOKPROBE_SYMBOL(call_break_hook);
+NOKPROBE_SYMBOL(call_el1_break_hook);
 
-static int brk_handler(unsigned long unused, unsigned long esr,
-		       struct pt_regs *regs)
+/*
+ * We have already unmasked interrupts and enabled preemption
+ * when calling do_el0_brk64() from entry-common.c.
+ */
+void do_el0_brk64(unsigned long esr, struct pt_regs *regs)
 {
-	if (call_break_hook(regs, esr) == DBG_HOOK_HANDLED)
-		return 0;
+	if (IS_ENABLED(CONFIG_UPROBES) &&
+		esr_brk_comment(esr) == UPROBES_BRK_IMM &&
+		uprobe_brk_handler(regs, esr) == DBG_HOOK_HANDLED)
+		return;
 
-	if (user_mode(regs)) {
-		send_user_sigtrap(TRAP_BRKPT);
-	} else {
-		pr_warn("Unexpected kernel BRK exception at EL1\n");
-		return -EFAULT;
-	}
+	send_user_sigtrap(TRAP_BRKPT);
+}
 
-	return 0;
+void do_el1_brk64(unsigned long esr, struct pt_regs *regs)
+{
+	if (call_el1_break_hook(regs, esr) == DBG_HOOK_HANDLED)
+		return;
+
+	die("Oops - BRK", regs, esr);
 }
-NOKPROBE_SYMBOL(brk_handler);
+NOKPROBE_SYMBOL(do_el1_brk64);
 
 bool try_handle_aarch32_break(struct pt_regs *regs)
 {
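
Review bot: do_el1_brk64() now calls die("Oops - BRK", ...) where brk_handler() used to pr_warn() and return -EFAULT; that is a deliberate escalation, as the commit message says, and it matches do_el1_bti()/do_el1_undef(), but it deserves a line in the commit message noting that an unrecognised kernel BRK is now an Oops rather than a warning. In do_el0_brk64(), folding the uprobe check into one condition keeps the old semantics: a UPROBES_BRK_IMM that uprobe_brk_handler() does not claim still ends in SIGTRAP, exactly as DBG_HOOK_ERROR did before. The missing NOKPROBE_SYMBOL() on the EL0 function is intentional per the message.
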
@@ -311,10 +310,7 @@ bool try_handle_aarch32_break(struct pt_regs *regs)
 NOKPROBE_SYMBOL(try_handle_aarch32_break);
 
 void __init debug_traps_init(void)
-{
-	hook_debug_fault_code(DBG_ESR_EVT_BRK, brk_handler, SIGTRAP,
-			      TRAP_BRKPT, "BRK handler");
-}
+{}
 
 /* Re-enable single step for syscall restarting. */
 void user_rewind_single_step(struct task_struct *task)
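
Review bot: debug_traps_init() is left as an empty `{}` body on one line. If no later patch in the series repopulates it, removing the function and its call site is cleaner than keeping a stub; if it has to stay for now, kernel style would put the braces on separate lines as `{` and `}`.
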
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index b90babcf2e2b10..ba114bfdb32b5a 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -547,13 +547,12 @@ static void noinstr el1_watchpt(struct pt_regs *regs, unsigned long esr)
 	arm64_exit_el1_dbg(regs);
 }
 
-static void noinstr el1_dbg(struct pt_regs *regs, unsigned long esr)
+static void noinstr el1_brk64(struct pt_regs *regs, unsigned long esr)
 {
-	unsigned long far = read_sysreg(far_el1);
-
 	arm64_enter_el1_dbg(regs);
-	if (!cortex_a76_erratum_1463225_debug_handler(regs))
-		do_debug_exception(far, esr, regs);
+	debug_exception_enter(regs);
+	do_el1_brk64(esr, regs);
+	debug_exception_exit(regs);
 	arm64_exit_el1_dbg(regs);
 }
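
Review bot: el1_brk64() drops both the far_el1 read and the cortex_a76_erratum_1463225_debug_handler() check that el1_dbg() had; both removals are justified by the commit message (BRK64 does not write FAR_EL1, and the erratum only concerns single-step at EL1). The debug_exception_enter()/exit() pair is now explicit here rather than inside do_debug_exception(), so do_el1_brk64() still runs with the same accounting as before.
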
 
@@ -599,7 +598,7 @@ asmlinkage void noinstr el1h_64_sync_handler(struct pt_regs *regs)
 		el1_watchpt(regs, esr);
 		break;
 	case ESR_ELx_EC_BRK64:
-		el1_dbg(regs, esr);
+		el1_brk64(regs, esr);
 		break;
 	case ESR_ELx_EC_FPAC:
 		el1_fpac(regs, esr);
@@ -827,7 +826,16 @@ static void noinstr el0_watchpt(struct pt_regs *regs, unsigned long esr)
 	exit_to_user_mode(regs);
 }
 
-static void noinstr el0_dbg(struct pt_regs *regs, unsigned long esr)
+static void noinstr el0_brk64(struct pt_regs *regs, unsigned long esr)
+{
+	enter_from_user_mode(regs);
+	local_daif_restore(DAIF_PROCCTX);
+	do_el0_brk64(esr, regs);
+	exit_to_user_mode(regs);
+}
+
+static void noinstr __maybe_unused
+el0_dbg(struct pt_regs *regs, unsigned long esr)
 {
 	/* Only watchpoints write FAR_EL1, otherwise its UNKNOWN */
 	unsigned long far = read_sysreg(far_el1);
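
Review bot: el0_brk64() restores DAIF before calling do_el0_brk64() and has no debug_exception_enter()/exit(), which is exactly the preemptible path the commit message argues for; good. The `__maybe_unused` on el0_dbg() is fine as a transitional measure, but it only makes sense if the follow-up patch really deletes el0_dbg(); if that patch is ever dropped from a backport, this leaves dead code behind a warning suppressor.
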
@@ -912,7 +920,7 @@ asmlinkage void noinstr el0t_64_sync_handler(struct pt_regs *regs)
 		el0_watchpt(regs, esr);
 		break;
 	case ESR_ELx_EC_BRK64:
-		el0_dbg(regs, esr);
+		el0_brk64(regs, esr);
 		break;
 	case ESR_ELx_EC_FPAC:
 		el0_fpac(regs, esr);
-- 
2.53.0

* [PATCH 6.18 032/315] net: hsr: fix potential OOB access in supervision frame handling
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 031/315] net/mlx5: HWS: Reject unsupported remove-header action Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 033/315] gpio: mxc: fix irq_high handling Greg Kroah-Hartman
                   ` (284 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Luka Gejak,
	Fernando Fernandez Mancera, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luka Gejak <luka.gejak@linux.dev>

[ Upstream commit f229426072fc865654a60978bb7fda790a051ff3 ]

Ensure the entire TLV header is linearized before access by adding
sizeof(struct hsr_sup_tlv) to the pskb_may_pull() calls. Without this,
a truncated frame could cause an out-of-bounds access.

Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames")
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260523130330.61880-1-luka.gejak@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/hsr/hsr_forward.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index aefc9b6936ba0c..299de290ddaa5c 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -84,7 +84,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
 	/* Get next tlv */
 	total_length += hsr_sup_tag->tlv.HSR_TLV_length;
-	if (!pskb_may_pull(skb, total_length))
+	if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
 		return false;
 	skb_pull(skb, total_length);
 	hsr_sup_tlv = (struct hsr_sup_tlv *)skb->data;
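Review bot: the enlarged bound matches what is dereferenced next: after skb_pull(skb, total_length), skb->data is cast to struct hsr_sup_tlv and its type/length fields are read, i.e. exactly sizeof(struct hsr_sup_tlv) bytes past total_length, so the reserve is tight rather than generous. The "Get next tlv" comment should say that the header is read right after the pull; the old check read naturally as "pull up to the end of this TLV", which is exactly how the off-by-header crept in.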
@@ -100,7 +100,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
 		/* make sure another tlv follows */
 		total_length += sizeof(struct hsr_sup_tlv) + hsr_sup_tlv->HSR_TLV_length;
-		if (!pskb_may_pull(skb, total_length))
+		if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
 			return false;
 
 		/* get next tlv */
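Review bot: this is the second check in the same function that needed the same sizeof(struct hsr_sup_tlv) reserve, which argues for factoring it: one helper that advances total_length and pulls "total_length + sizeof(struct hsr_sup_tlv)" would make it impossible for a future TLV type to reintroduce the off-by-header. Nothing above this check validates the bytes of the following header, so this pskb_may_pull() is all that stands between a truncated frame and the dereference performed under "get next tlv".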
-- 
2.53.0
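The off-by-a-header pattern this patch fixes, as an added example that is not part of the patch or of the kernel's code: a user-space model of the TLV walk in is_supervision_frame(), with a stand-in for pskb_may_pull(), run over constructed supervision-frame bytes. The two-byte header layout, the EOT type value 0, the helper names and the frame contents are assumptions made for the example. The pre-fix check only guarantees the bytes up to the end of the current TLV, so when the frame ends exactly there (or one byte later) the header read that follows the pull runs off the end of the frame; the fixed check reserves sizeof(struct sup_tlv) before the read and rejects such frames instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Local model of the two-byte HSR/PRP supervision TLV header (type,
 * length).  Assumed to mirror the kernel's struct hsr_sup_tlv; this is
 * example code, not the kernel's definition.
 */
struct sup_tlv {
	uint8_t type;
	uint8_t length;
};

#define TLV_EOT 0x00	/* "end of TLVs" type; value assumed for the example */

enum walk_result {
	WALK_OK,	/* chain terminated by an EOT TLV inside the frame */
	WALK_TRUNCATED,	/* bounds check failed: frame rejected before any read */
	WALK_OOB_READ,	/* pre-fix check passed, but the header read would have
			 * gone past the end of the frame */
};

/* Stand-in for pskb_may_pull(): 'need' bytes must exist from frame start. */
static bool may_pull(size_t frame_len, size_t need)
{
	return need <= frame_len;
}

/*
 * Walk a TLV chain starting at byte offset 'off' of a 'len'-byte frame.
 * With hardened == false the check before each header read covers only
 * the offset itself (the pattern the patch replaces); with hardened ==
 * true it also reserves sizeof(struct sup_tlv), which is the fix.  The
 * out-of-bounds read is detected and reported instead of performed.
 */
static enum walk_result walk_tlvs(const uint8_t *frame, size_t len,
				  size_t off, bool hardened, int *count)
{
	*count = 0;
	for (;;) {
		size_t need = off + (hardened ? sizeof(struct sup_tlv) : 0);

		if (!may_pull(len, need))
			return WALK_TRUNCATED;
		if (off + sizeof(struct sup_tlv) > len)
			return WALK_OOB_READ;	/* what the old code would do */

		const struct sup_tlv *tlv = (const struct sup_tlv *)(frame + off);

		if (tlv->type == TLV_EOT)
			return WALK_OK;
		(*count)++;
		/* Skip header and value; the next iteration re-checks bounds. */
		off += sizeof(struct sup_tlv) + tlv->length;
	}
}

/*
 * Constructed sample frames (not captured traffic): one TLV with a 6-byte
 * value (a MAC, as in a RedBox supervision frame) followed by an EOT TLV,
 * or the same frame cut short at, or inside, the second header.
 */
static const uint8_t frame_complete[] = {
	0x1e, 0x06, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,	/* type, len 6, value */
	0x00, 0x00,					/* EOT */
};
static const uint8_t frame_cut_at_header[] = {
	0x1e, 0x06, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,	/* next header missing */
};
static const uint8_t frame_cut_mid_header[] = {
	0x1e, 0x06, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
	0x00,						/* only one header byte */
};

static enum walk_result check(const uint8_t *frame, size_t len, bool hardened)
{
	int n;

	return walk_tlvs(frame, len, 0, hardened, &n);
}

/* Number of value TLVs before EOT, or -1 if the hardened walk rejects. */
static int tlv_count(const uint8_t *frame, size_t len)
{
	int n;

	return walk_tlvs(frame, len, 0, true, &n) == WALK_OK ? n : -1;
}

int main(void)
{
	static const char *names[] = { "ok", "truncated", "OOB read" };
	const struct { const char *name; const uint8_t *f; size_t len; } cases[] = {
		{ "complete", frame_complete, sizeof(frame_complete) },
		{ "cut at header", frame_cut_at_header, sizeof(frame_cut_at_header) },
		{ "cut mid header", frame_cut_mid_header, sizeof(frame_cut_mid_header) },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-15s old check: %-10s fixed check: %s\n", cases[i].name,
		       names[check(cases[i].f, cases[i].len, false)],
		       names[check(cases[i].f, cases[i].len, true)]);
	return 0;
}
```

The walk reports the read it would have performed rather than performing it, which is what makes the difference between the two checks observable outside a kernel: a frame with a bogus length byte is rejected by both variants, but a frame that ends exactly at a TLV boundary only trips the old check.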

* [PATCH 6.12 022/307] arm64: debug: split bkpt32 exception entry
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.12 021/307] arm64: debug: split brk64 " Greg Kroah-Hartman
@ 2026-06-07  9:56 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 023/307] arm64: debug: remove debug exception registration infrastructure Greg Kroah-Hartman
                   ` (284 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:56 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit fc5e5d0477c532054ce8692fd16fdaab2cb8946f ]

Currently all debug exceptions share common entry code and are routed
to `do_debug_exception()`, which calls dynamically-registered
handlers for each specific debug exception. This is unfortunate as
different debug exceptions have different entry handling requirements,
and it would be better to handle these distinct requirements earlier.

The BKPT32 exception can only be triggered by a BKPT instruction. Thus,
we know that the PC is a legitimate address and isn't being used to train
a branch predictor with a bogus address: we don't need to call
`arm64_apply_bp_hardening()`.

The handler for this exception only pends a signal and doesn't depend
on any per-CPU state: we don't need to inhibit preemption, nor do we
need to keep the DAIF exceptions masked, so we can unmask them earlier.

Split the BKPT32 exception entry and adjust function signatures and its
behaviour to match its relaxed constraints compared to other
debug exceptions.
We can also remove `NOKPROBE_SYMBOL`, as this cannot lead to a kprobe
recursion.

This replaces the last usage of `el0_dbg()`, so remove it.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-13-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/exception.h |  1 +
 arch/arm64/kernel/debug-monitors.c |  7 +++++++
 arch/arm64/kernel/entry-common.c   | 22 +++++++++-------------
 3 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index 7bc79602840fd0..9b05c6f487ccf1 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -72,6 +72,7 @@ void do_el0_softstep(unsigned long esr, struct pt_regs *regs);
 void do_el1_softstep(unsigned long esr, struct pt_regs *regs);
 void do_el0_brk64(unsigned long esr, struct pt_regs *regs);
 void do_el1_brk64(unsigned long esr, struct pt_regs *regs);
+void do_bkpt32(unsigned long esr, struct pt_regs *regs);
 void do_fpsimd_acc(unsigned long esr, struct pt_regs *regs);
 void do_sve_acc(unsigned long esr, struct pt_regs *regs);
 void do_sme_acc(unsigned long esr, struct pt_regs *regs);
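Review bot: the do_bkpt32() prototype is added unconditionally while the definition in debug-monitors.c is under #ifdef CONFIG_COMPAT. A prototype without a definition is harmless as long as every caller is compat-only, but this header already wraps conditional handlers (the do_breakpoint()/do_watchpoint() prototypes sit under CONFIG_HAVE_HW_BREAKPOINT), so either follow that convention or add a comment that the only caller lives in the CONFIG_COMPAT region of entry-common.c.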
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index 45e0dbe17c82fd..ed03270fa34375 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -270,6 +270,13 @@ void do_el1_brk64(unsigned long esr, struct pt_regs *regs)
 }
 NOKPROBE_SYMBOL(do_el1_brk64);
 
+#ifdef CONFIG_COMPAT
+void do_bkpt32(unsigned long esr, struct pt_regs *regs)
+{
+	arm64_notify_die("aarch32 BKPT", regs, SIGTRAP, TRAP_BRKPT, regs->pc, esr);
+}
+#endif /* CONFIG_COMPAT */
+
 bool try_handle_aarch32_break(struct pt_regs *regs)
 {
 	u32 arm_instr;
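Review bot: do_bkpt32() passes regs->pc as the fault-address argument of arm64_notify_die(), consistent with the generic do_debug_exception() path it replaces (which used instruction_pointer(regs)), so the signal's address semantics are preserved; a short comment that the PC is used because BKPT sets no fault address would save the next reader a trip through the history. The function also intentionally has no NOKPROBE_SYMBOL(), unlike do_el1_brk64() directly above it; since it is reachable only from EL0 traps that is acceptable, but the asymmetry should be noted in-line rather than only in the changelog.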
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index ba114bfdb32b5a..9a1ea5a6e6b72a 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -834,18 +834,6 @@ static void noinstr el0_brk64(struct pt_regs *regs, unsigned long esr)
 	exit_to_user_mode(regs);
 }
 
-static void noinstr __maybe_unused
-el0_dbg(struct pt_regs *regs, unsigned long esr)
-{
-	/* Only watchpoints write FAR_EL1, otherwise its UNKNOWN */
-	unsigned long far = read_sysreg(far_el1);
-
-	enter_from_user_mode(regs);
-	do_debug_exception(far, esr, regs);
-	local_daif_restore(DAIF_PROCCTX);
-	exit_to_user_mode(regs);
-}
-
 static void noinstr el0_svc(struct pt_regs *regs)
 {
 	enter_from_user_mode(regs);
@@ -1003,6 +991,14 @@ static void noinstr el0_svc_compat(struct pt_regs *regs)
 	exit_to_user_mode(regs);
 }
 
+static void noinstr el0_bkpt32(struct pt_regs *regs, unsigned long esr)
+{
+	enter_from_user_mode(regs);
+	local_daif_restore(DAIF_PROCCTX);
+	do_bkpt32(esr, regs);
+	exit_to_user_mode(regs);
+}
+
 asmlinkage void noinstr el0t_32_sync_handler(struct pt_regs *regs)
 {
 	unsigned long esr = read_sysreg(esr_el1);
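Review bot: el0_bkpt32() calls do_bkpt32(), which the debug-monitors.c hunk defines only under CONFIG_COMPAT, so this links only because the function is placed next to el0_svc_compat() inside the compat region of entry-common.c. That placement dependency is invisible from the hunk; a short comment, or wrapping the function in the same #ifdef as its callee, would make a future move fail loudly instead of at link time on !COMPAT builds. The missing arm64_apply_bp_hardening() is intentional per the changelog, but el0_softstp() in this file still calls it, so a one-line comment on the asymmetry would help too.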
@@ -1046,7 +1042,7 @@ asmlinkage void noinstr el0t_32_sync_handler(struct pt_regs *regs)
 		el0_watchpt(regs, esr);
 		break;
 	case ESR_ELx_EC_BKPT32:
-		el0_dbg(regs, esr);
+		el0_bkpt32(regs, esr);
 		break;
 	default:
 		el0_inv(regs, esr);
-- 
2.53.0

* [PATCH 6.18 033/315] gpio: mxc: fix irq_high handling
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.18 032/315] net: hsr: fix potential OOB access in supervision frame handling Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 034/315] net: team: Remove unused team_mode_op, port_enabled Greg Kroah-Hartman
                   ` (283 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander Stein, Frank Li,
	Bartosz Golaszewski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Stein <alexander.stein@ew.tq-group.com>

[ Upstream commit dac917ed5aead741004db8d0d5151dd577802df8 ]

If port->irq_high is -1 (fsl,imx21-gpio compatible) and gpio_idx is >= 16,
enable_irq_wake() is called with -1, which is wrong.

Fixes: 5f6d1998adeb ("gpio: mxc: release the parent IRQ in runtime suspend")
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260526063504.25916-1-alexander.stein@ew.tq-group.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-mxc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-mxc.c b/drivers/gpio/gpio-mxc.c
index 441ba95b38cf9b..dbdf0f41b6bb91 100644
--- a/drivers/gpio/gpio-mxc.c
+++ b/drivers/gpio/gpio-mxc.c
@@ -469,7 +469,7 @@ static int mxc_gpio_probe(struct platform_device *pdev)
 		 * the handler is needed only once, but doing it for every port
 		 * is more robust and easier.
 		 */
-		port->irq_high = -1;
+		port->irq_high = 0;
 		port->mx_irq_handler = mx2_gpio_irq_handler;
 	} else
 		port->mx_irq_handler = mx3_gpio_irq_handler;
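Review bot: the fix changes the sentinel from -1 to 0 but the hunk does not touch the consumer the changelog describes (the enable_irq_wake() call for gpio_idx >= 16). Using 0 relies on that call site already guarding with "if (port->irq_high)" or on IRQ 0 being treated as "none" throughout; please confirm, or better, add an explicit "> 0" check at the consumer so the sentinel value cannot matter. The comment above this line still describes the shared-handler case and could mention that irq_high is unused (0) for it.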
-- 
2.53.0

* [PATCH 6.12 023/307] arm64: debug: remove debug exception registration infrastructure
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2026-06-07  9:56 ` [PATCH 6.12 022/307] arm64: debug: split bkpt32 " Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 024/307] arm64: debug: always unmask interrupts in el0_softstp() Greg Kroah-Hartman
                   ` (283 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz,
	Luis Claudio R. Goncalves, Will Deacon, Mark Rutland,
	Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit a8b8cce9d96d65dfe3d89abf02033151f8b7d670 ]

Now that debug exceptions are handled individually and without the need
for dynamic registration, remove the unused registration infrastructure.

This removes the external caller for `debug_exception_enter()` and
`debug_exception_exit()`.
Make them static again and remove them from the header.

Remove `early_brk64()` as it has been made redundant by
(arm64: debug: split brk64 exception entry) and is not used anymore.
Note: in `early_brk64()` `bug_brk_handler()` is called unconditionally
as a fall-through, but now `call_break_hook()` only calls it if the
immediate matches.
This does not change the behaviour in early boot, as if
`bug_brk_handler()` was called on a non-BUG immediate it would return
DBG_HOOK_ERROR anyway, which `call_break_hook()` will do if no immediate
matches.

Remove `trap_init()`, as it would be empty and a weak definition already
exists in `init/main.c`.

Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Tested-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
Reviewed-by: Will Deacon <will@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250707114109.35672-14-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/debug-monitors.h |  2 -
 arch/arm64/include/asm/exception.h      |  6 ---
 arch/arm64/include/asm/system_misc.h    |  4 --
 arch/arm64/kernel/debug-monitors.c      |  3 --
 arch/arm64/kernel/entry-common.c        |  4 +-
 arch/arm64/kernel/traps.c               | 27 -------------
 arch/arm64/mm/fault.c                   | 53 -------------------------
 7 files changed, 2 insertions(+), 97 deletions(-)

diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h
index 24c7981abeb0b9..4f3901884c5d85 100644
--- a/arch/arm64/include/asm/debug-monitors.h
+++ b/arch/arm64/include/asm/debug-monitors.h
@@ -93,7 +93,5 @@ static inline bool try_step_suspended_breakpoints(struct pt_regs *regs)
 
 bool try_handle_aarch32_break(struct pt_regs *regs);
 
-void debug_traps_init(void);
-
 #endif	/* __ASSEMBLY */
 #endif	/* __ASM_DEBUG_MONITORS_H */
diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h
index 9b05c6f487ccf1..50c5329ff2edae 100644
--- a/arch/arm64/include/asm/exception.h
+++ b/arch/arm64/include/asm/exception.h
@@ -57,8 +57,6 @@ void do_el0_undef(struct pt_regs *regs, unsigned long esr);
 void do_el1_undef(struct pt_regs *regs, unsigned long esr);
 void do_el0_bti(struct pt_regs *regs);
 void do_el1_bti(struct pt_regs *regs, unsigned long esr);
-void do_debug_exception(unsigned long addr_if_watchpoint, unsigned long esr,
-			struct pt_regs *regs);
 #ifdef CONFIG_HAVE_HW_BREAKPOINT
 void do_breakpoint(unsigned long esr, struct pt_regs *regs);
 void do_watchpoint(unsigned long addr, unsigned long esr,
@@ -91,8 +89,4 @@ void do_serror(struct pt_regs *regs, unsigned long esr);
 void do_signal(struct pt_regs *regs);
 
 void __noreturn panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigned long far);
-
-void debug_exception_enter(struct pt_regs *regs);
-void debug_exception_exit(struct pt_regs *regs);
-
 #endif	/* __ASM_EXCEPTION_H */
diff --git a/arch/arm64/include/asm/system_misc.h b/arch/arm64/include/asm/system_misc.h
index c343442567625d..344b1c1a4bbb69 100644
--- a/arch/arm64/include/asm/system_misc.h
+++ b/arch/arm64/include/asm/system_misc.h
@@ -25,10 +25,6 @@ void arm64_notify_die(const char *str, struct pt_regs *regs,
 		      int signo, int sicode, unsigned long far,
 		      unsigned long err);
 
-void hook_debug_fault_code(int nr, int (*fn)(unsigned long, unsigned long,
-					     struct pt_regs *),
-			   int sig, int code, const char *name);
-
 struct mm_struct;
 extern void __show_regs(struct pt_regs *);
 
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
index ed03270fa34375..16390fd4ba5edd 100644
--- a/arch/arm64/kernel/debug-monitors.c
+++ b/arch/arm64/kernel/debug-monitors.c
@@ -316,9 +316,6 @@ bool try_handle_aarch32_break(struct pt_regs *regs)
 }
 NOKPROBE_SYMBOL(try_handle_aarch32_break);
 
-void __init debug_traps_init(void)
-{}
-
 /* Re-enable single step for syscall restarting. */
 void user_rewind_single_step(struct task_struct *task)
 {
diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index 9a1ea5a6e6b72a..b98d6d1a1dfd63 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -448,7 +448,7 @@ static __always_inline void fpsimd_syscall_exit(void)
  * accidentally schedule in exception context and it will force a warning
  * if we somehow manage to schedule by accident.
  */
-void debug_exception_enter(struct pt_regs *regs)
+static void debug_exception_enter(struct pt_regs *regs)
 {
 	preempt_disable();
 
@@ -457,7 +457,7 @@ void debug_exception_enter(struct pt_regs *regs)
 }
 NOKPROBE_SYMBOL(debug_exception_enter);
 
-void debug_exception_exit(struct pt_regs *regs)
+static void debug_exception_exit(struct pt_regs *regs)
 {
 	preempt_enable_no_resched();
 }
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 013159bc0882ee..e6e815ef03c777 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -1091,30 +1091,3 @@ int ubsan_brk_handler(struct pt_regs *regs, unsigned long esr)
 	return DBG_HOOK_HANDLED;
 }
 #endif
-
-/*
- * Initial handler for AArch64 BRK exceptions
- * This handler only used until debug_traps_init().
- */
-int __init early_brk64(unsigned long addr, unsigned long esr,
-		struct pt_regs *regs)
-{
-#ifdef CONFIG_CFI_CLANG
-	if (esr_is_cfi_brk(esr))
-		return cfi_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
-#endif
-#ifdef CONFIG_KASAN_SW_TAGS
-	if ((esr_brk_comment(esr) & ~KASAN_BRK_MASK) == KASAN_BRK_IMM)
-		return kasan_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
-#endif
-#ifdef CONFIG_UBSAN_TRAP
-	if (esr_is_ubsan_brk(esr))
-		return ubsan_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
-#endif
-	return bug_brk_handler(regs, esr) != DBG_HOOK_HANDLED;
-}
-
-void __init trap_init(void)
-{
-	debug_traps_init();
-}
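Review bot: the removed comment says early_brk64() was "only used until debug_traps_init()", i.e. it covered the CFI, KASAN and UBSAN BRK immediates during the window before dynamic hooks were registered. Removing it is only safe if call_break_hook() can match those immediates from the very first BRK taken at boot without any registration step; the changelog argues this for bug_brk_handler(), please state it for the cfi/kasan/ubsan cases too, since a BRK in that window that reaches no handler would be fatal rather than merely misreported.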
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 7c87d2b3b06eaa..9ee5a2d2b32151 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -53,18 +53,12 @@ struct fault_info {
 };
 
 static const struct fault_info fault_info[];
-static struct fault_info debug_fault_info[];
 
 static inline const struct fault_info *esr_to_fault_info(unsigned long esr)
 {
 	return fault_info + (esr & ESR_ELx_FSC);
 }
 
-static inline const struct fault_info *esr_to_debug_fault_info(unsigned long esr)
-{
-	return debug_fault_info + DBG_ESR_EVT(esr);
-}
-
 static void data_abort_decode(unsigned long esr)
 {
 	unsigned long iss2 = ESR_ELx_ISS2(esr);
@@ -911,53 +905,6 @@ void do_sp_pc_abort(unsigned long addr, unsigned long esr, struct pt_regs *regs)
 }
 NOKPROBE_SYMBOL(do_sp_pc_abort);
 
-/*
- * __refdata because early_brk64 is __init, but the reference to it is
- * clobbered at arch_initcall time.
- * See traps.c and debug-monitors.c:debug_traps_init().
- */
-static struct fault_info __refdata debug_fault_info[] = {
-	{ do_bad,	SIGTRAP,	TRAP_HWBKPT,	"hardware breakpoint"	},
-	{ do_bad,	SIGTRAP,	TRAP_HWBKPT,	"hardware single-step"	},
-	{ do_bad,	SIGTRAP,	TRAP_HWBKPT,	"hardware watchpoint"	},
-	{ do_bad,	SIGKILL,	SI_KERNEL,	"unknown 3"		},
-	{ do_bad,	SIGTRAP,	TRAP_BRKPT,	"aarch32 BKPT"		},
-	{ do_bad,	SIGKILL,	SI_KERNEL,	"aarch32 vector catch"	},
-	{ early_brk64,	SIGTRAP,	TRAP_BRKPT,	"aarch64 BRK"		},
-	{ do_bad,	SIGKILL,	SI_KERNEL,	"unknown 7"		},
-};
-
-void __init hook_debug_fault_code(int nr,
-				  int (*fn)(unsigned long, unsigned long, struct pt_regs *),
-				  int sig, int code, const char *name)
-{
-	BUG_ON(nr < 0 || nr >= ARRAY_SIZE(debug_fault_info));
-
-	debug_fault_info[nr].fn		= fn;
-	debug_fault_info[nr].sig	= sig;
-	debug_fault_info[nr].code	= code;
-	debug_fault_info[nr].name	= name;
-}
-
-void do_debug_exception(unsigned long addr_if_watchpoint, unsigned long esr,
-			struct pt_regs *regs)
-{
-	const struct fault_info *inf = esr_to_debug_fault_info(esr);
-	unsigned long pc = instruction_pointer(regs);
-
-	debug_exception_enter(regs);
-
-	if (user_mode(regs) && !is_ttbr0_addr(pc))
-		arm64_apply_bp_hardening();
-
-	if (inf->fn(addr_if_watchpoint, esr, regs)) {
-		arm64_notify_die(inf->name, regs, inf->sig, inf->code, pc, esr);
-	}
-
-	debug_exception_exit(regs);
-}
-NOKPROBE_SYMBOL(do_debug_exception);
-
 /*
  * Used during anonymous page fault handling.
  */
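Review bot: this hunk removes the last common place where arm64_apply_bp_hardening() was applied to user-mode debug exceptions with a non-TTBR0 PC (the "user_mode(regs) && !is_ttbr0_addr(pc)" check in do_debug_exception()). Each split EL0 entry must now preserve that call wherever the exception can be taken with an attacker-chosen PC; el0_softstp() shows the expected pattern, so the changelog should list which of breakpoint, watchpoint and softstep keep the call and why brk64 and bkpt32 do not.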
-- 
2.53.0

* [PATCH 6.18 034/315] net: team: Remove unused team_mode_op, port_enabled
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 033/315] gpio: mxc: fix irq_high handling Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 035/315] net: team: Rename port_disabled team mode op to port_tx_disabled Greg Kroah-Hartman
                   ` (282 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Marc Harvey,
	Kuniyuki Iwashima, Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Harvey <marcharvey@google.com>

[ Upstream commit 014f249121d73909528df320818fba7693d0ec92 ]

This team_mode_op wasn't used by any of the team modes, so remove it.

Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Marc Harvey <marcharvey@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260409-teaming-driver-internal-v7-2-f47e7589685d@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 25fe708bbc59 ("net: team: fix NULL pointer dereference in team_xmit during mode change")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/team/team_core.c | 2 --
 include/linux/if_team.h      | 1 -
 2 files changed, 3 deletions(-)

diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index a98f5e5061544c..712d8043e66e17 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -945,8 +945,6 @@ static void team_port_enable(struct team *team,
 			   team_port_index_hash(team, port->index));
 	team_adjust_ops(team);
 	team_queue_override_port_add(team, port);
-	if (team->ops.port_enabled)
-		team->ops.port_enabled(team, port);
 	team_notify_peers(team);
 	team_mcast_rejoin(team);
 	team_lower_state_changed(port);
diff --git a/include/linux/if_team.h b/include/linux/if_team.h
index ce97d891cf720f..0d550d44a1c230 100644
--- a/include/linux/if_team.h
+++ b/include/linux/if_team.h
@@ -121,7 +121,6 @@ struct team_mode_ops {
 	int (*port_enter)(struct team *team, struct team_port *port);
 	void (*port_leave)(struct team *team, struct team_port *port);
 	void (*port_change_dev_addr)(struct team *team, struct team_port *port);
-	void (*port_enabled)(struct team *team, struct team_port *port);
 	void (*port_disabled)(struct team *team, struct team_port *port);
 };
 
-- 
2.53.0

* [PATCH 6.12 024/307] arm64: debug: always unmask interrupts in el0_softstp()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 023/307] arm64: debug: remove debug exception registration infrastructure Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 025/307] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
                   ` (282 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz, Mark Rutland,
	Catalin Marinas, Sebastian Andrzej Siewior, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ada Couprie Diaz <ada.coupriediaz@arm.com>

[ Upstream commit ea0d55ae4b3207c33691a73da3443b1fd379f1d2 ]

We intend that EL0 exception handlers unmask all DAIF exceptions
before calling exit_to_user_mode().

When completing single-step of a suspended breakpoint, we do not call
local_daif_restore(DAIF_PROCCTX) before calling exit_to_user_mode(),
leaving all DAIF exceptions masked.

When pseudo-NMIs are not in use this is benign.

When pseudo-NMIs are in use, this is unsound. At this point interrupts
are masked by both DAIF.IF and PMR_EL1, and subsequent irq flag
manipulation may not work correctly. For example, a subsequent
local_irq_enable() within exit_to_user_mode_loop() will only unmask
interrupts via PMR_EL1 (leaving those masked via DAIF.IF), and
anything depending on interrupts being unmasked (e.g. delivery of
signals) will not work correctly.

This was detected by CONFIG_ARM64_DEBUG_PRIORITY_MASKING.

Move the call to `try_step_suspended_breakpoints()` outside of the check
so that interrupts can be unmasked even if we don't call the step handler.

Fixes: 0ac7584c08ce ("arm64: debug: split single stepping exception entry")
Cc: <stable@vger.kernel.org> # 6.17
Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
[catalin.marinas@arm.com: added Mark's rewritten commit log and some whitespace]
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/entry-common.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
index b98d6d1a1dfd63..ea3876d99c2ec5 100644
--- a/arch/arm64/kernel/entry-common.c
+++ b/arch/arm64/kernel/entry-common.c
@@ -796,6 +796,8 @@ static void noinstr el0_breakpt(struct pt_regs *regs, unsigned long esr)
 
 static void noinstr el0_softstp(struct pt_regs *regs, unsigned long esr)
 {
+	bool step_done;
+
 	if (!is_ttbr0_addr(regs->pc))
 		arm64_apply_bp_hardening();
 
@@ -806,10 +808,10 @@ static void noinstr el0_softstp(struct pt_regs *regs, unsigned long esr)
 	 * If we are stepping a suspended breakpoint there's nothing more to do:
 	 * the single-step is complete.
 	 */
-	if (!try_step_suspended_breakpoints(regs)) {
-		local_daif_restore(DAIF_PROCCTX);
+	step_done = try_step_suspended_breakpoints(regs);
+	local_daif_restore(DAIF_PROCCTX);
+	if (!step_done)
 		do_el0_softstep(esr, regs);
-	}
 	exit_to_user_mode(regs);
 }
 
-- 
2.53.0

* [PATCH 6.18 035/315] net: team: Rename port_disabled team mode op to port_tx_disabled
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 034/315] net: team: Remove unused team_mode_op, port_enabled Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 036/315] net: team: fix NULL pointer dereference in team_xmit during mode change Greg Kroah-Hartman
                   ` (281 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Marc Harvey,
	Kuniyuki Iwashima, Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Harvey <marcharvey@google.com>

[ Upstream commit cfa477df2cc62ba53cb936669886361152b594a7 ]

This team mode op is only used by the load balance mode, and it only
uses it in the tx path.

Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Marc Harvey <marcharvey@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260409-teaming-driver-internal-v7-3-f47e7589685d@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 25fe708bbc59 ("net: team: fix NULL pointer dereference in team_xmit during mode change")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/team/team_core.c             | 4 ++--
 drivers/net/team/team_mode_loadbalance.c | 4 ++--
 include/linux/if_team.h                  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index 712d8043e66e17..11c8e6551dd357 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -969,8 +969,8 @@ static void team_port_disable(struct team *team,
 {
 	if (!team_port_enabled(port))
 		return;
-	if (team->ops.port_disabled)
-		team->ops.port_disabled(team, port);
+	if (team->ops.port_tx_disabled)
+		team->ops.port_tx_disabled(team, port);
 	hlist_del_rcu(&port->hlist);
 	__reconstruct_port_hlist(team, port->index);
 	port->index = -1;
diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
index b14538bde2f824..b27e44a4df5f6e 100644
--- a/drivers/net/team/team_mode_loadbalance.c
+++ b/drivers/net/team/team_mode_loadbalance.c
@@ -655,7 +655,7 @@ static void lb_port_leave(struct team *team, struct team_port *port)
 	free_percpu(lb_port_priv->pcpu_stats);
 }
 
-static void lb_port_disabled(struct team *team, struct team_port *port)
+static void lb_port_tx_disabled(struct team *team, struct team_port *port)
 {
 	lb_tx_hash_to_port_mapping_null_port(team, port);
 }
@@ -665,7 +665,7 @@ static const struct team_mode_ops lb_mode_ops = {
 	.exit			= lb_exit,
 	.port_enter		= lb_port_enter,
 	.port_leave		= lb_port_leave,
-	.port_disabled		= lb_port_disabled,
+	.port_tx_disabled	= lb_port_tx_disabled,
 	.receive		= lb_receive,
 	.transmit		= lb_transmit,
 };
diff --git a/include/linux/if_team.h b/include/linux/if_team.h
index 0d550d44a1c230..cd5acf40040d2e 100644
--- a/include/linux/if_team.h
+++ b/include/linux/if_team.h
@@ -121,7 +121,7 @@ struct team_mode_ops {
 	int (*port_enter)(struct team *team, struct team_port *port);
 	void (*port_leave)(struct team *team, struct team_port *port);
 	void (*port_change_dev_addr)(struct team *team, struct team_port *port);
-	void (*port_disabled)(struct team *team, struct team_port *port);
+	void (*port_tx_disabled)(struct team *team, struct team_port *port);
 };
 
 extern int team_modeop_port_enter(struct team *team, struct team_port *port);
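Review bot: the rename narrows the documented meaning of the op to the tx path, but struct team_mode_ops carries no kerneldoc for any member, so the only record of when port_tx_disabled() runs is the call site in team_port_disable(), where it is invoked before hlist_del_rcu(), i.e. while the port is still visible to RCU readers. Add a comment on the member stating that it is called before the port leaves the enabled list and must only tear down tx-side mode state, as lb_port_tx_disabled() does.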
-- 
2.53.0

* [PATCH 6.12 025/307] nfc: llcp: Fix use-after-free in llcp_sock_release()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 024/307] arm64: debug: always unmask interrupts in el0_softstp() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 026/307] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
                   ` (281 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, David Heidelberg,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

[ Upstream commit f4268b466190dae95a7585f69b4f1f8ad097632c ]

llcp_sock_release() unconditionally unlinks the socket from the local
sockets list.  However, if the socket is still in connecting state, it
is on the connecting list.

Fix this by checking the socket state and unlinking from the correct list.

Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Signed-off-by: Lee Jones <lee@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-1-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 57a2f97004e172..915929cd724f90 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
 
 	if (sock->type == SOCK_RAW)
 		nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+	else if (sk->sk_state == LLCP_CONNECTING)
+		nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
 	else
 		nfc_llcp_sock_unlink(&local->sockets, sk);
 
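Review bot: the new `else if (sk->sk_state == LLCP_CONNECTING)` arm chooses the list from a state value that nfc_llcp_recv_cc() changes concurrently (it moves the socket from connecting_sockets to sockets and sets LLCP_CONNECTED), so the unlink only hits the right list if this read and that transition are serialized under lock_sock(); the hunk does not show the lock being held in llcp_sock_release(). Worth confirming and stating in the commit message, since patch 026 in this series adds exactly that locking on the recv_cc side.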
-- 
2.53.0

* [PATCH 6.18 036/315] net: team: fix NULL pointer dereference in team_xmit during mode change
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Jiayuan Chen,
	Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit 25fe708bbc59289d3d1ea4b126fbc1b460a072a5 ]

__team_change_mode() clears team->ops with memset() before restoring
safe dummy handlers via team_adjust_ops(). A concurrent team_xmit()
running under RCU on another CPU can read team->ops.transmit during
this window and call a NULL function pointer, crashing the kernel.

The race requires a mode change (CAP_NET_ADMIN) concurrent with
transmit on the team device.

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 Oops: 0010 [#1] SMP KASAN NOPTI
 RIP: 0010:0x0
 Call Trace:
  team_xmit (drivers/net/team/team_core.c:1853)
  dev_hard_start_xmit (net/core/dev.c:3904)
  __dev_queue_xmit (net/core/dev.c:4871)
  packet_sendmsg (net/packet/af_packet.c:3109)
  __sys_sendto (net/socket.c:2265)

The original code assumed that no ports means no traffic, so mode
changes could freely memset()/memcpy() the ops.  AF_PACKET with
forced carrier breaks that assumption.

Prevent the race instead of making it safe: replace memset()/memcpy()
with per-field updates that never touch transmit or receive.  Those
two handlers are managed solely by team_adjust_ops(), which already
installs dummies when tx_en_port_count == 0 (always true during mode
change since no ports are present).  WRITE_ONCE/READ_ONCE prevent
store/load tearing on the handler pointers.

synchronize_net() before exit_op() drains in-flight readers that may
still reference old mode state from before port removal switched the
handlers to dummies.

Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260521081159.1491563-3-bestswngs@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/team/team_core.c | 45 +++++++++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index 11c8e6551dd357..ff4dcd6035cd10 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -535,21 +535,23 @@ static void team_adjust_ops(struct team *team)
 
 	if (!team->en_port_count || !team_is_mode_set(team) ||
 	    !team->mode->ops->transmit)
-		team->ops.transmit = team_dummy_transmit;
+		WRITE_ONCE(team->ops.transmit, team_dummy_transmit);
 	else
-		team->ops.transmit = team->mode->ops->transmit;
+		WRITE_ONCE(team->ops.transmit, team->mode->ops->transmit);
 
 	if (!team->en_port_count || !team_is_mode_set(team) ||
 	    !team->mode->ops->receive)
-		team->ops.receive = team_dummy_receive;
+		WRITE_ONCE(team->ops.receive, team_dummy_receive);
 	else
-		team->ops.receive = team->mode->ops->receive;
+		WRITE_ONCE(team->ops.receive, team->mode->ops->receive);
 }
 
 /*
- * We can benefit from the fact that it's ensured no port is present
- * at the time of mode change. Therefore no packets are in fly so there's no
- * need to set mode operations in any special way.
+ * team_change_mode() ensures no ports are present during mode change,
+ * but lockless readers can still reach team_xmit().  Avoid touching
+ * transmit/receive -- they are already set to dummies by
+ * team_adjust_ops() since no ports are enabled.  synchronize_net()
+ * drains in-flight readers before destroying old mode state.
  */
 static int __team_change_mode(struct team *team,
 			      const struct team_mode *new_mode)
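Review bot: the WRITE_ONCE() stores only rule out tearing of the handler pointers; they provide no ordering against the mode teardown that follows, so the safety argument rests entirely on the dummies already being installed when the last port left plus the synchronize_net() in __team_change_mode(), and the new comment should say so. There is also a mismatch to fix: the commit message says the dummies are installed when `tx_en_port_count == 0`, while the condition here tests `team->en_port_count`; one of the two should be corrected.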
@@ -558,9 +560,21 @@ static int __team_change_mode(struct team *team,
 	if (team_is_mode_set(team)) {
 		void (*exit_op)(struct team *team) = team->ops.exit;
 
-		/* Clear ops area so no callback is called any longer */
-		memset(&team->ops, 0, sizeof(struct team_mode_ops));
-		team_adjust_ops(team);
+		/* Clear cold-path ops used only under RTNL.  transmit and
+		 * receive are already dummies (no ports) so leave them
+		 * alone -- overwriting them is the source of the race.
+		 */
+		team->ops.init = NULL;
+		team->ops.exit = NULL;
+		team->ops.port_enter = NULL;
+		team->ops.port_leave = NULL;
+		team->ops.port_change_dev_addr = NULL;
+		team->ops.port_tx_disabled = NULL;
+
+		/* Wait for in-flight readers before tearing down mode
+		 * state they may reference.
+		 */
+		synchronize_net();
 
 		if (exit_op)
 			exit_op(team);
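Review bot: replacing the memset() with an explicit field list means any op added to struct team_mode_ops later is silently neither cleared here nor copied in the hunk below; a comment at the struct definition pointing at these two sites, or a BUILD_BUG_ON on sizeof(struct team_mode_ops) that must be bumped together with the lists, would keep them in sync. Reading `exit_op` before `team->ops.exit = NULL` is correct. Note also that synchronize_net() sleeps, which is fine under RTNL but pins __team_change_mode() to process context.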
@@ -583,7 +597,12 @@ static int __team_change_mode(struct team *team,
 	}
 
 	team->mode = new_mode;
-	memcpy(&team->ops, new_mode->ops, sizeof(struct team_mode_ops));
+	team->ops.init = new_mode->ops->init;
+	team->ops.exit = new_mode->ops->exit;
+	team->ops.port_enter = new_mode->ops->port_enter;
+	team->ops.port_leave = new_mode->ops->port_leave;
+	team->ops.port_change_dev_addr = new_mode->ops->port_change_dev_addr;
+	team->ops.port_tx_disabled = new_mode->ops->port_tx_disabled;
 	team_adjust_ops(team);
 
 	return 0;
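Review bot: after this per-field copy, team_adjust_ops() still leaves transmit/receive pointing at the dummies because no port is enabled during a mode change, so the new mode's data-path handlers only go live when a port is later enabled; a one-line comment above `team_adjust_ops(team);` saying the copy deliberately excludes transmit and receive would spare the next reader a search for where they are installed.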
@@ -744,7 +763,7 @@ static rx_handler_result_t team_handle_frame(struct sk_buff **pskb)
 		/* allow exact match delivery for disabled ports */
 		res = RX_HANDLER_EXACT;
 	} else {
-		res = team->ops.receive(team, port, skb);
+		res = READ_ONCE(team->ops.receive)(team, port, skb);
 	}
 	if (res == RX_HANDLER_ANOTHER) {
 		struct team_pcpu_stats *pcpu_stats;
@@ -1683,7 +1702,7 @@ static netdev_tx_t team_xmit(struct sk_buff *skb, struct net_device *dev)
 
 	tx_success = team_queue_override_transmit(team, skb);
 	if (!tx_success)
-		tx_success = team->ops.transmit(team, skb);
+		tx_success = READ_ONCE(team->ops.transmit)(team, skb);
 	if (tx_success) {
 		struct team_pcpu_stats *pcpu_stats;
 
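Review bot: this READ_ONCE() and the one in team_handle_frame() pair with the WRITE_ONCE() stores in team_adjust_ops(); both readers run under RCU (team_xmit as described in the commit message, team_handle_frame as an rx_handler), which is what makes the synchronize_net() in __team_change_mode() a sufficient grace period. A short comment on the transmit read naming that pairing would tie the three sites together for whoever touches one of them next.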
-- 
2.53.0

* [PATCH 6.12 026/307] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lee Jones, Simon Horman,
	David Heidelberg, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

[ Upstream commit b493ea2765cc17cb8aa7e7544a4b6dcb05b6ed77 ]

A race condition exists in the NFC LLCP connection state machine where
the connection acceptance packet (CC) can be processed concurrently with
socket release.  This can lead to a use-after-free of the socket object.

When nfc_llcp_recv_cc() moves the socket from the connecting_sockets
list to the sockets list, it does so without holding the socket lock.
If llcp_sock_release() is executing concurrently, it might have already
unlinked the socket and dropped its references, which can result in
nfc_llcp_recv_cc() linking a freed socket into the live list.

Fix this by holding lock_sock() during the state transition and list
movement in nfc_llcp_recv_cc().  After acquiring the lock, check if
the socket is still hashed to ensure it hasn't already been unlinked
and marked for destruction by the release path.  This aligns the locking
pattern with recv_hdlc() and recv_disc().

Fixes: a69f32af86e3 ("NFC: Socket linked list")
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-2-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nfc/llcp_core.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index d9562840fa180b..62b0f2d6686eb8 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1216,6 +1216,15 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
 
 	sk = &llcp_sock->sk;
 
+	lock_sock(sk);
+
+	/* Check if socket was destroyed whilst waiting for the lock */
+	if (!sk_hashed(sk)) {
+		release_sock(sk);
+		nfc_llcp_sock_put(llcp_sock);
+		return;
+	}
+
 	/* Unlink from connecting and link to the client array */
 	nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
 	nfc_llcp_sock_link(&local->sockets, sk);
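Review bot: the `!sk_hashed(sk)` bail-out is only race-free if llcp_sock_release() unhashes the socket while holding lock_sock(); otherwise the unlink can still land between this check and the nfc_llcp_sock_link() below. The comment should name the lock that makes the check reliable rather than only describing the symptom. The early-return path correctly balances the reference on `llcp_sock` with nfc_llcp_sock_put(), matching the normal exit at the end of the function.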
@@ -1227,6 +1236,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
 	sk->sk_state = LLCP_CONNECTED;
 	sk->sk_state_change(sk);
 
+	release_sock(sk);
+
 	nfc_llcp_sock_put(llcp_sock);
 }
 
-- 
2.53.0

* [PATCH 6.18 037/315] net: Avoid checksumming unreadable skb tail on trim
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Björn Töpel, Breno Leitao,
	Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Björn Töpel <bjorn@kernel.org>

[ Upstream commit 2e357f002c61fd76fd8f12468744a06a5ec48eaa ]

pskb_trim_rcsum_slow() keeps CHECKSUM_COMPLETE valid by subtracting
the checksum of the bytes removed from the skb tail. That assumes the
removed bytes can be read.

io_uring zcrx skbs may contain unreadable net_iov frags. With fbnic
header/data split, small TCP/IPv4 packets can carry Ethernet padding
in such a frag. ip_rcv_core() trims the skb to iph->tot_len before TCP
sees it, and the CHECKSUM_COMPLETE adjustment then calls
skb_checksum() on the padding.

This is exposed by IPv4 because small TCP/IPv4 frames can be shorter
than the Ethernet minimum payload. TCP/IPv6 frames are large enough in
the normal zcrx path, so they do not hit the same padding trim.

Keep the existing checksum adjustment for readable skbs. If the
remaining packet is fully linear, drop CHECKSUM_COMPLETE and let the
stack validate the packet after trimming. If unreadable payload would
remain, fail the trim; the checksum cannot be adjusted without reading
the trimmed tail.

Also clear skb->unreadable when trimming removes all frags.

Fixes: 65249feb6b3d ("net: add support for skbs with unreadable frags")
Signed-off-by: Björn Töpel <bjorn@kernel.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260522120643.242974-1-bjorn@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a8911f1b90c15d..6618bfa70ca444 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2739,6 +2739,8 @@ int ___pskb_trim(struct sk_buff *skb, unsigned int len)
 		skb->data_len  = 0;
 		skb_set_tail_pointer(skb, len);
 	}
+	if (!skb_shinfo(skb)->nr_frags && !skb_has_frag_list(skb))
+		skb->unreadable = 0;
 
 	if (!skb->sk || skb->destructor == sock_edemux)
 		skb_condense(skb);
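Review bot: clearing `skb->unreadable` once no frags and no frag_list remain relies on the invariant that unreadable (net_iov) memory can only live in page frags, never in the linear area; a short comment stating that invariant would justify the clear, since the flag is otherwise only managed on the allocation side and a reader may wonder whether the linear data could still be unreadable.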
@@ -2746,16 +2748,37 @@ int ___pskb_trim(struct sk_buff *skb, unsigned int len)
 }
 EXPORT_SYMBOL(___pskb_trim);
 
+static int pskb_trim_rcsum_complete(struct sk_buff *skb, unsigned int len)
+{
+	int delta = skb->len - len;
+
+	if (skb_frags_readable(skb)) {
+		skb->csum = csum_block_sub(skb->csum,
+					   skb_checksum(skb, len, delta, 0),
+					   len);
+		return 0;
+	}
+
+	if (len > skb_headlen(skb))
+		return -EFAULT;
+
+	/* The trimmed bytes are unreadable, but the remaining packet can be
+	 * checksummed by software after trimming.
+	 */
+	skb->ip_summed = CHECKSUM_NONE;
+	return 0;
+}
+
 /* Note : use pskb_trim_rcsum() instead of calling this directly
  */
 int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len)
 {
 	if (skb->ip_summed == CHECKSUM_COMPLETE) {
-		int delta = skb->len - len;
+		int err;
 
-		skb->csum = csum_block_sub(skb->csum,
-					   skb_checksum(skb, len, delta, 0),
-					   len);
+		err = pskb_trim_rcsum_complete(skb, len);
+		if (err)
+			return err;
 	} else if (skb->ip_summed == CHECKSUM_PARTIAL) {
 		int hdlen = (len > skb_headlen(skb)) ? skb_headlen(skb) : len;
 		int offset = skb_checksum_start_offset(skb) + skb->csum_offset;
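Review bot: pskb_trim_rcsum_complete() adds a -EFAULT failure to the CHECKSUM_COMPLETE branch, a failure mode it did not have before; every caller of pskb_trim_rcsum() must treat a non-zero return as "drop the skb" rather than "continue untrimmed", which ip_rcv_core() does, but the remaining callers deserve a check before this lands. Minor: `delta` is computed before the readability test though only the readable branch uses it, and after setting CHECKSUM_NONE `skb->csum` is left stale; harmless, but worth a word in the comment.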
-- 
2.53.0

* [PATCH 6.12 027/307] xfrm: Check for underflow in xfrm_state_mtu
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Leo Lin, David Ahern,
	Steffen Klassert, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Ahern <dahern@nvidia.com>

[ Upstream commit 742b04d0550b0ec89dcbc99537ec88653bd1ad90 ]

Leo Lin reported an OOB write issue in the esp component:

  xfrm_state_mtu() returns u32 but performs its arithmetic in unsigned
  modulo-2^32 space using an attacker-influenced "header_len + authsize +
  net_adj" subtracted from a small "mtu" argument. A nobody user can
  install an IPv4 ESP tunnel SA with a large authentication key
  (XFRMA_ALG_AUTH_TRUNC, e.g. hmac(sha512), 64-byte key, 64-byte trunc),
  configure a small interface MTU (68 bytes), and set XFRMA_TFCPAD to a
  large value. When a single UDP datagram is then sent through the
  tunnel, xfrm_state_mtu() underflows to a near-2^32 value, and
  esp_output() consumes it as a signed int via:

        padto      = min(x->tfcpad, xfrm_state_mtu(x, mtu_cached))
        esp.tfclen = padto - skb->len   (assigned to int)

  esp.tfclen ends up negative (e.g. -207). It is sign-extended to size_t
  when passed to memset() inside esp_output_fill_trailer(), producing a
  ~16 EB write of zeroes at skb_tail_pointer(skb). KASAN logs it as
  "Write of size 18446744073709551537 at addr ffff888...".

Check for underflow and return 1. This causes the sendmsg attempt to
fail with ENETUNREACH.

Fixes: c5c252389374 ("[XFRM]: Optimize MTU calculation")
Reported-by: Leo Lin <leo@depthfirst.com>
Assisted-by: Codex:26.506.31004
Signed-off-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_state.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 6a92d88f9e0363..4823a9c054ae2b 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3022,10 +3022,14 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
 	const struct xfrm_type *type = READ_ONCE(x->type);
 	struct crypto_aead *aead;
 	u32 blksize, net_adj = 0;
+	u32 overhead, payload_mtu;
 
 	if (x->km.state != XFRM_STATE_VALID ||
-	    !type || type->proto != IPPROTO_ESP)
+	    !type || type->proto != IPPROTO_ESP) {
+		if (mtu <= x->props.header_len)
+			return 1;
 		return mtu - x->props.header_len;
+	}
 
 	aead = x->data;
 	blksize = ALIGN(crypto_aead_blocksize(aead), 4);
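Review bot: the sentinel `return 1` for an MTU that cannot fit the headers is explained only in the commit message (the send ends up failing with ENETUNREACH); a comment at this return, and at the matching ones in the hunk below, should say why 1 rather than 0 is the "unreachable" value, since a reader of xfrm_state_mtu() alone cannot tell that callers special-case it.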
@@ -3045,8 +3049,17 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
 		break;
 	}
 
-	return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
-		 net_adj) & ~(blksize - 1)) + net_adj - 2;
+	overhead = x->props.header_len + crypto_aead_authsize(aead) + net_adj;
+	if (mtu <= overhead)
+		return 1;
+
+	payload_mtu = mtu - overhead;
+	payload_mtu &= ~(blksize - 1);
+	if (payload_mtu <= 2)
+		return 1;
+
+	return payload_mtu + net_adj - 2;
+
 }
 EXPORT_SYMBOL_GPL(xfrm_state_mtu);
 
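Review bot: `mtu` is a signed int per the function signature while `overhead` is u32, so in `mtu <= overhead` a negative mtu is converted to a large unsigned value, bypasses the guard, and `payload_mtu = mtu - overhead` wraps; if callers can never pass a negative value, an explicit `mtu <= 0` check or an unsigned parameter would make that assumption visible. The `payload_mtu <= 2` test correctly keeps `payload_mtu + net_adj - 2` from wrapping when net_adj is 0. Style: the added blank line before the closing brace will draw a checkpatch warning and should be dropped.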
-- 
2.53.0

* [PATCH 6.18 038/315] ethtool: rss: avoid modifying the RSS context response
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit c75b6f6eaacd0b74b832414cc3b9289c3686e941 ]

Gemini says that we're modifying the RSS_CREATE response skb.
I think it's right, the comment says that unicast() should
unshare the skb but I'm not entirely sure what I meant there.
netlink_trim() does a copy but only if skb is not well sized
(it's at least 2x larger than necessary for the payload).

Fixes: a166ab7816c5 ("ethtool: rss: support creating contexts via Netlink")
Link: https://patch.msgid.link/20260522230647.1705600-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/rss.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c
index da5934cceb0757..926be5698ba4cc 100644
--- a/net/ethtool/rss.c
+++ b/net/ethtool/rss.c
@@ -974,11 +974,17 @@ ethnl_rss_create_validate(struct net_device *dev, struct genl_info *info)
 }
 
 static void
-ethnl_rss_create_send_ntf(struct sk_buff *rsp, struct net_device *dev)
+ethnl_rss_create_send_ntf(const struct sk_buff *rsp, struct net_device *dev)
 {
-	struct nlmsghdr *nlh = (void *)rsp->data;
 	struct genlmsghdr *genl_hdr;
+	struct nlmsghdr *nlh;
+	struct sk_buff *ntf;
+
+	ntf = skb_copy_expand(rsp, 0, 0, GFP_KERNEL);
+	if (!ntf)
+		return;
 
+	nlh = nlmsg_hdr(ntf);
 	/* Convert the reply into a notification */
 	nlh->nlmsg_pid = 0;
 	nlh->nlmsg_seq = ethnl_bcast_seq_next();
@@ -986,7 +992,7 @@ ethnl_rss_create_send_ntf(struct sk_buff *rsp, struct net_device *dev)
 	genl_hdr = nlmsg_data(nlh);
 	genl_hdr->cmd =	ETHTOOL_MSG_RSS_CREATE_NTF;
 
-	ethnl_multicast(rsp, dev);
+	ethnl_multicast(ntf, dev);
 }
 
 int ethnl_rss_create_doit(struct sk_buff *skb, struct genl_info *info)
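Review bot: when skb_copy_expand() fails the function returns silently and the RSS_CREATE notification is lost while the unicast reply still goes out; acceptable for a best-effort multicast, but a comment saying so (or a rate-limited debug message) would make the choice deliberate. Since no extra head or tail room is requested, plain `skb_copy(rsp, GFP_KERNEL)` expresses the intent more directly than `skb_copy_expand(rsp, 0, 0, GFP_KERNEL)`.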
@@ -1094,12 +1100,8 @@ int ethnl_rss_create_doit(struct sk_buff *skb, struct genl_info *info)
 
 	genlmsg_end(rsp, hdr);
 
-	/* Use the same skb for the response and the notification,
-	 * genlmsg_reply() will copy the skb if it has elevated user count.
-	 */
-	skb_get(rsp);
-	ret = genlmsg_reply(rsp, info);
 	ethnl_rss_create_send_ntf(rsp, dev);
+	ret = genlmsg_reply(rsp, info);
 	rsp = NULL;
 
 exit_unlock:
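Review bot: moving `ethnl_rss_create_send_ntf(rsp, dev)` ahead of `genlmsg_reply()` changes the observable order: multicast listeners can now see RSS_CREATE_NTF before the requester receives its reply. That is harmless now that the notification is sent from a copy, but the commit message should mention it because the old order was chosen on purpose. Dropping the skb_get() is correct since genlmsg_reply() consumes `rsp` on both success and failure, which is what keeps the `rsp = NULL` afterwards right.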
-- 
2.53.0

* [PATCH 6.12 028/307] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Carl Lee, Bartosz Golaszewski,
	Mark Pearson, Luca Stefani, David Heidelberg, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Carl Lee <carl.lee@amd.com>

[ Upstream commit f23bf992d65a42007c517b060ca35cebdea3525a ]

Some ACPI-based platforms report incorrect IRQ trigger types (e.g.
IRQF_TRIGGER_HIGH), which can lead to interrupt storms.

Use the historically working rising-edge trigger on ACPI systems to
avoid this regression.

Device Tree-based systems continue to use the firmware-provided
trigger type.

Fixes: 57be33f85e36 ("nfc: nxp-nci: remove interrupt trigger type")
Signed-off-by: Carl Lee <carl.lee@amd.com>
Tested-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Luca Stefani <luca.stefani.ge1@gmail.com>
Link: https://patch.msgid.link/20260516-nfc-nxp-nci-i2c-restore-irq-trigger-fallback-v3-1-37ba4b6e9086@amd.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/nxp-nci/i2c.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index b3d34433bd14a0..a6c08175d9dd93 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -16,6 +16,7 @@
 #include <linux/delay.h>
 #include <linux/i2c.h>
 #include <linux/interrupt.h>
+#include <linux/irq.h>
 #include <linux/module.h>
 #include <linux/nfc.h>
 #include <linux/gpio/consumer.h>
@@ -267,6 +268,7 @@ static int nxp_nci_i2c_probe(struct i2c_client *client)
 {
 	struct device *dev = &client->dev;
 	struct nxp_nci_i2c_phy *phy;
+	unsigned long irqflags;
 	int r;
 
 	if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
@@ -303,9 +305,26 @@ static int nxp_nci_i2c_probe(struct i2c_client *client)
 	if (r < 0)
 		return r;
 
+	/*
+	 * ACPI platforms may report incorrect IRQ trigger types
+	 * (e.g. level-high), which can lead to interrupt storms.
+	 *
+	 * Use the historically stable rising-edge trigger for ACPI devices.
+	 *
+	 * On non-ACPI systems (e.g. Device Tree), prefer the firmware-
+	 * provided trigger type, falling back to rising-edge if not set.
+	 */
+	if (ACPI_COMPANION(dev)) {
+		irqflags = IRQF_TRIGGER_RISING;
+	} else {
+		irqflags = irq_get_trigger_type(client->irq);
+		if (!irqflags)
+			irqflags = IRQF_TRIGGER_RISING;
+	}
+
 	r = request_threaded_irq(client->irq, NULL,
 				 nxp_nci_i2c_irq_thread_fn,
-				 IRQF_ONESHOT,
+				 irqflags | IRQF_ONESHOT,
 				 NXP_NCI_I2C_DRIVER_NAME, phy);
 	if (r < 0)
 		nfc_err(&client->dev, "Unable to register IRQ handler\n");
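Review bot: `ACPI_COMPANION(dev)` needs <linux/acpi.h>, which the include hunk above does not add; if the driver already includes it elsewhere this is fine, otherwise the build is relying on an indirect include. The ACPI branch also overrides the firmware-provided trigger unconditionally, even where the firmware value is correct; a dev_dbg() reporting the trigger actually chosen would help when triaging an interrupt storm on a platform that needs a different one.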
-- 
2.53.0

* [PATCH 6.18 039/315] ethtool: rss: add missing errno on RSS context delete
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 3e6c6e9782ff8a8d8ded774b07ad4590cd61d04c ]

Remember to set ret before jumping out if someone tries
to delete a context on a device which doesn't support
contexts.

Fixes: fbe09277fa63 ("ethtool: rss: support removing contexts via Netlink")
Link: https://patch.msgid.link/20260522230647.1705600-3-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/rss.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c
index 926be5698ba4cc..688c0e4bba69db 100644
--- a/net/ethtool/rss.c
+++ b/net/ethtool/rss.c
@@ -1160,8 +1160,10 @@ int ethnl_rss_delete_doit(struct sk_buff *skb, struct genl_info *info)
 	dev = req.dev;
 	ops = dev->ethtool_ops;
 
-	if (!ops->create_rxfh_context)
+	if (!ops->create_rxfh_context) {
+		ret = -EOPNOTSUPP;
 		goto exit_free_dev;
+	}
 
 	rtnl_lock();
 	netdev_lock_ops(dev);
-- 
2.53.0

* [PATCH 6.12 029/307] kunit: fix use-after-free in debugfs when using kunit.filter
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Schmaus, Martin Kaiser,
	David Gow, Shuah Khan, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Schmaus <florian.schmaus@codasip.com>

[ Upstream commit fb6988b83b4cafe8db63999c1ddff1b7c66d2ff5 ]

When the kernel is booted with a kunit filter (e.g.,
kunit.filter="speed!=slow"), the kunit executor dynamically allocates
copies of the filtered test suites using kmalloc/kmemdup.

During the initial boot execution, kunit_debugfs_create_suite() creates
debugfs files (such as /sys/kernel/debug/kunit/<suite>/run) and
permanently stores a pointer to the dynamically allocated suite in the
inode's i_private field.

Previously, the executor freed this dynamically allocated suite_set
immediately after executing the boot-time tests. Because the debugfs
nodes were not destroyed, any subsequent interaction with the debugfs
`run` file from userspace triggered a use-after-free (UAF). On systems
with architectural capabilities, like CHERI RISC-V, this resulted in
an immediate fatal hardware exception due to the invalidation of the
capability tags on the reclaimed memory. On other architectures, it
resulted in silent memory corruption.

Fix this UAF by properly coupling the lifetime of the filtered suite
memory allocation to the lifetime of the kunit subsystem and its
associated VFS nodes. Ownership of the boot-time suite_set is now
transferred to a global tracker ('kunit_boot_suites'), and the memory
is cleanly released in kunit_exit() during module teardown.

Link: https://lore.kernel.org/r/20260507084854.233984-1-florian.schmaus@codasip.com
Fixes: e2219db280e3 ("kunit: add debugfs /sys/kernel/debug/kunit/<suite>/results display")
Signed-off-by: Florian Schmaus <florian.schmaus@codasip.com>
Reviewed-by: Martin Kaiser <martin@kaiser.cx>
Reviewed-by: David Gow <david@davidgow.net>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/kunit/test.h |  1 +
 lib/kunit/executor.c | 19 ++++++++++++++++---
 lib/kunit/test.c     |  1 +
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/include/kunit/test.h b/include/kunit/test.h
index 34b71e42fb107c..6132faa314fcb8 100644
--- a/include/kunit/test.h
+++ b/include/kunit/test.h
@@ -547,6 +547,7 @@ unsigned long kunit_vm_mmap(struct kunit *test, struct file *file,
 			    unsigned long offset);
 
 void kunit_cleanup(struct kunit *test);
+void kunit_free_boot_suites(void);
 
 void __printf(2, 3) kunit_log_append(struct string_stream *log, const char *fmt, ...);
 
diff --git a/lib/kunit/executor.c b/lib/kunit/executor.c
index 34b7b6833df3d5..7cd1c87eb2edfb 100644
--- a/lib/kunit/executor.c
+++ b/lib/kunit/executor.c
@@ -15,6 +15,16 @@ extern struct kunit_suite * const __kunit_suites_end[];
 extern struct kunit_suite * const __kunit_init_suites_start[];
 extern struct kunit_suite * const __kunit_init_suites_end[];
 
+static struct kunit_suite_set kunit_boot_suites;
+
+void kunit_free_boot_suites(void)
+{
+	if (kunit_boot_suites.start) {
+		kunit_free_suite_set(kunit_boot_suites);
+		kunit_boot_suites = (struct kunit_suite_set){ NULL, NULL };
+	}
+}
+
 static char *action_param;
 
 module_param_named(action, action_param, charp, 0400);
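Review bot: kunit_free_boot_suites() reads and resets `kunit_boot_suites` without any locking, which is only safe because its sole caller is the module exit path after kunit_debugfs_cleanup() has removed the `run` files that could still dereference the suites; a comment here stating that ordering requirement would stop a future caller from invoking it while debugfs nodes are live.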
@@ -392,9 +402,12 @@ int kunit_run_all_tests(void)
 		pr_err("kunit executor: unknown action '%s'\n", action_param);
 
 free_out:
-	if (filter_glob_param || filter_param)
-		kunit_free_suite_set(suite_set);
-	else if (init_num_suites > 0)
+	if (filter_glob_param || filter_param) {
+		if (err)
+			kunit_free_suite_set(suite_set);
+		else
+			kunit_boot_suites = suite_set;
+	} else if (init_num_suites > 0)
 		/* Don't use kunit_free_suite_set because suites aren't individually allocated */
 		kfree(suite_set.start);
 
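Review bot: with the first arm now braced, the `} else if (init_num_suites > 0)` arm should be braced too (kernel style: when one branch of an if/else chain needs braces, all of them get them). Handing `suite_set` to `kunit_boot_suites` also assumes kunit_run_all_tests() runs exactly once; a `WARN_ON(kunit_boot_suites.start)` before the assignment would document that and catch the leak if the assumption ever breaks.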
diff --git a/lib/kunit/test.c b/lib/kunit/test.c
index 089c832e3cdbd5..b808826e6de2cf 100644
--- a/lib/kunit/test.c
+++ b/lib/kunit/test.c
@@ -954,6 +954,7 @@ static void __exit kunit_exit(void)
 	kunit_bus_shutdown();
 
 	kunit_debugfs_cleanup();
+	kunit_free_boot_suites();
 }
 module_exit(kunit_exit);
 
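Review bot: the order here matters and is not commented: kunit_debugfs_cleanup() must run before kunit_free_boot_suites(), otherwise the debugfs `run` files still hold i_private pointers into the suites being freed and the UAF this patch fixes comes back at module unload. A one-line comment between the two calls would protect that ordering from a later reshuffle.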
-- 
2.53.0

* [PATCH 6.18 040/315] ethtool: rss: fix falsely ignoring indir table updates
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 8d60141a32875248ef71d49c9920fa5e2aa40b29 ]

rss_set_prep_indir() compares the new indirection table against the
current one to determine whether any update is needed. The memcmp
call passes data->indir_size as the length argument, but indir_size
is the number of u32 entries, not the byte count.

Fixes: c0ae03588bbb ("ethtool: rss: initial RSS_SET (indirection table handling)")
Link: https://patch.msgid.link/20260522230647.1705600-4-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/rss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c
index 688c0e4bba69db..4877655f724419 100644
--- a/net/ethtool/rss.c
+++ b/net/ethtool/rss.c
@@ -684,7 +684,7 @@ rss_set_prep_indir(struct net_device *dev, struct genl_info *info,
 				ethtool_rxfh_indir_default(i, num_rx_rings);
 	}
 
-	*mod |= memcmp(rxfh->indir, data->indir_table, data->indir_size);
+	*mod |= memcmp(rxfh->indir, data->indir_table, alloc_size);
 
 	return 0;
 
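Review bot: the replacement length `alloc_size` must be exactly `indir_size * sizeof(u32)` for memcmp() to cover the whole table and nothing more; the hunk does not show where alloc_size is computed, so confirm it is not rounded up or shared with the hash key, otherwise the compare would include bytes past the last entry and report spurious changes. Writing the length at the call site as `data->indir_size * sizeof(*rxfh->indir)` would make the intent self-evident. Minor: memcmp() returns a signed int, so `*mod |= !!memcmp(...)` reads cleaner if *mod is a bool.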
-- 
2.53.0





* [PATCH 6.12 030/307] kernel/fork: validate exit_signal in kernel_clone()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 029/307] kunit: fix use-after-free in debugfs when using kunit.filter Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 031/307] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
                   ` (276 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Deepanshu Kartikey, Oleg Nesterov,
	syzbot+bbe6b99feefc3a0842de, Michal Hocko, Ben Segall,
	Christian Brauner, David Hildenbrand, Dietmar Eggemann,
	Ingo Molnar, Juri Lelli, Kees Cook, Liam Howlett,
	Lorenzo Stoakes (Oracle), Mel Gorman, Mike Rapoport,
	Peter Zijlstra, Steven Rostedt, Suren Baghdasaryan,
	Valentin Schneider, Vincent Guittot, Vlastimil Babka,
	Tetsuo Handa, Andrew Morton, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Deepanshu Kartikey <kartikey406@gmail.com>

[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]

When a child process exits, it sends exit_signal to its parent via
do_notify_parent().  The clone() syscall constructs exit_signal as:

(lower_32_bits(clone_flags) & CSIGNAL)

CSIGNAL is 0xff, so values in the range 65-255 are possible.  However,
valid_signal() only accepts signals up to _NSIG (64 on x86_64).  A
non-zero non-valid exit_signal acts the same as exit_signal == 0: the
parent process is not signaled when the child terminates.

The syzkaller reproducer triggers this by calling clone() with flags=0x80,
resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
is not a valid signal.

The v1 of this patch added the check only in the clone() syscall handler,
which is incomplete.  kernel_clone() has other callers such as
sys_ia32_clone() which would remain unprotected.  Move the check to
kernel_clone() to cover all callers.

Since the valid_signal() check is now in kernel_clone() and covers all
callers including clone3(), the same check in copy_clone_args_from_user()
becomes redundant and is removed.  The higher 32bits check for clone3() is
kept as it is clone3() specific.

Note that this is a user-visible change: previously, passing an invalid
exit_signal to clone() was silently accepted.  The man page for clone()
does not document any defined behavior for invalid exit_signal values, so
rejecting them with -EINVAL is the correct behavior.  It is unlikely that
any sane application relies on passing an invalid exit_signal.

[oleg@redhat.com: the comment above kernel_clone() should be updated]
  Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Ben Segall <bsegall@google.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Liam Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Valentin Schneider <vschneid@redhat.com>
Cc: Vincent Guittot <vincent.guittot@linaro.org>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/fork.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index c4955cffcb6f4e..1f306743832b3e 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2773,8 +2773,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
  *
  * It copies the process, and if successful kick-starts
  * it and waits for it to finish using the VM if required.
- *
- * args->exit_signal is expected to be checked for sanity by the caller.
  */
 pid_t kernel_clone(struct kernel_clone_args *args)
 {
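Review bot: dropping the "args->exit_signal is expected to be checked for sanity by the caller" line leaves the kernel_clone() comment silent on who validates exit_signal; since the next hunk moves the check into kernel_clone() itself, a one-line replacement such as "args->exit_signal is validated here; callers need not check it" keeps the contract documented for the kernel_thread(), create_io_thread() and clone/clone3 entry points that go through this function.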
@@ -2799,6 +2797,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
 	    (args->pidfd == args->parent_tid))
 		return -EINVAL;
 
+	if (!valid_signal(args->exit_signal))
+		return -EINVAL;
+
 	/*
 	 * Determine whether and which event to report to ptracer.  When
 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
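Review bot: the new `if (!valid_signal(args->exit_signal))` check accepts 0, which is required here because kernel thread creation and clone() without an exit signal both pass exit_signal 0 through kernel_clone(); a short comment saying so would stop someone later tightening it to a positive range. Placement after the pidfd/parent_tid checks and before the ptrace event decision is fine, as nothing in between depends on exit_signal. Since args->exit_signal is an int and valid_signal() takes an unsigned long, negative values convert to large numbers and are rejected as well, which is the desired outcome.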
@@ -2999,11 +3000,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
 		return -EINVAL;
 
 	/*
-	 * Verify that higher 32bits of exit_signal are unset and that
-	 * it is a valid signal
+	 * Verify that higher 32bits of exit_signal are unset
 	 */
-	if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-		     !valid_signal(args.exit_signal)))
+	if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
 		return -EINVAL;
 
 	if ((args.flags & CLONE_INTO_CGROUP) &&
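Review bot: with valid_signal() removed from copy_clone_args_from_user(), the remaining `args.exit_signal & ~((u64)CSIGNAL)` test is the only clone3-specific guard and it is still needed, because exit_signal is a u64 in struct clone_args and kernel_clone() only ever sees the int-truncated copy; the updated comment could say that the range check itself now lives in kernel_clone(), so the two pieces read as one design rather than as a half-removed check.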
-- 
2.53.0





* [PATCH 6.18 041/315] ethtool: rss: fix indir_table and hkey leak on get_rxfh failure
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 040/315] ethtool: rss: fix falsely ignoring indir table updates Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 042/315] ethtool: rss: fix hkey leak when indir_size is 0 Greg Kroah-Hartman
                   ` (275 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 266297692f97008ca48bc311775c087c59bd7fe3 ]

rss_prepare_get() allocates the indirection table and hash key buffer
via rss_get_data_alloc(), then calls ops->get_rxfh() to populate them.
If get_rxfh() fails, the function returns an error without freeing
the allocation.

Fixes: 4f038a6a02d2 ("net: ethtool: Don't call .cleanup_data when prepare_data fails")
Link: https://patch.msgid.link/20260522230647.1705600-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/rss.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c
index 4877655f724419..5416aec13b7fe7 100644
--- a/net/ethtool/rss.c
+++ b/net/ethtool/rss.c
@@ -168,8 +168,10 @@ rss_prepare_get(const struct rss_req_info *request, struct net_device *dev,
 	rxfh.key = data->hkey;
 
 	ret = ops->get_rxfh(dev, &rxfh);
-	if (ret)
+	if (ret) {
+		rss_get_data_free(data);
 		goto out_unlock;
+	}
 
 	data->hfunc = rxfh.hfunc;
 	data->input_xfrm = rxfh.input_xfrm;
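Review bot: freeing in the get_rxfh() failure branch is correct only because the `.prepare_data` failure path no longer invokes `.cleanup_data` (the commit named in the Fixes tag); if rss_get_data_free() does not also reset data->indir_table and data->hkey to NULL, a future change that restores the cleanup call would double-free, so a NULL reset inside rss_get_data_free() (or right after this call) is cheap insurance. Any other error return between rss_get_data_alloc() and the end of rss_prepare_get() that is not visible in this hunk should get the same treatment.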
-- 
2.53.0





* [PATCH 6.12 031/307] netfilter: synproxy: refresh tcphdr after skb_ensure_writable
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 030/307] kernel/fork: validate exit_signal in kernel_clone() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 032/307] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
                   ` (275 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chris Mason,
	Fernando Fernandez Mancera, Florian Westphal, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Mason <clm@meta.com>

[ Upstream commit 92170e6afe927ab2792a3f71902845789c8e31b1 ]

synproxy_tstamp_adjust() rewrites the TCP timestamp option in place
and then patches the TCP checksum via inet_proto_csum_replace4() on
the caller-supplied tcphdr pointer.  Both ipv4_synproxy_hook() and
ipv6_synproxy_hook() obtain that pointer with skb_header_pointer()
before calling in, so it may either alias skb->head directly or
point at the caller's on-stack _tcph buffer.

Between obtaining the pointer and using it, the function calls
skb_ensure_writable(skb, optend), which on a cloned or non-linear
skb invokes pskb_expand_head() and frees the old skb->head.  After
that point the cached th is stale:

    caller (ipv[46]_synproxy_hook)
      th = skb_header_pointer(skb, ..., &_tcph)
      synproxy_tstamp_adjust(skb, protoff, th, ...)
        skb_ensure_writable(skb, optend)
          pskb_expand_head()        /* kfree(old skb->head) */
        ...
        inet_proto_csum_replace4(&th->check, ...)
                                    /* writes into freed head, or
                                       into the caller's stack copy
                                       leaving the on-wire checksum
                                       stale */

The option bytes are written through skb->data and are fine; only
the checksum update goes through th and so lands in the wrong
place.  The result is either a write into freed slab memory or a
packet leaving with a checksum that does not match its payload.

Fix by re-deriving th from skb->data + protoff immediately after
skb_ensure_writable() succeeds, so the subsequent checksum update
targets the linear, writable header.

Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_synproxy_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 3fa3f5dfb26444..6a851ac4dd048f 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -199,6 +199,8 @@ synproxy_tstamp_adjust(struct sk_buff *skb, unsigned int protoff,
 	if (skb_ensure_writable(skb, optend))
 		return 0;
 
+	th = (struct tcphdr *)(skb->data + protoff);
+
 	while (optoff < optend) {
 		unsigned char *op = skb->data + optoff;
 
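Review bot: the re-derived `th = (struct tcphdr *)(skb->data + protoff);` needs a short comment saying that skb_ensure_writable() may have reallocated skb->head and that the caller's th (possibly its on-stack _tcph copy) is stale from here on; without it the assignment looks redundant and is an easy target for a cleanup that removes it. Because the parameter is rebound only inside this function, ipv4_synproxy_hook() and ipv6_synproxy_hook() still hold the stale pointer after return, so any use of th there after synproxy_tstamp_adjust() needs the same refresh; deriving th from protoff inside the function and dropping the th parameter would close that hole structurally.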
-- 
2.53.0





* [PATCH 6.18 042/315] ethtool: rss: fix hkey leak when indir_size is 0
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 041/315] ethtool: rss: fix indir_table and hkey leak on get_rxfh failure Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 043/315] ethtool: rss: avoid device context leak on reply-build failure Greg Kroah-Hartman
                   ` (274 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 78ccf1a70c6378e1f5073a8c2209b5129067b925 ]

rss_get_data_alloc() allocates a single buffer that backs both the
indirection table and the hash key, but only assigned data->indir_table
when indir_size was nonzero. The expectation was that no driver
implements RSS without supporting indirection table but apparently
enic does just that (it's the only such in-tree driver).
enic has get_rxfh_key_size but no get_rxfh_indir_size.
data->indir_table stays as NULL, hkey gets set but rss_get_data_free()
kfree(data->indir_table) is a nop and the allocation leaks.

Always store the allocation base in data->indir_table so the free path
is unambiguous. No caller treats indir_table as a sentinel; everything
keys off indir_size.

Fixes: 7112a04664bf ("ethtool: add netlink based get rss support")
Link: https://patch.msgid.link/20260522230647.1705600-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/rss.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c
index 5416aec13b7fe7..f745ddec6fbab8 100644
--- a/net/ethtool/rss.c
+++ b/net/ethtool/rss.c
@@ -132,8 +132,7 @@ rss_get_data_alloc(struct net_device *dev, struct rss_reply_data *data)
 	if (!rss_config)
 		return -ENOMEM;
 
-	if (data->indir_size)
-		data->indir_table = (u32 *)rss_config;
+	data->indir_table = (u32 *)rss_config;
 	if (data->hkey_size)
 		data->hkey = rss_config + indir_bytes;
 
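Review bot: with `data->indir_table = (u32 *)rss_config;` unconditional, the free path can rely on indir_table as the allocation base, but that convention should be recorded on the struct field (something like "allocation base, also backs hkey; indir_size entries are valid") so the next reader does not reintroduce the `if (data->indir_size)` guard or start testing indir_table for NULL as a capability flag. The hkey assignment still keys on hkey_size, and with indir_size == 0 it resolves to rss_config + 0, which is consistent with the new base pointer.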
-- 
2.53.0





* [PATCH 6.12 032/307] netfilter: xt_cpu: prefer raw_smp_processor_id
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 031/307] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 033/307] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
                   ` (274 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+690d3e3ffa7335ac10eb,
	Florian Westphal, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit c376f07e16c02239ed44cabb97145d03f65b4d15 ]

With PREEMPT_RCU we get a splat:

BUG: using smp_processor_id() in preemptible [..]
caller is cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
CPU: 1 .. Comm: syz.3.1377 #0 PREEMPT(full)
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
 cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
 [..]

Just use raw version instead.
This is similar to 14d14a5d2957 ("netfilter: nft_meta: use raw_smp_processor_id()").

Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: syzbot+690d3e3ffa7335ac10eb@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/xt_cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_cpu.c b/net/netfilter/xt_cpu.c
index 3bdc302a0f9137..9cb259902a586b 100644
--- a/net/netfilter/xt_cpu.c
+++ b/net/netfilter/xt_cpu.c
@@ -34,7 +34,7 @@ static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
 	const struct xt_cpu_info *info = par->matchinfo;
 
-	return (info->cpu == smp_processor_id()) ^ info->invert;
+	return (info->cpu == raw_smp_processor_id()) ^ info->invert;
 }
 
 static struct xt_match cpu_mt_reg __read_mostly = {
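Review bot: switching to raw_smp_processor_id() silences the preemption debug check but does not make the comparison stable: under PREEMPT_RCU the rule can be evaluated on one CPU and the packet finished on another, so the `cpu` match is inherently best-effort; a one-line comment on the return statement noting that the value is advisory would record this as intentional for the next person who wonders why the raw variant is used here. No functional concern with the hunk itself.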
-- 
2.53.0





* [PATCH 6.18 043/315] ethtool: rss: avoid device context leak on reply-build failure
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 042/315] ethtool: rss: fix hkey leak when indir_size is 0 Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 044/315] ethtool: module: call ethnl_ops_complete() on module flash errors Greg Kroah-Hartman
                   ` (273 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 32a9ecde62731c9f7412507709192c84dafc38d1 ]

We wait with filling the reply for new RSS context creation
until after the driver ->create_rxfh_context call. The driver
needs to fill some of the defaults in the context. The failure
of rss_fill_reply() is somewhat theoretical, but doesn't take
much effort to handle it properly. Call ->remove_rxfh_context().

If the driver's remove callback fails (some implementations like sfc
can return real command errors from firmware RPCs) - skip the xa_erase
and kfree, leaving the context in the xarray. This matches how
ethnl_rss_delete_doit() behaves.

Fixes: a166ab7816c5 ("ethtool: rss: support creating contexts via Netlink")
Link: https://patch.msgid.link/20260522230647.1705600-7-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/rss.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c
index f745ddec6fbab8..b122f67dbde1d6 100644
--- a/net/ethtool/rss.c
+++ b/net/ethtool/rss.c
@@ -1096,7 +1096,7 @@ int ethnl_rss_create_doit(struct sk_buff *skb, struct genl_info *info)
 	ntf_fail |= rss_fill_reply(rsp, &req.base, &data.base);
 	if (WARN_ON(!hdr || ntf_fail)) {
 		ret = -EMSGSIZE;
-		goto exit_unlock;
+		goto err_remove_ctx;
 	}
 
 	genlmsg_end(rsp, hdr);
@@ -1124,6 +1124,10 @@ int ethnl_rss_create_doit(struct sk_buff *skb, struct genl_info *info)
 	nlmsg_free(rsp);
 	return ret;
 
+err_remove_ctx:
+	if (ops->remove_rxfh_context(dev, ctx, req.rss_context, NULL))
+		/* leave the context on failure, like ethnl_rss_delete_doit() */
+		goto exit_unlock;
 err_ctx_id_free:
 	xa_erase(&dev->ethtool->rss_ctx, req.rss_context);
 err_unlock_free_ctx:
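Review bot: `ops->remove_rxfh_context(dev, ctx, req.rss_context, NULL)` passes a NULL extack, so when the driver's removal fails (the firmware-error case the commit message mentions for sfc) the user sees only the original -EMSGSIZE and the half-created context stays in the xarray with no indication of why; passing info->extack, or at least a netdev_warn() naming the leftover context id, would make that state diagnosable. Style: the comment sitting between the `if` and its `goto` would read better above the `if`, or the body should get braces.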
-- 
2.53.0





* [PATCH 6.12 033/307] netfilter: ebtables: fix OOB read in compat_mtw_from_user
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 032/307] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 034/307] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
                   ` (273 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
	Xin Liu, Luxiao Xu, Ren Wei, Fernando Fernandez Mancera,
	Florian Westphal, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

[ Upstream commit f438d1786d657d57790c5d138d6db3fc9fdac392 ]

Luxiao Xu says:

 The function compat_mtw_from_user() converts ebtables extensions from
 32-bit user structures to kernel native structures. However, it lacks
 proper validation of the user-supplied match_size/target_size.

 When certain extensions are processed, the kernel-side translation
 logic may perform memory accesses based on the extension's expected
 size. If the user provides a size smaller than what the extension
 requires, it results in an out-of-bounds read as reported by KASAN.

 This fix introduces a check to ensure match_size is at least as large
 as the extension's required compatsize. This covers matches, watchers,
 and targets, while maintaining compatibility with standard targets.

AFAIU this is relevant for matches that need to go through
match->compat_from_user() call.  Those that use plain memcpy with the
user-provided size are ok because the caller checks that size vs the
start of the next rule entry offset (which itself is checked vs. total
size copied from userspace).

The ->compat_from_user() callbacks assume they can read compatsize bytes,
so they need this extra check.

Based on an earlier patch from Luxiao Xu.

Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index a461c59ad28595..1bc7b5d8f76d7a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1952,6 +1952,25 @@ enum compat_mwt {
 	EBT_COMPAT_TARGET,
 };
 
+static bool match_size_ok(const struct xt_match *match, unsigned int match_size)
+{
+	u16 csize;
+
+	if (match->matchsize == -1) /* cannot validate ebt_among */
+		return true;
+
+	csize = match->compatsize ? : match->matchsize;
+
+	return match_size >= csize;
+}
+
+static bool tgt_size_ok(const struct xt_target *tgt, unsigned int tgt_size)
+{
+	u16 csize = tgt->compatsize ? : tgt->targetsize;
+
+	return tgt_size >= csize;
+}
+
 static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 				enum compat_mwt compat_mwt,
 				struct ebt_entries_buf_state *state,
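Review bot: `u16 csize` in match_size_ok() and tgt_size_ok() silently truncates matchsize/compatsize and targetsize/compatsize, which are unsigned int fields in struct xt_match and struct xt_target; real extension sizes fit in 16 bits, but declaring csize as `unsigned int` costs nothing and removes a truncation a future large extension could trip over. The `matchsize == -1` exemption for ebt_among is documented in the comment, which is good; adding that ebt_among's variable-size payload is bounded separately by the caller's next-entry-offset check (as the commit message explains) would stop the exemption reading like a missing check.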
@@ -1977,6 +1996,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 		if (IS_ERR(match))
 			return PTR_ERR(match);
 
+		if (!match_size_ok(match, match_size)) {
+			module_put(match->me);
+			return -EINVAL;
+		}
+
 		off = ebt_compat_match_offset(match, match_size);
 		if (dst) {
 			if (match->compat_from_user)
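Review bot: the match check correctly drops the reference taken by the match lookup with `module_put(match->me);` before returning -EINVAL, and it sits before ebt_compat_match_offset() and before any write to dst, so no partial conversion is left behind. One readability nit: `match_size` here is the user-supplied compat size from the mwt entry, and a comment saying the comparison is against the extension's compat layout rather than the native kernel layout would save the next reader a trip to match_size_ok().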
@@ -1996,6 +2020,12 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
 					    mwt->u.revision);
 		if (IS_ERR(wt))
 			return PTR_ERR(wt);
+
+		if (!tgt_size_ok(wt, match_size)) {
+			module_put(wt->me);
+			return -EINVAL;
+		}
+
 		off = xt_compat_target_offset(wt);
 
 		if (dst) {
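Review bot: `tgt_size_ok(wt, match_size)` reuses the `match_size` parameter for a watcher/target size; it is the same user field for all entry kinds, but the name makes the call read like a copy-paste slip, so a local `tgt_size` alias or a comment would help. The check is placed before xt_compat_target_offset() and before any dst write, consistent with the match path; if this branch is shared by the EBT_COMPAT_WATCHER and EBT_COMPAT_TARGET cases, the single check covers both, which is what the commit message promises.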
-- 
2.53.0





* [PATCH 6.18 044/315] ethtool: module: call ethnl_ops_complete() on module flash errors
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 043/315] ethtool: rss: avoid device context leak on reply-build failure Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 045/315] ethtool: module: avoid leaking a netdev ref " Greg Kroah-Hartman
                   ` (272 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 84371fb58423f997939aacdcbc02d128d76a54e5 ]

When validate() fails we are skipping over ethnl_ops_complete()
even tho we already called ethnl_ops_begin().

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index 4d4e0a82579a2b..05e4c1d785656f 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -427,10 +427,11 @@ int ethnl_act_module_fw_flash(struct sk_buff *skb, struct genl_info *info)
 
 	ret = ethnl_module_fw_flash_validate(dev, info->extack);
 	if (ret < 0)
-		goto out_unlock;
+		goto out_complete;
 
 	ret = module_flash_fw(dev, tb, skb, info);
 
+out_complete:
 	ethnl_ops_complete(dev);
 
 out_unlock:
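Review bot: `goto out_complete` makes the validate() failure path pair ethnl_ops_begin() with ethnl_ops_complete(), which is the fix; with the label directly above `ethnl_ops_complete(dev);` the success path and both error paths now converge on the same call, so the only remaining thing to check is that no other early exit between ethnl_ops_begin() and this point (not visible in the hunk) still jumps straight to out_unlock.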
-- 
2.53.0





* [PATCH 6.12 034/307] tun: free page on short-frame rejection in tun_xdp_one()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 033/307] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 035/307] tun: free page on build_skb failure " Greg Kroah-Hartman
                   ` (272 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit f4feb1e20058e407cb00f45aff47f5b7e19a6bbf ]

tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.

A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.

Fixes: 049584807f1d ("tun: add missing verification for short frame")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260520160020.375349-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tun.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index fb9d425eff8c1b..19c33d21bab947 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2459,8 +2459,10 @@ static int tun_xdp_one(struct tun_struct *tun,
 	bool skb_xdp = false;
 	struct page *page;
 
-	if (unlikely(datasize < ETH_HLEN))
+	if (unlikely(datasize < ETH_HLEN)) {
+		put_page(virt_to_head_page(xdp->data));
 		return -EINVAL;
+	}
 
 	xdp_prog = rcu_dereference(tun->xdp_prog);
 	if (xdp_prog) {
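Review bot: `put_page(virt_to_head_page(xdp->data));` matches the release the XDP-program error path in this function performs, so the short-frame reject no longer leaks the page-frag chunk; what is still missing compared with a normal drop is accounting: the frame is discarded without bumping rx_dropped (or whichever counter the other drop paths in tun_xdp_one() use), so a stream of short frames from a vhost-net guest leaves no trace in the interface statistics. Since tun_sendmsg() still returns total_len for the batch, a counter is the only signal an operator will get; consider adding it here or in a follow-up.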
-- 
2.53.0





* [PATCH 6.18 045/315] ethtool: module: avoid leaking a netdev ref on module flash errors
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 044/315] ethtool: module: call ethnl_ops_complete() on module flash errors Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 046/315] ethtool: module: avoid racy updates to dev->ethtool bitfield Greg Kroah-Hartman
                   ` (271 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit fb7f511d62692661846c47f199e0afe25c2982db ]

module_flash_fw_schedule() is missing undo for setting
the "in_progress" flag and taking the netdev reference.
Delay taking these, the device can't disappear while
we are holding rtnl_lock.

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-3-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index 05e4c1d785656f..fb61bb47083e62 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -319,8 +319,6 @@ module_flash_fw_schedule(struct net_device *dev, const char *file_name,
 	if (err < 0)
 		goto err_release_firmware;
 
-	dev->ethtool->module_fw_flash_in_progress = true;
-	netdev_hold(dev, &module_fw->dev_tracker, GFP_KERNEL);
 	fw_update->dev = dev;
 	fw_update->ntf_params.portid = info->snd_portid;
 	fw_update->ntf_params.seq = info->snd_seq;
@@ -335,6 +333,9 @@ module_flash_fw_schedule(struct net_device *dev, const char *file_name,
 	if (err < 0)
 		goto err_release_firmware;
 
+	dev->ethtool->module_fw_flash_in_progress = true;
+	netdev_hold(dev, &module_fw->dev_tracker, GFP_KERNEL);
+
 	schedule_work(&module_fw->work);
 
 	return 0;
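Review bot: moving `module_fw_flash_in_progress = true;` and netdev_hold() to just before schedule_work() removes the need for an undo on the `err_release_firmware` paths, and the ordering is sound because the rtnl lock held across this function keeps dev alive until the hold is taken; the invariant worth writing next to these two lines is that they must stay adjacent to schedule_work() with no failing call between them, since the work item is what eventually clears the flag and drops the reference. Also confirm that nothing between the old and the new position reads module_fw_flash_in_progress, for instance to reject a concurrent flash request, since that window is now wider.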
-- 
2.53.0





* [PATCH 6.12 035/307] tun: free page on build_skb failure in tun_xdp_one()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 034/307] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 036/307] vsock: keep poll shutdown state consistent Greg Kroah-Hartman
                   ` (271 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
	Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Weiming Shi <bestswngs@gmail.com>

[ Upstream commit aa8963fdce667a42fb7f0bdd2909fadcab02f9a8 ]

When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.

Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.

Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260521163312.1479805-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tun.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 19c33d21bab947..d53e60823bf1bb 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2505,6 +2505,7 @@ static int tun_xdp_one(struct tun_struct *tun,
 build:
 	skb = build_skb(xdp->data_hard_start, buflen);
 	if (!skb) {
+		put_page(virt_to_head_page(xdp->data));
 		ret = -ENOMEM;
 		goto out;
 	}
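Review bot: The added `put_page(virt_to_head_page(xdp->data))` before `ret = -ENOMEM` mirrors the other error exits, and because `build_skb()` failed it never took ownership of `xdp->data_hard_start`, so freeing here cannot double-free. A short comment on the `+` line saying that the page was allocated by the caller (vhost_net_build_xdp() per the commit message) and must be dropped here because tun_sendmsg() discards the per-buffer error would spare the next reader the walk through the call chain; it would also flag that any future error exit added after the `build:` label needs the same put_page().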
-- 
2.53.0





* [PATCH 6.18 046/315] ethtool: module: avoid racy updates to dev->ethtool bitfield
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 045/315] ethtool: module: avoid leaking a netdev ref " Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 047/315] ethtool: module: check fw_flash_in_progress under rtnl_lock Greg Kroah-Hartman
                   ` (270 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 7a84b965ffc12030af63cd10a8f3a1123ff39b7a ]

When reviewing other changes Gemini points out that we currently
update module_fw_flash_in_progress without holding any locks.
Since module_fw_flash_in_progress is part of a bitfield this
is not great, updates to other fields may be lost.

We could use a bool and sprinkle some READ_ONCE/WRITE_ONCE here
but it seems like the issue is rather that the work is an unusual
writer. The other writers already hold the right locks. So just
very briefly take these locks when the work completes.

Note that nothing ever cancels the FW update work, so there's
no concern with deadlocks vs cancel.

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-4-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index fb61bb47083e62..8929b7fb2fa79c 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -221,14 +221,22 @@ static void module_flash_fw_work_list_del(struct list_head *list)
 static void module_flash_fw_work(struct work_struct *work)
 {
 	struct ethtool_module_fw_flash *module_fw;
+	struct net_device *dev;
 
 	module_fw = container_of(work, struct ethtool_module_fw_flash, work);
+	dev = module_fw->fw_update.dev;
 
 	ethtool_cmis_fw_update(&module_fw->fw_update);
 
 	module_flash_fw_work_list_del(&module_fw->list);
-	module_fw->fw_update.dev->ethtool->module_fw_flash_in_progress = false;
-	netdev_put(module_fw->fw_update.dev, &module_fw->dev_tracker);
+
+	rtnl_lock();
+	netdev_lock_ops(dev);
+	dev->ethtool->module_fw_flash_in_progress = false;
+	netdev_unlock_ops(dev);
+	rtnl_unlock();
+
+	netdev_put(dev, &module_fw->dev_tracker);
 	release_firmware(module_fw->fw_update.fw);
 	kfree(module_fw);
 }
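Review bot: `dev` is loaded from `module_fw->fw_update.dev` before rtnl_lock() and netdev_lock_ops() are taken, which is fine only because the reference held via `module_fw->dev_tracker` keeps the device alive until the `netdev_put()` below; a comment saying so would make the ordering (lock, clear flag, unlock, then put) self-explanatory. Taking rtnl_lock() from a workqueue callback is safe given the commit message's observation that nothing ever cancels this work, but that invariant belongs in a comment next to the `rtnl_lock()` call, since a future `cancel_work_sync()` issued under rtnl would deadlock. Minor: between `module_flash_fw_work_list_del()` and the flag clear there is a window where the work is off the list but `module_fw_flash_in_progress` is still true; a new flash request in that window is rejected with -EBUSY rather than raced against, which is the safe outcome.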
-- 
2.53.0





* [PATCH 6.12 036/307] vsock: keep poll shutdown state consistent
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 035/307] tun: free page on build_skb failure " Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 037/307] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
                   ` (270 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyu Zhang, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ziyu Zhang <ziyuzhang201@gmail.com>

[ Upstream commit aae9d8a5528b8ee9ff8dc5d3558b8a9f852a724a ]

vsock_poll() reads vsk->peer_shutdown before taking the socket lock
to set EPOLLHUP and EPOLLRDHUP, then reads it again after taking
the lock to report EOF readability. A shutdown packet can update
peer_shutdown while poll is waiting for the lock, so one poll invocation
can report EOF readability without the corresponding HUP/RDHUP bits.

For connectible sockets, take one peer_shutdown snapshot after
lock_sock() and use it for all peer-shutdown-derived poll bits. For
datagram sockets, which do not take lock_sock() in poll(), take one
lockless READ_ONCE() snapshot and pair it with WRITE_ONCE() on the
writer side.

This keeps the peer-shutdown-derived bits internally consistent for each
poll pass.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Ziyu Zhang <ziyuzhang201@gmail.com>
Link: https://patch.msgid.link/20260519165636.62542-1-ziyuzhang201@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/af_vsock.c                | 49 ++++++++++++++++---------
 net/vmw_vsock/hyperv_transport.c        |  9 +++--
 net/vmw_vsock/virtio_transport_common.c | 14 ++++---
 net/vmw_vsock/vmci_transport.c          |  8 ++--
 4 files changed, 52 insertions(+), 28 deletions(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 1db7a1f8e55f6d..f03e00cae028a5 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -523,7 +523,7 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
 		 */
 		sock_reset_flag(sk, SOCK_DONE);
 		sk->sk_state = TCP_CLOSE;
-		vsk->peer_shutdown = 0;
+		WRITE_ONCE(vsk->peer_shutdown, 0);
 	}
 
 	if (sk->sk_type == SOCK_SEQPACKET) {
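Review bot: Per the commit message, connectible sockets read `peer_shutdown` under lock_sock(), so the `WRITE_ONCE()` here exists for the lockless `READ_ONCE()` reader added for SOCK_DGRAM in vsock_poll(). That contract should be written next to the field's declaration (or at least in the commit message): "peer_shutdown is read without lock_sock() by poll() for SOCK_DGRAM; all writers must use WRITE_ONCE()", otherwise a future plain store will quietly reintroduce the tearing this patch removes.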
@@ -814,7 +814,7 @@ static struct sock *__vsock_create(struct net *net,
 	vsk->rejected = false;
 	vsk->sent_request = false;
 	vsk->ignore_connecting_rst = false;
-	vsk->peer_shutdown = 0;
+	WRITE_ONCE(vsk->peer_shutdown, 0);
 	INIT_DELAYED_WORK(&vsk->connect_work, vsock_connect_timeout);
 	INIT_DELAYED_WORK(&vsk->pending_work, vsock_pending_work);
 
@@ -1099,6 +1099,25 @@ static int vsock_shutdown(struct socket *sock, int mode)
 	return err;
 }
 
+static __poll_t vsock_poll_shutdown(struct sock *sk, u32 peer_shutdown)
+{
+	__poll_t mask = 0;
+
+	/* INET sockets treat local write shutdown and peer write shutdown as a
+	 * case of EPOLLHUP set.
+	 */
+	if (sk->sk_shutdown == SHUTDOWN_MASK ||
+	    ((sk->sk_shutdown & SEND_SHUTDOWN) &&
+	     (peer_shutdown & SEND_SHUTDOWN)))
+		mask |= EPOLLHUP;
+
+	if (sk->sk_shutdown & RCV_SHUTDOWN ||
+	    peer_shutdown & SEND_SHUTDOWN)
+		mask |= EPOLLRDHUP;
+
+	return mask;
+}
+
 static __poll_t vsock_poll(struct file *file, struct socket *sock,
 			       poll_table *wait)
 {
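Review bot: `vsock_poll_shutdown()` takes a `peer_shutdown` snapshot but reads `sk->sk_shutdown` directly twice (once for EPOLLHUP, once for EPOLLRDHUP); for the SOCK_DGRAM caller, which runs without lock_sock(), that leaves the same two-read inconsistency on the local side that this patch removes for the peer side. Consider `u32 shutdown = READ_ONCE(sk->sk_shutdown);` at the top of the helper and using it in both conditions, so all shutdown-derived bits come from one pair of snapshots.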
@@ -1116,24 +1135,17 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
 		/* Signify that there has been an error on this socket. */
 		mask |= EPOLLERR;
 
-	/* INET sockets treat local write shutdown and peer write shutdown as a
-	 * case of EPOLLHUP set.
-	 */
-	if ((sk->sk_shutdown == SHUTDOWN_MASK) ||
-	    ((sk->sk_shutdown & SEND_SHUTDOWN) &&
-	     (vsk->peer_shutdown & SEND_SHUTDOWN))) {
-		mask |= EPOLLHUP;
-	}
-
-	if (sk->sk_shutdown & RCV_SHUTDOWN ||
-	    vsk->peer_shutdown & SEND_SHUTDOWN) {
-		mask |= EPOLLRDHUP;
-	}
-
 	if (sk_is_readable(sk))
 		mask |= EPOLLIN | EPOLLRDNORM;
 
 	if (sock->type == SOCK_DGRAM) {
+		u32 peer_shutdown = READ_ONCE(vsk->peer_shutdown);
+
+		/* DGRAM sockets do not take lock_sock() in poll(), so use one
+		 * lockless snapshot for all shutdown-derived mask bits.
+		 */
+		mask |= vsock_poll_shutdown(sk, peer_shutdown);
+
 		/* For datagram sockets we can read if there is something in
 		 * the queue and write as long as the socket isn't shutdown for
 		 * sending.
@@ -1148,6 +1160,7 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
 
 	} else if (sock_type_connectible(sk->sk_type)) {
 		const struct vsock_transport *transport;
+		u32 peer_shutdown;
 
 		lock_sock(sk);
 
@@ -1180,8 +1193,10 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
 		 * terminated should also be considered read, and we check the
 		 * shutdown flag for that.
 		 */
+		peer_shutdown = READ_ONCE(vsk->peer_shutdown);
+		mask |= vsock_poll_shutdown(sk, peer_shutdown);
 		if (sk->sk_shutdown & RCV_SHUTDOWN ||
-		    vsk->peer_shutdown & SEND_SHUTDOWN) {
+		    peer_shutdown & SEND_SHUTDOWN) {
 			mask |= EPOLLIN | EPOLLRDNORM;
 		}
 
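Review bot: The snapshot `peer_shutdown = READ_ONCE(vsk->peer_shutdown);` and the `vsock_poll_shutdown()` call are inserted between the existing comment ("... we check the shutdown flag for that.") and the `if` that comment describes, so the comment now appears to explain the mask merge. Move the two `+` lines above the comment block, or extend the comment to say that HUP/RDHUP and EOF readability are derived from the same snapshot taken after lock_sock(). Also, `READ_ONCE()` under lock_sock() is only required if some writer stores without the socket lock; if the transports always write under it a plain read would do, but the READ_ONCE is harmless and documents intent.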
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index 34871ed1a099c6..865e004ee286f2 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -264,7 +264,7 @@ static void hvs_do_close_lock_held(struct vsock_sock *vsk,
 	struct sock *sk = sk_vsock(vsk);
 
 	sock_set_flag(sk, SOCK_DONE);
-	vsk->peer_shutdown = SHUTDOWN_MASK;
+	WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 	if (vsock_stream_has_data(vsk) <= 0)
 		sk->sk_state = TCP_CLOSING;
 	sk->sk_state_change(sk);
@@ -593,7 +593,9 @@ static int hvs_update_recv_data(struct hvsock *hvs)
 		return -EIO;
 
 	if (payload_len == 0)
-		hvs->vsk->peer_shutdown |= SEND_SHUTDOWN;
+		WRITE_ONCE(hvs->vsk->peer_shutdown,
+			   READ_ONCE(hvs->vsk->peer_shutdown) |
+			   SEND_SHUTDOWN);
 
 	hvs->recv_data_len = payload_len;
 	hvs->recv_data_off = 0;
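Review bot: `WRITE_ONCE(x, READ_ONCE(x) | SEND_SHUTDOWN)` is a non-atomic read-modify-write: it prevents load/store tearing against the lockless poll() reader but gives no protection against two concurrent writers, which would lose a bit. That is fine only if every writer to `hvs->vsk->peer_shutdown` is serialized (by the socket lock or by the single-threaded channel callback); the commit message should state which, because the pattern looks atomic to a casual reader. If writers could race, this needs a real atomic op or a locked update instead.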
@@ -704,7 +706,8 @@ static s64 hvs_stream_has_data(struct vsock_sock *vsk)
 		ret = 1;
 		break;
 	case 0:
-		vsk->peer_shutdown |= SEND_SHUTDOWN;
+		WRITE_ONCE(vsk->peer_shutdown,
+			   READ_ONCE(vsk->peer_shutdown) | SEND_SHUTDOWN);
 		ret = 0;
 		break;
 	default: /* -1 */
diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index c182886136b445..b588ccd133eaa7 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1234,7 +1234,7 @@ static void virtio_transport_do_close(struct vsock_sock *vsk,
 	struct sock *sk = sk_vsock(vsk);
 
 	sock_set_flag(sk, SOCK_DONE);
-	vsk->peer_shutdown = SHUTDOWN_MASK;
+	WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 	if (vsock_stream_has_data(vsk) <= 0)
 		sk->sk_state = TCP_CLOSING;
 	sk->sk_state_change(sk);
@@ -1437,12 +1437,15 @@ virtio_transport_recv_connected(struct sock *sk,
 	case VIRTIO_VSOCK_OP_CREDIT_UPDATE:
 		sk->sk_write_space(sk);
 		break;
-	case VIRTIO_VSOCK_OP_SHUTDOWN:
+	case VIRTIO_VSOCK_OP_SHUTDOWN: {
+		u32 peer_shutdown = READ_ONCE(vsk->peer_shutdown);
+
 		if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SHUTDOWN_RCV)
-			vsk->peer_shutdown |= RCV_SHUTDOWN;
+			peer_shutdown |= RCV_SHUTDOWN;
 		if (le32_to_cpu(hdr->flags) & VIRTIO_VSOCK_SHUTDOWN_SEND)
-			vsk->peer_shutdown |= SEND_SHUTDOWN;
-		if (vsk->peer_shutdown == SHUTDOWN_MASK) {
+			peer_shutdown |= SEND_SHUTDOWN;
+		WRITE_ONCE(vsk->peer_shutdown, peer_shutdown);
+		if (peer_shutdown == SHUTDOWN_MASK) {
 			if (vsock_stream_has_data(vsk) <= 0 && !sock_flag(sk, SOCK_DONE)) {
 				(void)virtio_transport_reset(vsk, NULL);
 				virtio_transport_do_close(vsk, true);
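Review bot: Accumulating both flag ORs into the local `peer_shutdown` and publishing them with one `WRITE_ONCE()` also means a concurrent poll() sees either the old value or both new bits, never a half-updated mask, which is a real improvement over the old two-store sequence and worth a sentence in the commit message. The comparison `peer_shutdown == SHUTDOWN_MASK` now uses the local rather than re-reading the field, so it cannot observe a value newer than the one just stored; the closing brace of the new `case` block lands in the following hunk, which is fine.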
@@ -1457,6 +1460,7 @@ virtio_transport_recv_connected(struct sock *sk,
 		if (le32_to_cpu(virtio_vsock_hdr(skb)->flags))
 			sk->sk_state_change(sk);
 		break;
+	}
 	case VIRTIO_VSOCK_OP_RST:
 		virtio_transport_do_close(vsk, true);
 		break;
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 4cd11f355e9d6b..443125e48f2481 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -811,7 +811,7 @@ static void vmci_transport_handle_detach(struct sock *sk)
 		/* On a detach the peer will not be sending or receiving
 		 * anymore.
 		 */
-		vsk->peer_shutdown = SHUTDOWN_MASK;
+		WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 
 		/* We should not be sending anymore since the peer won't be
 		 * there to receive, but we can still receive if there is data
@@ -1534,7 +1534,9 @@ static int vmci_transport_recv_connected(struct sock *sk,
 		if (pkt->u.mode) {
 			vsk = vsock_sk(sk);
 
-			vsk->peer_shutdown |= pkt->u.mode;
+			WRITE_ONCE(vsk->peer_shutdown,
+				   READ_ONCE(vsk->peer_shutdown) |
+				   pkt->u.mode);
 			sk->sk_state_change(sk);
 		}
 		break;
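Review bot: Pre-existing and not introduced here: `pkt->u.mode` comes from the peer and is ORed into `vsk->peer_shutdown` unmasked, so any bit outside `SHUTDOWN_MASK` set by a misbehaving peer lands in the field; since this hunk already rewrites the update, masking the operand with `& SHUTDOWN_MASK` would be a cheap hardening. The same non-atomic read-modify-write caveat as in the hyperv transport applies: READ_ONCE/WRITE_ONCE only prevents tearing, so all writers must still be serialized by the socket lock.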
@@ -1551,7 +1553,7 @@ static int vmci_transport_recv_connected(struct sock *sk,
 		 * a clean shutdown.
 		 */
 		sock_set_flag(sk, SOCK_DONE);
-		vsk->peer_shutdown = SHUTDOWN_MASK;
+		WRITE_ONCE(vsk->peer_shutdown, SHUTDOWN_MASK);
 		if (vsock_stream_has_data(vsk) <= 0)
 			sk->sk_state = TCP_CLOSING;
 
-- 
2.53.0





* [PATCH 6.18 047/315] ethtool: module: check fw_flash_in_progress under rtnl_lock
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 046/315] ethtool: module: avoid racy updates to dev->ethtool bitfield Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 048/315] ethtool: module: fix cleanup if socket used for flashing multiple devices Greg Kroah-Hartman
                   ` (269 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 504eaefa44c8dec50f7499edcb36d24f3aefab2a ]

ethnl_set_module_validate() inspects module_fw_flash_in_progress
but validate is meant for _input_ validation, not state validation.
rtnl_lock is not held, yet. Move the check into ethnl_set_module().

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index 8929b7fb2fa79c..202e4c25280a76 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -120,12 +120,6 @@ ethnl_set_module_validate(struct ethnl_req_info *req_info,
 	if (!tb[ETHTOOL_A_MODULE_POWER_MODE_POLICY])
 		return 0;
 
-	if (req_info->dev->ethtool->module_fw_flash_in_progress) {
-		NL_SET_ERR_MSG(info->extack,
-			       "Module firmware flashing is in progress");
-		return -EBUSY;
-	}
-
 	if (!ops->get_module_power_mode || !ops->set_module_power_mode) {
 		NL_SET_ERR_MSG_ATTR(info->extack,
 				    tb[ETHTOOL_A_MODULE_POWER_MODE_POLICY],
@@ -148,6 +142,12 @@ ethnl_set_module(struct ethnl_req_info *req_info, struct genl_info *info)
 
 	ops = dev->ethtool_ops;
 
+	if (dev->ethtool->module_fw_flash_in_progress) {
+		NL_SET_ERR_MSG(info->extack,
+			       "Module firmware flashing is in progress");
+		return -EBUSY;
+	}
+
 	power_new.policy = nla_get_u8(tb[ETHTOOL_A_MODULE_POWER_MODE_POLICY]);
 	ret = ops->get_module_power_mode(dev, &power, info->extack);
 	if (ret < 0)
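Review bot: The relocated `-EBUSY` check now runs in ethnl_set_module() after `ops = dev->ethtool_ops;` and, per the commit message, under rtnl_lock, which is the lock the work-completion path takes before clearing the flag, so the read and the clear can no longer interleave. Because the validate path still returns early when `ETHTOOL_A_MODULE_POWER_MODE_POLICY` is absent, the check is reached only for actual power-mode changes, matching the old behaviour. An `ASSERT_RTNL()` or a comment above the `if` ("reads module_fw_flash_in_progress; must hold rtnl") would document the requirement this move exists to satisfy.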
-- 
2.53.0





* [PATCH 6.12 037/307] net: netlink: fix sending unassigned nsid after assigned one
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 036/307] vsock: keep poll shutdown state consistent Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 038/307] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
                   ` (269 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ilya Maximets, Nicolas Dichtel,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

[ Upstream commit 70f8592ee90585272018a725054b6eb2ab7e99ca ]

If the current skb is not shared, it is re-used directly for all the
sockets subscribed to the notification.  If we have a remote all-nsid
socket receiving a message first, then the 'nsid_is_set' will be
set to 'true'.  If the nsid is NOT_ASSIGNED for the next socket in
the list, the 'nsid_is_set' will remain 'true' and the negative value
is delivered to the user space.  All subsequent nsid values will be
delivered as well, since there is no code path that sets the flag
back to 'false'.

Fix that by always dropping the flag to 'false' first.

Fixes: 7212462fa6fd ("netlink: don't send unknown nsid")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-2-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 8b060465a2be1a..287b4f921c607e 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1477,6 +1477,7 @@ static void do_one_broadcast(struct sock *sk,
 		p->skb2 = NULL;
 		goto out;
 	}
+	NETLINK_CB(p->skb2).nsid_is_set = false;
 	NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
 	if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
 		NETLINK_CB(p->skb2).nsid_is_set = true;
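Review bot: Resetting `nsid_is_set = false` before the `peernet2id()` lookup fixes the sticky flag when `p->skb2` is reused across receivers, but the three-line sequence could collapse into one assignment, `NETLINK_CB(p->skb2).nsid_is_set = (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED);`, which makes it impossible to forget the reset in a future edit. Either form is correct; the point to record in a comment is that the flag must be recomputed for every socket because the skb is shared between them.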
-- 
2.53.0





* [PATCH 6.18 048/315] ethtool: module: fix cleanup if socket used for flashing multiple devices
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 047/315] ethtool: module: check fw_flash_in_progress under rtnl_lock Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 049/315] ethtool: cmis: require exact CDB reply length Greg Kroah-Hartman
                   ` (268 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Danielle Ratson, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 760d04ebad5c4304f22c0d2251c9623b87a117c8 ]

When a single Netlink socket issues MODULE_FW_FLASH_ACT against multiple
devices, ethnl_sock_priv_set() overwrites sk_priv->dev on each call,
retaining only the last one. The socket priv is used on socket close,
to walk the global work list and mark the uncompleted flashing work
as "orphaned". Otherwise if another socket reuses the PID it will
unexpectedly receive the flashing notifications.

Don't record the device, record net pointer instead. The purpose of
the dev is to scope the work to a netns, anyway. If we store netns
the overrides are safe/a nop since all flashed devices must be in
the same netns as the socket.

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c  | 9 ++++-----
 net/ethtool/netlink.c | 4 ++--
 net/ethtool/netlink.h | 4 ++--
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index 202e4c25280a76..9a11e7def0029a 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -291,11 +291,9 @@ void ethnl_module_fw_flash_sock_destroy(struct ethnl_sock_priv *sk_priv)
 
 	spin_lock(&module_fw_flash_work_list_lock);
 	list_for_each_entry(work, &module_fw_flash_work_list, list) {
-		if (work->fw_update.dev == sk_priv->dev &&
-		    work->fw_update.ntf_params.portid == sk_priv->portid) {
+		if (work->fw_update.ntf_params.portid == sk_priv->portid &&
+		    dev_net(work->fw_update.dev) == sk_priv->net)
 			work->fw_update.ntf_params.closed_sock = true;
-			break;
-		}
 	}
 	spin_unlock(&module_fw_flash_work_list_lock);
 }
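Review bot: Dropping the `break` is the substantive change in this hunk and deserves a sentence in the commit message: one socket can now own several in-flight works (one per device), so the loop must mark every entry whose portid matches in the socket's netns rather than stopping at the first. `dev_net(work->fw_update.dev)` is safe to evaluate under the spinlock because each queued work holds a netdev reference until it completes. A comment above the loop stating both facts would make the absent `break` look intentional to the next reader.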
@@ -332,7 +330,8 @@ module_flash_fw_schedule(struct net_device *dev, const char *file_name,
 	fw_update->ntf_params.seq = info->snd_seq;
 	fw_update->ntf_params.closed_sock = false;
 
-	err = ethnl_sock_priv_set(skb, dev, fw_update->ntf_params.portid,
+	err = ethnl_sock_priv_set(skb, dev_net(dev),
+				  fw_update->ntf_params.portid,
 				  ETHTOOL_SOCK_TYPE_MODULE_FW_FLASH);
 	if (err < 0)
 		goto err_release_firmware;
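Review bot: Passing `dev_net(dev)` here, and storing it as a raw `struct net *` in ethnl_sock_priv_set() without taking a reference, is only safe because, per the commit message, every flashed device lives in the requesting socket's own netns, which the socket pins for its lifetime. That invariant should be stated in a comment at the `sk_priv->net = net;` assignment or on the struct field, so nobody later passes a net the socket does not own; the commit message's claim that repeated ethnl_sock_priv_set() calls are a no-op rests on the same invariant.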
diff --git a/net/ethtool/netlink.c b/net/ethtool/netlink.c
index 2f813f25f07e1a..28577b878fd5b5 100644
--- a/net/ethtool/netlink.c
+++ b/net/ethtool/netlink.c
@@ -52,7 +52,7 @@ const struct nla_policy ethnl_header_policy_phy_stats[] = {
 	[ETHTOOL_A_HEADER_PHY_INDEX]		= NLA_POLICY_MIN(NLA_U32, 1),
 };
 
-int ethnl_sock_priv_set(struct sk_buff *skb, struct net_device *dev, u32 portid,
+int ethnl_sock_priv_set(struct sk_buff *skb, struct net *net, u32 portid,
 			enum ethnl_sock_type type)
 {
 	struct ethnl_sock_priv *sk_priv;
@@ -61,7 +61,7 @@ int ethnl_sock_priv_set(struct sk_buff *skb, struct net_device *dev, u32 portid,
 	if (IS_ERR(sk_priv))
 		return PTR_ERR(sk_priv);
 
-	sk_priv->dev = dev;
+	sk_priv->net = net;
 	sk_priv->portid = portid;
 	sk_priv->type = type;
 
diff --git a/net/ethtool/netlink.h b/net/ethtool/netlink.h
index 1d4f9ecb3d263b..3923188097ac0a 100644
--- a/net/ethtool/netlink.h
+++ b/net/ethtool/netlink.h
@@ -318,12 +318,12 @@ enum ethnl_sock_type {
 };
 
 struct ethnl_sock_priv {
-	struct net_device *dev;
+	struct net *net;
 	u32 portid;
 	enum ethnl_sock_type type;
 };
 
-int ethnl_sock_priv_set(struct sk_buff *skb, struct net_device *dev, u32 portid,
+int ethnl_sock_priv_set(struct sk_buff *skb, struct net *net, u32 portid,
 			enum ethnl_sock_type type);
 
 /**
-- 
2.53.0





* [PATCH 6.12 038/307] net: netlink: dont set nsid on local notifications
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 037/307] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 039/307] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
                   ` (268 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matteo Perin, Ilya Maximets,
	Nicolas Dichtel, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ilya Maximets <i.maximets@ovn.org>

[ Upstream commit 88b126b39f9757e9debc322d4679239e9af089c7 ]

In most cases, notifications on sockets with NETLINK_LISTEN_ALL_NSID
do not contain NSID in their ancillary data in case the event is local
to the listener.

However, when a self-referential NSID is allocated for a namespace,
every local notification starts sending this ID to the user space.

This is problematic, because the listener cannot tell if those
notifications are local or not anymore without making extra requests
to figure out if the provided NSID is local or not.  The listener
can also not figure out the local NSID beforehand as it can be
allocated at any point in time by other processes, changing the
structure of the future notifications for everyone.

The value is practically not useful, since it's the namespace's own
ID that the application has to obtain from other sources in order to
figure out if it's the same or not.  So, for the application it's
just an extra busy work with no benefits.  Moreover, applications
that do not know about this quirk may be mishandling notifications
with NSID set as notifications from remote namespaces.  This is the
case for ovs-vswitchd and the iproute2's 'ip monitor' that stops
printing 'current' and starts printing the nsid number mid-session.

Lack of clear documentation for this behavior is also not helping.

A search through open-source projects doesn't reveal any projects
that use NETNSA_NSID_NOT_ASSIGNED and rely on metadata to contain
self-referential NSIDs (expected, since the value is not useful).
Quite the opposite, as already mentioned, there are few applications
that rely on NSID to not be present in local events.

Since the value is not useful and actively harmful in some cases,
let's not report it for local events, making the notifications more
consistent.

Also adding some blank lines for readability.

Fixes: 59324cf35aba ("netlink: allow to listen "all" netns")
Reported-by: Matteo Perin <matteo.perin@canonical.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-3-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 287b4f921c607e..e250d4a3d03097 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1477,10 +1477,14 @@ static void do_one_broadcast(struct sock *sk,
 		p->skb2 = NULL;
 		goto out;
 	}
+
 	NETLINK_CB(p->skb2).nsid_is_set = false;
-	NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
-	if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
-		NETLINK_CB(p->skb2).nsid_is_set = true;
+	if (!net_eq(sock_net(sk), p->net)) {
+		NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
+		if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
+			NETLINK_CB(p->skb2).nsid_is_set = true;
+	}
+
 	val = netlink_broadcast_deliver(sk, p->skb2);
 	if (val < 0) {
 		netlink_overrun(sk);
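Review bot: The `net_eq(sock_net(sk), p->net)` gate changes what user space sees on NETLINK_LISTEN_ALL_NSID sockets (no NSID for local events even when a self-referential ID exists), which is a uAPI-visible behaviour change; since the commit message itself notes the lack of documentation, this hunk should come with a Documentation/ sentence stating the rule "an NSID is attached only for events originating in a namespace other than the receiver's". A one-line comment above the `if` with that rule would also explain why `nsid` is deliberately left unset for local events; the preceding reset of `nsid_is_set` guarantees that a stale `nsid` from a previous receiver is never consumed.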
-- 
2.53.0





* [PATCH 6.18 049/315] ethtool: cmis: require exact CDB reply length
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 048/315] ethtool: module: fix cleanup if socket used for flashing multiple devices Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 050/315] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl Greg Kroah-Hartman
                   ` (267 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Danielle Ratson, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 6c3f999a9d1338c6c89a9ff4549eafe72bc2e7b1 ]

Malicious SFP module could respond with rpl_len longer than
what cmis_cdb_process_reply() expected, leading to OOB writes.
Malicious HW is a bit theoretical but some modules may just
be buggy and/or the reads may occasionally get corrupted,
so let's protect the kernel.

The existing check protects from short replies. We need to
protect from long ones, too. All callers that pass a non-zero
rpl_exp_len cast the reply payload to a fixed-layout struct
and read fields at fixed offsets, with no version negotiation
or short-reply handling:

  - cmis_cdb_validate_password()
  - cmis_cdb_module_features_get()
  - cmis_fw_update_fw_mng_features_get()

so let's assume that responses longer than expected do not
have to be handled gracefully here. Add a warning message
to make the debug easier in case my understanding is wrong...

Note that page_data->length (argument of kmalloc) comes from
last arg to ethtool_cmis_page_init() which is rpl_exp_len.

Note2 that AIs also like to point out overflows in args->req.payload
itself (which is a fixed-size 120 B buffer, on the stack),
but callers should be reading structs defined by the standard,
so protecting from requests for more data than max seems like
defensive programming.

Fixes: a39c84d79625 ("ethtool: cmis_cdb: Add a layer for supporting CDB commands")
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-7-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis_cdb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index 3057576bc81e3d..fe156991d0becd 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c
@@ -513,8 +513,13 @@ static int cmis_cdb_process_reply(struct net_device *dev,
 	}
 
 	rpl = (struct ethtool_cmis_cdb_rpl *)page_data->data;
-	if ((args->rpl_exp_len > rpl->hdr.rpl_len + rpl_hdr_len) ||
-	    !rpl->hdr.rpl_chk_code) {
+	if (rpl->hdr.rpl_len != args->rpl_exp_len) {
+		netdev_warn(dev, "CDB reply length mismatch, expected %u got %u\n",
+			    args->rpl_exp_len, rpl->hdr.rpl_len);
+		err = -EIO;
+		goto out;
+	}
+	if (!rpl->hdr.rpl_chk_code) {
 		err = -EIO;
 		goto out;
 	}
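Review bot: the rewritten condition compares rpl->hdr.rpl_len with args->rpl_exp_len directly, while the removed one compared rpl_exp_len against rpl_len + rpl_hdr_len, so the header term is dropped along with the "short only" semantics; that is only correct if each of the three callers named in the changelog passes the LPL reply length without the header as rpl_exp_len, and if rpl_hdr_len is no longer referenced anywhere in the function it now becomes an unused variable. Separately, netdev_warn() fires on every mismatched reply, and the changelog itself says module firmware may be buggy or reads corrupted, so a flaky part can repeat the message indefinitely; net_ratelimit() or netdev_warn_once() would keep the diagnostic without the log flood.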
-- 
2.53.0





* [PATCH 6.12 039/307] net/smc: Do not re-initialize smc hashtables
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 038/307] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 040/307] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
                   ` (267 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Halil Pasic, Alexandra Winter,
	Mahanta Jambigi, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandra Winter <wintera@linux.ibm.com>

[ Upstream commit 9e4389b0038781f19f97895186ed941ff8ac1678 ]

INIT_HLIST_HEAD(&smc_v*_hashinfo.ht) are called after smc_nl_init(),
proto_register() and sock_register(). This can lead to smc_v*_hashinfo.ht
being reset even though hash entries already exist and are being used,
possibly resulting in a corrupted list.

Remove unnecessary and dangerous re-initialisation of smc_v*_hashinfo.ht in
smc_init(); it is implicitly initialised to zero anyhow. Add
HLIST_HEAD_INIT to the definitions for clarity.

Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets")
Suggested-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
Link: https://patch.msgid.link/20260521145639.10317-1-wintera@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/smc/af_smc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index c96abb1386be4b..6f3469ad54a165 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -187,10 +187,12 @@ static bool smc_hs_congested(const struct sock *sk)
 
 struct smc_hashinfo smc_v4_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(smc_v4_hashinfo.lock),
+	.ht = HLIST_HEAD_INIT,
 };
 
 struct smc_hashinfo smc_v6_hashinfo = {
 	.lock = __RW_LOCK_UNLOCKED(smc_v6_hashinfo.lock),
+	.ht = HLIST_HEAD_INIT,
 };
 
 int smc_hash_sk(struct sock *sk)
@@ -3594,8 +3596,6 @@ static int __init smc_init(void)
 		pr_err("%s: sock_register fails with %d\n", __func__, rc);
 		goto out_proto6;
 	}
-	INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
-	INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
 
 	rc = smc_ib_register_client();
 	if (rc) {
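Review bot: the removed INIT_HLIST_HEAD() calls sit after the sock_register() error check, i.e. after userspace can already create and hash AF_SMC sockets, so this hunk is the actual fix and the HLIST_HEAD_INIT additions above are documentation only (static storage is zero-initialised anyway). The changelog could state that the reset was reachable only in the window between sock_register() and this point, which bounds how racy the original was; nothing else to flag.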
-- 
2.53.0





* [PATCH 6.18 050/315] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 049/315] ethtool: cmis: require exact CDB reply length Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 051/315] ethtool: cmis: validate start_cmd_payload_size from module Greg Kroah-Hartman
                   ` (266 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 3e8c3d464c36bb342fe377b026577c7ec27fdbb4 ]

ethtool_cmis_cdb_compose_args() accepts msleep_pre_rpl as u16 but stores
it into the u8 field ethtool_cmis_cdb_cmd_args::msleep_pre_rpl, silently
truncating values >= 256. Seven of the nine call sites pass 1000 ms
(it's the third argument from the end).

Fixes: a39c84d79625 ("ethtool: cmis_cdb: Add a layer for supporting CDB commands")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-8-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/cmis.h b/net/ethtool/cmis.h
index 4a9a946cabf05d..778783a0f23c0b 100644
--- a/net/ethtool/cmis.h
+++ b/net/ethtool/cmis.h
@@ -63,9 +63,9 @@ struct ethtool_cmis_cdb_request {
  * struct ethtool_cmis_cdb_cmd_args - CDB commands execution arguments
  * @req: CDB command fields as described in the CMIS standard.
  * @max_duration: Maximum duration time for command completion in msec.
+ * @msleep_pre_rpl: Waiting time before checking reply in msec.
  * @read_write_len_ext: Allowable additional number of byte octets to the LPL
  *			in a READ or a WRITE commands.
- * @msleep_pre_rpl: Waiting time before checking reply in msec.
  * @rpl_exp_len: Expected reply length in bytes.
  * @flags: Validation flags for CDB commands.
  * @err_msg: Error message to be sent to user space.
@@ -73,8 +73,8 @@ struct ethtool_cmis_cdb_request {
 struct ethtool_cmis_cdb_cmd_args {
 	struct ethtool_cmis_cdb_request req;
 	u16				max_duration;
+	u16				msleep_pre_rpl;
 	u8				read_write_len_ext;
-	u8				msleep_pre_rpl;
 	u8                              rpl_exp_len;
 	u8				flags;
 	char				*err_msg;
-- 
2.53.0





* [PATCH 6.12 040/307] net/iucv: fix locking in .getsockopt
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 039/307] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 041/307] scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues Greg Kroah-Hartman
                   ` (266 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stanislav Fomichev, Breno Leitao,
	Alexandra Winter, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Breno Leitao <leitao@debian.org>

[ Upstream commit 3589d20a666caf30ad100c960a2de7de390fce88 ]

Mirror iucv_sock_setsockopt() and wrap the whole switch in
lock_sock()/release_sock(). The pre-existing SO_MSGLIMIT-only lock
becomes redundant and is removed.

Any AF_IUCV HIPER user can potentially crash the kernel by racing
recvmsg() with getsockopt(SO_MSGSIZE): the SO_MSGSIZE arm dereferences
iucv->hs_dev->mtu after iucv_sock_close() (called from the racing
recvmsg()) has set hs_dev to NULL, producing a NULL pointer dereference
oops.

Suggested-by: Stanislav Fomichev <sdf.kernel@gmail.com>
Fixes: 51363b8751a6 ("af_iucv: allow retrieval of maximum message size")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Tested-by: Alexandra Winter <wintera@linux.ibm.com>
Link: https://patch.msgid.link/20260521-af_iucv_fix2-v1-1-f16b1c510aa9@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/iucv/af_iucv.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 7929df08d4e023..1a0b41fcea8131 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -1537,7 +1537,7 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
 	struct sock *sk = sock->sk;
 	struct iucv_sock *iucv = iucv_sk(sk);
 	unsigned int val;
-	int len;
+	int len, rc;
 
 	if (level != SOL_IUCV)
 		return -ENOPROTOOPT;
@@ -1550,26 +1550,34 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
 
 	len = min_t(unsigned int, len, sizeof(int));
 
+	rc = 0;
+
+	lock_sock(sk);
 	switch (optname) {
 	case SO_IPRMDATA_MSG:
 		val = (iucv->flags & IUCV_IPRMDATA) ? 1 : 0;
 		break;
 	case SO_MSGLIMIT:
-		lock_sock(sk);
 		val = (iucv->path != NULL) ? iucv->path->msglim	/* connected */
 					   : iucv->msglimit;	/* default */
-		release_sock(sk);
 		break;
 	case SO_MSGSIZE:
-		if (sk->sk_state == IUCV_OPEN)
-			return -EBADFD;
+		if (sk->sk_state == IUCV_OPEN) {
+			rc = -EBADFD;
+			break;
+		}
 		val = (iucv->hs_dev) ? iucv->hs_dev->mtu -
 				sizeof(struct af_iucv_trans_hdr) - ETH_HLEN :
 				0x7fffffff;
 		break;
 	default:
-		return -ENOPROTOOPT;
+		rc = -ENOPROTOOPT;
+		break;
 	}
+	release_sock(sk);
+
+	if (rc)
+		return rc;
 
 	if (put_user(len, optlen))
 		return -EFAULT;
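Review bot: the socket lock now covers the iucv->hs_dev dereference in the SO_MSGSIZE arm, but the hunk alone does not show that iucv_sock_close() clears hs_dev under lock_sock(sk) too; the race is closed only if both sides take the same lock, so the changelog (which mentions mirroring setsockopt, not close) should say so explicitly. Nit: the separate `rc = 0;` statement could be folded into the declaration in the first hunk as `int len, rc = 0;`.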
-- 
2.53.0





* [PATCH 6.18 051/315] ethtool: cmis: validate start_cmd_payload_size from module
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 050/315] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 052/315] ethtool: cmis: validate fw->size against start_cmd_payload_size Greg Kroah-Hartman
                   ` (265 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 12c2496a71f82f63617971ca9b730dffa05cf58b ]

The CMIS firmware update code reads start_cmd_payload_size from
the module's FW Management Features CDB reply and uses it directly
as the byte count for memcpy. The destination buffer is 112 bytes
(ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH - 8). So a malicious
module (or corrupted response) can cause an OOB write later on in
cmis_fw_update_start_download().

Let's error out. If modules that expect longer LPL writes actually
exist we should revisit.

struct cmis_cdb_start_fw_download_pl's definition has to move,
no change there.

Fixes: c4f78134d45c ("ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-9-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis_fw_update.c | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/net/ethtool/cmis_fw_update.c b/net/ethtool/cmis_fw_update.c
index df5f344209c47b..16190c97e1f78c 100644
--- a/net/ethtool/cmis_fw_update.c
+++ b/net/ethtool/cmis_fw_update.c
@@ -44,6 +44,20 @@ enum cmis_cdb_fw_write_mechanism {
 	CMIS_CDB_FW_WRITE_MECHANISM_BOTH	= 0x11,
 };
 
+/* See section 9.7.2 "CMD 0101h: Start Firmware Download" in CMIS standard
+ * revision 5.2.
+ * struct cmis_cdb_start_fw_download_pl is a structured layout of the
+ * flat array, ethtool_cmis_cdb_request::payload.
+ */
+struct cmis_cdb_start_fw_download_pl {
+	__struct_group(cmis_cdb_start_fw_download_pl_h, head, /* no attrs */,
+			__be32	image_size;
+			__be32	resv1;
+	);
+	u8 vendor_data[ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH -
+		sizeof(struct cmis_cdb_start_fw_download_pl_h)];
+};
+
 static int
 cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 				   struct net_device *dev,
@@ -86,6 +100,14 @@ cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 	 */
 	cdb->read_write_len_ext = rpl->read_write_len_ext;
 	fw_mng->start_cmd_payload_size = rpl->start_cmd_payload_size;
+	if (fw_mng->start_cmd_payload_size >
+	    sizeof_field(struct cmis_cdb_start_fw_download_pl, vendor_data)) {
+		ethnl_module_fw_flash_ntf_err(dev, ntf_params,
+					      "Start cmd payload size exceeds max LPL payload",
+					      NULL);
+		return -EINVAL;
+	}
+
 	fw_mng->write_mechanism =
 		rpl->write_mechanism == CMIS_CDB_FW_WRITE_MECHANISM_LPL ?
 		CMIS_CDB_FW_WRITE_MECHANISM_LPL :
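Review bot: the bound check runs after `cdb->read_write_len_ext = rpl->read_write_len_ext;` and after fw_mng->start_cmd_payload_size has already been stored, so a rejected reply leaves both fields written; harmless if every caller abandons the update on -EINVAL, but validating rpl->start_cmd_payload_size before either assignment keeps the cdb state untouched on error and keeps the check local to the value it tests. Also worth a sentence in the changelog: sizeof_field(struct cmis_cdb_start_fw_download_pl, vendor_data) is only visible here because the struct definition is moved above this function, which is why the relocation hunks exist.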
@@ -97,20 +119,6 @@ cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 	return 0;
 }
 
-/* See section 9.7.2 "CMD 0101h: Start Firmware Download" in CMIS standard
- * revision 5.2.
- * struct cmis_cdb_start_fw_download_pl is a structured layout of the
- * flat array, ethtool_cmis_cdb_request::payload.
- */
-struct cmis_cdb_start_fw_download_pl {
-	__struct_group(cmis_cdb_start_fw_download_pl_h, head, /* no attrs */,
-			__be32	image_size;
-			__be32	resv1;
-	);
-	u8 vendor_data[ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH -
-		sizeof(struct cmis_cdb_start_fw_download_pl_h)];
-};
-
 static int
 cmis_fw_update_start_download(struct ethtool_cmis_cdb *cdb,
 			      struct ethtool_cmis_fw_update_params *fw_update,
-- 
2.53.0





* [PATCH 6.12 041/307] scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 040/307] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 042/307] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
                   ` (265 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Jeffery, Bart Van Assche,
	Martin K. Petersen, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Jeffery <djeffery@redhat.com>

[ Upstream commit 7205b58702273baf21d6ba7992e6ba15852325f7 ]

While a SCSI host is in a recovery state, scsi_mq_requeue_cmd() will not
set the requeue list for a requeued command to be kicked in the future.
The expectation is a call to scsi_run_host_queues() will kick all SCSI
devices once the recovery state is cleared.

However, scsi_run_host_queues() uses shost_for_each_device() which uses
scsi_device_get() and so will ignore devices in a partially removed
state like SDEV_CANCEL. But these devices may also have requeued
requests, leaving their requests stuck from not being kicked and causing
the removal process of the device to hang.

scsi_run_host_queues() needs to run against more devices than the macro
shost_for_each_device() allows. Instead of using the too limiting
scsi_device_get() state checks, only ignore devices in SDEV_DEL state or
when unable to acquire a reference. Attempt to run the queues for all
other devices when scsi_run_host_queues() is called.

Fixes: 8b566edbdbfb ("scsi: core: Only kick the requeue list if necessary")
Signed-off-by: David Jeffery <djeffery@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20260515180941.9698-1-djeffery@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/scsi_lib.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 55717fd3234be2..d63d10d53a2aad 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -569,10 +569,33 @@ void scsi_requeue_run_queue(struct work_struct *work)
 
 void scsi_run_host_queues(struct Scsi_Host *shost)
 {
-	struct scsi_device *sdev;
+	struct scsi_device *sdev, *prev = NULL;
+	unsigned long flags;
 
-	shost_for_each_device(sdev, shost)
+	spin_lock_irqsave(shost->host_lock, flags);
+	__shost_for_each_device(sdev, shost) {
+		/*
+		 * Only skip devices so deep into removal they will never need
+		 * another kick to their queues. Thus scsi_device_get() cannot
+		 * be used as it would skip devices in SDEV_CANCEL state which
+		 * may need a queue kick.
+		 */
+		if (sdev->sdev_state == SDEV_DEL ||
+		    !get_device(&sdev->sdev_gendev))
+			continue;
+		spin_unlock_irqrestore(shost->host_lock, flags);
+
+		if (prev)
+			put_device(&prev->sdev_gendev);
 		scsi_run_queue(sdev->request_queue);
+
+		prev = sdev;
+
+		spin_lock_irqsave(shost->host_lock, flags);
+	}
+	spin_unlock_irqrestore(shost->host_lock, flags);
+	if (prev)
+		put_device(&prev->sdev_gendev);
 }
 
 static void scsi_uninit_cmd(struct scsi_cmnd *cmd)
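Review bot: the loop is correct but subtle enough to deserve a fuller comment than the one on the SDEV_DEL check: after host_lock is dropped the iteration resumes from sdev's siblings link, which is safe only while the held get_device() reference keeps sdev on shost->__devices, and put_device(prev) is deliberately deferred until after the lock is released again because the release callback may sleep. The state test is also racy by design once the lock is dropped, so please confirm (and note) that scsi_run_queue() on a device that transitions to SDEV_DEL meanwhile is harmless.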
-- 
2.53.0





* [PATCH 6.18 052/315] ethtool: cmis: validate fw->size against start_cmd_payload_size
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 051/315] ethtool: cmis: validate start_cmd_payload_size from module Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 053/315] cxl/test: Update mock dev array before calling platform_device_add() Greg Kroah-Hartman
                   ` (264 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit d5551f4c1800dc714cec86647bdd651ae0de923e ]

cmis_fw_update_start_download() copies start_cmd_payload_size bytes
from the firmware blob into the CDB LPL vendor_data[] payload without
validating that the FW has enough data.

Since the start_cmd_payload_size can only be ~120B, an image too short
is most likely corrupted, so reject it.

Fixes: c4f78134d45c ("ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-10-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis_fw_update.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/ethtool/cmis_fw_update.c b/net/ethtool/cmis_fw_update.c
index 16190c97e1f78c..291d04d2776a5c 100644
--- a/net/ethtool/cmis_fw_update.c
+++ b/net/ethtool/cmis_fw_update.c
@@ -130,6 +130,14 @@ cmis_fw_update_start_download(struct ethtool_cmis_cdb *cdb,
 	u8 lpl_len;
 	int err;
 
+	if (fw_update->fw->size < vendor_data_size) {
+		ethnl_module_fw_flash_ntf_err(fw_update->dev,
+					      &fw_update->ntf_params,
+					      "Firmware image too small for module's start payload",
+					      NULL);
+		return -EINVAL;
+	}
+
 	pl.image_size = cpu_to_be32(fw_update->fw->size);
 	memcpy(pl.vendor_data, fw_update->fw->data, vendor_data_size);
 
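Review bot: the check correctly guards the memcpy() that follows, but it is sufficient only together with the previous patch that caps start_cmd_payload_size at the size of vendor_data[]; applied alone, vendor_data_size can still exceed the destination even when fw->size passes this test, so the two patches should travel together (both carry the same Fixes: tag, which helps backporters). Minor, outside this fix: fw->size is a size_t and image_size is __be32, so cpu_to_be32(fw_update->fw->size) silently truncates images of 4 GiB or more.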
-- 
2.53.0




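The four ethtool/cmis patches above (exact CDB reply length, the u16-to-u8 truncation of msleep_pre_rpl, the start_cmd_payload_size bound, and the fw->size check) all harden one data path: a length or size reported by the module or taken from a firmware blob flows into a fixed-size buffer. The C below is an added model of that path written for this page, not code from the kernel or from the patch author. Only the 120-byte LPL payload and 112-byte vendor_data[] sizes come from the commit messages; the 8-byte reply header layout, the function names, and the sample reply bytes are constructed assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the commit messages: 120-byte LPL payload, 112-byte vendor_data[]
 * (LPL max minus the 8-byte image_size/resv1 head). The header layout below is
 * an assumption for this example, not the kernel's struct ethtool_cmis_cdb_rpl. */
#define LPL_MAX_PL_LENGTH    120
#define START_FW_VENDOR_MAX  (LPL_MAX_PL_LENGTH - 8)

struct cdb_rpl_hdr {
	uint8_t rpl_len;       /* payload length the module claims */
	uint8_t rpl_chk_code;  /* zero means the module did not checksum the reply */
	uint8_t reserved[6];
};

/* Models the hardened cmis_cdb_process_reply(): the reply must be exactly
 * rpl_exp_len bytes, not merely "not shorter", because callers overlay a
 * fixed-layout struct on the payload. *payload points into page on success. */
int cdb_process_reply(const uint8_t *page, size_t page_len,
		      uint8_t rpl_exp_len, const uint8_t **payload)
{
	struct cdb_rpl_hdr hdr;

	if (page_len < sizeof(hdr))
		return -EIO;
	memcpy(&hdr, page, sizeof(hdr));
	if (hdr.rpl_len != rpl_exp_len)
		return -EIO;            /* short and long replies both rejected */
	if (!hdr.rpl_chk_code)
		return -EIO;
	if (page_len - sizeof(hdr) < hdr.rpl_len)
		return -EIO;            /* claimed length must fit the buffer we hold */
	*payload = page + sizeof(hdr);
	return 0;
}

/* A u16 millisecond delay stored into a u8 field: 1000 silently becomes 232. */
uint8_t msleep_truncated_to_u8(uint16_t ms)
{
	return (uint8_t)ms;
}

/* start_cmd_payload_size comes from the module and later drives a memcpy into
 * vendor_data[], so it is bounded by the destination before being trusted. */
int cdb_validate_start_payload_size(uint8_t start_cmd_payload_size)
{
	return start_cmd_payload_size > START_FW_VENDOR_MAX ? -EINVAL : 0;
}

struct start_fw_download_pl {
	uint8_t image_size_be[4];          /* big-endian, as CDB commands expect */
	uint8_t resv1[4];
	uint8_t vendor_data[START_FW_VENDOR_MAX];
};

/* Builds the Start Firmware Download payload; the blob must hold at least
 * vendor_data_size bytes or the memcpy would read past the image. */
int cdb_build_start_download(const uint8_t *fw, size_t fw_size,
			     uint8_t vendor_data_size,
			     struct start_fw_download_pl *pl)
{
	int err = cdb_validate_start_payload_size(vendor_data_size);

	if (err)
		return err;
	if (fw_size < vendor_data_size)
		return -EINVAL;
	memset(pl, 0, sizeof(*pl));
	pl->image_size_be[0] = (uint8_t)(fw_size >> 24);
	pl->image_size_be[1] = (uint8_t)(fw_size >> 16);
	pl->image_size_be[2] = (uint8_t)(fw_size >> 8);
	pl->image_size_be[3] = (uint8_t)fw_size;
	memcpy(pl->vendor_data, fw, vendor_data_size);
	return 0;
}

/* Constructed sample replies: 8-byte header followed by a 4-byte payload. */
const uint8_t sample_reply_ok[12]    = { 4, 1, 0, 0, 0, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef };
const uint8_t sample_reply_nochk[12] = { 4, 0, 0, 0, 0, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef };
const uint8_t sample_reply_long[12]  = { 9, 1, 0, 0, 0, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef };

/* First payload byte on success, negative errno otherwise. */
int demo_first_payload_byte(const uint8_t *page, size_t page_len, uint8_t rpl_exp_len)
{
	const uint8_t *payload;
	int err = cdb_process_reply(page, page_len, rpl_exp_len, &payload);

	return err ? err : payload[0];
}

/* Low byte of the encoded image_size on success, negative errno otherwise.
 * fw_size is clamped to the constructed 256-byte blob by the caller's choice. */
int demo_start_download(size_t fw_size, uint8_t vendor_data_size)
{
	uint8_t fw[256];
	struct start_fw_download_pl pl;
	int err;

	memset(fw, 0xa5, sizeof(fw));
	err = cdb_build_start_download(fw, fw_size, vendor_data_size, &pl);
	return err ? err : pl.image_size_be[3];
}

int main(void)
{
	printf("ok reply: %d\n", demo_first_payload_byte(sample_reply_ok, sizeof(sample_reply_ok), 4));
	printf("long reply: %d\n", demo_first_payload_byte(sample_reply_long, sizeof(sample_reply_long), 4));
	printf("1000 ms as u8: %u\n", (unsigned int)msleep_truncated_to_u8(1000));
	printf("start payload 120: %d\n", cdb_validate_start_payload_size(120));
	printf("fw 64 B, vendor 100: %d\n", demo_start_download(64, 100));
	return 0;
}
```

The three rejections map onto the three patches: a reply whose rpl_len differs from rpl_exp_len in either direction fails before any field is read, a module-reported start payload larger than vendor_data[] is refused before it can size a copy, and a firmware blob shorter than that payload is refused before the copy reads past it.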

* [PATCH 6.12 042/307] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 041/307] scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 043/307] ALSA: pcm: oss: Fix setup list UAF on proc write error Greg Kroah-Hartman
                   ` (264 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jian Zhou, Eric Dumazet, Cong Wang,
	Jason Xing, Jiayuan Chen, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 87a1e0fe7776da7ab411be332b4be58ac8840d10 ]

ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
too soon.

Only after unregister_net_sysctl_table() can we be sure no threads can possibly
use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.

Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260521122147.3584624-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/sysctl_net_ipv4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 8d411cce0aedc1..35a6e7d8f52f7e 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -1630,10 +1630,10 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
 {
 	const struct ctl_table *table;
 
-	kfree(net->ipv4.sysctl_local_reserved_ports);
 	table = net->ipv4.ipv4_hdr->ctl_table_arg;
 	unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
 	kfree(table);
+	kfree(net->ipv4.sysctl_local_reserved_ports);
 }
 
 static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
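Review bot: the ordering is right, since unregister_net_sysctl_table() is the point after which no proc handler can still be executing against the bitmap, so the kfree() belongs after it. Worth checking that the error path of the matching ipv4_sysctl_init_net() frees sysctl_local_reserved_ports too, as that side is not covered by this hunk.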
-- 
2.53.0





* [PATCH 6.18 053/315] cxl/test: Update mock dev array before calling platform_device_add()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 052/315] ethtool: cmis: validate fw->size against start_cmd_payload_size Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 054/315] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
                   ` (263 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Ming, Alison Schofield,
	Dave Jiang, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Ming <ming.li@zohomail.com>

[ Upstream commit d90f236f8b9e354848bd226f581db27755ab901d ]

CXL test environment hits the following error sometimes.

 cxl_mem mem9: endpoint7 failed probe

All mock memdevs are platform firmware devices added by cxl_test module,
and cxl_test module also provides a platform device driver for them to
create a memdev device to CXL subsystem. cxl_test module uses
cxl_rcd/mem_single/mem arrays to store different types of mock memdevs.
CXL drivers call registered mock functions for a mock memdev by
checking if a given memdev is in these arrays.

When cxl_test module adds these mock memdevs, it always calls
platform_device_add() before adding them to a suitable mock memdev
array. However, there is a small window where CXL drivers call the mock
function for an added memdev before it is added to a mock memdev array. In
the above case, the cxl endpoint driver considers an added memdev not to be
a mock memdev, and then calls devm_cxl_endpoint_decoders_setup() for it
rather than mock_endpoint_decoders_setup().

An appropriate solution is to add a new mock device to a mock device
array before calling platform_device_add() for it. It guarantees
the new mock device is visible to the CXL subsystem.

This patch introduces a new helper called cxl_mock_platform_device_add()
to handle the issue, and uses the function for all mock devices addition.

Fixes: 3a2b97b3210b ("cxl/test: Improve init-order fidelity relative to real-world systems")
Signed-off-by: Li Ming <ming.li@zohomail.com>
Tested-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Alison Schofield <alison.schofield@intel.com>
Link: https://patch.msgid.link/20260520121457.234404-1-ming.li@zohomail.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/cxl/test/cxl.c | 105 ++++++++++++++---------------------
 1 file changed, 43 insertions(+), 62 deletions(-)

diff --git a/tools/testing/cxl/test/cxl.c b/tools/testing/cxl/test/cxl.c
index 2d135ca533d02b..5771c75bc58893 100644
--- a/tools/testing/cxl/test/cxl.c
+++ b/tools/testing/cxl/test/cxl.c
@@ -1132,6 +1132,23 @@ static void mock_companion(struct acpi_device *adev, struct device *dev)
 #define SZ_64G (SZ_32G * 2)
 #endif
 
+static int cxl_mock_platform_device_add(struct platform_device *pdev,
+					struct platform_device **ppdev)
+{
+	int rc;
+
+	if (ppdev)
+		*ppdev = pdev;
+	rc = platform_device_add(pdev);
+	if (rc) {
+		platform_device_put(pdev);
+		if (ppdev)
+			*ppdev = NULL;
+	}
+
+	return rc;
+}
+
 static __init int cxl_rch_topo_init(void)
 {
 	int rc, i;
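Review bot: the helper publishes pdev through *ppdev before platform_device_add() and resets it to NULL on failure, which is what the fix needs, but the reset is load-bearing rather than cosmetic: the callers' err_* unwind paths presumably walk the arrays and unregister every non-NULL entry, and since the helper has already done platform_device_put() on the failed device, leaving the pointer in place would drop it twice. A one-line comment above the NULL store saying so would save the next reader the trip through the callers. Nit: the two `if (ppdev)` tests could go if cxl_acpi passed a dummy pointer instead of NULL.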
@@ -1146,13 +1163,10 @@ static __init int cxl_rch_topo_init(void)
 			goto err_bridge;
 
 		mock_companion(adev, &pdev->dev);
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_rch[i]);
+		if (rc)
 			goto err_bridge;
-		}
 
-		cxl_rch[i] = pdev;
 		mock_pci_bus[idx].bridge = &pdev->dev;
 		rc = sysfs_create_link(&pdev->dev.kobj, &pdev->dev.kobj,
 				       "firmware_node");
@@ -1204,13 +1218,10 @@ static __init int cxl_single_topo_init(void)
 			goto err_bridge;
 
 		mock_companion(adev, &pdev->dev);
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_hb_single[i]);
+		if (rc)
 			goto err_bridge;
-		}
 
-		cxl_hb_single[i] = pdev;
 		mock_pci_bus[i + NR_CXL_HOST_BRIDGES].bridge = &pdev->dev;
 		rc = sysfs_create_link(&pdev->dev.kobj, &pdev->dev.kobj,
 				       "physical_node");
@@ -1229,12 +1240,9 @@ static __init int cxl_single_topo_init(void)
 			goto err_port;
 		pdev->dev.parent = &bridge->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_root_single[i]);
+		if (rc)
 			goto err_port;
-		}
-		cxl_root_single[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_swu_single); i++) {
@@ -1247,12 +1255,9 @@ static __init int cxl_single_topo_init(void)
 			goto err_uport;
 		pdev->dev.parent = &root_port->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_swu_single[i]);
+		if (rc)
 			goto err_uport;
-		}
-		cxl_swu_single[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_swd_single); i++) {
@@ -1266,12 +1271,9 @@ static __init int cxl_single_topo_init(void)
 			goto err_dport;
 		pdev->dev.parent = &uport->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_swd_single[i]);
+		if (rc)
 			goto err_dport;
-		}
-		cxl_swd_single[i] = pdev;
 	}
 
 	return 0;
@@ -1344,12 +1346,9 @@ static int cxl_mem_init(void)
 		pdev->dev.parent = &dport->dev;
 		set_dev_node(&pdev->dev, i % 2);
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_mem[i]);
+		if (rc)
 			goto err_mem;
-		}
-		cxl_mem[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_mem_single); i++) {
@@ -1362,12 +1361,9 @@ static int cxl_mem_init(void)
 		pdev->dev.parent = &dport->dev;
 		set_dev_node(&pdev->dev, i % 2);
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_mem_single[i]);
+		if (rc)
 			goto err_single;
-		}
-		cxl_mem_single[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_rcd); i++) {
@@ -1381,12 +1377,9 @@ static int cxl_mem_init(void)
 		pdev->dev.parent = &rch->dev;
 		set_dev_node(&pdev->dev, i % 2);
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_rcd[i]);
+		if (rc)
 			goto err_rcd;
-		}
-		cxl_rcd[i] = pdev;
 	}
 
 	return 0;
@@ -1451,13 +1444,10 @@ static __init int cxl_test_init(void)
 			goto err_bridge;
 
 		mock_companion(adev, &pdev->dev);
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_host_bridge[i]);
+		if (rc)
 			goto err_bridge;
-		}
 
-		cxl_host_bridge[i] = pdev;
 		mock_pci_bus[i].bridge = &pdev->dev;
 		rc = sysfs_create_link(&pdev->dev.kobj, &pdev->dev.kobj,
 				       "physical_node");
@@ -1475,12 +1465,9 @@ static __init int cxl_test_init(void)
 			goto err_port;
 		pdev->dev.parent = &bridge->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_root_port[i]);
+		if (rc)
 			goto err_port;
-		}
-		cxl_root_port[i] = pdev;
 	}
 
 	BUILD_BUG_ON(ARRAY_SIZE(cxl_switch_uport) != ARRAY_SIZE(cxl_root_port));
@@ -1493,12 +1480,9 @@ static __init int cxl_test_init(void)
 			goto err_uport;
 		pdev->dev.parent = &root_port->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_switch_uport[i]);
+		if (rc)
 			goto err_uport;
-		}
-		cxl_switch_uport[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_switch_dport); i++) {
@@ -1511,12 +1495,9 @@ static __init int cxl_test_init(void)
 			goto err_dport;
 		pdev->dev.parent = &uport->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_switch_dport[i]);
+		if (rc)
 			goto err_dport;
-		}
-		cxl_switch_dport[i] = pdev;
 	}
 
 	rc = cxl_single_topo_init();
@@ -1534,9 +1515,9 @@ static __init int cxl_test_init(void)
 	mock_companion(&acpi0017_mock, &cxl_acpi->dev);
 	acpi0017_mock.dev.bus = &platform_bus_type;
 
-	rc = platform_device_add(cxl_acpi);
+	rc = cxl_mock_platform_device_add(cxl_acpi, NULL);
 	if (rc)
-		goto err_root;
+		goto err_rch;
 
 	rc = cxl_mem_init();
 	if (rc)
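Review bot: `goto err_root` becoming `goto err_rch` is a behaviour change the changelog does not mention: cxl_mock_platform_device_add() now does platform_device_put(cxl_acpi) itself when platform_device_add() fails, so jumping to the old label (which presumably put cxl_acpi) would drop the reference twice, and the unwind has to start one step earlier. Please spell that out in the commit message so a backporter does not mistake it for a stray edit.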
-- 
2.53.0





* [PATCH 6.12 043/307] ALSA: pcm: oss: Fix setup list UAF on proc write error
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 042/307] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 044/307] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
                   ` (263 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+8e498074a794999eb41c,
	Cássio Gabriel, Takashi Iwai, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 4cc54bdd54b337e77115be5b55577d1c58608eae ]

snd_pcm_oss_proc_write() links a newly allocated setup entry into the
OSS setup list before duplicating the task name. If the task-name
allocation fails, the error path frees the already linked entry and
leaves setup_list pointing at freed memory.

A later OSS device open can then walk the stale list entry in
snd_pcm_oss_look_for_setup() and dereference freed memory.

Allocate the task name and initialize the setup entry before publishing
the entry on setup_list. Also fetch the initial proc read iterator only
after taking setup_mutex, so all setup_list traversal follows the same
list lifetime rules.

Reported-by: syzbot+8e498074a794999eb41c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6a1062b7.170a0220.35b2b7.0003.GAE@google.com
Closes: https://syzkaller.appspot.com/bug?extid=8e498074a794999eb41c
Fixes: 060d77b9c04a ("[ALSA] Fix / clean up PCM-OSS setup hooks")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260522-alsa-pcm-oss-setup-uaf-v1-1-40bdcc4d17e8@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/oss/pcm_oss.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c
index daa7cda98ae6f6..a65a3b8d04b8cb 100644
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -2966,8 +2966,10 @@ static void snd_pcm_oss_proc_read(struct snd_info_entry *entry,
 				  struct snd_info_buffer *buffer)
 {
 	struct snd_pcm_str *pstr = entry->private_data;
-	struct snd_pcm_oss_setup *setup = pstr->oss.setup_list;
+	struct snd_pcm_oss_setup *setup;
+
 	guard(mutex)(&pstr->oss.setup_mutex);
+	setup = pstr->oss.setup_list;
 	while (setup) {
 		snd_iprintf(buffer, "%s %u %u%s%s%s%s%s%s\n",
 			    setup->task_name,
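Review bot: reading `pstr->oss.setup_list` only after `guard(mutex)(&pstr->oss.setup_mutex)` is the correct fix; the old declaration-time initializer loaded the list head before the lock, so a concurrent proc write could free the entry this function was about to print. Consider documenting on the `setup_list` field that every read and write requires `setup_mutex`, because the initializer pattern is easy to reintroduce.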
@@ -3052,6 +3054,13 @@ static void snd_pcm_oss_proc_write(struct snd_info_entry *entry,
 				buffer->error = -ENOMEM;
 				return;
 			}
+			template.task_name = kstrdup(task_name, GFP_KERNEL);
+			if (!template.task_name) {
+				kfree(setup);
+				buffer->error = -ENOMEM;
+				return;
+			}
+			*setup = template;
 			if (pstr->oss.setup_list == NULL)
 				pstr->oss.setup_list = setup;
 			else {
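Review bot: the ordering is right: `kstrdup()` and `*setup = template` both complete before the entry is linked, and the `kfree(setup)` on `kstrdup()` failure frees an allocation nothing else can reach. One simplification to consider is allocating `template.task_name` before `kmalloc(sizeof(*setup))`, which would collapse the two-step unwind into a single `kfree()` on the only remaining failure.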
@@ -3059,12 +3068,7 @@ static void snd_pcm_oss_proc_write(struct snd_info_entry *entry,
 				     setup1->next; setup1 = setup1->next);
 				setup1->next = setup;
 			}
-			template.task_name = kstrdup(task_name, GFP_KERNEL);
-			if (! template.task_name) {
-				kfree(setup);
-				buffer->error = -ENOMEM;
-				return;
-			}
+			continue;
 		}
 		*setup = template;
 	}
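Review bot: the added `continue;` makes the trailing `*setup = template;` reachable only when an existing entry was found, which is correct but easy to misread now that the same assignment also sits inside the new-entry branch; an explicit `} else { *setup = template; }` or a short comment on the trailing assignment would make the two paths obvious. The removed block was the actual use-after-free: it freed `setup` after `setup1->next = setup` had already published it.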
-- 
2.53.0

* [PATCH 6.12 044/307] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 043/307] ALSA: pcm: oss: Fix setup list UAF on proc write error Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 045/307] net: hsr: fix potential OOB access in supervision frame handling Greg Kroah-Hartman
                   ` (262 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit afb2a3a9d8369d18122a0d7cd294eba9a98259c6 ]

byt_cht_es8316_init() enables MCLK before configuring the codec sysclk
and creating the headset jack. If either of those later steps fails, the
function returns without disabling MCLK, leaving the clock enabled after
card registration fails.

Track whether this driver enabled MCLK and disable it on the init error
paths. Add the matching DAI link exit callback so the same clock enable
is also balanced when ASoC cleans up a successfully initialized link.

Fixes: a03bdaa565cb ("ASoC: Intel: add machine driver for BYT/CHT + ES8316")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-asoc-bytcht-es8316-mclk-leak-v1-1-b4a11cdc2afd@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcht_es8316.c | 29 ++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c
index 7975dc0ceb3518..676c08247cfcb9 100644
--- a/sound/soc/intel/boards/bytcht_es8316.c
+++ b/sound/soc/intel/boards/bytcht_es8316.c
@@ -40,6 +40,7 @@ struct byt_cht_es8316_private {
 	struct gpio_desc *speaker_en_gpio;
 	struct device *codec_dev;
 	bool speaker_en;
+	bool mclk_enabled;
 };
 
 enum {
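Review bot: `mclk_enabled` is the right shape for this: a driver-owned flag rather than a dependency on the clk framework's enable count, so the exit path can never disable a clock that another consumer prepared. A short comment on the field noting that it tracks only this driver's own `clk_prepare_enable()` would make that intent explicit.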
@@ -170,6 +171,15 @@ static struct snd_soc_jack_pin byt_cht_es8316_jack_pins[] = {
 	},
 };
 
+static void byt_cht_es8316_disable_mclk(struct byt_cht_es8316_private *priv)
+{
+	if (!priv->mclk_enabled)
+		return;
+
+	clk_disable_unprepare(priv->mclk);
+	priv->mclk_enabled = false;
+}
+
 static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 {
 	struct snd_soc_component *codec = snd_soc_rtd_to_codec(runtime, 0)->component;
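Review bot: the early return on `!priv->mclk_enabled` makes `byt_cht_es8316_disable_mclk()` safe to call from both the init error path and the link exit callback, and clearing the flag afterwards rules out a double `clk_disable_unprepare()` if both ever run. No change needed here.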
@@ -226,12 +236,14 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 	ret = clk_prepare_enable(priv->mclk);
 	if (ret)
 		dev_err(card->dev, "unable to enable MCLK\n");
+	else
+		priv->mclk_enabled = true;
 
 	ret = snd_soc_dai_set_sysclk(snd_soc_rtd_to_codec(runtime, 0), 0, 19200000,
 				     SND_SOC_CLOCK_IN);
 	if (ret < 0) {
 		dev_err(card->dev, "can't set codec clock %d\n", ret);
-		return ret;
+		goto err_disable_mclk;
 	}
 
 	ret = snd_soc_card_jack_new_pins(card, "Headset",
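Review bot: the flag is set only in the `else` of the `clk_prepare_enable()` check, so a failed enable is still just logged and init proceeds, with `ret` overwritten by `snd_soc_dai_set_sysclk()`; that pre-existing behaviour is unchanged, and the flag guarantees the new `goto err_disable_mclk` will not unprepare a clock that was never enabled. If continuing after an MCLK failure is intentional, a comment saying so would spare the next reviewer the same question.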
@@ -240,13 +252,25 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
 					 ARRAY_SIZE(byt_cht_es8316_jack_pins));
 	if (ret) {
 		dev_err(card->dev, "jack creation failed %d\n", ret);
-		return ret;
+		goto err_disable_mclk;
 	}
 
 	snd_jack_set_key(priv->jack.jack, SND_JACK_BTN_0, KEY_PLAYPAUSE);
 	snd_soc_component_set_jack(codec, &priv->jack, NULL);
 
 	return 0;
+
+err_disable_mclk:
+	byt_cht_es8316_disable_mclk(priv);
+	return ret;
+}
+
+static void byt_cht_es8316_exit(struct snd_soc_pcm_runtime *runtime)
+{
+	struct snd_soc_card *card = runtime->card;
+	struct byt_cht_es8316_private *priv = snd_soc_card_get_drvdata(card);
+
+	byt_cht_es8316_disable_mclk(priv);
 }
 
 static int byt_cht_es8316_codec_fixup(struct snd_soc_pcm_runtime *rtd,
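Review bot: `byt_cht_es8316_exit()` obtains `priv` via `snd_soc_card_get_drvdata(card)`, matching how `init` gets it, and the `err_disable_mclk` label leaves `ret` intact for the caller. ASoC only invokes `.exit` for links whose `.init` succeeded, so the error path and the exit path never both run for one link; the flag guard in the helper covers it either way.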
@@ -356,6 +380,7 @@ static struct snd_soc_dai_link byt_cht_es8316_dais[] = {
 		.dpcm_playback = 1,
 		.dpcm_capture = 1,
 		.init = byt_cht_es8316_init,
+		.exit = byt_cht_es8316_exit,
 		SND_SOC_DAILINK_REG(ssp2_port, ssp2_codec, platform),
 	},
 };
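Review bot: `.exit` is wired only to the SSP2 link that also carries `.init`, which is the only link that enables MCLK; if another link gains an `.init` in future, keep the pair together so the clock balance is preserved.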
-- 
2.53.0

* [PATCH 6.18 054/315] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 053/315] cxl/test: Update mock dev array before calling platform_device_add() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 055/315] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
                   ` (262 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit b4bc94353050b1fa7b702bd4c6600710dd926cff ]

Sashiko found that iptunnel_pmtud_build_icmp() and
iptunnel_pmtud_build_icmpv6() were caching ip_hdr() and ipv6_hdr()
before an skb_cow() call which can reallocate skb->head.

Fix this possible UAF by initializing the local variables
after the skb_cow() call.

Remove skb_reset_network_header() calls which were not needed.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525201335.2361845-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_tunnel_core.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 5683c328990f49..d5a63155a05597 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -212,7 +212,7 @@ EXPORT_SYMBOL_GPL(iptunnel_handle_offloads);
  */
 static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 {
-	const struct iphdr *iph = ip_hdr(skb);
+	const struct iphdr *iph;
 	struct icmphdr *icmph;
 	struct iphdr *niph;
 	struct ethhdr eh;
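Review bot: leaving `iph` uninitialized at declaration is deliberate, but confirm no use of `iph` remains between this declaration and the new assignment after `skb_cow()`; the `pskb_trim()` length in the next hunk uses `sizeof(*niph)`, not `iph`, so the visible code looks clean. With `-Wmaybe-uninitialized` any such leftover use would now warn instead of silently reading a stale pointer, which is an improvement over the old initializer.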
@@ -226,7 +226,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
-	skb_reset_network_header(skb);
 
 	err = pskb_trim(skb, 576 - sizeof(*niph) - sizeof(*icmph));
 	if (err)
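Review bot: dropping `skb_reset_network_header()` after `pskb_pull(skb, ETH_HLEN)` means the later `ip_hdr(skb)` relies on `skb->network_header` already pointing at the IPv4 header; the commit message says the reset was unnecessary for these callers, but it is a dependency on the caller worth a one-line comment, since the offset-based `ip_hdr()` is exactly what makes the post-`skb_cow()` reload correct.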
@@ -236,7 +235,7 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 	err = skb_cow(skb, sizeof(*niph) + sizeof(*icmph) + ETH_HLEN);
 	if (err)
 		return err;
-
+	iph = ip_hdr(skb);
 	icmph = skb_push(skb, sizeof(*icmph));
 	*icmph = (struct icmphdr) {
 		.type			= ICMP_DEST_UNREACH,
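Review bot: `iph = ip_hdr(skb)` immediately after `skb_cow()` is the right place: `skb_cow()` may reallocate `skb->head`, whereas the following `skb_push()` cannot, because the cow call already reserved `sizeof(*niph) + sizeof(*icmph) + ETH_HLEN` of headroom. Restoring the blank line between the error check and the assignment would keep the surrounding style.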
@@ -308,7 +307,7 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
  */
 static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 {
-	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+	const struct ipv6hdr *ip6h;
 	struct icmp6hdr *icmp6h;
 	struct ipv6hdr *nip6h;
 	struct ethhdr eh;
@@ -323,7 +322,6 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
-	skb_reset_network_header(skb);
 
 	err = pskb_trim(skb, IPV6_MIN_MTU - sizeof(*nip6h) - sizeof(*icmp6h));
 	if (err)
@@ -334,6 +332,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 	if (err)
 		return err;
 
+	ip6h = ipv6_hdr(skb);
 	icmp6h = skb_push(skb, sizeof(*icmp6h));
 	*icmp6h = (struct icmp6hdr) {
 		.icmp6_type		= ICMPV6_PKT_TOOBIG,
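Review bot: the IPv6 side mirrors the IPv4 fix but keeps the blank line before the reload, so the two functions now differ only in that style detail at the assignment; harmless, but worth matching. As with IPv4, `ip6h` is read after the `skb_cow()` whose return is checked just above, and the subsequent `skb_push()` stays within the headroom that call reserved.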
-- 
2.53.0

* [PATCH 6.18 055/315] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 054/315] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 056/315] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
                   ` (261 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 7d9ef0cb271555d8cf39fefe6c981e1493b25ecf ]

skb_tunnel_check_pmtu() can change skb->head.

Reusing old_iph after skb_tunnel_check_pmtu() can cause a UAF.

Use ip_hdr(skb) instead, as done in drivers/net/bareudp.c
and drivers/net/geneve.c.

Found by Sashiko.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525203642.2389723-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan/vxlan_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index d2d0e0bd43716c..a4ff66e354f532 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2532,7 +2532,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
 				      vni, md, flags, udp_sum);
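Review bot: replacing `old_iph` at the `ip_tunnel_ecn_encap()` call fixes this use after `skb_tunnel_check_pmtu()`, but `old_iph` itself stays in scope; any other read of it surviving past the pmtu check (not visible in this hunk) has the same problem. A follow-up could narrow `old_iph` to the code before the pmtu check, or drop it in favour of `ip_hdr(skb)` everywhere, so the compiler enforces the rule rather than review.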
@@ -2606,7 +2606,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip6_dst_hoplimit(ndst);
 		skb_scrub_packet(skb, xnet);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),
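Review bot: same change for the IPv6 outer path; `skb_scrub_packet(skb, xnet)` follows immediately, so evaluating `ip_hdr(skb)` at the call instead of caching it is also the more robust order here. No further issue.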
-- 
2.53.0

* [PATCH 6.12 045/307] net: hsr: fix potential OOB access in supervision frame handling
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 044/307] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 046/307] accel/ivpu: prevent uninitialized data bug in debugfs Greg Kroah-Hartman
                   ` (261 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Luka Gejak,
	Fernando Fernandez Mancera, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luka Gejak <luka.gejak@linux.dev>

[ Upstream commit f229426072fc865654a60978bb7fda790a051ff3 ]

Ensure the entire TLV header is linearized before access by adding
sizeof(struct hsr_sup_tlv) to the pskb_may_pull() calls. Without this,
a truncated frame could cause an out-of-bounds access.

Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames")
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260523130330.61880-1-luka.gejak@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/hsr/hsr_forward.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index fa97405c517c70..e3037741a74895 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -84,7 +84,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
 	/* Get next tlv */
 	total_length += hsr_sup_tag->tlv.HSR_TLV_length;
-	if (!pskb_may_pull(skb, total_length))
+	if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
 		return false;
 	skb_pull(skb, total_length);
 	hsr_sup_tlv = (struct hsr_sup_tlv *)skb->data;
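Review bot: the extended `pskb_may_pull()` now covers the next TLV header before `skb_pull(skb, total_length)` and the cast of `skb->data` to `struct hsr_sup_tlv *`, so the `hsr_sup_tlv->HSR_TLV_length` read in the following hunk is guaranteed to be in linear data. `total_length` accumulates an 8-bit length plus a small constant, so the addition cannot overflow; a truncated frame now fails the pull and is rejected rather than read past the linear area.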
@@ -100,7 +100,7 @@ static bool is_supervision_frame(struct hsr_priv *hsr, struct sk_buff *skb)
 
 		/* make sure another tlv follows */
 		total_length += sizeof(struct hsr_sup_tlv) + hsr_sup_tlv->HSR_TLV_length;
-		if (!pskb_may_pull(skb, total_length))
+		if (!pskb_may_pull(skb, total_length + sizeof(struct hsr_sup_tlv)))
 			return false;
 
 		/* get next tlv */
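Review bot: same fix for the loop step; after `total_length += sizeof(struct hsr_sup_tlv) + hsr_sup_tlv->HSR_TLV_length` the pull must include the header of the following TLV, which this does. Note that the earlier `skb_pull()` in `is_supervision_frame()` mutates `skb->data` inside a predicate; pre-existing, but callers must not assume the skb is untouched after a `false` return.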
-- 
2.53.0

* [PATCH 6.12 046/307] accel/ivpu: prevent uninitialized data bug in debugfs
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 045/307] net: hsr: fix potential OOB access in supervision frame handling Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 047/307] gpio: mxc: fix irq_high handling Greg Kroah-Hartman
                   ` (260 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Karol Wachowski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <error27@gmail.com>

[ Upstream commit 44e151be23deb788d9f6124de93823faf6e04e99 ]

The simple_write_to_buffer() will only initialize data starting from
the *pos offset, so if it's non-zero then the first part of the buffer
is uninitialized.  Really, if *pos is non-zero then this code won't work,
so just check for that at the start of the function.

Fixes: 320323d2e545 ("accel/ivpu: Add debugfs interface for setting HWS priority bands")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/ahP24m6Mii9EDL7Q@stanley.mountain
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/accel/ivpu/ivpu_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/accel/ivpu/ivpu_debugfs.c b/drivers/accel/ivpu/ivpu_debugfs.c
index df89c1c0da6dd7..1da4ce6a99cd9b 100644
--- a/drivers/accel/ivpu/ivpu_debugfs.c
+++ b/drivers/accel/ivpu/ivpu_debugfs.c
@@ -447,7 +447,7 @@ priority_bands_fops_write(struct file *file, const char __user *user_buf, size_t
 	u32 band;
 	int ret;
 
-	if (size >= sizeof(buf))
+	if (*pos != 0 || size >= sizeof(buf))
 		return -EINVAL;
 
 	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, pos, user_buf, size);
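Review bot: rejecting `*pos != 0` up front is correct because `simple_write_to_buffer(buf, sizeof(buf) - 1, pos, ...)` only fills from `*pos`, leaving `buf[0..*pos)` uninitialized for the string parsing that follows; the `sizeof(buf) - 1` already implies the buffer is NUL-terminated and parsed from offset zero. Returning -EINVAL also makes chunked writes fail loudly instead of parsing stack garbage, which is the right trade for a debugfs knob.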
-- 
2.53.0

* [PATCH 6.18 056/315] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 055/315] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 057/315] ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE Greg Kroah-Hartman
                   ` (260 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Damiano Melotti, Eric Dumazet,
	Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 509323077ef79a26ba0c60bb556e45c12c398b2d ]

In some cases, iptunnel_pmtud_check_icmp() can be called while
skb transport header is not set.

This triggers an out-of-bound access, because
(typeof(skb->transport_header))~0U is 65535.

Access the icmp header based on IPv4 network header,
after making sure icmp->type is present in skb linear part.

Note that iptunnel_pmtud_check_icmpv6() is fine.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260522115512.1519110-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_tunnel_core.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index d5a63155a05597..4b5fd4b13722ca 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -280,7 +280,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
  */
 static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 {
-	const struct icmphdr *icmph = icmp_hdr(skb);
 	const struct iphdr *iph = ip_hdr(skb);
 
 	if (mtu < 576 || iph->frag_off != htons(IP_DF))
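Review bot: `iph` keeps its declaration-time initializer here, which is fine only because its uses (`frag_off`, `saddr`) precede any pull; the next hunk reloads it after `pskb_network_may_pull()`. A comment that `iph` must be re-read after any pull would help, given the same pattern was just fixed in the build_icmp functions of this file.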
@@ -291,9 +290,17 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 	    ipv4_is_lbcast(iph->saddr)  || ipv4_is_multicast(iph->saddr))
 		return 0;
 
-	if (iph->protocol == IPPROTO_ICMP && icmp_is_err(icmph->type))
-		return 0;
+	if (iph->protocol == IPPROTO_ICMP) {
+		const struct icmphdr *icmph;
 
+		if (!pskb_network_may_pull(skb, iph->ihl * 4 +
+						offsetofend(struct icmphdr, type)))
+			return 0;
+		iph = ip_hdr(skb);
+		icmph = (void *)iph + iph->ihl * 4;
+		if (icmp_is_err(icmph->type))
+			return 0;
+	}
 	return iptunnel_pmtud_build_icmp(skb, mtu);
 }
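Review bot: computing `icmph` as `(void *)iph + iph->ihl * 4` after `pskb_network_may_pull(skb, iph->ihl * 4 + offsetofend(struct icmphdr, type))` bounds the read for every `ihl` value, including an invalid `ihl < 5`, where the `type` byte would fall inside the IP header and only cause a misclassification rather than an out-of-bounds read. Reloading `iph` after the pull is necessary because `pskb_network_may_pull()` can reallocate the head. Minor: `skb_network_header(skb)` would express the intent slightly more directly than the `(void *)` arithmetic.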
 
-- 
2.53.0

* [PATCH 6.12 047/307] gpio: mxc: fix irq_high handling
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 046/307] accel/ivpu: prevent uninitialized data bug in debugfs Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 048/307] net: Avoid checksumming unreadable skb tail on trim Greg Kroah-Hartman
                   ` (259 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander Stein, Frank Li,
	Bartosz Golaszewski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Stein <alexander.stein@ew.tq-group.com>

[ Upstream commit dac917ed5aead741004db8d0d5151dd577802df8 ]

If port->irq_high is -1 (fsl,imx21-gpio compatible) and gpio_idx is >= 16,
enable_irq_wake() is called with -1, which is wrong.

Fixes: 5f6d1998adeb ("gpio: mxc: release the parent IRQ in runtime suspend")
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260526063504.25916-1-alexander.stein@ew.tq-group.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-mxc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-mxc.c b/drivers/gpio/gpio-mxc.c
index 3cdc2b218a86af..a8ab78ae7fa30c 100644
--- a/drivers/gpio/gpio-mxc.c
+++ b/drivers/gpio/gpio-mxc.c
@@ -473,7 +473,7 @@ static int mxc_gpio_probe(struct platform_device *pdev)
 		 * the handler is needed only once, but doing it for every port
 		 * is more robust and easier.
 		 */
-		port->irq_high = -1;
+		port->irq_high = 0;
 		port->mx_irq_handler = mx2_gpio_irq_handler;
 	} else
 		port->mx_irq_handler = mx3_gpio_irq_handler;
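Review bot: changing the sentinel from -1 to 0 only fixes the `enable_irq_wake()` call if every consumer of `port->irq_high` treats 0 as "no secondary interrupt" (for example `if (port->irq_high > 0)` rather than `>= 0` or `!= -1`); those sites are outside this hunk, so each one is worth confirming. The comment above still explains the shared handler but not the sentinel; adding that `irq_high == 0` means not present would document the new convention.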
-- 
2.53.0

* [PATCH 6.18 057/315] ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 056/315] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 058/315] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
                   ` (259 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Sergey Senozhatsky,
	Steve French, Sean Shen, Steve French, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Shen <grayhat@foxmail.com>

[ Upstream commit cc57232cae23c0df91b4a59d0f519141ce9b5b02 ]

FSCTL_SET_SPARSE in fsctl_set_sparse() modifies the file's sparse
attribute and saves it through xattr without any permission checks.

This exposes two issues:

1) A client on a read-only share can change the sparse attribute
   on files it opened, even though the share is read-only.
   Other FSCTL write operations already check
   test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE),
   but FSCTL_SET_SPARSE does not.

2) Even on writable shares, clients without FILE_WRITE_DATA or
   FILE_WRITE_ATTRIBUTES access should not modify the sparse
   attribute. Similar handle-level checks exist in other functions
   but are missing here.

Add both share-level writable check and per-handle access check.
Use goto out on error to avoid leaking file references.

Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Steve French <smfrench@gmail.com>
Signed-off-by: Sean Shen <grayhat@foxmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/smb/server/smb2pdu.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index da7b96707186e4..4689aac12c14ea 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8203,9 +8203,20 @@ static inline int fsctl_set_sparse(struct ksmbd_work *work, u64 id,
 	int ret = 0;
 	__le32 old_fattr;
 
+	if (!test_tree_conn_flag(work->tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) {
+		ksmbd_debug(SMB, "User does not have write permission\n");
+		return -EACCES;
+	}
+
 	fp = ksmbd_lookup_fd_fast(work, id);
 	if (!fp)
 		return -ENOENT;
+
+	if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_WRITE_ATTRIBUTES_LE))) {
+		ret = -EACCES;
+		goto out;
+	}
+
 	idmap = file_mnt_idmap(fp->filp);
 
 	old_fattr = fp->f_ci->m_fattr;
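Review bot: the check order is right: the share-level `KSMBD_TREE_CONN_FLAG_WRITABLE` test runs before `ksmbd_lookup_fd_fast()` takes a reference, and the per-handle `daccess` test after it uses `goto out` so the reference is released. Two small points: the handle-level denial returns silently while the share-level one logs via `ksmbd_debug()`, so a matching debug line would help when diagnosing access denials; and the mask accepts either `FILE_WRITE_DATA_LE` or `FILE_WRITE_ATTRIBUTES_LE`, which matches the commit message but deserves a comment since the sparse flag is an attribute update.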
-- 
2.53.0

* [PATCH 6.12 048/307] net: Avoid checksumming unreadable skb tail on trim
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 047/307] gpio: mxc: fix irq_high handling Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 049/307] ethtool: rss: fix hkey leak when indir_size is 0 Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Björn Töpel, Breno Leitao,
	Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Björn Töpel <bjorn@kernel.org>

[ Upstream commit 2e357f002c61fd76fd8f12468744a06a5ec48eaa ]

pskb_trim_rcsum_slow() keeps CHECKSUM_COMPLETE valid by subtracting
the checksum of the bytes removed from the skb tail. That assumes the
removed bytes can be read.

io_uring zcrx skbs may contain unreadable net_iov frags. With fbnic
header/data split, small TCP/IPv4 packets can carry Ethernet padding
in such a frag. ip_rcv_core() trims the skb to iph->tot_len before TCP
sees it, and the CHECKSUM_COMPLETE adjustment then calls
skb_checksum() on the padding.

This is exposed by IPv4 because small TCP/IPv4 frames can be shorter
than the Ethernet minimum payload. TCP/IPv6 frames are large enough in
the normal zcrx path, so they do not hit the same padding trim.

Keep the existing checksum adjustment for readable skbs. If the
remaining packet is fully linear, drop CHECKSUM_COMPLETE and let the
stack validate the packet after trimming. If unreadable payload would
remain, fail the trim; the checksum cannot be adjusted without reading
the trimmed tail.

Also clear skb->unreadable when trimming removes all frags.

Fixes: 65249feb6b3d ("net: add support for skbs with unreadable frags")
Signed-off-by: Björn Töpel <bjorn@kernel.org>
Reviewed-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260522120643.242974-1-bjorn@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index aa9e9148847363..8c9f026182a6f0 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2765,6 +2765,8 @@ int ___pskb_trim(struct sk_buff *skb, unsigned int len)
 		skb->data_len  = 0;
 		skb_set_tail_pointer(skb, len);
 	}
+	if (!skb_shinfo(skb)->nr_frags && !skb_has_frag_list(skb))
+		skb->unreadable = 0;
 
 	if (!skb->sk || skb->destructor == sock_edemux)
 		skb_condense(skb);
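Review bot: clearing `skb->unreadable` only when `nr_frags` is zero and no frag list remains is the right condition, since a frag list could still hold unreadable pages. Placing it after the tail-pointer update means it also applies to the fully-linear branch, which is where the new `pskb_trim_rcsum_complete()` relies on `skb_frags_readable()` being accurate.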
@@ -2772,16 +2774,37 @@ int ___pskb_trim(struct sk_buff *skb, unsigned int len)
 }
 EXPORT_SYMBOL(___pskb_trim);
 
+static int pskb_trim_rcsum_complete(struct sk_buff *skb, unsigned int len)
+{
+	int delta = skb->len - len;
+
+	if (skb_frags_readable(skb)) {
+		skb->csum = csum_block_sub(skb->csum,
+					   skb_checksum(skb, len, delta, 0),
+					   len);
+		return 0;
+	}
+
+	if (len > skb_headlen(skb))
+		return -EFAULT;
+
+	/* The trimmed bytes are unreadable, but the remaining packet can be
+	 * checksummed by software after trimming.
+	 */
+	skb->ip_summed = CHECKSUM_NONE;
+	return 0;
+}
+
 /* Note : use pskb_trim_rcsum() instead of calling this directly
  */
 int pskb_trim_rcsum_slow(struct sk_buff *skb, unsigned int len)
 {
 	if (skb->ip_summed == CHECKSUM_COMPLETE) {
-		int delta = skb->len - len;
+		int err;
 
-		skb->csum = csum_block_sub(skb->csum,
-					   skb_checksum(skb, len, delta, 0),
-					   len);
+		err = pskb_trim_rcsum_complete(skb, len);
+		if (err)
+			return err;
 	} else if (skb->ip_summed == CHECKSUM_PARTIAL) {
 		int hdlen = (len > skb_headlen(skb)) ? skb_headlen(skb) : len;
 		int offset = skb_checksum_start_offset(skb) + skb->csum_offset;
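Review bot: `pskb_trim_rcsum_slow()` now returns `err` from the CHECKSUM_COMPLETE path, where previously the only failure came from `__pskb_trim()`; callers that already check the return drop the packet, but any caller that ignored it would now keep an untrimmed, oversized skb, so the new -EFAULT path warrants a quick audit of `pskb_trim_rcsum()` users. Also, when falling back to `CHECKSUM_NONE` the stale `skb->csum` is left in place, which is harmless because `ip_summed` no longer claims it is valid, but a comment saying so would prevent a future "fix".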
-- 
2.53.0

* [PATCH 6.18 058/315] ASoC: codecs: simple-mux: Fix enum control bounds check
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 057/315] ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 059/315] drm/xe: Restore IDLEDLY register on engine reset Greg Kroah-Hartman
                   ` (258 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit f63ad68e18d774a5d15cd7e405ead63f6b322679 ]

simple_mux_control_put() rejects values greater than e->items, but
enum control values are zero based. For the two-entry mux used by this
driver, valid values are 0 and 1, so value 2 must be rejected as well.

Accepting e->items can store an invalid mux state, pass it to the GPIO
setter, and pass it on to the DAPM mux update path where it is used as
an index into the enum text array.

Use the same >= e->items check used by the ASoC enum helpers.

Fixes: 342fbb7578d1 ("ASoC: add simple-mux")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260527-asoc-simple-mux-enum-bounds-v1-1-3f805b9fc671@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/simple-mux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/codecs/simple-mux.c b/sound/soc/codecs/simple-mux.c
index 3906964401557d..cedd181ffdaf46 100644
--- a/sound/soc/codecs/simple-mux.c
+++ b/sound/soc/codecs/simple-mux.c
@@ -51,7 +51,7 @@ static int simple_mux_control_put(struct snd_kcontrol *kcontrol,
 	struct snd_soc_component *c = snd_soc_dapm_to_component(dapm);
 	struct simple_mux *priv = snd_soc_component_get_drvdata(c);
 
-	if (ucontrol->value.enumerated.item[0] > e->items)
+	if (ucontrol->value.enumerated.item[0] >= e->items)
 		return -EINVAL;
 
 	if (priv->mux == ucontrol->value.enumerated.item[0])
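Review bot: `>=` is the correct upper bound for a zero-based enum index and matches the ASoC enum helpers; since ucontrol->value.enumerated.item[0] and e->items are both unsigned, no lower-bound check is needed, and the check correctly runs before the value is compared against priv->mux or stored anywhere.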
-- 
2.53.0

* [PATCH 6.18 059/315] drm/xe: Restore IDLEDLY register on engine reset
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 058/315] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 060/315] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matt Roper,
	Balasubramani Vivekanandan, Rodrigo Vivi, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>

[ Upstream commit f657a6a3ba4c20bc01f5be3752d53498ee1bfe35 ]

Wa_16023105232 programs the register IDLEDLY. The register is reset
whenever the engine is reset. Therefore it should be added to the GuC
save-restore register list for it to be restored after reset.

Fixes: 7c53ff050ba8 ("drm/xe: Apply Wa_16023105232")
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Link: https://patch.msgid.link/20260522163531.1365540-2-balasubramani.vivekanandan@intel.com
Signed-off-by: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
(cherry picked from commit df1cfe24743a93b71eab27687e148ab8ae9b69e3)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/xe/xe_guc_ads.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/xe/xe_guc_ads.c b/drivers/gpu/drm/xe/xe_guc_ads.c
index 0e2bece1d8b83b..db71823b253801 100644
--- a/drivers/gpu/drm/xe/xe_guc_ads.c
+++ b/drivers/gpu/drm/xe/xe_guc_ads.c
@@ -772,6 +772,11 @@ static unsigned int guc_mmio_regset_write(struct xe_guc_ads *ads,
 		}
 	}
 
+	if (XE_GT_WA(hwe->gt, 16023105232))
+		guc_mmio_regset_write_one(ads, regset_map,
+					  RING_IDLEDLY(hwe->mmio_base),
+					  count++);
+
 	return count;
 }
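Review bot: the new entry is written with count++ inside a workaround-gated block, so whatever sizes the regset buffer this writes into (not shown in this hunk) must also account for one extra register when XE_GT_WA(hwe->gt, 16023105232) is set, otherwise guc_mmio_regset_write_one() writes past the allocated region; please confirm the size estimate was updated or already has headroom for this entry.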
 
-- 
2.53.0

* [PATCH 6.12 049/307] ethtool: rss: fix hkey leak when indir_size is 0
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 048/307] net: Avoid checksumming unreadable skb tail on trim Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 050/307] ethtool: module: avoid leaking a netdev ref on module flash errors Greg Kroah-Hartman
                   ` (257 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 78ccf1a70c6378e1f5073a8c2209b5129067b925 ]

rss_get_data_alloc() allocates a single buffer that backs both the
indirection table and the hash key, but only assigned data->indir_table
when indir_size was nonzero. The expectation was that no driver
implements RSS without supporting an indirection table, but apparently
enic does just that (it's the only such in-tree driver).
enic has get_rxfh_key_size but no get_rxfh_indir_size.
data->indir_table stays NULL, hkey gets set, but the
kfree(data->indir_table) in rss_get_data_free() is a nop and the allocation leaks.

Always store the allocation base in data->indir_table so the free path
is unambiguous. No caller treats indir_table as a sentinel; everything
keys off indir_size.

Fixes: 7112a04664bf ("ethtool: add netlink based get rss support")
Link: https://patch.msgid.link/20260522230647.1705600-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/rss.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/ethtool/rss.c b/net/ethtool/rss.c
index 8aa45f3fdfdf08..3570d58c5cca6d 100644
--- a/net/ethtool/rss.c
+++ b/net/ethtool/rss.c
@@ -78,8 +78,7 @@ rss_prepare_get(const struct rss_req_info *request, struct net_device *dev,
 		goto out_ops;
 	}
 
-	if (data->indir_size)
-		data->indir_table = (u32 *)rss_config;
+	data->indir_table = (u32 *)rss_config;
 	if (data->hkey_size)
 		data->hkey = rss_config + indir_bytes;
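Review bot: data->indir_table now always holds the allocation base, so the free path can kfree() it unconditionally, but the hunk leaves data->hkey conditional on hkey_size while indir_table becomes non-NULL even when indir_size is 0; a short comment at the assignment saying that indir_table doubles as the allocation base for rss_get_data_free() would stop a future reader from "restoring" the removed condition.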
 
-- 
2.53.0

* [PATCH 6.18 060/315] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 059/315] drm/xe: Restore IDLEDLY register on engine reset Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 061/315] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhao Dongdong,
	Luiz Augusto von Dentz, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

[ Upstream commit 3c40d381ce04f9575a5d8b542898183c3b4b38dc ]

The skb_clone() function can return NULL if memory allocation fails.
send_mcast_pkt() calls skb_clone() without checking the return value, which
can lead to a NULL pointer dereference in send_pkt() when it dereferences
skb->data.
Add a NULL check after skb_clone() and skip the peer if the clone fails.

Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/6lowpan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index 2c21ae8abadc22..038f01600eebab 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -486,6 +486,8 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
 			int ret;
 
 			local_skb = skb_clone(skb, GFP_ATOMIC);
+			if (!local_skb)
+				continue;
 
 			BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
 			       netdev->name,
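Review bot: on clone failure the loop just continues, so a multicast packet silently disappears for that peer under memory pressure; a BT_DBG() (or an error counter) in the `if (!local_skb)` branch would make such drops diagnosable. Skipping the peer rather than aborting the whole send is the right choice, since the remaining peers can still be served.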
-- 
2.53.0

* [PATCH 6.12 050/307] ethtool: module: avoid leaking a netdev ref on module flash errors
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 049/307] ethtool: rss: fix hkey leak when indir_size is 0 Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 051/307] ethtool: module: check fw_flash_in_progress under rtnl_lock Greg Kroah-Hartman
                   ` (256 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit fb7f511d62692661846c47f199e0afe25c2982db ]

module_flash_fw_schedule() is missing undo for setting
the "in_progress" flag and taking the netdev reference.
Delay taking these, the device can't disappear while
we are holding rtnl_lock.

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-3-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index 6988e07bdcd6d4..76d13ef4ba0427 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -318,8 +318,6 @@ module_flash_fw_schedule(struct net_device *dev, const char *file_name,
 	if (err < 0)
 		goto err_release_firmware;
 
-	dev->ethtool->module_fw_flash_in_progress = true;
-	netdev_hold(dev, &module_fw->dev_tracker, GFP_KERNEL);
 	fw_update->dev = dev;
 	fw_update->ntf_params.portid = info->snd_portid;
 	fw_update->ntf_params.seq = info->snd_seq;
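Review bot: with the flag set and netdev_hold() removed from here, `fw_update->dev = dev` is stored below without a reference for the rest of this function; that is only safe because the function runs with rtnl_lock held (as the commit message says), so an ASSERT_RTNL() at the top of module_flash_fw_schedule() would document and enforce that assumption.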
@@ -334,6 +332,9 @@ module_flash_fw_schedule(struct net_device *dev, const char *file_name,
 	if (err < 0)
 		goto err_release_firmware;
 
+	dev->ethtool->module_fw_flash_in_progress = true;
+	netdev_hold(dev, &module_fw->dev_tracker, GFP_KERNEL);
+
 	schedule_work(&module_fw->work);
 
 	return 0;
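Review bot: taking the flag and the reference right before schedule_work() puts them after the last `goto err_release_firmware`, so the error path needs no unwind; a one-line comment such as "no failure paths after this point" above `module_fw_flash_in_progress = true` would keep a future error exit from reintroducing the leak.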
-- 
2.53.0

* [PATCH 6.18 061/315] bonding: refuse to enslave CAN devices
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 060/315] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 062/315] bridge: Fix sleep in atomic context in netlink path Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+8ed98cbd0161632bce95,
	Oliver Hartkopp, Jay Vosburgh, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

[ Upstream commit 8ba68464e4787b6a7ec938826e16124df20fd23d ]

syzbot reported a kernel paging request crash in
can_rx_unregister() inside net/can/af_can.c. The crash occurs
because a virtual CAN device (vxcan) is being enslaved to a
bonding master.

During the enslavement process, the bonding driver mutates
and modifies the network device states to fit an Ethernet-like
aggregation model. However, CAN devices operate on a completely
different Layer 2 architecture, relying on the CAN mid-layer
private data structure (can_ml_priv) instead of standard
Ethernet structures. Since bonding does not initialize or
maintain these CAN structures, subsequent operations on the
half-enslaved interface (such as closing associated sockets
via isotp_release) lead to a null-pointer dereference when
accessing the CAN receiver lists.

Bonding CAN interfaces is architecturally invalid as CAN lacks
MAC addresses, ARP capabilities, and standard Ethernet
link-layer mechanisms. While generic loopback devices are
blocked globally in net/core/dev.c, virtual CAN devices
bypass this check because they do not carry the IFF_LOOPBACK
flag, despite acting as local software-loopbacks.

Fix this by explicitly blocking network devices of type
ARPHRD_CAN from being enslaved at the very beginning of
bond_enslave(). This prevents illegal state mutations,
eliminates the resulting KASAN crashes, and avoids potential
memory leaks from incomplete socket cleanups.

As the CAN support has been added a long time after bonding
the Fixes-tag points to the introduction of ARPHRD_CAN that
would have needed a specific handling in bonding_main.c.

Fixes: cd05acfe65ed ("[CAN]: Allocate protocol numbers for PF_CAN")
Reported-by: syzbot+8ed98cbd0161632bce95@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8ed98cbd0161632bce95
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20260526-bonding-candev-v1-1-ba1df400918a@hartkopp.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 8b1422dda4c080..2132acff2e52c4 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1860,6 +1860,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
 	struct sockaddr_storage ss;
 	int res = 0, i;
 
+	if (slave_dev->type == ARPHRD_CAN) {
+		BOND_NL_ERR(bond_dev, extack,
+			    "CAN devices cannot be enslaved");
+		return -EPERM;
+	}
+
 	if (slave_dev->flags & IFF_MASTER &&
 	    !netif_is_bond_master(slave_dev)) {
 		BOND_NL_ERR(bond_dev, extack,
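Review bot: the rejection is placed before any state is touched, so no unwind is needed; the hunk returns -EPERM, which is fine if the adjacent IFF_MASTER check also returns -EPERM, otherwise -EINVAL or -EOPNOTSUPP describes a device-type mismatch better. A brief comment at the check that CAN devices have no MAC/ARP layer (per the commit message) would explain the rejection at the code site.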
-- 
2.53.0

* [PATCH 6.12 051/307] ethtool: module: check fw_flash_in_progress under rtnl_lock
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 050/307] ethtool: module: avoid leaking a netdev ref on module flash errors Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 052/307] ethtool: module: fix cleanup if socket used for flashing multiple devices Greg Kroah-Hartman
                   ` (255 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 504eaefa44c8dec50f7499edcb36d24f3aefab2a ]

ethnl_set_module_validate() inspects module_fw_flash_in_progress
but validate is meant for _input_ validation, not state validation.
rtnl_lock is not held yet. Move the check into ethnl_set_module().

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index 76d13ef4ba0427..ab1e8a83acd0b1 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -119,12 +119,6 @@ ethnl_set_module_validate(struct ethnl_req_info *req_info,
 	if (!tb[ETHTOOL_A_MODULE_POWER_MODE_POLICY])
 		return 0;
 
-	if (req_info->dev->ethtool->module_fw_flash_in_progress) {
-		NL_SET_ERR_MSG(info->extack,
-			       "Module firmware flashing is in progress");
-		return -EBUSY;
-	}
-
 	if (!ops->get_module_power_mode || !ops->set_module_power_mode) {
 		NL_SET_ERR_MSG_ATTR(info->extack,
 				    tb[ETHTOOL_A_MODULE_POWER_MODE_POLICY],
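Review bot: the remaining early `return 0` when ETHTOOL_A_MODULE_POWER_MODE_POLICY is absent means the removed check only ever covered power-mode changes; the relocated check in ethnl_set_module() should keep that scoping rather than rejecting every MODULE_SET while a flash is in progress, or the commit message should say that the broader behaviour is intended.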
@@ -147,6 +141,12 @@ ethnl_set_module(struct ethnl_req_info *req_info, struct genl_info *info)
 
 	ops = dev->ethtool_ops;
 
+	if (dev->ethtool->module_fw_flash_in_progress) {
+		NL_SET_ERR_MSG(info->extack,
+			       "Module firmware flashing is in progress");
+		return -EBUSY;
+	}
+
 	power_new.policy = nla_get_u8(tb[ETHTOOL_A_MODULE_POWER_MODE_POLICY]);
 	ret = ops->get_module_power_mode(dev, &power, info->extack);
 	if (ret < 0)
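Review bot: reading module_fw_flash_in_progress here is only race-free if the writer that sets it (module_flash_fw_schedule()) and the work that clears it both run under rtnl_lock, which this hunk cannot show; please confirm the clear side holds RTNL too, otherwise this plain bool read still needs at least a READ_ONCE()/WRITE_ONCE() pairing.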
-- 
2.53.0

* [PATCH 6.18 062/315] bridge: Fix sleep in atomic context in netlink path
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 061/315] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 063/315] bridge: Fix sleep in atomic context in sysfs path Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@nvidia.com>

[ Upstream commit 5eec4427b89c2fb2beac54920101e55a2f1c0c21 ]

Since the introduction of the netlink configuration path for bridge
ports in commit 25c71c75ac87 ("bridge: bridge port parameters over
netlink"), br_setport() was always called with the bridge lock held
around it. Back then this decision made sense: The bridge lock protects
the STP state of the bridge and its ports and at that time the function
only processed three STP related netlink attributes (cost, priority and
state).

Nowadays, br_setport() processes a lot more attributes and most of them
do not need the bridge lock:

* Bridge flags: Only require RTNL. Read locklessly by the data path.
  Annotations can be added in net-next.

* FDB port flushing: Only requires the FDB lock.

* Multicast attributes: Only require the multicast lock.

* Group forward mask: Only requires RTNL. Read locklessly by the data
  path. Annotations can be added in net-next.

* Backup port and NHID: Only require RTNL. Read locklessly by the data
  path.

This is a problem as the bridge calls dev_set_promiscuity() when certain
bridge port flags change and this function can sleep since the commit
cited below, resulting in a splat such as [1].

Fix this by reducing the scope of the bridge lock and only take it when
processing the three STP related attributes that require it. This is
consistent with the multicast attributes where each attribute acquires
the multicast lock instead of having one critical section for all
relevant attributes.

[1]
BUG: sleeping function called from invalid context at net/core/dev_addr_lists.c:1262
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 356, name: bridge
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by bridge/356:
#0: ffffffff919473a0 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg (net/core/rtnetlink.c:80 net/core/rtnetlink.c:7002)
#1: ffff888115072d58 (&br->lock){+...}-{3:3}, at: br_setlink (./include/linux/spinlock.h:348 net/bridge/br_netlink.c:1117)
Preemption disabled at:
 0x0
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
__might_resched.cold (kernel/sched/core.c:9163)
netif_rx_mode_run (net/core/dev_addr_lists.c:1262)
netif_rx_mode_sync (net/core/dev_addr_lists.c:1428)
dev_set_promiscuity (net/core/dev_api.c:289)
br_manage_promisc (net/bridge/br_if.c:135 net/bridge/br_if.c:172)
br_port_flags_change (net/bridge/br_if.c:242 net/bridge/br_if.c:747)
br_setport (net/bridge/br_netlink.c:1000)
br_setlink (net/bridge/br_netlink.c:1118)
rtnl_bridge_setlink (net/core/rtnetlink.c:5572)
rtnetlink_rcv_msg (net/core/rtnetlink.c:7005)
netlink_rcv_skb (net/netlink/af_netlink.c:2550)
netlink_unicast (net/netlink/af_netlink.c:1318 net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1894)
__sock_sendmsg (net/socket.c:787 (discriminator 4) net/socket.c:802 (discriminator 4))
____sys_sendmsg (net/socket.c:2698)
___sys_sendmsg (net/socket.c:2752)
__sys_sendmsg (net/socket.c:2784)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Fixes: 78cd408356fe ("net: add missing instance lock to dev_set_promiscuity")
Reviewed-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260526064818.272516-2-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/br_netlink.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 4e2d53b2722104..6d5b2ef5f18d3d 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -1000,19 +1000,25 @@ static int br_setport(struct net_bridge_port *p, struct nlattr *tb[],
 	br_port_flags_change(p, changed_mask);
 
 	if (tb[IFLA_BRPORT_COST]) {
+		spin_lock_bh(&p->br->lock);
 		err = br_stp_set_path_cost(p, nla_get_u32(tb[IFLA_BRPORT_COST]));
+		spin_unlock_bh(&p->br->lock);
 		if (err)
 			return err;
 	}
 
 	if (tb[IFLA_BRPORT_PRIORITY]) {
+		spin_lock_bh(&p->br->lock);
 		err = br_stp_set_port_priority(p, nla_get_u16(tb[IFLA_BRPORT_PRIORITY]));
+		spin_unlock_bh(&p->br->lock);
 		if (err)
 			return err;
 	}
 
 	if (tb[IFLA_BRPORT_STATE]) {
+		spin_lock_bh(&p->br->lock);
 		err = br_set_port_state(p, nla_get_u8(tb[IFLA_BRPORT_STATE]));
+		spin_unlock_bh(&p->br->lock);
 		if (err)
 			return err;
 	}
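Review bot: the same spin_lock_bh()/call/spin_unlock_bh() triplet is repeated three times in a row; since the three STP attributes are adjacent, either a small locked helper or one critical section around all three would be less repetitive. The commit message argues for per-attribute locking to mirror the multicast attributes, so this is a style preference, not a correctness issue.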
@@ -1114,9 +1120,7 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh, u16 flags,
 			if (err)
 				return err;
 
-			spin_lock_bh(&p->br->lock);
 			err = br_setport(p, tb, extack);
-			spin_unlock_bh(&p->br->lock);
 		} else {
 			/* Binary compatibility with old RSTP */
 			if (nla_len(protinfo) < sizeof(u8))
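Review bot: br_setport() now runs without br->lock from br_setlink(); the `else` branch for the old RSTP binary interface (`nla_len(protinfo) < sizeof(u8)`) is untouched, so please double-check that path still takes the lock it needs around its own state change, since it previously sat right next to the lock calls removed here.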
@@ -1203,17 +1207,10 @@ static int br_port_slave_changelink(struct net_device *brdev,
 				    struct nlattr *data[],
 				    struct netlink_ext_ack *extack)
 {
-	struct net_bridge *br = netdev_priv(brdev);
-	int ret;
-
 	if (!data)
 		return 0;
 
-	spin_lock_bh(&br->lock);
-	ret = br_setport(br_port_get_rtnl(dev), data, extack);
-	spin_unlock_bh(&br->lock);
-
-	return ret;
+	return br_setport(br_port_get_rtnl(dev), data, extack);
 }
 
 static int br_port_fill_slave_info(struct sk_buff *skb,
-- 
2.53.0

* [PATCH 6.12 052/307] ethtool: module: fix cleanup if socket used for flashing multiple devices
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 051/307] ethtool: module: check fw_flash_in_progress under rtnl_lock Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 053/307] ethtool: cmis: require exact CDB reply length Greg Kroah-Hartman
                   ` (254 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Danielle Ratson, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 760d04ebad5c4304f22c0d2251c9623b87a117c8 ]

When a single Netlink socket issues MODULE_FW_FLASH_ACT against multiple
devices, ethnl_sock_priv_set() overwrites sk_priv->dev on each call,
retaining only the last one. The socket priv is used on socket close,
to walk the global work list and mark the uncompleted flashing work
as "orphaned". Otherwise if another socket reuses the PID it will
unexpectedly receive the flashing notifications.

Don't record the device, record net pointer instead. The purpose of
the dev is to scope the work to a netns, anyway. If we store netns
the overrides are safe/a nop since all flashed devices must be in
the same netns as the socket.

Fixes: 32b4c8b53ee7 ("ethtool: Add ability to flash transceiver modules' firmware")
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/module.c  | 9 ++++-----
 net/ethtool/netlink.c | 4 ++--
 net/ethtool/netlink.h | 4 ++--
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/ethtool/module.c b/net/ethtool/module.c
index ab1e8a83acd0b1..5a08c320b4660d 100644
--- a/net/ethtool/module.c
+++ b/net/ethtool/module.c
@@ -282,11 +282,9 @@ void ethnl_module_fw_flash_sock_destroy(struct ethnl_sock_priv *sk_priv)
 
 	spin_lock(&module_fw_flash_work_list_lock);
 	list_for_each_entry(work, &module_fw_flash_work_list, list) {
-		if (work->fw_update.dev == sk_priv->dev &&
-		    work->fw_update.ntf_params.portid == sk_priv->portid) {
+		if (work->fw_update.ntf_params.portid == sk_priv->portid &&
+		    dev_net(work->fw_update.dev) == sk_priv->net)
 			work->fw_update.ntf_params.closed_sock = true;
-			break;
-		}
 	}
 	spin_unlock(&module_fw_flash_work_list_lock);
 }
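Review bot: dropping the `break` is required now that one socket can own several in-flight works; dev_net(work->fw_update.dev) is dereferenced under module_fw_flash_work_list_lock only, which relies on work->fw_update.dev staying valid for as long as the entry is on the list (the schedule path holds a netdev reference for it), so a comment on the list entry's lifetime would help.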
@@ -323,7 +321,8 @@ module_flash_fw_schedule(struct net_device *dev, const char *file_name,
 	fw_update->ntf_params.seq = info->snd_seq;
 	fw_update->ntf_params.closed_sock = false;
 
-	err = ethnl_sock_priv_set(skb, dev, fw_update->ntf_params.portid,
+	err = ethnl_sock_priv_set(skb, dev_net(dev),
+				  fw_update->ntf_params.portid,
 				  ETHTOOL_SOCK_TYPE_MODULE_FW_FLASH);
 	if (err < 0)
 		goto err_release_firmware;
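Review bot: dev_net(dev) is stored in the socket priv without a netns reference; that is fine because the socket itself pins its namespace and the pointer is used only as a comparison key in ethnl_module_fw_flash_sock_destroy(), but a comment at ethnl_sock_priv_set() saying the net pointer is not refcounted would keep someone from dereferencing it later.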
diff --git a/net/ethtool/netlink.c b/net/ethtool/netlink.c
index a52be67139d0ac..409b4109940b7c 100644
--- a/net/ethtool/netlink.c
+++ b/net/ethtool/netlink.c
@@ -50,7 +50,7 @@ const struct nla_policy ethnl_header_policy_phy_stats[] = {
 	[ETHTOOL_A_HEADER_PHY_INDEX]		= NLA_POLICY_MIN(NLA_U32, 1),
 };
 
-int ethnl_sock_priv_set(struct sk_buff *skb, struct net_device *dev, u32 portid,
+int ethnl_sock_priv_set(struct sk_buff *skb, struct net *net, u32 portid,
 			enum ethnl_sock_type type)
 {
 	struct ethnl_sock_priv *sk_priv;
@@ -59,7 +59,7 @@ int ethnl_sock_priv_set(struct sk_buff *skb, struct net_device *dev, u32 portid,
 	if (IS_ERR(sk_priv))
 		return PTR_ERR(sk_priv);
 
-	sk_priv->dev = dev;
+	sk_priv->net = net;
 	sk_priv->portid = portid;
 	sk_priv->type = type;
 
diff --git a/net/ethtool/netlink.h b/net/ethtool/netlink.h
index 5e176938d6d228..11843bd10bcade 100644
--- a/net/ethtool/netlink.h
+++ b/net/ethtool/netlink.h
@@ -315,12 +315,12 @@ enum ethnl_sock_type {
 };
 
 struct ethnl_sock_priv {
-	struct net_device *dev;
+	struct net *net;
 	u32 portid;
 	enum ethnl_sock_type type;
 };
 
-int ethnl_sock_priv_set(struct sk_buff *skb, struct net_device *dev, u32 portid,
+int ethnl_sock_priv_set(struct sk_buff *skb, struct net *net, u32 portid,
 			enum ethnl_sock_type type);
 
 /**
-- 
2.53.0

* [PATCH 6.18 063/315] bridge: Fix sleep in atomic context in sysfs path
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 062/315] bridge: Fix sleep in atomic context in netlink path Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 064/315] ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES Greg Kroah-Hartman
                   ` (253 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ido Schimmel <idosch@nvidia.com>

[ Upstream commit 6d34594cc619d0d4b07d5afcad8b5984f3526dcf ]

Since the start of the git history, brport_store() always acquired the
bridge lock. Back then this decision made sense: The bridge lock
protects the STP state of the bridge and its ports and at that time the
function was only used by two STP related attributes (cost and
priority).

Nowadays, brport_store() processes a lot more attributes and most of
them do not need the bridge lock:

* Bridge flags: Only require RTNL. Read locklessly by the data path.
  Annotations can be added in net-next.

* FDB port flushing: Only requires the FDB lock.

* Multicast attributes: Only require the multicast lock.

* Group forward mask: Only requires RTNL. Read locklessly by the data
  path. Annotations can be added in net-next.

* Backup port: Only requires RTNL. Read locklessly by the data path.

This is a problem as the bridge calls dev_set_promiscuity() when certain
bridge port flags change and this function can sleep since the commit
cited below, resulting in a splat such as [1].

Fix this by reducing the scope of the bridge lock and only take it when
processing the two STP related attributes that require it. Remove the
now stale comment from br_switchdev_set_port_flag(). The
SWITCHDEV_F_DEFER flag can be removed in net-next.

[1]
BUG: sleeping function called from invalid context at net/core/dev_addr_lists.c:1262
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 372, name: bash
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
5 locks held by bash/372:
#0: ffff88810c51c3f0 (sb_writers#7){.+.+}-{0:0}, at: ksys_write (fs/read_write.c:740)
#1: ffff888115ce9480 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter (fs/kernfs/file.c:343)
#2: ffff88810b9fd330 (kn->active#37){.+.+}-{0:0}, at: kernfs_fop_write_iter (fs/kernfs/file.c:80 fs/kernfs/file.c:344)
#3: ffffffffa59473a0 (rtnl_mutex){+.+.}-{4:4}, at: brport_store (net/bridge/br_sysfs_if.c:326)
#4: ffff8881099d2d58 (&br->lock){+...}-{3:3}, at: brport_store (./include/linux/spinlock.h:348 net/bridge/br_sysfs_if.c:345)
Preemption disabled at:
 0x0
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
__might_resched.cold (kernel/sched/core.c:9163)
netif_rx_mode_run (net/core/dev_addr_lists.c:1262)
netif_rx_mode_sync (net/core/dev_addr_lists.c:1428)
dev_set_promiscuity (net/core/dev_api.c:289)
br_manage_promisc (net/bridge/br_if.c:135 net/bridge/br_if.c:172)
br_port_flags_change (net/bridge/br_if.c:242 net/bridge/br_if.c:747)
store_learning (net/bridge/br_sysfs_if.c:79 net/bridge/br_sysfs_if.c:235)
brport_store (net/bridge/br_sysfs_if.c:346)
kernfs_fop_write_iter (fs/kernfs/file.c:352)
new_sync_write (fs/read_write.c:595)
vfs_write (fs/read_write.c:688)
ksys_write (fs/read_write.c:740)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Fixes: 78cd408356fe ("net: add missing instance lock to dev_set_promiscuity")
Reviewed-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260526064818.272516-3-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/br_switchdev.c |  1 -
 net/bridge/br_sysfs_if.c  | 30 ++++++++++++++++++++++--------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c
index fe3f7bbe86ee62..b5c6e314204f94 100644
--- a/net/bridge/br_switchdev.c
+++ b/net/bridge/br_switchdev.c
@@ -99,7 +99,6 @@ int br_switchdev_set_port_flag(struct net_bridge_port *p,
 	attr.u.brport_flags.val = flags;
 	attr.u.brport_flags.mask = mask;
 
-	/* We run from atomic context here */
 	err = call_switchdev_notifiers(SWITCHDEV_PORT_ATTR_SET, p->dev,
 				       &info.info, extack);
 	err = notifier_to_errno(err);
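Review bot: dropping the "We run from atomic context here" comment changes the documented calling context of br_switchdev_set_port_flag() without replacing it; a comment stating the new expectation (called under rtnl_mutex, may sleep, so the switchdev notifier chain is allowed to block) would tell future callers what they must not do, which matters here because the reason for this series is that callers used to reach this point holding br->lock.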
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index 74fdd8105dca9e..3fe664fd1f5b82 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -86,16 +86,34 @@ static ssize_t show_path_cost(struct net_bridge_port *p, char *buf)
 	return sprintf(buf, "%d\n", p->path_cost);
 }
 
-static BRPORT_ATTR(path_cost, 0644,
-		   show_path_cost, br_stp_set_path_cost);
+static int store_path_cost(struct net_bridge_port *p, unsigned long v)
+{
+	int ret;
+
+	spin_lock_bh(&p->br->lock);
+	ret = br_stp_set_path_cost(p, v);
+	spin_unlock_bh(&p->br->lock);
+	return ret;
+}
+
+static BRPORT_ATTR(path_cost, 0644, show_path_cost, store_path_cost);
 
 static ssize_t show_priority(struct net_bridge_port *p, char *buf)
 {
 	return sprintf(buf, "%d\n", p->priority);
 }
 
-static BRPORT_ATTR(priority, 0644,
-			 show_priority, br_stp_set_port_priority);
+static int store_priority(struct net_bridge_port *p, unsigned long v)
+{
+	int ret;
+
+	spin_lock_bh(&p->br->lock);
+	ret = br_stp_set_port_priority(p, v);
+	spin_unlock_bh(&p->br->lock);
+	return ret;
+}
+
+static BRPORT_ATTR(priority, 0644, show_priority, store_priority);
 
 static ssize_t show_designated_root(struct net_bridge_port *p, char *buf)
 {
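Review bot: store_path_cost() and store_priority() take `v` as unsigned long and hand it straight to br_stp_set_path_cost()/br_stp_set_port_priority(), so range checking stays with the callees (unchanged behaviour); the wrappers would read better with a one-line comment saying br->lock is required by the STP setters, since that is why these two attributes, and only these two, keep taking the lock.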
@@ -334,17 +352,13 @@ static ssize_t brport_store(struct kobject *kobj,
 			ret = -ENOMEM;
 			goto out_unlock;
 		}
-		spin_lock_bh(&p->br->lock);
 		ret = brport_attr->store_raw(p, buf_copy);
-		spin_unlock_bh(&p->br->lock);
 		kfree(buf_copy);
 	} else if (brport_attr->store) {
 		val = simple_strtoul(buf, &endp, 0);
 		if (endp == buf)
 			goto out_unlock;
-		spin_lock_bh(&p->br->lock);
 		ret = brport_attr->store(p, val);
-		spin_unlock_bh(&p->br->lock);
 	}
 
 	if (!ret) {
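Review bot: removing spin_lock_bh(&p->br->lock) around both store_raw() and store() means every brport attribute callback now runs with only rtnl_mutex held, while the previous hunk wraps only path_cost and priority; the commit message should state that the remaining store callbacks (for instance store_learning() from the trace) were audited and do not depend on br->lock, or any that do should get the same wrapper treatment.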
-- 
2.53.0

* [PATCH 6.12 053/307] ethtool: cmis: require exact CDB reply length
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Danielle Ratson, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 6c3f999a9d1338c6c89a9ff4549eafe72bc2e7b1 ]

Malicious SFP module could respond with rpl_len longer than
what cmis_cdb_process_reply() expected, leading to OOB writes.
Malicious HW is a bit theoretical but some modules may just
be buggy and/or the reads may occasionally get corrupted,
so let's protect the kernel.

The existing check protects from short replies. We need to
protect from long ones, too. All callers that pass a non-zero
rpl_exp_len cast the reply payload to a fixed-layout struct
and read fields at fixed offsets, with no version negotiation
or short-reply handling:

  - cmis_cdb_validate_password()
  - cmis_cdb_module_features_get()
  - cmis_fw_update_fw_mng_features_get()

so let's assume that responses longer than expected do not
have to be handled gracefully here. Add a warning message
to make the debug easier in case my understanding is wrong...

Note that page_data->length (argument of kmalloc) comes from
last arg to ethtool_cmis_page_init() which is rpl_exp_len.

Note2 that AIs also like to point out overflows in args->req.payload
itself (which is a fixed-size 120 B buffer, on the stack),
but callers should be reading structs defined by the standard,
so protecting from requests for more data than max seem like
defensive programming.

Fixes: a39c84d79625 ("ethtool: cmis_cdb: Add a layer for supporting CDB commands")
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-7-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis_cdb.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index 8bf99295bfbe96..690002366d965a 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c
@@ -508,8 +508,13 @@ static int cmis_cdb_process_reply(struct net_device *dev,
 	}
 
 	rpl = (struct ethtool_cmis_cdb_rpl *)page_data->data;
-	if ((args->rpl_exp_len > rpl->hdr.rpl_len + rpl_hdr_len) ||
-	    !rpl->hdr.rpl_chk_code) {
+	if (rpl->hdr.rpl_len != args->rpl_exp_len) {
+		netdev_warn(dev, "CDB reply length mismatch, expected %u got %u\n",
+			    args->rpl_exp_len, rpl->hdr.rpl_len);
+		err = -EIO;
+		goto out;
+	}
+	if (!rpl->hdr.rpl_chk_code) {
 		err = -EIO;
 		goto out;
 	}
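Review bot: netdev_warn() fires on every mismatched reply with data the module supplies, so a buggy module that trips it on each CDB command will flood the log; netdev_warn_once() or a net_ratelimit() guard keeps the debugging value the commit message wants without the noise. It would also help to confirm in the message that callers with rpl_exp_len == 0 never reach this check, because a non-zero rpl_len now fails with -EIO where the old `rpl_exp_len > rpl_len + rpl_hdr_len` comparison passed.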
-- 
2.53.0

* [PATCH 6.18 064/315] ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 7281b096b072f6c6e30420e3467d738f2e4c4b57 ]

ethnl_update_profile() walks the ETHTOOL_A_PROFILE_IRQ_MODERATION
nest list with an index 'i' and writes new_profile[i++] without
bounding i. The destination is kmemdup()'d at NET_DIM_PARAMS_NUM_PROFILES
entries (5), but the Netlink nest count is entirely user-controlled.
Netlink policies do not have support for constraining the number
of nested entries (or number of multi-attr entries).

Fixes: f750dfe825b9 ("ethtool: provide customized dim profile management")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/coalesce.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ethtool/coalesce.c b/net/ethtool/coalesce.c
index 3e18ca1ccc5ef6..cace02d964cb21 100644
--- a/net/ethtool/coalesce.c
+++ b/net/ethtool/coalesce.c
@@ -463,6 +463,12 @@ static int ethnl_update_profile(struct net_device *dev,
 
 	nla_for_each_nested_type(nest, ETHTOOL_A_PROFILE_IRQ_MODERATION,
 				 nests, rem) {
+		if (i >= NET_DIM_PARAMS_NUM_PROFILES) {
+			NL_SET_BAD_ATTR(extack, nest);
+			ret = -E2BIG;
+			goto err_out;
+		}
+
 		ret = nla_parse_nested(tb, len_irq_moder - 1, nest,
 				       coalesce_irq_moderation_policy,
 				       extack);
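Review bot: the bound check is correct only if `i` counts entries already written to new_profile, that is, it is incremented exactly once per iteration that stores, which lies outside the visible hunk; if a later `continue` skips the store, `i` stays accurate and the check still holds. Consider also documenting NET_DIM_PARAMS_NUM_PROFILES as the maximum nest count in the ethtool netlink documentation, since -E2BIG with NL_SET_BAD_ATTR() is otherwise the only hint user space gets.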
-- 
2.53.0

* [PATCH 6.12 054/307] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 3e8c3d464c36bb342fe377b026577c7ec27fdbb4 ]

ethtool_cmis_cdb_compose_args() accepts msleep_pre_rpl as u16 but stores
it into the u8 field ethtool_cmis_cdb_cmd_args::msleep_pre_rpl, silently
truncating values >= 256. Seven of the nine call sites pass 1000 ms
(it's the third argument from the end).

Fixes: a39c84d79625 ("ethtool: cmis_cdb: Add a layer for supporting CDB commands")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-8-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/cmis.h b/net/ethtool/cmis.h
index 3e7c293af78c4d..aa32a675b8f8d2 100644
--- a/net/ethtool/cmis.h
+++ b/net/ethtool/cmis.h
@@ -59,9 +59,9 @@ struct ethtool_cmis_cdb_request {
  * struct ethtool_cmis_cdb_cmd_args - CDB commands execution arguments
  * @req: CDB command fields as described in the CMIS standard.
  * @max_duration: Maximum duration time for command completion in msec.
+ * @msleep_pre_rpl: Waiting time before checking reply in msec.
  * @read_write_len_ext: Allowable additional number of byte octets to the LPL
  *			in a READ or a WRITE commands.
- * @msleep_pre_rpl: Waiting time before checking reply in msec.
  * @rpl_exp_len: Expected reply length in bytes.
  * @flags: Validation flags for CDB commands.
  * @err_msg: Error message to be sent to user space.
@@ -69,8 +69,8 @@ struct ethtool_cmis_cdb_request {
 struct ethtool_cmis_cdb_cmd_args {
 	struct ethtool_cmis_cdb_request req;
 	u16				max_duration;
+	u16				msleep_pre_rpl;
 	u8				read_write_len_ext;
-	u8				msleep_pre_rpl;
 	u8                              rpl_exp_len;
 	u8				flags;
 	char				*err_msg;
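Review bot: moving msleep_pre_rpl next to max_duration keeps the two u16 fields adjacent and avoids padding, but the commit message does not say the reorder is for packing, so a stable reviewer may read it as an unrelated change; one sentence would help. Spelling out the observable effect would also be useful: the common 1000 ms value was truncated to 232 ms in the u8 field, so the delay before reading the reply was roughly a quarter of what the callers intended.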
-- 
2.53.0

* [PATCH 6.18 065/315] ethtool: tsconfig: fix reply error handling
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vadim Fedorenko, Kory Maincent,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit a888bbd43940cada72f7686337741ce86d1cf869 ]

A couple of trivial bugs in error handling in tsconfig_send_reply().
If we failed to allocate rskb we need to set the error.
If we did allocate it but failed to send it - we need to remember
to free it.

Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-3-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/tsconfig.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/tsconfig.c b/net/ethtool/tsconfig.c
index 169b413b31fc5f..041de8687472bd 100644
--- a/net/ethtool/tsconfig.c
+++ b/net/ethtool/tsconfig.c
@@ -224,16 +224,21 @@ static int tsconfig_send_reply(struct net_device *dev, struct genl_info *info)
 	reply_len = ret + ethnl_reply_header_size();
 	rskb = ethnl_reply_init(reply_len, dev, ETHTOOL_MSG_TSCONFIG_SET_REPLY,
 				ETHTOOL_A_TSCONFIG_HEADER, info, &reply_payload);
-	if (!rskb)
+	if (!rskb) {
+		ret = -ENOMEM;
 		goto err_cleanup;
+	}
 
 	ret = tsconfig_fill_reply(rskb, &req_info->base, &reply_data->base);
 	if (ret < 0)
-		goto err_cleanup;
+		goto err_free_msg;
 
 	genlmsg_end(rskb, reply_payload);
 	ret = genlmsg_reply(rskb, info);
+	rskb = NULL;
 
+err_free_msg:
+	nlmsg_free(rskb);
 err_cleanup:
 	kfree(reply_data);
 	kfree(req_info);
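Review bot: the success path sets rskb = NULL and then falls through to nlmsg_free(rskb), which relies on nlmsg_free() tolerating a NULL skb (it does, via kfree_skb()), but the intent is easy to misread; a short comment on the `rskb = NULL;` line saying genlmsg_reply() consumed the skb would make the fall-through obvious. Setting -ENOMEM when ethnl_reply_init() fails is the right fix, since ret otherwise still held the non-negative reply size from the preceding call.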
-- 
2.53.0

* [PATCH 6.12 055/307] net: ethtool: Add new parameters and a function to support EPL
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Danielle Ratson, Petr Machata,
	Simon Horman, David S. Miller, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Danielle Ratson <danieller@nvidia.com>

[ Upstream commit edc344568922eb9588e77ba49de1ef0cb9a2ff1c ]

In the CMIS specification for pluggable modules, LPL (Local Payload) and
EPL (Extended Payload) are two types of data payloads used for managing
various functions and features of the module.

EPL payloads are used for more complex and extensive management
functions that require a larger amount of data, so writing firmware
blocks using EPL is much more efficient.

Currently, only LPL payload is supported for writing firmware blocks to
the module.

Add EPL related parameters to the function ethtool_cmis_cdb_compose_args()
and add a specific function for calculating the maximum allowable length
extension for EPL. Both will be used in the next patch to add support for
writing firmware blocks using EPL.

Signed-off-by: Danielle Ratson <danieller@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 12c2496a71f8 ("ethtool: cmis: validate start_cmd_payload_size from module")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis.h           | 12 +++++++-----
 net/ethtool/cmis_cdb.c       | 32 +++++++++++++++++++++-----------
 net/ethtool/cmis_fw_update.c | 17 ++++++++++-------
 3 files changed, 38 insertions(+), 23 deletions(-)

diff --git a/net/ethtool/cmis.h b/net/ethtool/cmis.h
index aa32a675b8f8d2..e11e47b3f2fc8f 100644
--- a/net/ethtool/cmis.h
+++ b/net/ethtool/cmis.h
@@ -96,13 +96,15 @@ struct ethtool_cmis_cdb_rpl {
 	u8 payload[ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH];
 };
 
-u32 ethtool_cmis_get_max_payload_size(u8 num_of_byte_octs);
+u32 ethtool_cmis_get_max_lpl_size(u8 num_of_byte_octs);
+u32 ethtool_cmis_get_max_epl_size(u8 num_of_byte_octs);
 
 void ethtool_cmis_cdb_compose_args(struct ethtool_cmis_cdb_cmd_args *args,
-				   enum ethtool_cmis_cdb_cmd_id cmd, u8 *pl,
-				   u8 lpl_len, u16 max_duration,
-				   u8 read_write_len_ext, u16 msleep_pre_rpl,
-				   u8 rpl_exp_len, u8 flags);
+				   enum ethtool_cmis_cdb_cmd_id cmd, u8 *lpl,
+				   u8 lpl_len, u8 *epl, u16 epl_len,
+				   u16 max_duration, u8 read_write_len_ext,
+				   u16 msleep_pre_rpl, u8 rpl_exp_len,
+				   u8 flags);
 
 void ethtool_cmis_cdb_check_completion_flag(u8 cmis_rev, u8 *flags);
 
diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index 690002366d965a..31142e239cf6b2 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c
@@ -11,25 +11,34 @@
  * min(i, 15) byte octets where i specifies the allowable additional number of
  * byte octets in a READ or a WRITE.
  */
-u32 ethtool_cmis_get_max_payload_size(u8 num_of_byte_octs)
+u32 ethtool_cmis_get_max_lpl_size(u8 num_of_byte_octs)
 {
 	return 8 * (1 + min_t(u8, num_of_byte_octs, 15));
 }
 
+/* For accessing the EPL field on page 9Fh, the allowable length extension is
+ * min(i, 255) byte octets where i specifies the allowable additional number of
+ * byte octets in a READ or a WRITE.
+ */
+u32 ethtool_cmis_get_max_epl_size(u8 num_of_byte_octs)
+{
+	return 8 * (1 + min_t(u8, num_of_byte_octs, 255));
+}
+
 void ethtool_cmis_cdb_compose_args(struct ethtool_cmis_cdb_cmd_args *args,
-				   enum ethtool_cmis_cdb_cmd_id cmd, u8 *pl,
-				   u8 lpl_len, u16 max_duration,
-				   u8 read_write_len_ext, u16 msleep_pre_rpl,
-				   u8 rpl_exp_len, u8 flags)
+				   enum ethtool_cmis_cdb_cmd_id cmd, u8 *lpl,
+				   u8 lpl_len, u8 *epl, u16 epl_len,
+				   u16 max_duration, u8 read_write_len_ext,
+				   u16 msleep_pre_rpl, u8 rpl_exp_len, u8 flags)
 {
 	args->req.id = cpu_to_be16(cmd);
 	args->req.lpl_len = lpl_len;
-	if (pl)
-		memcpy(args->req.payload, pl, args->req.lpl_len);
+	if (lpl)
+		memcpy(args->req.payload, lpl, args->req.lpl_len);
 
 	args->max_duration = max_duration;
 	args->read_write_len_ext =
-		ethtool_cmis_get_max_payload_size(read_write_len_ext);
+		ethtool_cmis_get_max_lpl_size(read_write_len_ext);
 	args->msleep_pre_rpl = msleep_pre_rpl;
 	args->rpl_exp_len = rpl_exp_len;
 	args->flags = flags;
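Review bot: in ethtool_cmis_get_max_epl_size() the min_t(u8, num_of_byte_octs, 255) clamp is a no-op, since a u8 can never exceed 255; either drop it or keep it with a comment that it mirrors the spec's min(i, 255) wording so nobody later removes it as dead code. Note also that the result (up to 2048) is wider than the u8 read_write_len_ext field of struct ethtool_cmis_cdb_cmd_args that this function writes into; this patch does not store the EPL value yet, but the follow-up that does should widen the field.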
@@ -183,7 +192,7 @@ cmis_cdb_validate_password(struct ethtool_cmis_cdb *cdb,
 	}
 
 	ethtool_cmis_cdb_compose_args(&args, ETHTOOL_CMIS_CDB_CMD_QUERY_STATUS,
-				      (u8 *)&qs_pl, sizeof(qs_pl), 0,
+				      (u8 *)&qs_pl, sizeof(qs_pl), NULL, 0, 0,
 				      cdb->read_write_len_ext, 1000,
 				      sizeof(*rpl),
 				      CDB_F_COMPLETION_VALID | CDB_F_STATUS_VALID);
@@ -245,8 +254,9 @@ static int cmis_cdb_module_features_get(struct ethtool_cmis_cdb *cdb,
 	ethtool_cmis_cdb_check_completion_flag(cdb->cmis_rev, &flags);
 	ethtool_cmis_cdb_compose_args(&args,
 				      ETHTOOL_CMIS_CDB_CMD_MODULE_FEATURES,
-				      NULL, 0, 0, cdb->read_write_len_ext,
-				      1000, sizeof(*rpl), flags);
+				      NULL, 0, NULL, 0, 0,
+				      cdb->read_write_len_ext, 1000,
+				      sizeof(*rpl), flags);
 
 	err = ethtool_cmis_cdb_execute_cmd(dev, &args);
 	if (err < 0) {
diff --git a/net/ethtool/cmis_fw_update.c b/net/ethtool/cmis_fw_update.c
index 655ff5224ffa30..a514127985d44e 100644
--- a/net/ethtool/cmis_fw_update.c
+++ b/net/ethtool/cmis_fw_update.c
@@ -54,7 +54,8 @@ cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 	ethtool_cmis_cdb_check_completion_flag(cdb->cmis_rev, &flags);
 	ethtool_cmis_cdb_compose_args(&args,
 				      ETHTOOL_CMIS_CDB_CMD_FW_MANAGMENT_FEATURES,
-				      NULL, 0, cdb->max_completion_time,
+				      NULL, 0, NULL, 0,
+				      cdb->max_completion_time,
 				      cdb->read_write_len_ext, 1000,
 				      sizeof(*rpl), flags);
 
@@ -122,7 +123,7 @@ cmis_fw_update_start_download(struct ethtool_cmis_cdb *cdb,
 
 	ethtool_cmis_cdb_compose_args(&args,
 				      ETHTOOL_CMIS_CDB_CMD_START_FW_DOWNLOAD,
-				      (u8 *)&pl, lpl_len,
+				      (u8 *)&pl, lpl_len, NULL, 0,
 				      fw_mng->max_duration_start,
 				      cdb->read_write_len_ext, 1000, 0,
 				      CDB_F_COMPLETION_VALID | CDB_F_STATUS_VALID);
@@ -158,7 +159,7 @@ cmis_fw_update_write_image(struct ethtool_cmis_cdb *cdb,
 	int err;
 
 	max_lpl_len = min_t(u32,
-			    ethtool_cmis_get_max_payload_size(cdb->read_write_len_ext),
+			    ethtool_cmis_get_max_lpl_size(cdb->read_write_len_ext),
 			    ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH);
 	max_block_size =
 		max_lpl_len - sizeof_field(struct cmis_cdb_write_fw_block_lpl_pl,
@@ -183,7 +184,7 @@ cmis_fw_update_write_image(struct ethtool_cmis_cdb *cdb,
 
 		ethtool_cmis_cdb_compose_args(&args,
 					      ETHTOOL_CMIS_CDB_CMD_WRITE_FW_BLOCK_LPL,
-					      (u8 *)&pl, lpl_len,
+					      (u8 *)&pl, lpl_len, NULL, 0,
 					      fw_mng->max_duration_write,
 					      cdb->read_write_len_ext, 1, 0,
 					      CDB_F_COMPLETION_VALID | CDB_F_STATUS_VALID);
@@ -212,7 +213,8 @@ cmis_fw_update_complete_download(struct ethtool_cmis_cdb *cdb,
 
 	ethtool_cmis_cdb_compose_args(&args,
 				      ETHTOOL_CMIS_CDB_CMD_COMPLETE_FW_DOWNLOAD,
-				      NULL, 0, fw_mng->max_duration_complete,
+				      NULL, 0, NULL, 0,
+				      fw_mng->max_duration_complete,
 				      cdb->read_write_len_ext, 1000, 0,
 				      CDB_F_COMPLETION_VALID | CDB_F_STATUS_VALID);
 
@@ -294,7 +296,7 @@ cmis_fw_update_run_image(struct ethtool_cmis_cdb *cdb, struct net_device *dev,
 	int err;
 
 	ethtool_cmis_cdb_compose_args(&args, ETHTOOL_CMIS_CDB_CMD_RUN_FW_IMAGE,
-				      (u8 *)&pl, sizeof(pl),
+				      (u8 *)&pl, sizeof(pl), NULL, 0,
 				      cdb->max_completion_time,
 				      cdb->read_write_len_ext, 1000, 0,
 				      CDB_F_MODULE_STATE_VALID);
@@ -326,7 +328,8 @@ cmis_fw_update_commit_image(struct ethtool_cmis_cdb *cdb,
 
 	ethtool_cmis_cdb_compose_args(&args,
 				      ETHTOOL_CMIS_CDB_CMD_COMMIT_FW_IMAGE,
-				      NULL, 0, cdb->max_completion_time,
+				      NULL, 0, NULL, 0,
+				      cdb->max_completion_time,
 				      cdb->read_write_len_ext, 1000, 0,
 				      CDB_F_COMPLETION_VALID | CDB_F_STATUS_VALID);
 
-- 
2.53.0

* [PATCH 6.18 066/315] ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 596c51ed9e125b12c4d85b4530dfd4c7847634b7 ]

linkstate_prepare_data() calls ethnl_req_get_phydev() before
ethnl_ops_begin(), but routes its error path through "goto out"
which calls ethnl_ops_complete().

Fixes: fe55b1d401c6 ("ethtool: linkstate: migrate linkstate functions to support multi-PHY setups")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-4-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/linkstate.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/ethtool/linkstate.c b/net/ethtool/linkstate.c
index 05a5f72c99fab1..3dc52a39d34525 100644
--- a/net/ethtool/linkstate.c
+++ b/net/ethtool/linkstate.c
@@ -105,10 +105,8 @@ static int linkstate_prepare_data(const struct ethnl_req_info *req_base,
 
 	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_LINKSTATE_HEADER,
 				      info->extack);
-	if (IS_ERR(phydev)) {
-		ret = PTR_ERR(phydev);
-		goto out;
-	}
+	if (IS_ERR(phydev))
+		return PTR_ERR(phydev);
 
 	ret = ethnl_ops_begin(dev);
 	if (ret < 0)
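Review bot: returning PTR_ERR(phydev) directly is correct only if nothing acquired earlier in linkstate_prepare_data() still needs releasing; the hunk starts at the phydev lookup, so that part is not visible, and the commit message could state that no cleanup is pending before ethnl_ops_begin().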
-- 
2.53.0

* [PATCH 6.12 056/307] net: ethtool: Add support for writing firmware blocks using EPL payload
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Danielle Ratson, Petr Machata,
	Simon Horman, David S. Miller, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Danielle Ratson <danieller@nvidia.com>

[ Upstream commit 9a3b0d078bd825613c0821bf7bf5a2e1d8d60057 ]

In the CMIS specification for pluggable modules, LPL (Local Payload) and
EPL (Extended Payload) are two types of data payloads used for managing
various functions and features of the module.

EPL payloads are used for more complex and extensive management
functions that require a larger amount of data, so writing firmware
blocks using EPL is much more efficient.

Currently, only LPL payload is supported for writing firmware blocks to
the module.

Add support for writing firmware block using EPL payload, both to
support modules that supports only EPL write mechanism, and to optimize
the flashing process of modules that support LPL and EPL.

Signed-off-by: Danielle Ratson <danieller@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 12c2496a71f8 ("ethtool: cmis: validate start_cmd_payload_size from module")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis.h           |  4 ++
 net/ethtool/cmis_cdb.c       | 66 ++++++++++++++++++++++++--
 net/ethtool/cmis_fw_update.c | 91 ++++++++++++++++++++++++++++++++----
 3 files changed, 148 insertions(+), 13 deletions(-)

diff --git a/net/ethtool/cmis.h b/net/ethtool/cmis.h
index e11e47b3f2fc8f..1ab96bdd2c6f92 100644
--- a/net/ethtool/cmis.h
+++ b/net/ethtool/cmis.h
@@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: GPL-2.0-only */
 
 #define ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH		120
+#define ETHTOOL_CMIS_CDB_EPL_MAX_PL_LENGTH		2048
 #define ETHTOOL_CMIS_CDB_CMD_PAGE			0x9F
 #define ETHTOOL_CMIS_CDB_PAGE_I2C_ADDR			0x50
 
@@ -23,6 +24,7 @@ enum ethtool_cmis_cdb_cmd_id {
 	ETHTOOL_CMIS_CDB_CMD_FW_MANAGMENT_FEATURES	= 0x0041,
 	ETHTOOL_CMIS_CDB_CMD_START_FW_DOWNLOAD		= 0x0101,
 	ETHTOOL_CMIS_CDB_CMD_WRITE_FW_BLOCK_LPL		= 0x0103,
+	ETHTOOL_CMIS_CDB_CMD_WRITE_FW_BLOCK_EPL		= 0x0104,
 	ETHTOOL_CMIS_CDB_CMD_COMPLETE_FW_DOWNLOAD	= 0x0107,
 	ETHTOOL_CMIS_CDB_CMD_RUN_FW_IMAGE		= 0x0109,
 	ETHTOOL_CMIS_CDB_CMD_COMMIT_FW_IMAGE		= 0x010A,
@@ -38,6 +40,7 @@ enum ethtool_cmis_cdb_cmd_id {
  * @resv1: Added to match the CMIS standard request continuity.
  * @resv2: Added to match the CMIS standard request continuity.
  * @payload: Payload for the CDB commands.
+ * @epl: Extended payload for the CDB commands.
  */
 struct ethtool_cmis_cdb_request {
 	__be16 id;
@@ -49,6 +52,7 @@ struct ethtool_cmis_cdb_request {
 		u8 resv2;
 		u8 payload[ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH];
 	);
+	u8 *epl;	/* Everything above this field checksummed. */
 };
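Review bot: placing a host pointer `u8 *epl` inside struct ethtool_cmis_cdb_request mixes the on-wire CDB layout with driver state, and the struct size now differs between 32- and 64-bit builds; only the trailing comment and the offsetof(..., epl) bound in the checksum call keep the two in sync. Consider moving the pointer out to struct ethtool_cmis_cdb_cmd_args next to the other non-wire fields, or at least keeping the comment tied to the checksum computation.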
 
 #define CDB_F_COMPLETION_VALID		BIT(0)
diff --git a/net/ethtool/cmis_cdb.c b/net/ethtool/cmis_cdb.c
index 31142e239cf6b2..606d88df31f235 100644
--- a/net/ethtool/cmis_cdb.c
+++ b/net/ethtool/cmis_cdb.c
@@ -33,12 +33,19 @@ void ethtool_cmis_cdb_compose_args(struct ethtool_cmis_cdb_cmd_args *args,
 {
 	args->req.id = cpu_to_be16(cmd);
 	args->req.lpl_len = lpl_len;
-	if (lpl)
+	if (lpl) {
 		memcpy(args->req.payload, lpl, args->req.lpl_len);
+		args->read_write_len_ext =
+			ethtool_cmis_get_max_lpl_size(read_write_len_ext);
+	}
+	if (epl) {
+		args->req.epl_len = cpu_to_be16(epl_len);
+		args->req.epl = epl;
+		args->read_write_len_ext =
+			ethtool_cmis_get_max_epl_size(read_write_len_ext);
+	}
 
 	args->max_duration = max_duration;
-	args->read_write_len_ext =
-		ethtool_cmis_get_max_lpl_size(read_write_len_ext);
 	args->msleep_pre_rpl = msleep_pre_rpl;
 	args->rpl_exp_len = rpl_exp_len;
 	args->flags = flags;
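Review bot: args->read_write_len_ext is now assigned only inside the if (lpl) and if (epl) branches, so a caller passing NULL for both (the NULL, 0, NULL, 0 calls introduced by the previous patch) leaves the field holding whatever it had before the call; unless every caller zero-initializes args, the later `args->req.lpl_len > args->read_write_len_ext` check in ethtool_cmis_cdb_execute_cmd() compares against a stale value. Keep the unconditional LPL default before the branches and let the EPL branch override it.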
@@ -561,6 +568,49 @@ __ethtool_cmis_cdb_execute_cmd(struct net_device *dev,
 	return err;
 }
 
+#define CMIS_CDB_EPL_PAGE_START			0xA0
+#define CMIS_CDB_EPL_PAGE_END			0xAF
+#define CMIS_CDB_EPL_FW_BLOCK_OFFSET_START	128
+#define CMIS_CDB_EPL_FW_BLOCK_OFFSET_END	255
+
+static int
+ethtool_cmis_cdb_execute_epl_cmd(struct net_device *dev,
+				 struct ethtool_cmis_cdb_cmd_args *args,
+				 struct ethtool_module_eeprom *page_data)
+{
+	u16 epl_len = be16_to_cpu(args->req.epl_len);
+	u32 bytes_written = 0;
+	u8 page;
+	int err;
+
+	for (page = CMIS_CDB_EPL_PAGE_START;
+	     page <= CMIS_CDB_EPL_PAGE_END && bytes_written < epl_len; page++) {
+		u16 offset = CMIS_CDB_EPL_FW_BLOCK_OFFSET_START;
+
+		while (offset <= CMIS_CDB_EPL_FW_BLOCK_OFFSET_END &&
+		       bytes_written < epl_len) {
+			u32 bytes_left = epl_len - bytes_written;
+			u16 space_left, bytes_to_write;
+
+			space_left = CMIS_CDB_EPL_FW_BLOCK_OFFSET_END - offset + 1;
+			bytes_to_write = min_t(u16, bytes_left,
+					       min_t(u16, space_left,
+						     args->read_write_len_ext));
+
+			err = __ethtool_cmis_cdb_execute_cmd(dev, page_data,
+							     page, offset,
+							     bytes_to_write,
+							     args->req.epl + bytes_written);
+			if (err < 0)
+				return err;
+
+			offset += bytes_to_write;
+			bytes_written += bytes_to_write;
+		}
+	}
+	return 0;
+}
+
 static u8 cmis_cdb_calc_checksum(const void *data, size_t size)
 {
 	const u8 *bytes = (const u8 *)data;
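Review bot: the page loop can finish with bytes_written < epl_len and still return 0 whenever epl_len exceeds the 16 pages x 128 bytes (2048) that CMIS_CDB_EPL_PAGE_START..END and the 128..255 offset range cover, so an over-long EPL is silently truncated; add `if (bytes_written < epl_len) return -EINVAL;` after the loop, or reject epl_len > ETHTOOL_CMIS_CDB_EPL_MAX_PL_LENGTH up front. Separately, min_t(u16, space_left, args->read_write_len_ext) takes its bound from a field declared u8 in cmis.h while ethtool_cmis_get_max_epl_size() returns values up to 2048; any result of 256 or more is truncated on assignment, and a truncated value of 0 makes bytes_to_write 0 so neither offset nor bytes_written advances and the while loop never exits. Widen read_write_len_ext or clamp the EPL extension to what the field can hold.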
@@ -582,7 +632,9 @@ int ethtool_cmis_cdb_execute_cmd(struct net_device *dev,
 	int err;
 
 	args->req.chk_code =
-		cmis_cdb_calc_checksum(&args->req, sizeof(args->req));
+		cmis_cdb_calc_checksum(&args->req,
+				       offsetof(struct ethtool_cmis_cdb_request,
+						epl));
 
 	if (args->req.lpl_len > args->read_write_len_ext) {
 		args->err_msg = "LPL length is longer than CDB read write length extension allows";
@@ -604,6 +656,12 @@ int ethtool_cmis_cdb_execute_cmd(struct net_device *dev,
 	if (err < 0)
 		return err;
 
+	if (args->req.epl_len) {
+		err = ethtool_cmis_cdb_execute_epl_cmd(dev, args, &page_data);
+		if (err < 0)
+			return err;
+	}
+
 	offset = CMIS_CDB_CMD_ID_OFFSET +
 		offsetof(struct ethtool_cmis_cdb_request, id);
 	err = __ethtool_cmis_cdb_execute_cmd(dev, &page_data,
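Review bot: the EPL pages are written before the command header is written at CMIS_CDB_CMD_ID_OFFSET on the CDB page, and nothing in the hunk or the commit message says why that order is required; a one-line comment above the `if (args->req.epl_len)` block stating that the extended payload must be in place before the command is issued would protect the ordering from a well-meaning reshuffle.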
diff --git a/net/ethtool/cmis_fw_update.c b/net/ethtool/cmis_fw_update.c
index a514127985d44e..48aef6220f0094 100644
--- a/net/ethtool/cmis_fw_update.c
+++ b/net/ethtool/cmis_fw_update.c
@@ -9,6 +9,7 @@
 
 struct cmis_fw_update_fw_mng_features {
 	u8	start_cmd_payload_size;
+	u8	write_mechanism;
 	u16	max_duration_start;
 	u16	max_duration_write;
 	u16	max_duration_complete;
@@ -36,7 +37,9 @@ struct cmis_cdb_fw_mng_features_rpl {
 };
 
 enum cmis_cdb_fw_write_mechanism {
+	CMIS_CDB_FW_WRITE_MECHANISM_NONE	= 0x00,
 	CMIS_CDB_FW_WRITE_MECHANISM_LPL		= 0x01,
+	CMIS_CDB_FW_WRITE_MECHANISM_EPL		= 0x10,
 	CMIS_CDB_FW_WRITE_MECHANISM_BOTH	= 0x11,
 };
 
@@ -68,10 +71,9 @@ cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 	}
 
 	rpl = (struct cmis_cdb_fw_mng_features_rpl *)args.req.payload;
-	if (!(rpl->write_mechanism == CMIS_CDB_FW_WRITE_MECHANISM_LPL ||
-	      rpl->write_mechanism == CMIS_CDB_FW_WRITE_MECHANISM_BOTH)) {
+	if (rpl->write_mechanism == CMIS_CDB_FW_WRITE_MECHANISM_NONE) {
 		ethnl_module_fw_flash_ntf_err(dev, ntf_params,
-					      "Write LPL is not supported",
+					      "CDB write mechanism is not supported",
 					      NULL);
 		return  -EOPNOTSUPP;
 	}
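Review bot: the rewritten condition in cmis_fw_update_fw_mng_features_get() only rejects CMIS_CDB_FW_WRITE_MECHANISM_NONE, so it is wider than the old `LPL || BOTH` test: a reply carrying a reserved bit pattern (0x02, 0x20, 0xff, ...) now passes where it was refused before. Testing the bits the code actually supports, e.g. `if (!(rpl->write_mechanism & (CMIS_CDB_FW_WRITE_MECHANISM_LPL | CMIS_CDB_FW_WRITE_MECHANISM_EPL)))`, keeps unknown values out while still admitting EPL-only modules.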
@@ -83,6 +85,10 @@ cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 	 */
 	cdb->read_write_len_ext = rpl->read_write_len_ext;
 	fw_mng->start_cmd_payload_size = rpl->start_cmd_payload_size;
+	fw_mng->write_mechanism =
+		rpl->write_mechanism == CMIS_CDB_FW_WRITE_MECHANISM_LPL ?
+		CMIS_CDB_FW_WRITE_MECHANISM_LPL :
+		CMIS_CDB_FW_WRITE_MECHANISM_EPL;
 	fw_mng->max_duration_start = be16_to_cpu(rpl->max_duration_start);
 	fw_mng->max_duration_write = be16_to_cpu(rpl->max_duration_write);
 	fw_mng->max_duration_complete = be16_to_cpu(rpl->max_duration_complete);
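Review bot: the ternary assigning fw_mng->write_mechanism maps every value other than exactly CMIS_CDB_FW_WRITE_MECHANISM_LPL to EPL, with two consequences the hunk does not spell out: a module advertising BOTH (0x11) is driven with EPL, and any reserved nonzero value admitted by the check above is also treated as EPL-capable. If preferring EPL when both are offered is intentional, a comment stating the reason would help; a switch over the known enumerators with a default that rejects would make the reserved-value case explicit.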
@@ -149,9 +155,9 @@ struct cmis_cdb_write_fw_block_lpl_pl {
 };
 
 static int
-cmis_fw_update_write_image(struct ethtool_cmis_cdb *cdb,
-			   struct ethtool_cmis_fw_update_params *fw_update,
-			   struct cmis_fw_update_fw_mng_features *fw_mng)
+cmis_fw_update_write_image_lpl(struct ethtool_cmis_cdb *cdb,
+			       struct ethtool_cmis_fw_update_params *fw_update,
+			       struct cmis_fw_update_fw_mng_features *fw_mng)
 {
 	u8 start = fw_mng->start_cmd_payload_size;
 	u32 offset, max_block_size, max_lpl_len;
@@ -202,6 +208,67 @@ cmis_fw_update_write_image(struct ethtool_cmis_cdb *cdb,
 	return 0;
 }
 
+struct cmis_cdb_write_fw_block_epl_pl {
+	u8 fw_block[ETHTOOL_CMIS_CDB_EPL_MAX_PL_LENGTH];
+};
+
+static int
+cmis_fw_update_write_image_epl(struct ethtool_cmis_cdb *cdb,
+			       struct ethtool_cmis_fw_update_params *fw_update,
+			       struct cmis_fw_update_fw_mng_features *fw_mng)
+{
+	u8 start = fw_mng->start_cmd_payload_size;
+	u32 image_size = fw_update->fw->size;
+	u32 offset, lpl_len;
+	int err;
+
+	lpl_len = sizeof_field(struct cmis_cdb_write_fw_block_lpl_pl,
+			       block_address);
+
+	for (offset = start; offset < image_size;
+	     offset += ETHTOOL_CMIS_CDB_EPL_MAX_PL_LENGTH) {
+		struct cmis_cdb_write_fw_block_lpl_pl lpl = {
+			.block_address = cpu_to_be32(offset - start),
+		};
+		struct cmis_cdb_write_fw_block_epl_pl *epl;
+		struct ethtool_cmis_cdb_cmd_args args = {};
+		u32 epl_len;
+
+		ethnl_module_fw_flash_ntf_in_progress(fw_update->dev,
+						      &fw_update->ntf_params,
+						      offset - start,
+						      image_size);
+
+		epl_len = min_t(u32, ETHTOOL_CMIS_CDB_EPL_MAX_PL_LENGTH,
+				image_size - offset);
+		epl = kmalloc_array(epl_len, sizeof(u8), GFP_KERNEL);
+		if (!epl)
+			return -ENOMEM;
+
+		memcpy(epl->fw_block, &fw_update->fw->data[offset], epl_len);
+
+		ethtool_cmis_cdb_compose_args(&args,
+					      ETHTOOL_CMIS_CDB_CMD_WRITE_FW_BLOCK_EPL,
+					      (u8 *)&lpl, lpl_len, (u8 *)epl,
+					      epl_len,
+					      fw_mng->max_duration_write,
+					      cdb->read_write_len_ext, 1, 0,
+					      CDB_F_COMPLETION_VALID | CDB_F_STATUS_VALID);
+
+		err = ethtool_cmis_cdb_execute_cmd(fw_update->dev, &args);
+		kfree(epl);
+		if (err < 0) {
+			ethnl_module_fw_flash_ntf_err(fw_update->dev,
+						      &fw_update->ntf_params,
+						      "Write FW block EPL command failed",
+						      args.err_msg);
+			return err;
+		}
+	}
+
+	return 0;
+}
+
 static int
 cmis_fw_update_complete_download(struct ethtool_cmis_cdb *cdb,
 				 struct net_device *dev,
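Review bot: in cmis_fw_update_write_image_epl() the EPL buffer is allocated with kmalloc_array(epl_len, sizeof(u8), GFP_KERNEL) and freed on every iteration of the block loop; allocating one ETHTOOL_CMIS_CDB_EPL_MAX_PL_LENGTH-sized buffer before the loop (or using kmemdup() on the image slice) would remove the per-block allocation and also the mismatch between the allocated size (epl_len bytes) and the type the pointer is cast to (struct cmis_cdb_write_fw_block_epl_pl, whose fw_block[] is the full maximum length). The memcpy() is bounded by epl_len so nothing overruns as written, but anyone later touching epl->fw_block with sizeof() would; a plain `u8 *` would be simpler than the single-member struct.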
@@ -238,9 +305,15 @@ cmis_fw_update_download_image(struct ethtool_cmis_cdb *cdb,
 	if (err < 0)
 		return err;
 
-	err = cmis_fw_update_write_image(cdb, fw_update, fw_mng);
-	if (err < 0)
-		return err;
+	if (fw_mng->write_mechanism == CMIS_CDB_FW_WRITE_MECHANISM_LPL) {
+		err = cmis_fw_update_write_image_lpl(cdb, fw_update, fw_mng);
+		if (err < 0)
+			return err;
+	} else {
+		err = cmis_fw_update_write_image_epl(cdb, fw_update, fw_mng);
+		if (err < 0)
+			return err;
+	}
 
 	err = cmis_fw_update_complete_download(cdb, fw_update->dev, fw_mng,
 					       &fw_update->ntf_params);
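Review bot: the two branches of the new if/else in cmis_fw_update_download_image() end in identical `if (err < 0) return err;` checks; assigning err in each branch and testing it once after the if/else is shorter and keeps the error handling in one place.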
-- 
2.53.0


* [PATCH 6.18 067/315] ethtool: pse-pd: fix missing ethnl_ops_complete()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit ab5bf428fb6bd361163c7247b92750d1d24ca2ed ]

pse_prepare_data() is missing ethnl_ops_complete() if
ethnl_req_get_phydev() returned an error. Move getting
phydev up so that we don't have to worry about this
(similar order to linkstate_prepare_data()).

Note that phydev may still be NULL (this is checked in
pse_get_pse_attributes()), the goal isn't really to avoid
the _begin() / _complete() calls, only to simplify the error
handling.

While at it propagate the original error. Why this code
overrides the error with -ENODEV but !phydev generates
-EOPNOTSUPP is unclear to me...

Fixes: 31748765bed3 ("net: ethtool: pse-pd: Target the command to the requested PHY")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/pse-pd.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/ethtool/pse-pd.c b/net/ethtool/pse-pd.c
index 24def9c9dd54bf..aa4514333d13bd 100644
--- a/net/ethtool/pse-pd.c
+++ b/net/ethtool/pse-pd.c
@@ -61,14 +61,14 @@ static int pse_prepare_data(const struct ethnl_req_info *req_base,
 	struct phy_device *phydev;
 	int ret;
 
-	ret = ethnl_ops_begin(dev);
-	if (ret < 0)
-		return ret;
-
 	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_PSE_HEADER,
 				      info->extack);
 	if (IS_ERR(phydev))
-		return -ENODEV;
+		return PTR_ERR(phydev);
+
+	ret = ethnl_ops_begin(dev);
+	if (ret < 0)
+		return ret;
 
 	ret = pse_get_pse_attributes(phydev, info->extack, data);
 
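Review bot: returning PTR_ERR(phydev) directly from pse_prepare_data() is correct now that ethnl_ops_begin() has not yet been called at that point, but note it also changes the error userspace sees for a bad PHY header from -ENODEV to whatever ethnl_req_get_phydev() produced (the commit message flags this as deliberate). The remaining error path after pse_get_pse_attributes() lies outside the hunk and must still pair the relocated ethnl_ops_begin() with ethnl_ops_complete() on both success and failure.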
-- 
2.53.0


* [PATCH 6.12 057/307] ethtool: cmis: validate start_cmd_payload_size from module
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 12c2496a71f82f63617971ca9b730dffa05cf58b ]

The CMIS firmware update code reads start_cmd_payload_size from
the module's FW Management Features CDB reply and uses it directly
as the byte count for memcpy. The destination buffer is 112 bytes
(ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH - 8). So a malicious
module (or corrupted response) can cause an OOB write later on in
cmis_fw_update_start_download().

Let's error out. If modules that expect longer LPL writes actually
exist we should revisit.

struct cmis_cdb_start_fw_download_pl's definition has to move,
no change there.

Fixes: c4f78134d45c ("ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-9-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis_fw_update.c | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/net/ethtool/cmis_fw_update.c b/net/ethtool/cmis_fw_update.c
index 48aef6220f0094..560bafd4d16864 100644
--- a/net/ethtool/cmis_fw_update.c
+++ b/net/ethtool/cmis_fw_update.c
@@ -43,6 +43,20 @@ enum cmis_cdb_fw_write_mechanism {
 	CMIS_CDB_FW_WRITE_MECHANISM_BOTH	= 0x11,
 };
 
+/* See section 9.7.2 "CMD 0101h: Start Firmware Download" in CMIS standard
+ * revision 5.2.
+ * struct cmis_cdb_start_fw_download_pl is a structured layout of the
+ * flat array, ethtool_cmis_cdb_request::payload.
+ */
+struct cmis_cdb_start_fw_download_pl {
+	__struct_group(cmis_cdb_start_fw_download_pl_h, head, /* no attrs */,
+			__be32	image_size;
+			__be32	resv1;
+	);
+	u8 vendor_data[ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH -
+		sizeof(struct cmis_cdb_start_fw_download_pl_h)];
+};
+
 static int
 cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 				   struct net_device *dev,
@@ -85,6 +99,14 @@ cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 	 */
 	cdb->read_write_len_ext = rpl->read_write_len_ext;
 	fw_mng->start_cmd_payload_size = rpl->start_cmd_payload_size;
+	if (fw_mng->start_cmd_payload_size >
+	    sizeof_field(struct cmis_cdb_start_fw_download_pl, vendor_data)) {
+		ethnl_module_fw_flash_ntf_err(dev, ntf_params,
+					      "Start cmd payload size exceeds max LPL payload",
+					      NULL);
+		return -EINVAL;
+	}
+
 	fw_mng->write_mechanism =
 		rpl->write_mechanism == CMIS_CDB_FW_WRITE_MECHANISM_LPL ?
 		CMIS_CDB_FW_WRITE_MECHANISM_LPL :
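Review bot: the new check in cmis_fw_update_fw_mng_features_get() sits after fw_mng->start_cmd_payload_size has already been assigned from the reply, so on the -EINVAL path the struct keeps the oversized value; harmless because the caller bails out, but comparing rpl->start_cmd_payload_size before the assignment (or assigning only after the check) keeps fw_mng free of unvalidated module data. Since start_cmd_payload_size is a u8 and vendor_data is 112 bytes per the commit message, the comparison cannot truncate.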
@@ -96,20 +118,6 @@ cmis_fw_update_fw_mng_features_get(struct ethtool_cmis_cdb *cdb,
 	return 0;
 }
 
-/* See section 9.7.2 "CMD 0101h: Start Firmware Download" in CMIS standard
- * revision 5.2.
- * struct cmis_cdb_start_fw_download_pl is a structured layout of the
- * flat array, ethtool_cmis_cdb_request::payload.
- */
-struct cmis_cdb_start_fw_download_pl {
-	__struct_group(cmis_cdb_start_fw_download_pl_h, head, /* no attrs */,
-			__be32	image_size;
-			__be32	resv1;
-	);
-	u8 vendor_data[ETHTOOL_CMIS_CDB_LPL_MAX_PL_LENGTH -
-		sizeof(struct cmis_cdb_start_fw_download_pl_h)];
-};
-
 static int
 cmis_fw_update_start_download(struct ethtool_cmis_cdb *cdb,
 			      struct ethtool_cmis_fw_update_params *fw_update,
-- 
2.53.0


* [PATCH 6.18 068/315] ethtool: tsconfig: fix missing ethnl_ops_complete()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vadim Fedorenko, Kory Maincent,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 6386bd772de64e6760306eb91c7e86163af6c22f ]

tsconfig_prepare_data() calls ethnl_ops_begin(), we need to call
ethnl_ops_complete() before returning the error.

Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config")
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/tsconfig.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ethtool/tsconfig.c b/net/ethtool/tsconfig.c
index 041de8687472bd..a121928038b055 100644
--- a/net/ethtool/tsconfig.c
+++ b/net/ethtool/tsconfig.c
@@ -69,8 +69,10 @@ static int tsconfig_prepare_data(const struct ethnl_req_info *req_base,
 		if (ret)
 			goto out;
 
-		if (ts_info.phc_index == -1)
-			return -ENODEV;
+		if (ts_info.phc_index == -1) {
+			ret = -ENODEV;
+			goto out;
+		}
 
 		data->hwprov_desc.index = ts_info.phc_index;
 		data->hwprov_desc.qualifier = ts_info.phc_qualifier;
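Review bot: the new `goto out` for the phc_index == -1 case matches the `if (ret) goto out;` already at the top of the hunk, so both errors in this region now reach the ethnl_ops_complete() at the out label (the label itself is outside the hunk); worth checking that no other bare `return` remains between ethnl_ops_begin() and the label in tsconfig_prepare_data(), since that is exactly the pattern that produced this bug.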
-- 
2.53.0


* [PATCH 6.12 058/307] ethtool: cmis: validate fw->size against start_cmd_payload_size
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Danielle Ratson,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit d5551f4c1800dc714cec86647bdd651ae0de923e ]

cmis_fw_update_start_download() copies start_cmd_payload_size bytes
from the firmware blob into the CDB LPL vendor_data[] payload without
validating that the FW has enough data.

Since the start_cmd_payload_size can only be ~120B an image too short
is most likely corrupted, so reject it.

Fixes: c4f78134d45c ("ethtool: cmis_fw_update: add a layer for supporting firmware update using CDB")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Danielle Ratson <danieller@nvidia.com>
Link: https://patch.msgid.link/20260522231312.1710836-10-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/cmis_fw_update.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/ethtool/cmis_fw_update.c b/net/ethtool/cmis_fw_update.c
index 560bafd4d16864..9c6d9571cf24db 100644
--- a/net/ethtool/cmis_fw_update.c
+++ b/net/ethtool/cmis_fw_update.c
@@ -129,6 +129,14 @@ cmis_fw_update_start_download(struct ethtool_cmis_cdb *cdb,
 	u8 lpl_len;
 	int err;
 
+	if (fw_update->fw->size < vendor_data_size) {
+		ethnl_module_fw_flash_ntf_err(fw_update->dev,
+					      &fw_update->ntf_params,
+					      "Firmware image too small for module's start payload",
+					      NULL);
+		return -EINVAL;
+	}
+
 	pl.image_size = cpu_to_be32(fw_update->fw->size);
 	memcpy(pl.vendor_data, fw_update->fw->data, vendor_data_size);
 
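Review bot: the new size check guards the memcpy(pl.vendor_data, fw_update->fw->data, vendor_data_size) that follows, which is the right place; the comparison is strict (`<`), so an image of exactly vendor_data_size bytes is accepted and then has no data left for the block writes after the start command. Given the commit message already treats images this short as corrupt, rejecting `<=` may be the safer bound, or a comment noting that an exact-size image is deliberately allowed.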
-- 
2.53.0


* [PATCH 6.18 069/315] ethtool: tsinfo: fix uninitialized stats on the by-PHC path
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 1de405699c62c3a9544bcdcfb9eff8a01cfc7582 ]

tsinfo_prepare_data() has two code paths: a "by-PHC" path for
user-specified hardware timestamping providers, and the old path.
Commit 89e281ebff72 ("ethtool: init tsinfo stats if requested") added
ethtool_stats_init() to mark stat slots as ETHTOOL_STAT_NOT_SET before
the driver callback populates them, but placed the call inside the
old-path block.

When commit b9e3f7dc9ed9 ("net: ethtool: tsinfo: Enhance tsinfo to
support several hwtstamp by net topology") added the by-PHC early
return, it landed above the stats initialization. On that path
the stats array retains the zero-fill from ethnl_init_reply_data()'s
zalloc. This leads to the reply including a stats nest with four
zero-valued attributes that should have been absent.

Reject GET requests for stats with HWTSTAMP_PROVIDER or dump.

Fixes: b9e3f7dc9ed9 ("net: ethtool: tsinfo: Enhance tsinfo to support several hwtstamp by net topology")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-7-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/tsinfo.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/net/ethtool/tsinfo.c b/net/ethtool/tsinfo.c
index 8c654caa6805a5..fcc28fca526d82 100644
--- a/net/ethtool/tsinfo.c
+++ b/net/ethtool/tsinfo.c
@@ -81,6 +81,11 @@ tsinfo_parse_request(struct ethnl_req_info *req_base, struct nlattr **tb,
 	if (!tb[ETHTOOL_A_TSINFO_HWTSTAMP_PROVIDER])
 		return 0;
 
+	if (req_base->flags & ETHTOOL_FLAG_STATS) {
+		NL_SET_ERR_MSG(extack, "can't query statistics for a provider");
+		return -EOPNOTSUPP;
+	}
+
 	return ts_parse_hwtst_provider(tb[ETHTOOL_A_TSINFO_HWTSTAMP_PROVIDER],
 				       &req->hwprov_desc, extack, &mod);
 }
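Review bot: the ETHTOOL_FLAG_STATS rejection in tsinfo_parse_request() sits after the `if (!tb[ETHTOOL_A_TSINFO_HWTSTAMP_PROVIDER]) return 0;` bail-out, so plain (no-provider) stats requests keep working; since the conflict is with the HWTSTAMP_PROVIDER attribute, NL_SET_ERR_MSG_ATTR(extack, tb[ETHTOOL_A_TSINFO_HWTSTAMP_PROVIDER], "...") would point userspace at the offending attribute rather than only the message.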
@@ -521,6 +526,12 @@ int ethnl_tsinfo_start(struct netlink_callback *cb)
 	if (ret < 0)
 		goto free_reply_data;
 
+	if (req_info->base.flags & ETHTOOL_FLAG_STATS) {
+		NL_SET_ERR_MSG(cb->extack, "stats not supported in dump");
+		ret = -EOPNOTSUPP;
+		goto err_dev_put;
+	}
+
 	ctx->req_info = req_info;
 	ctx->reply_data = reply_data;
 	ctx->pos_ifindex = 0;
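Review bot: the dump-side ETHTOOL_FLAG_STATS check in ethnl_tsinfo_start() lands after the request header has been parsed (the `if (ret < 0) goto free_reply_data;` above), so the new err_dev_put label is needed to drop the device reference taken by the parse; the "stats not supported in dump" message matches the GET-side rejection, so the same flag is now refused on both paths the commit message names.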
@@ -530,6 +541,8 @@ int ethnl_tsinfo_start(struct netlink_callback *cb)
 
 	return 0;
 
+err_dev_put:
+	ethnl_parse_header_dev_put(&req_info->base);
 free_reply_data:
 	kfree(reply_data);
 free_req_info:
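Review bot: label order is correct: err_dev_put falls through to free_reply_data and then free_req_info, so the new path releases the device reference, the reply data and the request info in reverse order of acquisition; any future error added between the header parse and `return 0` should jump to err_dev_put, not free_reply_data.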
-- 
2.53.0


* [PATCH 6.12 059/307] cxl/test: Update mock dev array before calling platform_device_add()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Ming, Alison Schofield,
	Dave Jiang, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Ming <ming.li@zohomail.com>

[ Upstream commit d90f236f8b9e354848bd226f581db27755ab901d ]

The CXL test environment sometimes hits the following error.

 cxl_mem mem9: endpoint7 failed probe

All mock memdevs are platform firmware devices added by the cxl_test module,
and the cxl_test module also provides a platform device driver for them to
create a memdev device in the CXL subsystem. The cxl_test module uses the
cxl_rcd/mem_single/mem arrays to store the different types of mock memdevs.
CXL drivers call the registered mock functions for a mock memdev by
checking whether a given memdev is in these arrays.

When the cxl_test module adds these mock memdevs, it always calls
platform_device_add() before adding them to a suitable mock memdev
array. However, there is a small window where the CXL drivers call a mock
function for an added memdev before it is added to a mock memdev array. In
the above case, the cxl endpoint driver considers an added memdev not to be
a mock memdev, and calls devm_cxl_endpoint_decoders_setup() for it rather
than mock_endpoint_decoders_setup().

An appropriate solution is to add a new mock device to a mock
device array before calling platform_device_add() for it. This
guarantees the new mock device is visible to the CXL subsystem.

This patch introduces a new helper called cxl_mock_platform_device_add()
to handle the issue, and uses the function for all mock device additions.

Fixes: 3a2b97b3210b ("cxl/test: Improve init-order fidelity relative to real-world systems")
Signed-off-by: Li Ming <ming.li@zohomail.com>
Tested-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Alison Schofield <alison.schofield@intel.com>
Link: https://patch.msgid.link/20260520121457.234404-1-ming.li@zohomail.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/cxl/test/cxl.c | 105 ++++++++++++++---------------------
 1 file changed, 43 insertions(+), 62 deletions(-)

diff --git a/tools/testing/cxl/test/cxl.c b/tools/testing/cxl/test/cxl.c
index 050725afa45d16..0d0c434426e7bf 100644
--- a/tools/testing/cxl/test/cxl.c
+++ b/tools/testing/cxl/test/cxl.c
@@ -1058,6 +1058,23 @@ static void mock_companion(struct acpi_device *adev, struct device *dev)
 #define SZ_64G (SZ_32G * 2)
 #endif
 
+static int cxl_mock_platform_device_add(struct platform_device *pdev,
+					struct platform_device **ppdev)
+{
+	int rc;
+
+	if (ppdev)
+		*ppdev = pdev;
+	rc = platform_device_add(pdev);
+	if (rc) {
+		platform_device_put(pdev);
+		if (ppdev)
+			*ppdev = NULL;
+	}
+
+	return rc;
+}
+
 static __init int cxl_rch_topo_init(void)
 {
 	int rc, i;
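Review bot: cxl_mock_platform_device_add() carries no comment explaining that the `*ppdev = pdev` store must precede platform_device_add() because probe, and with it the mock lookup that consults the array, can run before platform_device_add() returns; that ordering is the whole fix, and a two-line comment on the helper would keep a future refactor from reordering it. Publishing the slot first and clearing it on failure is correct, and the `if (ppdev)` guard is what makes the NULL case used for cxl_acpi below work.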
@@ -1072,13 +1089,10 @@ static __init int cxl_rch_topo_init(void)
 			goto err_bridge;
 
 		mock_companion(adev, &pdev->dev);
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_rch[i]);
+		if (rc)
 			goto err_bridge;
-		}
 
-		cxl_rch[i] = pdev;
 		mock_pci_bus[idx].bridge = &pdev->dev;
 		rc = sysfs_create_link(&pdev->dev.kobj, &pdev->dev.kobj,
 				       "firmware_node");
@@ -1130,13 +1144,10 @@ static __init int cxl_single_topo_init(void)
 			goto err_bridge;
 
 		mock_companion(adev, &pdev->dev);
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_hb_single[i]);
+		if (rc)
 			goto err_bridge;
-		}
 
-		cxl_hb_single[i] = pdev;
 		mock_pci_bus[i + NR_CXL_HOST_BRIDGES].bridge = &pdev->dev;
 		rc = sysfs_create_link(&pdev->dev.kobj, &pdev->dev.kobj,
 				       "physical_node");
@@ -1155,12 +1166,9 @@ static __init int cxl_single_topo_init(void)
 			goto err_port;
 		pdev->dev.parent = &bridge->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_root_single[i]);
+		if (rc)
 			goto err_port;
-		}
-		cxl_root_single[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_swu_single); i++) {
@@ -1173,12 +1181,9 @@ static __init int cxl_single_topo_init(void)
 			goto err_uport;
 		pdev->dev.parent = &root_port->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_swu_single[i]);
+		if (rc)
 			goto err_uport;
-		}
-		cxl_swu_single[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_swd_single); i++) {
@@ -1192,12 +1197,9 @@ static __init int cxl_single_topo_init(void)
 			goto err_dport;
 		pdev->dev.parent = &uport->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_swd_single[i]);
+		if (rc)
 			goto err_dport;
-		}
-		cxl_swd_single[i] = pdev;
 	}
 
 	return 0;
@@ -1270,12 +1272,9 @@ static int cxl_mem_init(void)
 		pdev->dev.parent = &dport->dev;
 		set_dev_node(&pdev->dev, i % 2);
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_mem[i]);
+		if (rc)
 			goto err_mem;
-		}
-		cxl_mem[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_mem_single); i++) {
@@ -1288,12 +1287,9 @@ static int cxl_mem_init(void)
 		pdev->dev.parent = &dport->dev;
 		set_dev_node(&pdev->dev, i % 2);
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_mem_single[i]);
+		if (rc)
 			goto err_single;
-		}
-		cxl_mem_single[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_rcd); i++) {
@@ -1307,12 +1303,9 @@ static int cxl_mem_init(void)
 		pdev->dev.parent = &rch->dev;
 		set_dev_node(&pdev->dev, i % 2);
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_rcd[i]);
+		if (rc)
 			goto err_rcd;
-		}
-		cxl_rcd[i] = pdev;
 	}
 
 	return 0;
@@ -1373,13 +1366,10 @@ static __init int cxl_test_init(void)
 			goto err_bridge;
 
 		mock_companion(adev, &pdev->dev);
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_host_bridge[i]);
+		if (rc)
 			goto err_bridge;
-		}
 
-		cxl_host_bridge[i] = pdev;
 		mock_pci_bus[i].bridge = &pdev->dev;
 		rc = sysfs_create_link(&pdev->dev.kobj, &pdev->dev.kobj,
 				       "physical_node");
@@ -1397,12 +1387,9 @@ static __init int cxl_test_init(void)
 			goto err_port;
 		pdev->dev.parent = &bridge->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_root_port[i]);
+		if (rc)
 			goto err_port;
-		}
-		cxl_root_port[i] = pdev;
 	}
 
 	BUILD_BUG_ON(ARRAY_SIZE(cxl_switch_uport) != ARRAY_SIZE(cxl_root_port));
@@ -1415,12 +1402,9 @@ static __init int cxl_test_init(void)
 			goto err_uport;
 		pdev->dev.parent = &root_port->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_switch_uport[i]);
+		if (rc)
 			goto err_uport;
-		}
-		cxl_switch_uport[i] = pdev;
 	}
 
 	for (i = 0; i < ARRAY_SIZE(cxl_switch_dport); i++) {
@@ -1433,12 +1417,9 @@ static __init int cxl_test_init(void)
 			goto err_dport;
 		pdev->dev.parent = &uport->dev;
 
-		rc = platform_device_add(pdev);
-		if (rc) {
-			platform_device_put(pdev);
+		rc = cxl_mock_platform_device_add(pdev, &cxl_switch_dport[i]);
+		if (rc)
 			goto err_dport;
-		}
-		cxl_switch_dport[i] = pdev;
 	}
 
 	rc = cxl_single_topo_init();
@@ -1456,9 +1437,9 @@ static __init int cxl_test_init(void)
 	mock_companion(&acpi0017_mock, &cxl_acpi->dev);
 	acpi0017_mock.dev.bus = &platform_bus_type;
 
-	rc = platform_device_add(cxl_acpi);
+	rc = cxl_mock_platform_device_add(cxl_acpi, NULL);
 	if (rc)
-		goto err_root;
+		goto err_rch;
 
 	rc = cxl_mem_init();
 	if (rc)
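Review bot: the jump target after cxl_mock_platform_device_add(cxl_acpi, NULL) changes from err_root to err_rch; because the helper now calls platform_device_put(pdev) itself on failure, unwinding through err_root (which presumably puts cxl_acpi as its first step) would double-put the device, so the label change is required rather than incidental and deserves a sentence in the commit message.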
-- 
2.53.0


* [PATCH 6.18 070/315] ethtool: tsinfo: dont pass ERR_PTR to genlmsg_cancel on prepare failure
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Kory Maincent,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit c3fc9976f686f9a95baf87db9d387f218fd65394 ]

The goto err label leads to:

	genlmsg_cancel(skb, ehdr);
	return ret;

If ethnl_tsinfo_prepare_dump() failed, it has not started a genlmsg.
There's nothing to cancel, and passing an error pointer to
genlmsg_cancel() would cause a crash.

Fixes: b9e3f7dc9ed9 ("net: ethtool: tsinfo: Enhance tsinfo to support several hwtstamp by net topology")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-8-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/tsinfo.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/ethtool/tsinfo.c b/net/ethtool/tsinfo.c
index fcc28fca526d82..53f12128a1a580 100644
--- a/net/ethtool/tsinfo.c
+++ b/net/ethtool/tsinfo.c
@@ -405,10 +405,8 @@ static int ethnl_tsinfo_dump_one_netdev(struct sk_buff *skb,
 			continue;
 
 		ehdr = ethnl_tsinfo_prepare_dump(skb, dev, reply_data, cb);
-		if (IS_ERR(ehdr)) {
-			ret = PTR_ERR(ehdr);
-			goto err;
-		}
+		if (IS_ERR(ehdr))
+			return PTR_ERR(ehdr);
 
 		reply_data->ts_info.phc_qualifier = ctx->pos_phcqualifier;
 		ret = ops->get_ts_info(dev, &reply_data->ts_info);
-- 
2.53.0


* [PATCH 6.12 060/307] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit b4bc94353050b1fa7b702bd4c6600710dd926cff ]

Sashiko found that iptunnel_pmtud_build_icmp() and
iptunnel_pmtud_build_icmpv6() were caching ip_hdr() and ipv6_hdr()
before an skb_cow() call which can reallocate skb->head.

Fix this possible UAF by initializing the local variables
after the skb_cow() call.

Remove skb_reset_network_header() calls which were not needed.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525201335.2361845-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_tunnel_core.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 507f2f9ec400ce..cf496644d3df6c 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -210,7 +210,7 @@ EXPORT_SYMBOL_GPL(iptunnel_handle_offloads);
  */
 static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 {
-	const struct iphdr *iph = ip_hdr(skb);
+	const struct iphdr *iph;
 	struct icmphdr *icmph;
 	struct iphdr *niph;
 	struct ethhdr eh;
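Review bot: `iph` is now left uninitialised at its declaration and only assigned after skb_cow(); the lines between this declaration and that assignment are not in the hunk, so it is worth confirming that no read of `iph` remains in that gap (the old code permitted one, the new code would make it undefined). A build with -Wmaybe-uninitialized should flag any such read.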
@@ -224,7 +224,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
-	skb_reset_network_header(skb);
 
 	err = pskb_trim(skb, 576 - sizeof(*niph) - sizeof(*icmph));
 	if (err)
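Review bot: dropping skb_reset_network_header() after pskb_pull(skb, ETH_HLEN) relies on the caller having already set the network header offset to the inner IP header; since skb header offsets are relative to skb->head, ip_hdr(skb) stays correct across the later skb_cow() only under that precondition. A one-line comment here stating that the network header is expected to be set on entry would save the next reader the same question. The unchecked pskb_pull() return value is pre-existing.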
@@ -234,7 +233,7 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
 	err = skb_cow(skb, sizeof(*niph) + sizeof(*icmph) + ETH_HLEN);
 	if (err)
 		return err;
-
+	iph = ip_hdr(skb);
 	icmph = skb_push(skb, sizeof(*icmph));
 	*icmph = (struct icmphdr) {
 		.type			= ICMP_DEST_UNREACH,
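Review bot: style, placing `iph = ip_hdr(skb);` on the line where the blank separator used to be makes this hunk inconsistent with the IPv6 variant in the same patch, which keeps the blank line after `return err;` and then assigns `ip6h`. Keeping the blank line here too would make the two functions read the same. Functionally the order is right: the skb_push() below does not move skb->head, so `iph` remains valid while `icmph` is filled in.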
@@ -306,7 +305,7 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
  */
 static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 {
-	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+	const struct ipv6hdr *ip6h;
 	struct icmp6hdr *icmp6h;
 	struct ipv6hdr *nip6h;
 	struct ethhdr eh;
@@ -321,7 +320,6 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 
 	skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
 	pskb_pull(skb, ETH_HLEN);
-	skb_reset_network_header(skb);
 
 	err = pskb_trim(skb, IPV6_MIN_MTU - sizeof(*nip6h) - sizeof(*icmp6h));
 	if (err)
@@ -332,6 +330,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
 	if (err)
 		return err;
 
+	ip6h = ipv6_hdr(skb);
 	icmp6h = skb_push(skb, sizeof(*icmp6h));
 	*icmp6h = (struct icmp6hdr) {
 		.icmp6_type		= ICMPV6_PKT_TOOBIG,
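Review bot: `ip6h = ipv6_hdr(skb);` is correctly placed after the skb_cow() error check, and the skb_push() for `icmp6h` that follows does not reallocate, so `ip6h` stays valid through the ICMPv6 build. Any further pskb_* call in this function before the last use of `ip6h` would reintroduce the same class of bug; the remainder of the function is not in the hunk, so that is worth a quick look.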
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 071/315] ethtool: strset: fix header attribute index in ethnl_req_get_phydev()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 070/315] ethtool: tsinfo: dont pass ERR_PTR to genlmsg_cancel on prepare failure Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 072/315] ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit a8d8bef6b45bf7cc0b1f6110c5cd8d0160a9bad7 ]

strset_prepare_data() passes ETHTOOL_A_HEADER_FLAGS (3) as the header
attribute to ethnl_req_get_phydev(). This is incorrect, in the main
attr space 3 is ETHTOOL_A_STRSET_COUNTS_ONLY, not the request
header attr. The correct constant is ETHTOOL_A_STRSET_HEADER (1).

ethnl_req_get_phydev() only uses this value for the extack,
so this is not a "functionally visible"(?) bug.

Fixes: e96c93aa4be9 ("net: ethtool: strset: Allow querying phy stats by index")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-9-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/strset.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c
index f6a67109beda1b..872ca593b97668 100644
--- a/net/ethtool/strset.c
+++ b/net/ethtool/strset.c
@@ -309,7 +309,7 @@ static int strset_prepare_data(const struct ethnl_req_info *req_base,
 		return 0;
 	}
 
-	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_HEADER_FLAGS,
+	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_STRSET_HEADER,
 				      info->extack);
 
 	/* phydev can be NULL, check for errors only */
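Review bot: ETHTOOL_A_STRSET_HEADER is the right attribute for this command, but the call site still spells out a per-command constant that the compiler cannot check against the attribute space of `tb`, which is exactly how the wrong one slipped in. If the strset request ops already carry the header attribute (ethnl_request_ops has a hdr_attr field in recent kernels), deriving it from there would remove the chance of the same mix-up at other ethnl_req_get_phydev() callers.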
-- 
2.53.0





* [PATCH 6.12 061/307] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 060/307] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 062/307] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
                   ` (245 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 7d9ef0cb271555d8cf39fefe6c981e1493b25ecf ]

skb_tunnel_check_pmtu() can change skb->head.

Reusing old_iph after skb_tunnel_check_pmtu() can cause a UAF.

Use ip_hdr(skb) instead, as done in drivers/net/bareudp.c
and drivers/net/geneve.c.

Found by Sashiko.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525203642.2389723-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan/vxlan_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index ed428293b0e579..765d25eee2fe48 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2541,7 +2541,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
 				      vni, md, flags, udp_sum);
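Review bot: evaluating ip_hdr(skb) at the call is right, since skb_tunnel_check_pmtu() may have reallocated skb->head, but `old_iph` is still a live local in vxlan_xmit_one(); the region between the pmtu check and this line is not in the hunk, so any remaining `old_iph` read there carries the same UAF. Worth grepping the function for other post-pmtu-check uses (tos/ttl derivations earlier in the function are fine only if they precede the check).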
@@ -2601,7 +2601,7 @@ void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
 			goto out_unlock;
 		}
 
-		tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+		tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
 		ttl = ttl ? : ip6_dst_hoplimit(ndst);
 		skb_scrub_packet(skb, xnet);
 		err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),
-- 
2.53.0





* [PATCH 6.18 072/315] ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 071/315] ethtool: strset: fix header attribute index in ethnl_req_get_phydev() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 073/315] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 2376586f85f972fefe701f095bb37dcfe7405d21 ]

All ethtool driver op calls should be sandwiched between
ethnl_ops_begin() / ethnl_ops_complete(). In Netlink eeprom code,
if the paged access failed we fall back to old API, but we
first call _complete() and the fallback never does its own
ethnl_ops_begin(). Move the fallback into the _begin() / _complete()
section.

Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-10-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/eeprom.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
index 3b8209e930fd3a..03cb418a15823b 100644
--- a/net/ethtool/eeprom.c
+++ b/net/ethtool/eeprom.c
@@ -140,12 +140,11 @@ static int eeprom_prepare_data(const struct ethnl_req_info *req_base,
 	return 0;
 
 err_ops:
+	if (ret == -EOPNOTSUPP)
+		ret = eeprom_fallback(request, reply);
 	ethnl_ops_complete(dev);
 err_free:
 	kfree(page_data.data);
-
-	if (ret == -EOPNOTSUPP)
-		return eeprom_fallback(request, reply);
 	return ret;
 }
 
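Review bot: moving eeprom_fallback() ahead of ethnl_ops_complete() is correct, but two things not visible in the hunk should be confirmed: that eeprom_fallback() does not itself call ethnl_ops_begin() (it would now nest inside an open section), and that -EOPNOTSUPP cannot reach `err_free` without passing through `err_ops`. In the old code a `goto err_free` with -EOPNOTSUPP still attempted the fallback; after this change it returns the error directly, which is a small behaviour change worth a sentence in the message.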
-- 
2.53.0





* [PATCH 6.12 062/307] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 061/307] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 063/307] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Damiano Melotti, Eric Dumazet,
	Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 509323077ef79a26ba0c60bb556e45c12c398b2d ]

In some cases, iptunnel_pmtud_check_icmp() can be called while
skb transport header is not set.

This triggers an out-of-bound access, because
(typeof(skb->transport_header))~0U is 65535.

Access the icmp header based on IPv4 network header,
after making sure icmp->type is present in skb linear part.

Note that iptunnel_pmtud_check_icmpv6() is fine.

Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260522115512.1519110-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_tunnel_core.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index cf496644d3df6c..d0ceb86e1687a7 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -278,7 +278,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
  */
 static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 {
-	const struct icmphdr *icmph = icmp_hdr(skb);
 	const struct iphdr *iph = ip_hdr(skb);
 
 	if (mtu < 576 || iph->frag_off != htons(IP_DF))
@@ -289,9 +288,17 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
 	    ipv4_is_lbcast(iph->saddr)  || ipv4_is_multicast(iph->saddr))
 		return 0;
 
-	if (iph->protocol == IPPROTO_ICMP && icmp_is_err(icmph->type))
-		return 0;
+	if (iph->protocol == IPPROTO_ICMP) {
+		const struct icmphdr *icmph;
 
+		if (!pskb_network_may_pull(skb, iph->ihl * 4 +
+						offsetofend(struct icmphdr, type)))
+			return 0;
+		iph = ip_hdr(skb);
+		icmph = (void *)iph + iph->ihl * 4;
+		if (icmp_is_err(icmph->type))
+			return 0;
+	}
 	return iptunnel_pmtud_build_icmp(skb, mtu);
 }
 
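Review bot: reloading `iph = ip_hdr(skb)` after pskb_network_may_pull() is needed because the pull may reallocate the head, good. Two assumptions the hunk does not show: the reads of `iph->frag_off` and `iph->saddr` above happen before any pull, so they rely on the 20-byte IPv4 header already being linear; and `iph->ihl * 4` is used without an `ihl >= 5` sanity check, so this relies on the receive path having validated ihl before the packet reaches the tunnel code. A comment stating both would help.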
-- 
2.53.0
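A user-space model of the ICMP lookup the hunk above introduces, added here as an illustration and not code from the kernel or from the patch: it locates the ICMP type byte through the IPv4 ihl field, refuses to read it unless it lies within the linear length, and contrasts that with a reader that assumes a fixed 20-byte header. The sample packets are constructed by hand (not captured traffic), the mtu, DF and address-class checks of iptunnel_pmtud_check_icmp() are deliberately not modelled, and the function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol number as IANA assigns it; the name is this example's own.
 * icmp_is_err() in the kernel covers DEST_UNREACH (3), SOURCE_QUENCH (4),
 * REDIRECT (5), TIME_EXCEEDED (11) and PARAMETERPROB (12). */
#define PROTO_ICMP 1

/* Constructed sample packets (hand-built, not captured traffic).
 * Byte 0 = version/ihl, byte 8 = TTL, byte 9 = protocol; all other
 * bytes are zero, which is harmless for this demonstration. */
const uint8_t sample_echo[28]         = { [0] = 0x45, [8] = 64, [9] = PROTO_ICMP, [20] = 8 };
const uint8_t sample_opts_unreach[32] = { [0] = 0x46, [8] = 64, [9] = PROTO_ICMP, [24] = 3 };
const uint8_t sample_truncated[20]    = { [0] = 0x45, [8] = 64, [9] = PROTO_ICMP };
const uint8_t sample_tcp[40]          = { [0] = 0x45, [8] = 64, [9] = 6 };

/* ICMP type located through the IPv4 header length, the way the hunk now
 * does it: ihl * 4 + offsetofend(struct icmphdr, type), the latter being 1.
 * Returns -1 if the packet is not ICMP or the type byte is not within the
 * first `len` bytes (the kernel's "linear part"). */
int icmp_type_via_ihl(const uint8_t *pkt, size_t len)
{
	if (len < 20)
		return -1;
	size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
	if (ihl < 20)
		return -1;          /* malformed header length */
	if (pkt[9] != PROTO_ICMP)
		return -1;
	if (len < ihl + 1)
		return -1;          /* type byte not linear: do not touch it */
	return pkt[ihl];
}

/* What a reader that assumes an option-less 20-byte header (or trusts a
 * stale transport header offset) sees instead. */
int icmp_type_at_fixed_offset(const uint8_t *pkt, size_t len)
{
	return len > 20 ? pkt[20] : -1;
}

bool icmp_type_is_err(int type)
{
	switch (type) {
	case 3: case 4: case 5: case 11: case 12:
		return true;
	default:
		return false;
	}
}

/* The ICMP-related decision of the patched iptunnel_pmtud_check_icmp():
 * true means "go on and build a PMTU error", false means "return 0". */
bool pmtud_should_build_icmp(const uint8_t *pkt, size_t len)
{
	if (len < 20)
		return false;
	if (pkt[9] != PROTO_ICMP)
		return true;        /* not ICMP: nothing to inspect */
	int type = icmp_type_via_ihl(pkt, len);
	if (type < 0)
		return false;       /* could not pull the type byte: bail out */
	return !icmp_type_is_err(type);
}

int main(void)
{
	printf("echo request:       type %d, build=%d\n",
	       icmp_type_via_ihl(sample_echo, sizeof sample_echo),
	       pmtud_should_build_icmp(sample_echo, sizeof sample_echo));
	printf("unreach + options:  type %d (fixed-offset read says %d), build=%d\n",
	       icmp_type_via_ihl(sample_opts_unreach, sizeof sample_opts_unreach),
	       icmp_type_at_fixed_offset(sample_opts_unreach, sizeof sample_opts_unreach),
	       pmtud_should_build_icmp(sample_opts_unreach, sizeof sample_opts_unreach));
	printf("header only:        type %d, build=%d\n",
	       icmp_type_via_ihl(sample_truncated, sizeof sample_truncated),
	       pmtud_should_build_icmp(sample_truncated, sizeof sample_truncated));
	printf("tcp:                build=%d\n",
	       pmtud_should_build_icmp(sample_tcp, sizeof sample_tcp));
	return 0;
}
```

The packet with IPv4 options is the interesting case: the byte at fixed offset 20 is an option byte (0, which would read as an echo reply), while the ihl-derived lookup finds the real Destination Unreachable type and suppresses the PMTU error as the patched function intends.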





* [PATCH 6.18 073/315] ethtool: eeprom: add more safeties to EEPROM Netlink fallback
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 072/315] ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 074/315] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 67cfdd9210b99f260b3e0afeb9525e0acc7be31e ]

The Netlink fallback path for reading module EEPROM
(fallback_set_params()) validates that offset < eeprom_len,
but does not check that offset + length stays within eeprom_len.
The ioctl equivalent (ethtool_get_any_eeprom() in ioctl.c) has
always enforced both bounds:

  if (eeprom.offset + eeprom.len > total_len)
      return -EINVAL;

This could lead to surprises in both drivers and device FW.
Add the missing offset + length validation to fallback_set_params(),
mirroring the ioctl.

Similarly - ethtool core in general, and ethtool_get_any_eeprom()
in particular tries to zero-init all buffers passed to the drivers
to avoid any extra work of zeroing things out. eeprom_fallback()
uses a plain kmalloc(), change it to zalloc.

Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-11-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/eeprom.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
index 03cb418a15823b..80af38a6c76acf 100644
--- a/net/ethtool/eeprom.c
+++ b/net/ethtool/eeprom.c
@@ -43,6 +43,9 @@ static int fallback_set_params(struct eeprom_req_info *request,
 	if (offset >= modinfo->eeprom_len)
 		return -EINVAL;
 
+	if (length > modinfo->eeprom_len - offset)
+		return -EINVAL;
+
 	eeprom->cmd = ETHTOOL_GMODULEEEPROM;
 	eeprom->len = length;
 	eeprom->offset = offset;
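Review bot: writing the bound as `length > modinfo->eeprom_len - offset` rather than the ioctl's `offset + len > total_len` is the better form: the `offset >= eeprom_len` check just above guarantees the subtraction cannot underflow, and the comparison cannot wrap for a large `length`. That ordering is load-bearing, so a short comment (or folding both conditions into one `if`) would stop a future reorder from reintroducing a wrap. Whether `length == 0` should be rejected as well is not addressed here; the ioctl path's handling of zero-length requests is not shown.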
@@ -68,7 +71,7 @@ static int eeprom_fallback(struct eeprom_req_info *request,
 	if (err < 0)
 		return err;
 
-	data = kmalloc(eeprom.len, GFP_KERNEL);
+	data = kzalloc(eeprom.len, GFP_KERNEL);
 	if (!data)
 		return -ENOMEM;
 	err = ethtool_get_module_eeprom_call(dev, &eeprom, data);
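Review bot: kzalloc() here also closes a potential information leak, not just the driver-surprise case: if a driver fills fewer than `eeprom.len` bytes, the remainder would otherwise be uninitialised kernel heap handed back to user space. Worth stating that in the commit message, since `eeprom.len` is now bounded by fallback_set_params() but the driver is still trusted for how much of the buffer it writes.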
-- 
2.53.0
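The bounds check from the first hunk above, next to the additive form the commit message quotes from the ioctl path, as an added stand-alone example (not kernel code and not the patch author's): it shows a request where the addition wraps and the bounded form does not, then runs a guarded read against a constructed 256-byte EEPROM image. The 32-bit field widths are an assumption taken from the uapi struct ethtool_eeprom; whether the real ioctl path has further guards against such a wrap is not shown on this page, so nothing here claims it is exploitable.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: offset, len and the module's eeprom_len are 32-bit unsigned,
 * as the fields of uapi struct ethtool_eeprom are. Names are this example's. */

/* The bound the commit message quotes from the ioctl path, written
 * literally: with 32-bit operands the addition can wrap to a small value. */
bool eeprom_range_ok_additive(uint32_t offset, uint32_t len, uint32_t total)
{
	return offset + len <= total;
}

/* The fallback after this patch: offset >= eeprom_len is rejected first,
 * then len is compared with the remaining space. No wrap is possible. */
bool eeprom_range_ok_bounded(uint32_t offset, uint32_t len, uint32_t total)
{
	if (offset >= total)
		return false;
	return len <= total - offset;
}

/* A request on which the two forms disagree is one the additive check
 * lets through although it does not fit. */
bool eeprom_checks_disagree(uint32_t offset, uint32_t len, uint32_t total)
{
	return eeprom_range_ok_additive(offset, len, total) !=
	       eeprom_range_ok_bounded(offset, len, total);
}

/* Constructed 256-byte module EEPROM image: byte i holds the value i. */
#define EEPROM_TOTAL 256u

static uint8_t eeprom_image_byte(uint32_t i)
{
	return (uint8_t)i;
}

/* Model of the guarded read: validate with the bounded check, then sum the
 * bytes that would be copied out. Returns -1 when the request is rejected. */
long eeprom_read_sum(uint32_t offset, uint32_t len)
{
	if (!eeprom_range_ok_bounded(offset, len, EEPROM_TOTAL))
		return -1;
	long sum = 0;
	for (uint32_t i = 0; i < len; i++)
		sum += eeprom_image_byte(offset + i);
	return sum;
}

int main(void)
{
	const struct { uint32_t offset, len; } reqs[] = {
		{ 0, 256 }, { 255, 1 }, { 255, 2 }, { 256, 0 }, { 1, 0xffffffffu },
	};

	printf("offset      len         additive  bounded  read_sum\n");
	for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
		uint32_t o = reqs[i].offset, l = reqs[i].len;

		printf("%-10u  %-10u  %-8s  %-7s  %ld\n", o, l,
		       eeprom_range_ok_additive(o, l, EEPROM_TOTAL) ? "accept" : "reject",
		       eeprom_range_ok_bounded(o, l, EEPROM_TOTAL) ? "accept" : "reject",
		       eeprom_read_sum(o, l));
	}
	return 0;
}
```

The request {offset 1, len 0xffffffff} is the one to look at: the 32-bit sum wraps to 0, so the additive form accepts it, while the bounded form rejects it because 0xffffffff exceeds the 255 bytes remaining after offset 1.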





* [PATCH 6.12 063/307] ASoC: codecs: simple-mux: Fix enum control bounds check
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 062/307] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 064/307] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit f63ad68e18d774a5d15cd7e405ead63f6b322679 ]

simple_mux_control_put() rejects values greater than e->items, but
enum control values are zero based. For the two-entry mux used by this
driver, valid values are 0 and 1, so value 2 must be rejected as well.

Accepting e->items can store an invalid mux state, pass it to the GPIO
setter, and pass it on to the DAPM mux update path where it is used as
an index into the enum text array.

Use the same >= e->items check used by the ASoC enum helpers.

Fixes: 342fbb7578d1 ("ASoC: add simple-mux")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260527-asoc-simple-mux-enum-bounds-v1-1-3f805b9fc671@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/simple-mux.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/codecs/simple-mux.c b/sound/soc/codecs/simple-mux.c
index 240af0563283e5..4c94087a246e16 100644
--- a/sound/soc/codecs/simple-mux.c
+++ b/sound/soc/codecs/simple-mux.c
@@ -49,7 +49,7 @@ static int simple_mux_control_put(struct snd_kcontrol *kcontrol,
 	struct snd_soc_component *c = snd_soc_dapm_to_component(dapm);
 	struct simple_mux *priv = snd_soc_component_get_drvdata(c);
 
-	if (ucontrol->value.enumerated.item[0] > e->items)
+	if (ucontrol->value.enumerated.item[0] >= e->items)
 		return -EINVAL;
 
 	if (priv->mux == ucontrol->value.enumerated.item[0])
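Review bot: `>=` is the right bound, and `ucontrol->value.enumerated.item[0]` is an unsigned field, so no lower-bound check is needed. Since the message says the ASoC enum helpers already implement this check, consider whether the driver could reuse the generic helper instead of open-coding the validation, which is how the off-by-one crept in.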
-- 
2.53.0





* [PATCH 6.18 074/315] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 073/315] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 075/315] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rahul Chandelkar, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rahul Chandelkar <rc@rexion.ai>

[ Upstream commit 9d5e7a46a9f6d8f503b41bfefef70659845f1679 ]

ipv6_rpl_srh_decompress() computes:

    outhdr->hdrlen = (((n + 1) * sizeof(struct in6_addr)) >> 3);

hdrlen is __u8. For n >= 127 the result exceeds 255 and silently
truncates. With n=127 (cmpri=15, cmpre=15, pad=0, hdrlen=16):

    (128 * 16) >> 3 = 256, truncated to 0 as __u8

The caller in ipv6_rpl_srh_rcv() then places the compressed header
at buf + ((ohdr->hdrlen + 1) << 3). With hdrlen=0 this is buf + 8,
but the decompressed region occupies buf[0..2055] (8-byte header
plus 128 full addresses). The compressed header overlaps the
decompressed data, and ipv6_rpl_srh_compress() writes into this
overlap, corrupting the routing header of the forwarded packet.

The existing guard at exthdrs.c:546 checks (n + 1) > 255, which
prevents n+1 from overflowing unsigned char (the segments_left
field), but does not prevent the computed hdrlen from overflowing
__u8. n=127 passes because 128 <= 255, yet hdrlen=256 does not
fit.

Tighten the bound to (n + 1) > 127. This caps n at 126, giving
hdrlen = (127 * 16) >> 3 = 254, which fits in __u8. The compressed
header then lands at buf + ((254 + 1) << 3) = buf + 2040, exactly
past the decompressed region (buf[0..2039]). No overlap. 127
segments is well beyond any realistic RPL deployment.

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Signed-off-by: Rahul Chandelkar <rc@rexion.ai>
Link: https://patch.msgid.link/20260525154031.2290876-1-rc@rexion.ai
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/exthdrs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index d15e6094382094..830131b427f098 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -544,7 +544,7 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
 	 * unsigned char which is segments_left field. Should not be
 	 * higher than that.
 	 */
-	if (r || (n + 1) > 255) {
+	if (r || (n + 1) > 127) {
 		kfree_skb(skb);
 		return -1;
 	}
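Review bot: the comment directly above this check (`unsigned char which is segments_left field. Should not be higher than that.`) now explains the wrong limit: 127 comes from keeping `outhdr->hdrlen` (a __u8 in 8-octet units) within 255 for (n + 1) 16-byte addresses, not from segments_left. Update the comment, and prefer deriving the bound from the types (an expression in terms of sizeof(struct in6_addr) and U8_MAX) over the bare literal 127, so the next change to the header layout cannot silently reopen the gap.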
-- 
2.53.0
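The hdrlen arithmetic from the commit message above, carried through as an added user-space example (not code from the kernel or from the patch author): it recomputes hdrlen with the __u8 truncation made explicit, derives where ipv6_rpl_srh_rcv() would place the compressed header, and checks for overlap with the decompressed region under both the old and the new guard. The 16-byte address and 8-byte fixed header sizes are taken from the message; the macro and function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes quoted in the commit message: a 16-byte IPv6 address and an 8-byte
 * fixed RPL SRH header; hdrlen is a __u8 counted in 8-octet units.
 * These names are this example's own, not the kernel's. */
#define IN6_ADDR_LEN   16u
#define RPL_FIXED_HDR   8u

/* hdrlen as ipv6_rpl_srh_decompress() computes it, with the silent
 * truncation to __u8 made explicit by the cast. */
uint8_t rpl_hdrlen_u8(unsigned n)
{
	return (uint8_t)(((n + 1) * IN6_ADDR_LEN) >> 3);
}

/* Offset at which ipv6_rpl_srh_rcv() places the compressed header:
 * buf + ((hdrlen + 1) << 3), using the truncated value. */
size_t rpl_compressed_offset(unsigned n)
{
	return ((size_t)rpl_hdrlen_u8(n) + 1) << 3;
}

/* Bytes the decompressed header really occupies: 8 + (n + 1) * 16. */
size_t rpl_decompressed_len(unsigned n)
{
	return RPL_FIXED_HDR + (size_t)(n + 1) * IN6_ADDR_LEN;
}

/* True when the compressed header lands inside the decompressed region,
 * which is the corruption the patch prevents. */
bool rpl_overlaps(unsigned n)
{
	return rpl_compressed_offset(n) < rpl_decompressed_len(n);
}

/* The guard before and after the patch (r == 0 assumed; the hunk only
 * changes the bound on n). */
bool rpl_guard_old_accepts(unsigned n) { return n + 1 <= 255; }
bool rpl_guard_new_accepts(unsigned n) { return n + 1 <= 127; }

/* Smallest n the old guard accepts that overlaps, or -1 if none. */
int rpl_first_overlapping_n_old(void)
{
	for (unsigned n = 0; rpl_guard_old_accepts(n); n++)
		if (rpl_overlaps(n))
			return (int)n;
	return -1;
}

/* Does any n admitted by the new guard overlap? */
bool rpl_new_guard_has_overlap(void)
{
	for (unsigned n = 0; rpl_guard_new_accepts(n); n++)
		if (rpl_overlaps(n))
			return true;
	return false;
}

int main(void)
{
	static const unsigned samples[] = { 1, 126, 127, 200 };

	printf("  n  hdrlen(u8)  compressed@  decompressed  overlap  old  new\n");
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned n = samples[i];

		printf("%3u  %10u  %11zu  %12zu  %-7s  %-3s  %s\n", n,
		       rpl_hdrlen_u8(n), rpl_compressed_offset(n),
		       rpl_decompressed_len(n),
		       rpl_overlaps(n) ? "yes" : "no",
		       rpl_guard_old_accepts(n) ? "ok" : "rej",
		       rpl_guard_new_accepts(n) ? "ok" : "rej");
	}
	printf("first overlapping n under old guard: %d\n",
	       rpl_first_overlapping_n_old());
	return 0;
}
```

For n = 127 the truncated hdrlen is 0, so the compressed header is placed at offset 8 while the decompressed header occupies 2056 bytes, matching the message's buf[0..2055]; for n = 126 the offset is 2040 and the region is exactly 2040 bytes, so the two abut with no overlap.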





* [PATCH 6.12 064/307] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 063/307] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 065/307] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhao Dongdong,
	Luiz Augusto von Dentz, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhao Dongdong <zhaodongdong@kylinos.cn>

[ Upstream commit 3c40d381ce04f9575a5d8b542898183c3b4b38dc ]

The skb_clone() function can return NULL if memory allocation fails.
send_mcast_pkt() calls skb_clone() without checking the return value, which
can lead to a NULL pointer dereference in send_pkt() when it dereferences
skb->data.

Add a NULL check after skb_clone() and skip the peer if the clone fails.

Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/6lowpan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index e5186a438290ae..03f0b5d27b60d3 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -485,6 +485,8 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
 			int ret;
 
 			local_skb = skb_clone(skb, GFP_ATOMIC);
+			if (!local_skb)
+				continue;
 
 			BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
 			       netdev->name,
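Review bot: `continue` on clone failure silently skips that peer; the loop already has a BT_DBG for the successful path, so a debug message or a tx_dropped increment on this branch would make the lost multicast delivery observable. Also check how `ret` (declared in the visible context) is aggregated: after this change a peer can be skipped without `ret` being set, so the function's return value may not reflect the partial failure.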
-- 
2.53.0





* [PATCH 6.18 075/315] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 074/315] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 076/315] net: hibmcge: disable Relaxed Ordering to fix RX packet corruption Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ji-Soo Chung, Gerlinde, zyc zyc,
	Manas Ghandat, Stephen Hemminger, Jamal Hadi Salim, Paolo Abeni,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit eda0b7f203bb166c98d1418b204135bd566ac83b ]

This reverts commit ec8e0e3d7adef940cdf9475e2352c0680189d14e.

The original patch rejects any tree containing two netems when
either has duplication set, even when they sit on unrelated classes
of the same classful parent. That broke configurations that have
worked since netem was introduced.

The re-entrancy problem the original commit was trying to solve is
handled by a later patch using the tc_depth flag.

Doing this revert will (re)expose the original bug with multiple
netem duplication. When this patch is backported, make sure
to get the full series.

Fixes: ec8e0e3d7ade ("net/sched: Restrict conditions for adding duplicating netems to qdisc tree")
Reported-by: Ji-Soo Chung <jschung2@proton.me>
Reported-by: Gerlinde <lrGerlinde@mailfence.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220774
Reported-by: zyc zyc <zyc199902@zohomail.cn>
Closes: https://lore.kernel.org/all/19adda5a1e2.12410b78222774.9191120410578703463@zohomail.cn/
Reported-by: Manas Ghandat <ghandatmanas@gmail.com>
Closes: https://lore.kernel.org/netdev/f69b2c8f-8325-4c2e-a011-6dbc089f30e4@gmail.com/
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-3-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_netem.c | 40 ----------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 47db6da905c585..73b3a8ce2f4350 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -1006,41 +1006,6 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
 	return 0;
 }
 
-static const struct Qdisc_class_ops netem_class_ops;
-
-static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
-			       struct netlink_ext_ack *extack)
-{
-	struct Qdisc *root, *q;
-	unsigned int i;
-
-	root = qdisc_root_sleeping(sch);
-
-	if (sch != root && root->ops->cl_ops == &netem_class_ops) {
-		if (duplicates ||
-		    ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
-			goto err;
-	}
-
-	if (!qdisc_dev(root))
-		return 0;
-
-	hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
-		if (sch != q && q->ops->cl_ops == &netem_class_ops) {
-			if (duplicates ||
-			    ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
-				goto err;
-		}
-	}
-
-	return 0;
-
-err:
-	NL_SET_ERR_MSG(extack,
-		       "netem: cannot mix duplicating netems with other netems in tree");
-	return -EINVAL;
-}
-
 /* Parse netlink message to set options */
 static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 			struct netlink_ext_ack *extack)
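Review bot: this hunk removes the only guard against nested duplicating netems; the commit message says the re-entrancy bug is handled instead by a later tc_depth patch and that backports must take the full series. For this stable submission, confirm that the tc_depth follow-up is present in the same review batch, otherwise the revert alone re-opens the recursion the reverted commit was fixing.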
@@ -1117,11 +1082,6 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 	q->gap = qopt->gap;
 	q->counter = 0;
 	q->loss = qopt->loss;
-
-	ret = check_netem_in_tree(sch, qopt->duplicate, extack);
-	if (ret)
-		goto unlock;
-
 	q->duplicate = qopt->duplicate;
 
 	/* for compatibility with earlier versions.
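Review bot: with the `ret = check_netem_in_tree(...)` assignment and its `goto unlock` gone, verify that `ret` is still initialised on every path that reaches `unlock` and that the `unlock` label still has another user; a label left without references produces an unused-label warning.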
-- 
2.53.0





* [PATCH 6.12 065/307] bonding: refuse to enslave CAN devices
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 064/307] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 066/307] ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+8ed98cbd0161632bce95,
	Oliver Hartkopp, Jay Vosburgh, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

[ Upstream commit 8ba68464e4787b6a7ec938826e16124df20fd23d ]

syzbot reported a kernel paging request crash in
can_rx_unregister() inside net/can/af_can.c. The crash occurs
because a virtual CAN device (vxcan) is being enslaved to a
bonding master.

During the enslavement process, the bonding driver mutates
and modifies the network device states to fit an Ethernet-like
aggregation model. However, CAN devices operate on a completely
different Layer 2 architecture, relying on the CAN mid-layer
private data structure (can_ml_priv) instead of standard
Ethernet structures. Since bonding does not initialize or
maintain these CAN structures, subsequent operations on the
half-enslaved interface (such as closing associated sockets
via isotp_release) lead to a null-pointer dereference when
accessing the CAN receiver lists.

Bonding CAN interfaces is architecturally invalid as CAN lacks
MAC addresses, ARP capabilities, and standard Ethernet
link-layer mechanisms. While generic loopback devices are
blocked globally in net/core/dev.c, virtual CAN devices
bypass this check because they do not carry the IFF_LOOPBACK
flag, despite acting as local software-loopbacks.

Fix this by explicitly blocking network devices of type
ARPHRD_CAN from being enslaved at the very beginning of
bond_enslave(). This prevents illegal state mutations,
eliminates the resulting KASAN crashes, and avoids potential
memory leaks from incomplete socket cleanups.

As the CAN support has been added a long time after bonding,
the Fixes-tag points to the introduction of ARPHRD_CAN that
would have needed specific handling in bonding_main.c.

Fixes: cd05acfe65ed ("[CAN]: Allocate protocol numbers for PF_CAN")
Reported-by: syzbot+8ed98cbd0161632bce95@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8ed98cbd0161632bce95
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20260526-bonding-candev-v1-1-ba1df400918a@hartkopp.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/bonding/bond_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 1b2cd7f870353c..c6b114946d9a5a 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1927,6 +1927,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
 	int link_reporting;
 	int res = 0, i;
 
+	if (slave_dev->type == ARPHRD_CAN) {
+		BOND_NL_ERR(bond_dev, extack,
+			    "CAN devices cannot be enslaved");
+		return -EPERM;
+	}
+
 	if (slave_dev->flags & IFF_MASTER &&
 	    !netif_is_bond_master(slave_dev)) {
 		BOND_NL_ERR(bond_dev, extack,
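Review bot: returning -EPERM reports a permission problem, while the condition is a device-type mismatch; -EINVAL or -EOPNOTSUPP is the more conventional code for an unsupported slave type. Check which code the neighbouring IFF_MASTER rejection just below returns and use the same one for consistency. The check also only covers ARPHRD_CAN; if other non-Ethernet ARPHRD types can reach the same path, an allow-list of supported types would be the more general fix, though that goes beyond this syzbot report.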
-- 
2.53.0





* [PATCH 6.18 076/315] net: hibmcge: disable Relaxed Ordering to fix RX packet corruption
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 075/315] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57   ` [PATCH 6.12 073/307] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
                   ` (240 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jijie Shao, Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jijie Shao <shaojijie@huawei.com>

[ Upstream commit 463a1271aa26eac992851b9d98cc75bc3cd4a1ed ]

When SMMU is disabled, the hibmcge driver may receive corrupted packets.
The hardware writes packet data and descriptors to the same page, but
with Relaxed Ordering enabled, PCI write transactions may not be
strictly ordered. This can cause the driver to observe a valid
descriptor before the corresponding packet data is fully written.

Fix this by clearing PCI_EXP_DEVCTL_RELAX_EN in the PCI bridge control
register to ensure strict write ordering between packet data and
descriptors.

Fixes: f72e25594061 ("net: hibmcge: Implement rx_poll function to receive packets")
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Link: https://patch.msgid.link/20260525144525.94884-2-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c b/drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c
index 0b92a2e5e98694..cf0f14aa014cf8 100644
--- a/drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c
+++ b/drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c
@@ -420,6 +420,9 @@ static int hbg_pci_init(struct pci_dev *pdev)
 		return -ENOMEM;
 
 	pci_set_master(pdev);
+	pcie_capability_clear_word(pdev, PCI_EXP_DEVCTL,
+				   PCI_EXP_DEVCTL_RELAX_EN);
+	pci_save_state(pdev);
 	return 0;
 }
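Review bot: the hunk clears PCI_EXP_DEVCTL_RELAX_EN in pdev's own Device Control register, whereas the commit message says "the PCI bridge control register"; one of the two should be corrected so the description matches what hbg_pci_init() does. The return value of pcie_capability_clear_word() is dropped; that is tolerable because the following pci_save_state() makes the cleared bit survive a later pci_restore_state() after reset or resume, but a dev_warn() on failure would make a silently still-enabled Relaxed Ordering visible in the logs instead of reappearing as RX corruption.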
 
-- 
2.53.0





* [PATCH 6.12 066/307] ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 7281b096b072f6c6e30420e3467d738f2e4c4b57 ]

ethnl_update_profile() walks the ETHTOOL_A_PROFILE_IRQ_MODERATION
nest list with an index 'i' and writes new_profile[i++] without
bounding i. The destination is kmemdup()'d at NET_DIM_PARAMS_NUM_PROFILES
entries (5), but the Netlink nest count is entirely user-controlled.
Netlink policies do not have support for constraining the number
of nested entries (or number of multi-attr entries).

Fixes: f750dfe825b9 ("ethtool: provide customized dim profile management")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/coalesce.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ethtool/coalesce.c b/net/ethtool/coalesce.c
index 3e18ca1ccc5ef6..cace02d964cb21 100644
--- a/net/ethtool/coalesce.c
+++ b/net/ethtool/coalesce.c
@@ -463,6 +463,12 @@ static int ethnl_update_profile(struct net_device *dev,
 
 	nla_for_each_nested_type(nest, ETHTOOL_A_PROFILE_IRQ_MODERATION,
 				 nests, rem) {
+		if (i >= NET_DIM_PARAMS_NUM_PROFILES) {
+			NL_SET_BAD_ATTR(extack, nest);
+			ret = -E2BIG;
+			goto err_out;
+		}
+
 		ret = nla_parse_nested(tb, len_irq_moder - 1, nest,
 				       coalesce_irq_moderation_policy,
 				       extack);
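Review bot: the bound check lands before nla_parse_nested(), so a sixth nest is rejected without being parsed, and >= keeps exactly NET_DIM_PARAMS_NUM_PROFILES entries accepted, which matches the kmemdup()'d size described in the commit message. NL_SET_BAD_ATTR() points userspace at the offending nest; pairing it with NL_SET_ERR_MSG_ATTR() stating the limit would make the -E2BIG actionable. The goto err_out relies on that label freeing the partially filled new_profile; that cleanup is outside the hunk and worth confirming.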
-- 
2.53.0





* [PATCH 6.18 077/315] net/handshake: Use spin_lock_bh for hn_lock
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chuck Lever, Hannes Reinecke,
	Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit cc993e0927ec8bd98ea33377ada03295fcda0f24 ]

nvmet_tcp_state_change(), a socket callback that runs in BH context,
can reach handshake_req_cancel() via nvmet_tcp_schedule_release_queue()
and tls_handshake_cancel().  handshake_req_cancel() acquires
hn->hn_lock with plain spin_lock().  If a process-context thread on
the same CPU holds hn->hn_lock when a softirq invokes the cancel path,
the lock attempt deadlocks.  This is the only caller that invokes
tls_handshake_cancel() from BH context; every other consumer calls it
from process context.

Deferring the cancel to process context in the NVMe target is not
straightforward: nvmet_tcp_schedule_release_queue() must call
tls_handshake_cancel() atomically with its state transition to
DISCONNECTING.  If the cancel were deferred, the handshake completion
callback could fire in the window before the cancel runs, observe the
unexpected state, and return without dropping its kref on the queue.
Reworking that interlock is considerably more invasive than hardening
the handshake lock.  Convert all hn->hn_lock acquisitions from
spin_lock/spin_unlock to spin_lock_bh/spin_unlock_bh so the lock is
never taken with softirqs enabled.

Fixes: 675b453e0241 ("nvmet-tcp: enable TLS handshake upcall")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-1-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/handshake/netlink.c |  4 ++--
 net/handshake/request.c | 14 +++++++-------
 net/handshake/tlshd.c   |  2 ++
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
index 7e46d130dce2cd..394e270cc505cb 100644
--- a/net/handshake/netlink.c
+++ b/net/handshake/netlink.c
@@ -203,10 +203,10 @@ static void __net_exit handshake_net_exit(struct net *net)
 	 * accepted and are in progress will be destroyed when
 	 * the socket is closed.
 	 */
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	set_bit(HANDSHAKE_F_NET_DRAINING, &hn->hn_flags);
 	list_splice_init(&requests, &hn->hn_requests);
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	while (!list_empty(&requests)) {
 		req = list_first_entry(&requests, struct handshake_req, hr_list);
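Review bot: this drain runs in process context (net exit), so the _bh variants only add softirq masking around set_bit() and list_splice_init(); that is the intent, but it is only sufficient if every remaining hn_lock acquisition anywhere else uses the _bh form as well, since one leftover spin_lock(&hn->hn_lock) reinstates the deadlock the commit message describes. No extra annotation is needed to catch that: lockdep already reports mixed bh/non-bh use of the same lock, so a CONFIG_PROVE_LOCKING run of the nvmet-tcp TLS cancel path would validate the conversion.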
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 6b7e3e0bf3996e..654e55b141cded 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -167,12 +167,12 @@ static bool remove_pending(struct handshake_net *hn, struct handshake_req *req)
 {
 	bool ret = false;
 
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	if (!list_empty(&req->hr_list)) {
 		__remove_pending_locked(hn, req);
 		ret = true;
 	}
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	return ret;
 }
@@ -182,7 +182,7 @@ struct handshake_req *handshake_req_next(struct handshake_net *hn, int class)
 	struct handshake_req *req, *pos;
 
 	req = NULL;
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	list_for_each_entry(pos, &hn->hn_requests, hr_list) {
 		if (pos->hr_proto->hp_handler_class != class)
 			continue;
@@ -190,7 +190,7 @@ struct handshake_req *handshake_req_next(struct handshake_net *hn, int class)
 		req = pos;
 		break;
 	}
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	return req;
 }
@@ -249,7 +249,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 	if (READ_ONCE(hn->hn_pending) >= hn->hn_pending_max)
 		goto out_err;
 
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	ret = -EOPNOTSUPP;
 	if (test_bit(HANDSHAKE_F_NET_DRAINING, &hn->hn_flags))
 		goto out_unlock;
@@ -258,7 +258,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 		goto out_unlock;
 	if (!__add_pending_locked(hn, req))
 		goto out_unlock;
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	ret = handshake_genl_notify(net, req->hr_proto, flags);
 	if (ret) {
@@ -274,7 +274,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 	return 0;
 
 out_unlock:
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 out_err:
 	/* Restore original destructor so socket teardown still runs on failure */
 	req->hr_sk->sk_destruct = req->hr_odestruct;
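Review bot: the out_unlock label now releases with spin_unlock_bh(), matching the spin_lock_bh() earlier in handshake_req_submit(); since handshake_genl_notify() runs after the lock is dropped, no sleeping call sits inside the bh-disabled region, which is what keeps this conversion safe. A comment at the lock site noting that hn_lock may be taken from softirq (handshake_req_cancel() via the nvmet state-change callback) would stop someone from later adding a sleeping call under it.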
diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c
index 8f9532a15f43f9..af294c6cc71731 100644
--- a/net/handshake/tlshd.c
+++ b/net/handshake/tlshd.c
@@ -425,6 +425,8 @@ EXPORT_SYMBOL(tls_server_hello_psk);
  * Request cancellation races with request completion. To determine
  * who won, callers examine the return value from this function.
  *
+ * Context: May be called from process or softirq context.
+ *
  * Return values:
  *   %true - Uncompleted handshake request was canceled
  *   %false - Handshake request already completed or not found
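Review bot: the new Context line says process or softirq context; it should also state that hardirq context is not supported, because spin_lock_bh() only masks softirqs and a hardirq caller would still deadlock against a holder on the same CPU. A kernel-doc line of the form "Context: process or softirq context; must not be called from hardirq" would make the contract precise for future consumers.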
-- 
2.53.0





* [PATCH 6.12 067/307] ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 596c51ed9e125b12c4d85b4530dfd4c7847634b7 ]

linkstate_prepare_data() calls ethnl_req_get_phydev() before
ethnl_ops_begin(), but routes its error path through "goto out"
which calls ethnl_ops_complete().

Fixes: fe55b1d401c6 ("ethtool: linkstate: migrate linkstate functions to support multi-PHY setups")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-4-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/linkstate.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/ethtool/linkstate.c b/net/ethtool/linkstate.c
index 05a5f72c99fab1..3dc52a39d34525 100644
--- a/net/ethtool/linkstate.c
+++ b/net/ethtool/linkstate.c
@@ -105,10 +105,8 @@ static int linkstate_prepare_data(const struct ethnl_req_info *req_base,
 
 	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_LINKSTATE_HEADER,
 				      info->extack);
-	if (IS_ERR(phydev)) {
-		ret = PTR_ERR(phydev);
-		goto out;
-	}
+	if (IS_ERR(phydev))
+		return PTR_ERR(phydev);
 
 	ret = ethnl_ops_begin(dev);
 	if (ret < 0)
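Review bot: returning PTR_ERR(phydev) directly is correct because ethnl_ops_begin() has not run at this point, so the old goto out would have called ethnl_ops_complete() without a matching begin. Check that the out label is still referenced by the error path after ethnl_ops_begin() (the hunk ends right at that call); if nothing else jumps to it, the compiler will warn about an unused label.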
-- 
2.53.0





* [PATCH 6.18 078/315] nvme-tcp: store negative errno in queue->tls_err
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chuck Lever, Hannes Reinecke,
	Alistair Francis, Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 9015985b5eb1a90eb86caf5bce1dfcf1aa38f8ad ]

nvme_tcp_tls_done() assigns queue->tls_err in three branches.  The
ENOKEY lookup failure and the EOPNOTSUPP initializer both store
negative errnos.  The third branch, reached when the handshake
layer reports a non-zero status, stores -status.

The handshake layer delivers status to the consumer callback as a
negative errno; the other in-tree consumers --
xs_tls_handshake_done() and the nvmet target callback -- treat
their status argument that way.  The extra negation in
nvme_tcp_tls_done() flips the sign, leaving tls_err as a positive
value (for instance, +EIO), which nvme_tcp_start_tls() then
returns to its caller.

Drop the extra negation so queue->tls_err uniformly carries a
negative errno on failure.

Fixes: be8e82caa685 ("nvme-tcp: enable TLS handshake upcall")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-2-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 9a96df1a511c02..afdbcff3d4821e 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -1687,7 +1687,7 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid)
 		qid, pskid, status);
 
 	if (status) {
-		queue->tls_err = -status;
+		queue->tls_err = status;
 		goto out_complete;
 	}
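Review bot: the fix assumes the status handed to the consumer callback is already a negative errno; that holds for the handshake layer today (tls_handshake_done() negates the positive wire value before calling the consumer), so the change is correct on its own, but it is sign-convention dependent. A defensive WARN_ON_ONCE(status > 0) next to the dev_dbg() would catch any future caller passing a positive errno and turn a silently positive tls_err into a visible report.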
 
-- 
2.53.0





* [PATCH 6.12 068/307] ethtool: pse-pd: fix missing ethnl_ops_complete()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit ab5bf428fb6bd361163c7247b92750d1d24ca2ed ]

pse_prepare_data() is missing ethnl_ops_complete() if
ethnl_req_get_phydev() returned an error. Move getting
phydev up so that we don't have to worry about this
(similar order to linkstate_prepare_data()).

Note that phydev may still be NULL (this is checked in
pse_get_pse_attributes()); the goal isn't really to avoid
the _begin() / _complete() calls, only to simplify the error
handling.

While at it propagate the original error. Why this code
overrides the error with -ENODEV but !phydev generates
-EOPNOTSUPP is unclear to me...

Fixes: 31748765bed3 ("net: ethtool: pse-pd: Target the command to the requested PHY")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/pse-pd.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/ethtool/pse-pd.c b/net/ethtool/pse-pd.c
index 71843de832cca7..01517c53113def 100644
--- a/net/ethtool/pse-pd.c
+++ b/net/ethtool/pse-pd.c
@@ -60,14 +60,14 @@ static int pse_prepare_data(const struct ethnl_req_info *req_base,
 	struct phy_device *phydev;
 	int ret;
 
-	ret = ethnl_ops_begin(dev);
-	if (ret < 0)
-		return ret;
-
 	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_PSE_HEADER,
 				      info->extack);
 	if (IS_ERR(phydev))
-		return -ENODEV;
+		return PTR_ERR(phydev);
+
+	ret = ethnl_ops_begin(dev);
+	if (ret < 0)
+		return ret;
 
 	ret = pse_get_pse_attributes(phydev, info->extack, data);
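Review bot: moving ethnl_req_get_phydev() ahead of ethnl_ops_begin() means the IS_ERR() return no longer leaves a begin without a complete, and PTR_ERR(phydev) now reaches userspace instead of the blanket -ENODEV, which is a user-visible errno change worth a sentence in the changelog for anyone who scripted on -ENODEV. The hunk ends at pse_get_pse_attributes(); its return path must still fall through to ethnl_ops_complete() as before, which the diff does not show.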
 
-- 
2.53.0





* [PATCH 6.18 079/315] net/handshake: Pass negative errno through handshake_complete()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chuck Lever, Hannes Reinecke,
	Paolo Abeni, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 6b22d433aa13f68e3cd9534ca9a5f4277bfa01c2 ]

handshake_complete() declares status as unsigned int and
tls_handshake_done() negates that value (-status) before handing
it to the TLS consumer. Consumers match on negative errno
constants -- xs_tls_handshake_done() has

	switch (status) {
	case 0:
	case -EACCES:
	case -ETIMEDOUT:
		lower_transport->xprt_err = status;
		break;
	default:
		lower_transport->xprt_err = -EACCES;
	}

so the API as designed expects callers to pass positive errno
values that the tlshd shim then negates.

Three internal callers in handshake_nl_accept_doit(), the
net-exit drain, and a kunit test follow kernel convention and
pass negative errnos -- -EIO, -ETIMEDOUT, -ETIMEDOUT. The
implicit conversion to unsigned int turns -ETIMEDOUT into
0xFFFFFF92; the subsequent -status in tls_handshake_done()
wraps back to 110, the consumer's switch falls through, and
the xprt reports -EACCES on what should be -ETIMEDOUT or -EIO.

Fix the API rather than the call sites. The natural kernel
convention is negative errno in, negative errno out. Change
handshake_complete() and hp_done to take int status, drop the
negation in tls_handshake_done(), and negate once in
handshake_nl_done_doit() where status arrives from the wire
as an unsigned netlink attribute. The three internal callers
were already correct under that convention and need no change.

At the same wire boundary, declare MAX_ERRNO as the netlink
policy upper bound for HANDSHAKE_A_DONE_STATUS. Attribute
validation rejects out-of-range values before
handshake_nl_done_doit() runs, and negating a bounded u32 there
stays within int range -- closing the UBSAN-visible signed-
integer overflow that an unconstrained u32 would invoke.

Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-3-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/netlink/specs/handshake.yaml | 8 ++++++++
 net/handshake/genl.c                       | 3 ++-
 net/handshake/genl.h                       | 1 +
 net/handshake/handshake-test.c             | 2 +-
 net/handshake/handshake.h                  | 4 ++--
 net/handshake/netlink.c                    | 2 +-
 net/handshake/request.c                    | 2 +-
 net/handshake/tlshd.c                      | 4 ++--
 8 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/netlink/specs/handshake.yaml
index 95c3fade7a8d7b..1024297b38513a 100644
--- a/Documentation/netlink/specs/handshake.yaml
+++ b/Documentation/netlink/specs/handshake.yaml
@@ -12,6 +12,12 @@ protocol: genetlink
 doc: Netlink protocol to request a transport layer security handshake.
 
 definitions:
+  -
+    type: const
+    name: max-errno
+    value: 4095
+    header: linux/err.h
+    scope: kernel
   -
     type: enum
     name: handler-class
@@ -80,6 +86,8 @@ attribute-sets:
       -
         name: status
         type: u32
+        checks:
+          max: max-errno
       -
         name: sockfd
         type: s32
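Review bot: checks: max: max-errno bounds the status attribute at the policy layer, so handshake_nl_done_doit() never negates a value beyond int range; this is fail-closed for a userspace agent sending a status above 4095, which is fine because no errno is that large, but the attribute's doc string should say the value is a positive errno so that tlshd authors know the expected sign on the wire.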
diff --git a/net/handshake/genl.c b/net/handshake/genl.c
index f55d14d7b7269d..a5fa8b27f22423 100644
--- a/net/handshake/genl.c
+++ b/net/handshake/genl.c
@@ -9,6 +9,7 @@
 #include "genl.h"
 
 #include <uapi/linux/handshake.h>
+#include <linux/err.h>
 
 /* HANDSHAKE_CMD_ACCEPT - do */
 static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HANDLER_CLASS + 1] = {
@@ -17,7 +18,7 @@ static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN
 
 /* HANDSHAKE_CMD_DONE - do */
 static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = {
-	[HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, },
+	[HANDSHAKE_A_DONE_STATUS] = NLA_POLICY_MAX(NLA_U32, MAX_ERRNO),
 	[HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, },
 	[HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, },
 };
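Review bot: net/handshake/genl.c and genl.h are generated from Documentation/netlink/specs/handshake.yaml, so this edit should be the generator's output for the yaml change in the same patch; re-running the generator and confirming it produces NLA_POLICY_MAX(NLA_U32, MAX_ERRNO) and the <linux/err.h> include avoids a hand edit being overwritten the next time the spec is regenerated.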
diff --git a/net/handshake/genl.h b/net/handshake/genl.h
index ae72a596f6cc3e..684e5fd684481b 100644
--- a/net/handshake/genl.h
+++ b/net/handshake/genl.h
@@ -10,6 +10,7 @@
 #include <net/genetlink.h>
 
 #include <uapi/linux/handshake.h>
+#include <linux/err.h>
 
 int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info);
 int handshake_nl_done_doit(struct sk_buff *skb, struct genl_info *info);
diff --git a/net/handshake/handshake-test.c b/net/handshake/handshake-test.c
index 55442b2f518afb..df3948e807a0fd 100644
--- a/net/handshake/handshake-test.c
+++ b/net/handshake/handshake-test.c
@@ -25,7 +25,7 @@ static int test_accept_func(struct handshake_req *req, struct genl_info *info,
 	return 0;
 }
 
-static void test_done_func(struct handshake_req *req, unsigned int status,
+static void test_done_func(struct handshake_req *req, int status,
 			   struct genl_info *info)
 {
 }
diff --git a/net/handshake/handshake.h b/net/handshake/handshake.h
index a48163765a7a1d..2289b0e274f40a 100644
--- a/net/handshake/handshake.h
+++ b/net/handshake/handshake.h
@@ -57,7 +57,7 @@ struct handshake_proto {
 	int			(*hp_accept)(struct handshake_req *req,
 					     struct genl_info *info, int fd);
 	void			(*hp_done)(struct handshake_req *req,
-					   unsigned int status,
+					   int status,
 					   struct genl_info *info);
 	void			(*hp_destroy)(struct handshake_req *req);
 };
@@ -86,7 +86,7 @@ struct handshake_req *handshake_req_hash_lookup(struct sock *sk);
 struct handshake_req *handshake_req_next(struct handshake_net *hn, int class);
 int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 			 gfp_t flags);
-void handshake_complete(struct handshake_req *req, unsigned int status,
+void handshake_complete(struct handshake_req *req, int status,
 			struct genl_info *info);
 bool handshake_req_cancel(struct sock *sk);
 
diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
index 394e270cc505cb..d8211e0ba75c69 100644
--- a/net/handshake/netlink.c
+++ b/net/handshake/netlink.c
@@ -161,7 +161,7 @@ int handshake_nl_done_doit(struct sk_buff *skb, struct genl_info *info)
 
 	status = -EIO;
 	if (info->attrs[HANDSHAKE_A_DONE_STATUS])
-		status = nla_get_u32(info->attrs[HANDSHAKE_A_DONE_STATUS]);
+		status = -(int)nla_get_u32(info->attrs[HANDSHAKE_A_DONE_STATUS]);
 
 	handshake_complete(req, status, info);
 	sockfd_put(sock);
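Review bot: the -(int) cast is safe only because the policy now caps the u32 at MAX_ERRNO, so the negation cannot overflow; the hunk does not show the declaration of status in handshake_nl_done_doit(), and since it is assigned -EIO just above it must be an int, otherwise both the negative default and the new negation would be stored as large unsigned values and the int conversion of handshake_complete() would be undone at this call site.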
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 654e55b141cded..62efb7e32730ea 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -284,7 +284,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 }
 EXPORT_SYMBOL(handshake_req_submit);
 
-void handshake_complete(struct handshake_req *req, unsigned int status,
+void handshake_complete(struct handshake_req *req, int status,
 			struct genl_info *info)
 {
 	struct sock *sk = req->hr_sk;
diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c
index af294c6cc71731..7567150c2a4f95 100644
--- a/net/handshake/tlshd.c
+++ b/net/handshake/tlshd.c
@@ -93,7 +93,7 @@ static void tls_handshake_remote_peerids(struct tls_handshake_req *treq,
  *
  */
 static void tls_handshake_done(struct handshake_req *req,
-			       unsigned int status, struct genl_info *info)
+			       int status, struct genl_info *info)
 {
 	struct tls_handshake_req *treq = handshake_req_private(req);
 
@@ -104,7 +104,7 @@ static void tls_handshake_done(struct handshake_req *req,
 	if (!status)
 		set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags);
 
-	treq->th_consumer_done(treq->th_consumer_data, -status,
+	treq->th_consumer_done(treq->th_consumer_data, status,
 			       treq->th_peerid[0]);
 }
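Review bot: with the negation removed, tls_handshake_done() forwards status unchanged, so the convention is negative errno end-to-end and the sign fix in the preceding nvme-tcp patch lines up with this. The !status success test above is unchanged and still correct; a kernel-doc line on tls_handshake_done() stating "@status: 0 on success or a negative errno" would record the new contract for the consumer callbacks.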
 
-- 
2.53.0





* [PATCH 6.12 069/307] ethtool: strset: fix header attribute index in ethnl_req_get_phydev()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit a8d8bef6b45bf7cc0b1f6110c5cd8d0160a9bad7 ]

strset_prepare_data() passes ETHTOOL_A_HEADER_FLAGS (3) as the header
attribute to ethnl_req_get_phydev(). This is incorrect: in the main
attr space 3 is ETHTOOL_A_STRSET_COUNTS_ONLY, not the request
header attr. The correct constant is ETHTOOL_A_STRSET_HEADER (1).

ethnl_req_get_phydev() only uses this value for the extack,
so this is not a "functionally visible"(?) bug.

Fixes: e96c93aa4be9 ("net: ethtool: strset: Allow querying phy stats by index")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-9-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/strset.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c
index b9400d18f01d58..73597f0bc923a3 100644
--- a/net/ethtool/strset.c
+++ b/net/ethtool/strset.c
@@ -299,7 +299,7 @@ static int strset_prepare_data(const struct ethnl_req_info *req_base,
 		return 0;
 	}
 
-	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_HEADER_FLAGS,
+	phydev = ethnl_req_get_phydev(req_base, tb, ETHTOOL_A_STRSET_HEADER,
 				      info->extack);
 
 	/* phydev can be NULL, check for errors only */
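Review bot: ETHTOOL_A_STRSET_HEADER is the right index for the strset attribute space; since ethnl_req_get_phydev() only uses the value to point extack at the header attribute, the visible effect is a corrected attribute offset in error messages rather than a behaviour change, which matches the commit message. The comment below the hunk already documents that a NULL phydev is expected here, so no further change is needed.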
-- 
2.53.0





* [PATCH 6.18 080/315] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao,
	Luiz Augusto von Dentz, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

[ Upstream commit 00e1950716c6ed67d74777b2db286b0fa23b4be9 ]

l2cap_ecred_reconf_rsp() returns early on success without clearing
chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
successful transaction to prevent the channel from matching subsequent
responses with the recycled ident value.

A remote attacker that completed a reconfiguration as the peer can
replay a failure response with the stale ident, causing the kernel to
match and destroy the already-established channel via
l2cap_chan_del(chan, ECONNRESET).

Clear chan->ident for all matching channels on success, and harden the
failure path by using l2cap_chan_hold_unless_zero() consistent with
other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 87ebe81277c510..57f5e3c7429e79 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5466,14 +5466,20 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
 
 	BT_DBG("result 0x%4.4x", result);
 
-	if (!result)
+	if (!result) {
+		list_for_each_entry(chan, &conn->chan_l, list) {
+			if (chan->ident == cmd->ident)
+				chan->ident = 0;
+		}
 		return 0;
+	}
 
 	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
 		if (chan->ident != cmd->ident)
 			continue;
 
-		l2cap_chan_hold(chan);
+		if (!l2cap_chan_hold_unless_zero(chan))
+			continue;
 		l2cap_chan_lock(chan);
 
 		l2cap_chan_del(chan, ECONNRESET);
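Review bot: the success branch clears chan->ident for every channel matching cmd->ident without taking the channel lock, while the failure branch below locks the channel before l2cap_chan_del(); if ident is read under the chan lock elsewhere this is a benign racing store, but a comment saying why the lock is not needed here (or taking it, as the failure path does) would remove the question. Replacing l2cap_chan_hold() with l2cap_chan_hold_unless_zero() and continuing when it fails is the right treatment for a channel whose last reference is being dropped concurrently.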
-- 
2.53.0





* [PATCH 6.12 070/307] ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 2376586f85f972fefe701f095bb37dcfe7405d21 ]

All ethtool driver op calls should be sandwiched between
ethnl_ops_begin() / ethnl_ops_complete(). In Netlink eeprom code,
if the paged access failed we fall back to old API, but we
first call _complete() and the fallback never does its own
ethnl_ops_begin(). Move the fallback into the _begin() / _complete()
section.

Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-10-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/eeprom.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
index 3b8209e930fd3a..03cb418a15823b 100644
--- a/net/ethtool/eeprom.c
+++ b/net/ethtool/eeprom.c
@@ -140,12 +140,11 @@ static int eeprom_prepare_data(const struct ethnl_req_info *req_base,
 	return 0;
 
 err_ops:
+	if (ret == -EOPNOTSUPP)
+		ret = eeprom_fallback(request, reply);
 	ethnl_ops_complete(dev);
 err_free:
 	kfree(page_data.data);
-
-	if (ret == -EOPNOTSUPP)
-		return eeprom_fallback(request, reply);
 	return ret;
 }
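Review bot: with eeprom_fallback() now called at the err_ops label, only the path that jumps to err_ops (after ethnl_ops_begin() succeeded) can fall back, while any earlier `goto err_free` no longer does; that is the intended semantics, but it is a small behaviour change and deserves one sentence in the commit message. The fallback's return value overwrites the -EOPNOTSUPP in `ret` before `ethnl_ops_complete(dev)` and `kfree(page_data.data)` run, so the begin/complete pair and the free are now unconditional, which is exactly what the fix wants.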
 
-- 
2.53.0

* [PATCH 6.18 081/315] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 41c2713b204e6cb6a94587bc6bf6935107df5479 ]

If dcid is received for an already-assigned destination CID the spec
requires that both channels be discarded, but calling l2cap_chan_del
may invalidate the tmp cursor created by list_for_each_entry_safe and
in fact it is the wrong procedure: as the chan->dcid may have been
assigned previously, it really needs to be disconnected.

Calling l2cap_chan_close directly may still lead to l2cap_chan_del, so
instead schedule l2cap_chan_timeout with delay 0 to close the channel
asynchronously.

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 57f5e3c7429e79..9805908e6c6a06 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5268,6 +5268,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 	cmd_len -= sizeof(*rsp);
 
 	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+		struct l2cap_chan *orig;
 		u16 dcid;
 
 		if (chan->ident != cmd->ident ||
@@ -5289,8 +5290,10 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 
 		BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
 
+		orig = __l2cap_get_chan_by_dcid(conn, dcid);
+
 		/* Check if dcid is already in use */
-		if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
+		if (dcid && orig) {
 			/* If a device receives a
 			 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
 			 * already-assigned Destination CID, then both the
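Review bot: `orig = __l2cap_get_chan_by_dcid(conn, dcid)` now runs unconditionally, including for dcid == 0, where the old code short-circuited on `dcid &&`; the result is harmless because the `dcid && orig` test still ignores it, but if a zero dcid can match a channel that has not been assigned one yet, `orig` holds a misleading non-NULL value for the rest of the iteration. Moving the lookup under `if (dcid)` (or initialising `orig = NULL` at its declaration and looking it up only when dcid is set) keeps the intent obvious.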
@@ -5299,10 +5302,24 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 			 */
 			l2cap_chan_del(chan, ECONNREFUSED);
 			l2cap_chan_unlock(chan);
-			chan = __l2cap_get_chan_by_dcid(conn, dcid);
-			l2cap_chan_lock(chan);
-			l2cap_chan_del(chan, ECONNRESET);
-			l2cap_chan_unlock(chan);
+
+			/* Check that the dcid channel mode is
+			 * L2CAP_MODE_EXT_FLOWCTL since this procedure is only
+			 * valid for that mode and shouldn't disconnect a dcid
+			 * in other modes.
+			 */
+			if (orig->mode == L2CAP_MODE_EXT_FLOWCTL) {
+				l2cap_chan_lock(orig);
+				/* Disconnect the original channel as it may be
+				 * considered connected since dcid has already
+				 * been assigned; don't call l2cap_chan_close
+				 * directly since that could lead to
+				 * l2cap_chan_del and then removing the channel
+				 * from the list while we're iterating over it.
+				 */
+				__set_chan_timer(orig, 0);
+				l2cap_chan_unlock(orig);
+			}
 			continue;
 		}
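Review bot: `orig->mode` is read before `l2cap_chan_lock(orig)` is taken, and `orig` is used after `l2cap_chan_unlock(chan)` without a reference of its own; please either move the mode test inside the orig lock or state in the comment which lock (the conn lock held across the list walk, presumably) makes both reads safe. The same question applies to __set_chan_timer(orig, 0): confirm that it takes its own reference for the delayed work, since nothing in this hunk holds `orig` alive once the loop moves on. Also worth a sentence in the commit message: when `orig` is not in L2CAP_MODE_EXT_FLOWCTL only `chan` is dropped, so the "both channels discarded" rule quoted in the comment above is deliberately not applied in that case.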
 
-- 
2.53.0

* [PATCH 6.12 071/307] ethtool: eeprom: add more safeties to EEPROM Netlink fallback
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 67cfdd9210b99f260b3e0afeb9525e0acc7be31e ]

The Netlink fallback path for reading module EEPROM
(fallback_set_params()) validates that offset < eeprom_len,
but does not check that offset + length stays within eeprom_len.
The ioctl equivalent (ethtool_get_any_eeprom() in ioctl.c) has
always enforced both bounds:

  if (eeprom.offset + eeprom.len > total_len)
      return -EINVAL;

This could lead to surprises in both drivers and device FW.
Add the missing offset + length validation to fallback_set_params(),
mirroring the ioctl.

Similarly, ethtool core in general, and ethtool_get_any_eeprom()
in particular, tries to zero-init all buffers passed to the drivers
to avoid any extra work of zeroing things out. eeprom_fallback()
uses a plain kmalloc(); change it to kzalloc().

Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-11-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/eeprom.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
index 03cb418a15823b..80af38a6c76acf 100644
--- a/net/ethtool/eeprom.c
+++ b/net/ethtool/eeprom.c
@@ -43,6 +43,9 @@ static int fallback_set_params(struct eeprom_req_info *request,
 	if (offset >= modinfo->eeprom_len)
 		return -EINVAL;
 
+	if (length > modinfo->eeprom_len - offset)
+		return -EINVAL;
+
 	eeprom->cmd = ETHTOOL_GMODULEEEPROM;
 	eeprom->len = length;
 	eeprom->offset = offset;
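Review bot: writing the bound as `length > modinfo->eeprom_len - offset` rather than the ioctl's `offset + len > total_len` form quoted in the commit message is the better choice: the preceding `offset >= modinfo->eeprom_len` check guarantees the subtraction cannot underflow, whereas the additive form could wrap for large user-supplied values. A short comment above the check saying that the order of the two tests matters would stop someone from "simplifying" it back to the additive form.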
@@ -68,7 +71,7 @@ static int eeprom_fallback(struct eeprom_req_info *request,
 	if (err < 0)
 		return err;
 
-	data = kmalloc(eeprom.len, GFP_KERNEL);
+	data = kzalloc(eeprom.len, GFP_KERNEL);
 	if (!data)
 		return -ENOMEM;
 	err = ethtool_get_module_eeprom_call(dev, &eeprom, data);
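Review bot: kzalloc() here does more than match the ioctl path: if ethtool_get_module_eeprom_call() or the driver fills fewer than `eeprom.len` bytes, the remainder is now zeros instead of stale heap contents before `data` is consumed. That is the property that justifies a stable backport, so it is worth stating explicitly in the commit message rather than leaving it at "avoid any extra work of zeroing things out".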
-- 
2.53.0

* [PATCH 6.12 072/307] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rahul Chandelkar, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rahul Chandelkar <rc@rexion.ai>

[ Upstream commit 9d5e7a46a9f6d8f503b41bfefef70659845f1679 ]

ipv6_rpl_srh_decompress() computes:

    outhdr->hdrlen = (((n + 1) * sizeof(struct in6_addr)) >> 3);

hdrlen is __u8. For n >= 127 the result exceeds 255 and silently
truncates. With n=127 (cmpri=15, cmpre=15, pad=0, hdrlen=16):

    (128 * 16) >> 3 = 256, truncated to 0 as __u8

The caller in ipv6_rpl_srh_rcv() then places the compressed header
at buf + ((ohdr->hdrlen + 1) << 3). With hdrlen=0 this is buf + 8,
but the decompressed region occupies buf[0..2055] (8-byte header
plus 128 full addresses). The compressed header overlaps the
decompressed data, and ipv6_rpl_srh_compress() writes into this
overlap, corrupting the routing header of the forwarded packet.

The existing guard at exthdrs.c:546 checks (n + 1) > 255, which
prevents n+1 from overflowing unsigned char (the segments_left
field), but does not prevent the computed hdrlen from overflowing
__u8. n=127 passes because 128 <= 255, yet hdrlen=256 does not
fit.

Tighten the bound to (n + 1) > 127. This caps n at 126, giving
hdrlen = (127 * 16) >> 3 = 254, which fits in __u8. The compressed
header then lands at buf + ((254 + 1) << 3) = buf + 2040, exactly
past the decompressed region (buf[0..2039]). No overlap. 127
segments is well beyond any realistic RPL deployment.

Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Signed-off-by: Rahul Chandelkar <rc@rexion.ai>
Link: https://patch.msgid.link/20260525154031.2290876-1-rc@rexion.ai
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/exthdrs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 5ef6fbc66beb11..43e34fe448ffe5 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -546,7 +546,7 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
 	 * unsigned char which is segments_left field. Should not be
 	 * higher than that.
 	 */
-	if (r || (n + 1) > 255) {
+	if (r || (n + 1) > 127) {
 		kfree_skb(skb);
 		return -1;
 	}
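Review bot: the comment directly above this condition still explains the old 255 bound ("unsigned char which is segments_left field. Should not be higher than that."), so it is now stale; please extend it to say that outhdr->hdrlen is __u8 and `((n + 1) * sizeof(struct in6_addr)) >> 3` must fit in it, which is what caps n at 126. A named constant derived from that expression would also read better than a bare 127 and would survive any future change to the address size or header encoding.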
-- 
2.53.0

* [PATCH 6.18 082/315] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heitor Alves de Siqueira,
	Luiz Augusto von Dentz, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

[ Upstream commit 525daaea459fc215f432de1b8debbd9144bf97b0 ]

Since hci_dev_close_sync() can now be called during the reset path, we
should also set HCI_CMD_DRAIN_WORKQUEUE. This avoids queuing timeouts
while the hdev workqueue is being drained.

Fixes: 877afadad2dc ("Bluetooth: When HCI work queue is drained, only queue chained work")
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_sync.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index f498ab28f1aa06..73e429c41e17b5 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5246,6 +5246,12 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 
 	bt_dev_dbg(hdev, "");
 
+	/* Set HCI_DRAIN_WORKQUEUE flag to prevent queuing work during
+	 * reset/close. See hci_cmd_work() and handle_cmd_cnt_and_timer().
+	 */
+	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
+	synchronize_rcu();
+
 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		disable_delayed_work(&hdev->power_off);
 		disable_delayed_work(&hdev->ncmd_timer);
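Review bot: the new comment says HCI_DRAIN_WORKQUEUE while the code sets HCI_CMD_DRAIN_WORKQUEUE; please use the real flag name so grep finds it. It would also help to say what the synchronize_rcu() is waiting for (in-flight readers of the flag in hci_cmd_work()/handle_cmd_cnt_and_timer(), going by the comment's own cross-reference), because a bare synchronize_rcu() after a flag set is easy to drop as "unnecessary" in a later cleanup.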
@@ -5269,6 +5275,7 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 
 	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
 		cancel_delayed_work_sync(&hdev->cmd_timer);
+		hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 		return err;
 	}
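Review bot: this early return clears the flag, but the flag is set at the top of the function and this hunk and the next one show only two of the exits; please confirm every return path of hci_dev_close_sync() between the set and the final clear also clears HCI_CMD_DRAIN_WORKQUEUE, since a reset that bails out early would otherwise leave the device permanently refusing to queue work until the next open.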
 
@@ -5368,6 +5375,7 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 	/* Clear flags */
 	hdev->flags &= BIT(HCI_RAW);
 	hci_dev_clear_volatile_flags(hdev);
+	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 
 	memset(hdev->eir, 0, sizeof(hdev->eir));
 	memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
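Review bot: the clear sits right after hci_dev_clear_volatile_flags(); if HCI_CMD_DRAIN_WORKQUEUE is among the volatile flags the explicit clear is redundant, and if it is not, the ordering is fine but non-obvious. Either way a one-line comment stating that the flag must survive the volatile-flag wipe (or must not) would document the intent.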
-- 
2.53.0

* [PATCH 6.18 083/315] Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heitor Alves de Siqueira,
	Luiz Augusto von Dentz, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

[ Upstream commit cdf88b35e06f1b385f7f6228060ae541d44fbb72 ]

Before resetting or closing the device, protocol counters should also be
zeroed.

Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages")
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_sync.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 73e429c41e17b5..277de808ebeb5a 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5338,6 +5338,10 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 	/* Reset device */
 	skb_queue_purge(&hdev->cmd_q);
 	atomic_set(&hdev->cmd_cnt, 1);
+	hdev->acl_cnt = 0;
+	hdev->sco_cnt = 0;
+	hdev->le_cnt = 0;
+	hdev->iso_cnt = 0;
 	if (hci_test_quirk(hdev, HCI_QUIRK_RESET_ON_CLOSE) &&
 	    !auto_off && !hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
 		set_bit(HCI_INIT, &hdev->flags);
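Review bot: the four new counter resets are plain stores next to an atomic_set() for cmd_cnt; that asymmetry is fine only if acl_cnt/sco_cnt/le_cnt/iso_cnt are touched solely under the serialisation that protects this close path. Since hci_dev_close_sync() is now also entered from the reset path (previous patch in this series), please confirm no TX path can still be decrementing them concurrently, and add a comment noting whether the HCI_QUIRK_RESET_ON_CLOSE re-init below is expected to repopulate them from the controller.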
-- 
2.53.0

* [PATCH 6.12 073/307] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
@ 2026-06-07  9:57   ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ji-Soo Chung, Gerlinde, zyc zyc,
	Manas Ghandat, Stephen Hemminger, Jamal Hadi Salim, Paolo Abeni,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit eda0b7f203bb166c98d1418b204135bd566ac83b ]

This reverts commit ec8e0e3d7adef940cdf9475e2352c0680189d14e.

The original patch rejects any tree containing two netems when
either has duplication set, even when they sit on unrelated classes
of the same classful parent. That broke configurations that have
worked since netem was introduced.

The re-entrancy problem the original commit was trying to solve is
handled by a later patch using the tc_depth flag.

Doing this revert will (re)expose the original bug with multiple
netem duplication. When this patch is backported, make sure
to get the full series.

Fixes: ec8e0e3d7ade ("net/sched: Restrict conditions for adding duplicating netems to qdisc tree")
Reported-by: Ji-Soo Chung <jschung2@proton.me>
Reported-by: Gerlinde <lrGerlinde@mailfence.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220774
Reported-by: zyc zyc <zyc199902@zohomail.cn>
Closes: https://lore.kernel.org/all/19adda5a1e2.12410b78222774.9191120410578703463@zohomail.cn/
Reported-by: Manas Ghandat <ghandatmanas@gmail.com>
Closes: https://lore.kernel.org/netdev/f69b2c8f-8325-4c2e-a011-6dbc089f30e4@gmail.com/
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-3-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_netem.c | 40 ----------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 498c18d7d9c39b..1fdebf2ab7ee46 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -1005,41 +1005,6 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
 	return 0;
 }
 
-static const struct Qdisc_class_ops netem_class_ops;
-
-static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
-			       struct netlink_ext_ack *extack)
-{
-	struct Qdisc *root, *q;
-	unsigned int i;
-
-	root = qdisc_root_sleeping(sch);
-
-	if (sch != root && root->ops->cl_ops == &netem_class_ops) {
-		if (duplicates ||
-		    ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
-			goto err;
-	}
-
-	if (!qdisc_dev(root))
-		return 0;
-
-	hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
-		if (sch != q && q->ops->cl_ops == &netem_class_ops) {
-			if (duplicates ||
-			    ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
-				goto err;
-		}
-	}
-
-	return 0;
-
-err:
-	NL_SET_ERR_MSG(extack,
-		       "netem: cannot mix duplicating netems with other netems in tree");
-	return -EINVAL;
-}
-
 /* Parse netlink message to set options */
 static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 			struct netlink_ext_ack *extack)
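Review bot: removing check_netem_in_tree() also removes the forward declaration `static const struct Qdisc_class_ops netem_class_ops;` that preceded it; please confirm nothing else in the file references netem_class_ops before its definition, or the build breaks. As the commit message says, this revert re-opens the duplicating-netem recursion until the tc_depth fix lands, so the stable series must carry "net/sched: fix packet loop on netem when duplicate is on" right after it, which this review batch does as 074/307.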
@@ -1116,11 +1081,6 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
 	q->gap = qopt->gap;
 	q->counter = 0;
 	q->loss = qopt->loss;
-
-	ret = check_netem_in_tree(sch, qopt->duplicate, extack);
-	if (ret)
-		goto unlock;
-
 	q->duplicate = qopt->duplicate;
 
 	/* for compatibility with earlier versions.
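Review bot: with the `ret = check_netem_in_tree(...)` call gone, check that `ret` and the `unlock` label are still used elsewhere in netem_change(); if this was their only use the revert should drop them too, otherwise the build will warn about an unused variable or label.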
-- 
2.53.0

* [PATCH 6.18 084/315] gpio: adnp: fix flow control regression caused by scoped_guard()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Lechner, Linus Walleij,
	Bartosz Golaszewski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

[ Upstream commit a5c627d90809b793fc053849b3a00609db305776 ]

scoped_guard() is implemented as a for loop. Using it to protect code
using the continue statement changes the flow as we now only break out
of the hidden loop inside scoped_guard(), not the original for loop. Use
a regular code block instead.

Fixes: c7fe19ed3973 ("gpio: adnp: use lock guards for the I2C lock")
Reported-by: David Lechner <dlechner@baylibre.com>
Closes: https://lore.kernel.org/all/cde2abb2-4cc8-4fc9-b34a-0c5d2b95779f@baylibre.com/
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20260522073527.9812-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-adnp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-adnp.c b/drivers/gpio/gpio-adnp.c
index e5ac2d2110137f..fe5bcaa90496aa 100644
--- a/drivers/gpio/gpio-adnp.c
+++ b/drivers/gpio/gpio-adnp.c
@@ -237,7 +237,9 @@ static irqreturn_t adnp_irq(int irq, void *data)
 		unsigned long pending;
 		int err;
 
-		scoped_guard(mutex, &adnp->i2c_lock) {
+		{
+			guard(mutex)(&adnp->i2c_lock);
+
 			err = adnp_read(adnp, GPIO_PLR(adnp) + i, &level);
 			if (err < 0)
 				continue;
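Review bot: please add a one-line comment above the bare block explaining that `{ guard(mutex)(&adnp->i2c_lock); ... }` is used instead of scoped_guard() precisely because the `continue` must reach the enclosing for loop and scoped_guard() is itself a loop; without that comment the next cleanup pass will "modernise" it straight back and reintroduce this regression. The blank line after the guard() call can go.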
-- 
2.53.0

* [PATCH 6.12 074/307] net/sched: fix packet loop on netem when duplicate is on
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, William Liu, Savino Dicanosa,
	Victor Nogueira, Stephen Hemminger, Jamal Hadi Salim, Paolo Abeni,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit 9552b11e3edabc97cfcd9f29103d5afbce7ae183 ]

When netem duplicates a packet it re-enqueues the copy at the root qdisc.
If another netem sits in the tree the copy can be duplicated
again, recursing until the stack or memory is exhausted.

The original duplication guard temporarily zeroed q->duplicate around
the re-enqueue, but that does not cover all cases because it is
per-qdisc state shared across all concurrent enqueue paths
and is not safe without additional locking.

Use the skb tc_depth field introduced in an earlier patch:
 - increment it on the duplicate before re-enqueue
 - skip duplication for any skb whose tc_depth is already non-zero.

This marks the packet itself rather than mutating qdisc state,
therefore it is safe regardless of tree topology or concurrency.

Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication")
Reported-by: William Liu <will@willsroot.io>
Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
Closes: https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
Co-developed-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: William Liu <will@willsroot.io>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-5-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_netem.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 1fdebf2ab7ee46..136b7d81296eff 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -459,7 +459,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 	skb->prev = NULL;
 
 	/* Random duplication */
-	if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor, &q->prng))
+	if (q->duplicate && skb->tc_depth == 0 &&
+	    q->duplicate >= get_crandom(&q->dup_cor, &q->prng))
 		++count;
 
 	/* Drop packet? */
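Review bot: `skb->tc_depth == 0` gates duplication on a sk_buff field the commit message says was "introduced in an earlier patch"; that patch is not among the ones visible here, so please confirm the 6.12 stable tree actually carries it before this one, otherwise this hunk does not compile. A comment noting that tc_depth is shared with other tc recursion users (so a non-zero value from any of them suppresses duplication) would also make the condition self-explanatory.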
@@ -538,11 +539,9 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
 	 */
 	if (skb2) {
 		struct Qdisc *rootq = qdisc_root_bh(sch);
-		u32 dupsave = q->duplicate; /* prevent duplicating a dup... */
 
-		q->duplicate = 0;
+		skb2->tc_depth++; /* prevent duplicating a dup... */
 		rootq->enqueue(skb2, rootq, to_free);
-		q->duplicate = dupsave;
 		skb2 = NULL;
 	}
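Review bot: `skb2->tc_depth++` cannot wrap here as long as skb2 is only created when the duplication test in the earlier hunk passed, i.e. when the original's tc_depth was zero, so the field goes 0 to 1 at most; a comment saying so saves the next reader from checking the field width. Dropping `dupsave` removes the shared per-qdisc mutation the commit message describes, so nothing on the enqueue path now writes q->duplicate.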
 
-- 
2.53.0

* [PATCH 6.18 085/315] gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Bartosz Golaszewski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <error27@gmail.com>

[ Upstream commit 8a122b5e72cc0043705f0d524bcd15f0c0b3ec15 ]

If *ppos is non-zero (user-space write split over multiple calls to
write()) then simple_write_to_buffer() won't initialize the start of the
buffer. Really, non-zero values for *ppos aren't going to work at all.
Check for that and return -EINVAL at the start of the function.

Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/ahP3BJWWy-m_qI0X@stanley.mountain
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-virtuser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpio/gpio-virtuser.c b/drivers/gpio/gpio-virtuser.c
index 252fec5ea38354..1901b4ba558f0c 100644
--- a/drivers/gpio/gpio-virtuser.c
+++ b/drivers/gpio/gpio-virtuser.c
@@ -399,7 +399,7 @@ static ssize_t gpio_virtuser_direction_do_write(struct file *file,
 	char buf[32], *trimmed;
 	int ret, dir, val = 0;
 
-	if (count >= sizeof(buf))
+	if (*ppos != 0 || count >= sizeof(buf))
 		return -EINVAL;
 
 	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
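Review bot: rejecting `*ppos != 0` is the right fix, since simple_write_to_buffer() copies to `buf + *ppos` and the parser below expects a complete command starting at buf[0]; note that it also turns a split write() into -EINVAL for the second call, which is acceptable for a debugfs control file but worth one sentence in the commit message. The identical check is repeated verbatim in gpio_virtuser_consumer_write() below; a tiny helper would keep the two in step.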
@@ -626,7 +626,7 @@ static ssize_t gpio_virtuser_consumer_write(struct file *file,
 	char buf[GPIO_VIRTUSER_NAME_BUF_LEN + 2];
 	int ret;
 
-	if (count >= sizeof(buf))
+	if (*ppos != 0 || count >= sizeof(buf))
 		return -EINVAL;
 
 	ret = simple_write_to_buffer(buf, GPIO_VIRTUSER_NAME_BUF_LEN, ppos,
-- 
2.53.0

* [PATCH 6.12 075/307] net/sched: act_mirred: Move the recursion counter struct netdev_xmit
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Cong Wang,
	Jiri Pirko, Sebastian Andrzej Siewior, Juri Lelli, Paolo Abeni,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

[ Upstream commit 7fe70c06a182a140be9996b02256d907e114479a ]

mirred_nest_level is a per-CPU variable and relies on disabled BH for its
locking. Without per-CPU locking in local_bh_disable() on PREEMPT_RT
this data structure requires explicit locking.

Move mirred_nest_level to struct netdev_xmit as u8, provide wrappers.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Link: https://patch.msgid.link/20250512092736.229935-11-bigeasy@linutronix.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: e80ad525fc7e ("net/sched: act_mirred: Fix return code in early mirred redirect error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/netdevice_xmit.h |  3 +++
 net/sched/act_mirred.c         | 28 +++++++++++++++++++++++++---
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/include/linux/netdevice_xmit.h b/include/linux/netdevice_xmit.h
index 38325e07029685..848735b3a7c02d 100644
--- a/include/linux/netdevice_xmit.h
+++ b/include/linux/netdevice_xmit.h
@@ -8,6 +8,9 @@ struct netdev_xmit {
 #ifdef CONFIG_NET_EGRESS
 	u8  skip_txqueue;
 #endif
+#if IS_ENABLED(CONFIG_NET_ACT_MIRRED)
+	u8 sched_mirred_nest;
+#endif
 };
 
 #endif
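Review bot: u8 is plenty for MIRRED_NEST_LIMIT == 4, but now that the counter lives in struct netdev_xmit instead of a per-CPU unsigned int, a short comment next to the field stating its ownership rule (protected by BH-disable on non-RT, per-task on PREEMPT_RT) would help; `#if IS_ENABLED(CONFIG_NET_ACT_MIRRED)` is the correct guard since act_mirred can be built as a module.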
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index b1b0049d7a0e9d..18d9378a9c1134 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -30,7 +30,29 @@ static LIST_HEAD(mirred_list);
 static DEFINE_SPINLOCK(mirred_list_lock);
 
 #define MIRRED_NEST_LIMIT    4
-static DEFINE_PER_CPU(unsigned int, mirred_nest_level);
+
+#ifndef CONFIG_PREEMPT_RT
+static u8 tcf_mirred_nest_level_inc_return(void)
+{
+	return __this_cpu_inc_return(softnet_data.xmit.sched_mirred_nest);
+}
+
+static void tcf_mirred_nest_level_dec(void)
+{
+	__this_cpu_dec(softnet_data.xmit.sched_mirred_nest);
+}
+
+#else
+static u8 tcf_mirred_nest_level_inc_return(void)
+{
+	return current->net_xmit.sched_mirred_nest++;
+}
+
+static void tcf_mirred_nest_level_dec(void)
+{
+	current->net_xmit.sched_mirred_nest--;
+}
+#endif
 
 static bool tcf_mirred_is_act_redirect(int action)
 {
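Review bot: the PREEMPT_RT variant of tcf_mirred_nest_level_inc_return() returns `current->net_xmit.sched_mirred_nest++`, the value before the increment, while the non-RT variant uses __this_cpu_inc_return(), which returns the value after it. With the `nest_level > MIRRED_NEST_LIMIT` check in the later hunk, RT therefore allows one extra level of mirred recursion before tripping the limit. Use `++current->net_xmit.sched_mirred_nest` so both variants have the same pre-increment semantics.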
@@ -423,7 +445,7 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 	int m_eaction;
 	u32 blockid;
 
-	nest_level = __this_cpu_inc_return(mirred_nest_level);
+	nest_level = tcf_mirred_nest_level_inc_return();
 	if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
 		net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
 				     netdev_name(skb->dev));
@@ -454,7 +476,7 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 				   retval);
 
 dec_nest_level:
-	__this_cpu_dec(mirred_nest_level);
+	tcf_mirred_nest_level_dec();
 
 	return retval;
 }
-- 
2.53.0

* [PATCH 6.18 086/315] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marco Scardovi, Bartosz Golaszewski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marco Scardovi <scardracs@disroot.org>

[ Upstream commit 3e46c18d5d87f063a93ae0fe7662fbf6660459d5 ]

The bank->clk was previously obtained via of_clk_get() and manually
prepared/enabled. However, it was missing a corresponding clk_put() in
both the error paths and the remove function, leading to a reference leak.

Convert the allocation to devm_clk_get_enabled(), which also properly
propagates failures from clk_prepare_enable() that were previously ignored.

The GPIO bank device uses the same OF node as the previous of_clk_get()
call, so devm_clk_get_enabled(dev, NULL) correctly resolves the same
clock provider entry.

Fix the reference leak and simplify the code by removing the manual
clk_disable_unprepare() calls in the probe error paths and in the
remove function.

Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@disroot.org>
Link: https://patch.msgid.link/20260526171050.12785-2-scardracs@disroot.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-rockchip.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c
index 0fff4a699f12d1..f910220141f712 100644
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -656,11 +656,10 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 	if (!bank->irq)
 		return -EINVAL;
 
-	bank->clk = of_clk_get(bank->of_node, 0);
+	bank->clk = devm_clk_get_enabled(bank->dev, NULL);
 	if (IS_ERR(bank->clk))
 		return PTR_ERR(bank->clk);
 
-	clk_prepare_enable(bank->clk);
 	id = readl(bank->reg_base + gpio_regs_v2.version_id);
 
 	switch (id) {
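Review bot: the lookup changes from `of_clk_get(bank->of_node, 0)` to `devm_clk_get_enabled(bank->dev, NULL)`, which resolves index 0 through `bank->dev->of_node`. That is the same clock only if the bank device's of_node has already been set to `bank->of_node` by the time rockchip_get_bank_data() runs; the commit message asserts this but nothing in the hunk shows it, so a one-line comment next to the call (or a check that the two nodes match) would make the equivalence visible to the next reader.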
@@ -672,7 +671,6 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 		bank->db_clk = of_clk_get(bank->of_node, 1);
 		if (IS_ERR(bank->db_clk)) {
 			dev_err(bank->dev, "cannot find debounce clk\n");
-			clk_disable_unprepare(bank->clk);
 			return -EINVAL;
 		}
 		break;
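Review bot: with the clk_disable_unprepare() gone, this error path is just `dev_err(); return -EINVAL;`, which still discards the real reason of_clk_get() failed, including -EPROBE_DEFER when the debounce clock's provider is not up yet. Since the path is being touched anyway, `return PTR_ERR(bank->db_clk);` (or `dev_err_probe()`) would let the driver defer instead of failing hard.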
@@ -751,7 +749,6 @@ static int rockchip_gpio_probe(struct platform_device *pdev)
 
 	ret = rockchip_gpiolib_register(bank);
 	if (ret) {
-		clk_disable_unprepare(bank->clk);
 		mutex_unlock(&bank->deferred_lock);
 		return ret;
 	}
@@ -792,7 +789,6 @@ static void rockchip_gpio_remove(struct platform_device *pdev)
 {
 	struct rockchip_pin_bank *bank = platform_get_drvdata(pdev);
 
-	clk_disable_unprepare(bank->clk);
 	gpiochip_remove(&bank->gpio_chip);
 }
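Review bot: dropping the manual clk_disable_unprepare() changes the teardown order: devres now disables the bank clock after rockchip_gpio_remove() returns, i.e. after gpiochip_remove(), whereas the old code switched the clock off before unregistering the chip. Keeping the clock on while the chip is torn down is the safer order (register access during removal no longer hits a gated block), but it is a behaviour change and the commit message should say so.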
 
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 076/307] net/sched: act_mirred: add loop detection
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 075/307] net/sched: act_mirred: Move the recursion counter struct netdev_xmit Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 077/307] net: Introduce skb tc depth field to track packet loops Greg Kroah-Hartman
                   ` (231 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
	Toke Høiland-Jørgensen, Jamal Hadi Salim,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit fe946a751d9b52b7c45ca34899723b314b79b249 ]

Commit 0f022d32c3ec ("net/sched: Fix mirred deadlock on device recursion")
added code in the fast path, even when act_mirred is not used.

Prepare its revert by implementing loop detection in act_mirred.

Adds an array of device pointers in struct netdev_xmit.

tcf_mirred_is_act_redirect() can detect if the array
already contains the target device.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Tested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20251014171907.3554413-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: e80ad525fc7e ("net/sched: act_mirred: Fix return code in early mirred redirect error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/netdevice_xmit.h |  9 ++++-
 net/sched/act_mirred.c         | 62 +++++++++++++---------------------
 2 files changed, 31 insertions(+), 40 deletions(-)

diff --git a/include/linux/netdevice_xmit.h b/include/linux/netdevice_xmit.h
index 848735b3a7c02d..59726e6cd2cc67 100644
--- a/include/linux/netdevice_xmit.h
+++ b/include/linux/netdevice_xmit.h
@@ -2,6 +2,12 @@
 #ifndef _LINUX_NETDEVICE_XMIT_H
 #define _LINUX_NETDEVICE_XMIT_H
 
+#if IS_ENABLED(CONFIG_NET_ACT_MIRRED)
+#define MIRRED_NEST_LIMIT	4
+#endif
+
+struct net_device;
+
 struct netdev_xmit {
 	u16 recursion;
 	u8  more;
@@ -9,7 +15,8 @@ struct netdev_xmit {
 	u8  skip_txqueue;
 #endif
 #if IS_ENABLED(CONFIG_NET_ACT_MIRRED)
-	u8 sched_mirred_nest;
+	u8			sched_mirred_nest;
+	struct net_device	*sched_mirred_dev[MIRRED_NEST_LIMIT];
 #endif
 };
 
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 18d9378a9c1134..35812b6808e0a8 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -29,31 +29,6 @@
 static LIST_HEAD(mirred_list);
 static DEFINE_SPINLOCK(mirred_list_lock);
 
-#define MIRRED_NEST_LIMIT    4
-
-#ifndef CONFIG_PREEMPT_RT
-static u8 tcf_mirred_nest_level_inc_return(void)
-{
-	return __this_cpu_inc_return(softnet_data.xmit.sched_mirred_nest);
-}
-
-static void tcf_mirred_nest_level_dec(void)
-{
-	__this_cpu_dec(softnet_data.xmit.sched_mirred_nest);
-}
-
-#else
-static u8 tcf_mirred_nest_level_inc_return(void)
-{
-	return current->net_xmit.sched_mirred_nest++;
-}
-
-static void tcf_mirred_nest_level_dec(void)
-{
-	current->net_xmit.sched_mirred_nest--;
-}
-#endif
-
 static bool tcf_mirred_is_act_redirect(int action)
 {
 	return action == TCA_EGRESS_REDIR || action == TCA_INGRESS_REDIR;
@@ -439,44 +414,53 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 {
 	struct tcf_mirred *m = to_mirred(a);
 	int retval = READ_ONCE(m->tcf_action);
-	unsigned int nest_level;
+	struct netdev_xmit *xmit;
 	bool m_mac_header_xmit;
 	struct net_device *dev;
-	int m_eaction;
+	int i, m_eaction;
 	u32 blockid;
 
-	nest_level = tcf_mirred_nest_level_inc_return();
-	if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
+#ifdef CONFIG_PREEMPT_RT
+	xmit = &current->net_xmit;
+#else
+	xmit = this_cpu_ptr(&softnet_data.xmit);
+#endif
+	if (unlikely(xmit->sched_mirred_nest >= MIRRED_NEST_LIMIT)) {
 		net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
 				     netdev_name(skb->dev));
-		retval = TC_ACT_SHOT;
-		goto dec_nest_level;
+		return TC_ACT_SHOT;
 	}
 
 	tcf_lastuse_update(&m->tcf_tm);
 	tcf_action_update_bstats(&m->common, skb);
 
 	blockid = READ_ONCE(m->tcfm_blockid);
-	if (blockid) {
-		retval = tcf_blockcast(skb, m, blockid, res, retval);
-		goto dec_nest_level;
-	}
+	if (blockid)
+		return tcf_blockcast(skb, m, blockid, res, retval);
 
 	dev = rcu_dereference_bh(m->tcfm_dev);
 	if (unlikely(!dev)) {
 		pr_notice_once("tc mirred: target device is gone\n");
 		tcf_action_inc_overlimit_qstats(&m->common);
-		goto dec_nest_level;
+		return retval;
 	}
+	for (i = 0; i < xmit->sched_mirred_nest; i++) {
+		if (xmit->sched_mirred_dev[i] != dev)
+			continue;
+		pr_notice_once("tc mirred: loop on device %s\n",
+			       netdev_name(dev));
+		tcf_action_inc_overlimit_qstats(&m->common);
+		return retval;
+	}
+
+	xmit->sched_mirred_dev[xmit->sched_mirred_nest++] = dev;
 
 	m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit);
 	m_eaction = READ_ONCE(m->tcfm_eaction);
 
 	retval = tcf_mirred_to_dev(skb, m, dev, m_mac_header_xmit, m_eaction,
 				   retval);
-
-dec_nest_level:
-	tcf_mirred_nest_level_dec();
+	xmit->sched_mirred_nest--;
 
 	return retval;
 }
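Review bot: the target is recorded with `xmit->sched_mirred_dev[xmit->sched_mirred_nest++] = dev` and released right after tcf_mirred_to_dev() returns, so the array only describes the synchronous call chain. For an ingress redirect the packet is handed to the backlog (netif_rx() in tcf_mirred_forward()) and reprocessed later, by which time the entry has been popped and the per-CPU state may belong to a different packet or CPU, so a loop that passes through an ingress redirect is not caught here. Either limit the claim in the commit message to egress loops, or carry the state in the skb. Checking `>= MIRRED_NEST_LIMIT` before the push does keep the index inside the four-entry array.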
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 087/315] gpio: rockchip: teardown bugs and resource leaks
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 086/315] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 088/315] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marco Scardovi, Bartosz Golaszewski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marco Scardovi <scardracs@disroot.org>

[ Upstream commit 9500077678230e36d22bf16d2b9539c13e59a801 ]

Address several teardown issues and resource leaks in the driver's remove
path and error handling:

1. Debounce clock reference leak: The debounce clock (bank->db_clk) is
   obtained using of_clk_get() which increments the clock's reference
   count, but clk_put() is never called. Register a devm action to
   cleanly release it on unbind. Note that of_clk_get(..., 1) remains
   necessary over devm_clk_get() because the DT binding does not define
   clock-names, precluding name-based lookup.

2. Unregistered chained IRQ handler: The chained IRQ handler is not
   disconnected in remove(). If a stray interrupt fires after the driver
   is removed, the kernel attempts to execute a stale handler, leading
   to a panic. Fix this by clearing the handler in remove().

3. IRQ domain leak: The linear IRQ domain and its generic chips are
   allocated manually during probe but never removed. Remove the IRQ
   domain during driver teardown to free the associated generic chips
   and mappings.

Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@disroot.org>
Link: https://patch.msgid.link/20260526171050.12785-3-scardracs@disroot.org
[Bartosz: don't emit an error message on devres allocation failure]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-rockchip.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c
index f910220141f712..1ef0ba956cfd8c 100644
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -638,10 +638,17 @@ static int rockchip_gpiolib_register(struct rockchip_pin_bank *bank)
 	return ret;
 }
 
+static void rockchip_clk_put(void *data)
+{
+	struct clk *clk = data;
+
+	clk_put(clk);
+}
+
 static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 {
 	struct resource res;
-	int id = 0;
+	int id = 0, ret;
 
 	if (of_address_to_resource(bank->of_node, 0, &res)) {
 		dev_err(bank->dev, "cannot find IO resource for bank\n");
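Review bot: rockchip_clk_put() exists only to give clk_put() a `void (*)(void *)` signature for devm_add_action_or_reset(); that is the right call (casting clk_put directly would be an indirect call through a mismatched type and trips CFI), but a one-line comment saying so would stop the next cleanup from "simplifying" it into a cast.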
@@ -673,6 +680,11 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 			dev_err(bank->dev, "cannot find debounce clk\n");
 			return -EINVAL;
 		}
+
+		ret = devm_add_action_or_reset(bank->dev, rockchip_clk_put,
+					       bank->db_clk);
+		if (ret)
+			return ret;
 		break;
 	case GPIO_TYPE_V1:
 		bank->gpio_regs = &gpio_regs_v1;
@@ -789,6 +801,9 @@ static void rockchip_gpio_remove(struct platform_device *pdev)
 {
 	struct rockchip_pin_bank *bank = platform_get_drvdata(pdev);
 
+	irq_set_chained_handler_and_data(bank->irq, NULL, NULL);
+	if (bank->domain)
+		irq_domain_remove(bank->domain);
 	gpiochip_remove(&bank->gpio_chip);
 }
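Review bot: remove() now clears the chained handler and removes bank->domain before gpiochip_remove(), i.e. while the chip is still registered and a consumer can still hold a mapping from that domain. That is the right order only if it is the reverse of probe (domain and chained handler set up after the chip was added); the hunk does not show rockchip_gpiolib_register(), so please confirm and state that ordering in the commit message. The `if (bank->domain)` guard also deserves a word on when a registered bank has no domain.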
 
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 077/307] net: Introduce skb tc depth field to track packet loops
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 076/307] net/sched: act_mirred: add loop detection Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 078/307] net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop Greg Kroah-Hartman
                   ` (230 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stephen Hemminger, Jamal Hadi Salim,
	Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit 98b34f3e8c3492cfc89ff943c9d92b4d52863d1d ]

Add a 2-bit per-skb tc depth field to track packet loops across the stack.

The previous per-CPU loop counters like MIRRED_NEST_LIMIT
assume a single call stack and lose state in two cases:
1) When a packet is queued and reprocessed later (e.g., egress->ingress
   via backlog), the per-cpu state is gone by the time it is dequeued.
2) With XPS/RPS a packet may arrive on one CPU and be processed on
   another.

A per-skb field solves both by travelling with the packet itself.

The field fits in existing padding, using 2 bits that were previously a
hole:

pahole before(-) and after (+) diff looks like:
   __u8       slow_gro:1;           /*   132: 3  1 */
   __u8       csum_not_inet:1;      /*   132: 4  1 */
   __u8       unreadable:1;         /*   132: 5  1 */
 + __u8       tc_depth:2;           /*   132: 6  1 */

 - /* XXX 2 bits hole, try to pack */
   /* XXX 1 byte hole, try to pack */

   __u16      tc_index;             /*   134     2 */

There used to be a ttl field which was removed as part of tc_verd in commit
aec745e2c520 ("net-tc: remove unused tc_verd fields").  It was already
unused by that time, due to its removal earlier in commit c19ae86a510c ("tc: remove
unused redirect ttl").

The first user of this field is netem, which increments tc_depth on
duplicated packets before re-enqueueing them at the root qdisc.  On
re-entry, netem skips duplication for any skb with tc_depth already set,
bounding recursion to a single level regardless of tree topology.

The other user is mirred, which increments it on each pass
and limits the depth to MIRRED_DEFER_LIMIT (3).

The new field was called ttl in earlier versions of this patch
but renamed to tc_depth to avoid confusion with IP ttl.

Note (looking at you Sashiko! Don't ignore me and continue bringing this up):
1. Since both mirred and netem utilize the same 2-bit tc_depth field it is
   possible, when netem and mirred are used together, for the netem qdisc to skip
   the duplication step. This is a known trade-off, as a 2-bit field cannot
   independently track both features' recursion depths and it is not considered
   sane to have a setup with both features on at the same time.

2. skb_scrub_packet does not clear tc_depth. This means a packet's loop history
   is preserved even across namespaces. While this might be restrictive for
   some topologies, it is also design intent to provide robustness against loops
   across namespaces.

Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-2-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: e80ad525fc7e ("net/sched: act_mirred: Fix return code in early mirred redirect error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/skbuff.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 4344724a978212..107a8c3ff07fa2 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -802,6 +802,7 @@ enum skb_tstamp_type {
  *	@_sk_redir: socket redirection information for skmsg
  *	@_nfct: Associated connection, if any (with nfctinfo bits)
  *	@skb_iif: ifindex of device we arrived on
+ *	@tc_depth: counter for packet duplication
  *	@tc_index: Traffic control index
  *	@hash: the packet hash
  *	@queue_mapping: Queue mapping for multiqueue devices
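Review bot: the kernel-doc line `@tc_depth: counter for packet duplication` describes only the netem use; the commit message says mirred bumps the same field on every ingress redirect and checks it against MIRRED_DEFER_LIMIT. Suggest something like `@tc_depth: tc recursion depth (netem duplication, mirred ingress redirects), 2 bits` so the comment matches both users.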
@@ -1011,6 +1012,7 @@ struct sk_buff {
 	__u8			csum_not_inet:1;
 #endif
 	__u8			unreadable:1;
+	__u8			tc_depth:2;
 #if defined(CONFIG_NET_SCHED) || defined(CONFIG_NET_XGRESS)
 	__u16			tc_index;	/* traffic control index */
 #endif
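Review bot: `tc_depth` is added unconditionally, while the adjacent `tc_index` sits under `#if defined(CONFIG_NET_SCHED) || defined(CONFIG_NET_XGRESS)`. It costs nothing because it fills the 2-bit hole the pahole diff shows, and both named users are NET_SCHED code, so either guard it the same way or say in the commit message why it is kept unconditional.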
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 088/315] net: mana: Add NULL guards in teardown path to prevent panic on attach failure
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 087/315] gpio: rockchip: teardown bugs and resource leaks Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 089/315] net: mana: Skip redundant detach on already-detached port Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Dipayaan Roy,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dipayaan Roy <dipayanroy@linux.microsoft.com>

[ Upstream commit 17bfe0a8c014ee1d542ad352cd6a0a505361664a ]

When queue allocation fails partway through, the error cleanup frees
and NULLs apc->tx_qp and apc->rxqs. Multiple teardown paths such as
mana_remove(), mana_change_mtu() recovery, and internal error handling
in mana_alloc_queues() can subsequently call into functions that
dereference these pointers without NULL checks:

- mana_chn_setxdp() dereferences apc->rxqs[0], causing a NULL pointer
  dereference panic (CR2: 0000000000000000 at mana_chn_setxdp+0x26).
- mana_destroy_vport() iterates apc->rxqs without a NULL check.
- mana_fence_rqs() iterates apc->rxqs without a NULL check.
- mana_dealloc_queues() iterates apc->tx_qp without a NULL check.

Add NULL guards for apc->rxqs in mana_fence_rqs(),
mana_destroy_vport(), and before the mana_chn_setxdp() call. Add a
NULL guard for apc->tx_qp in mana_dealloc_queues() to skip TX queue
draining when TX queues were never allocated or already freed.

Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Link: https://patch.msgid.link/20260525081129.1230035-2-dipayanroy@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/microsoft/mana/mana_en.c | 70 +++++++++++--------
 1 file changed, 41 insertions(+), 29 deletions(-)

diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index d1eb77d540427d..6ef2a3ee44c6b0 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1720,6 +1720,9 @@ static void mana_fence_rqs(struct mana_port_context *apc)
 	struct mana_rxq *rxq;
 	int err;
 
+	if (!apc->rxqs)
+		return;
+
 	for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
 		rxq = apc->rxqs[rxq_idx];
 		err = mana_fence_rq(apc, rxq);
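Review bot: the new `if (!apc->rxqs) return;` covers the array pointer, but the loop still hands `apc->rxqs[rxq_idx]` to mana_fence_rq() without looking at the entry, while mana_destroy_vport() in the next hunk does `if (!rxq) continue;`. If a partial allocation can leave individual slots NULL (the commit message says cleanup NULLs the pointers), either mana_fence_rq() must tolerate a NULL rxq or this loop needs the same `continue`.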
@@ -2830,13 +2833,16 @@ static void mana_destroy_vport(struct mana_port_context *apc)
 	struct mana_rxq *rxq;
 	u32 rxq_idx;
 
-	for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
-		rxq = apc->rxqs[rxq_idx];
-		if (!rxq)
-			continue;
+	if (apc->rxqs) {
 
-		mana_destroy_rxq(apc, rxq, true);
-		apc->rxqs[rxq_idx] = NULL;
+		for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
+			rxq = apc->rxqs[rxq_idx];
+			if (!rxq)
+				continue;
+
+			mana_destroy_rxq(apc, rxq, true);
+			apc->rxqs[rxq_idx] = NULL;
+		}
 	}
 
 	mana_destroy_txq(apc);
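Review bot: the blank line directly after `if (apc->rxqs) {` is left over from the re-indent and should go. An early return is not an option here because mana_destroy_txq() must still run, so the extra nesting is acceptable; just drop the stray line.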
@@ -3241,7 +3247,8 @@ static int mana_dealloc_queues(struct net_device *ndev)
 	if (apc->port_is_up)
 		return -EINVAL;
 
-	mana_chn_setxdp(apc, NULL);
+	if (apc->rxqs)
+		mana_chn_setxdp(apc, NULL);
 
 	if (gd->gdma_context->is_pf && !apc->ac->bm_hostmode)
 		mana_pf_deregister_filter(apc);
@@ -3259,33 +3266,38 @@ static int mana_dealloc_queues(struct net_device *ndev)
 	 * number of queues.
 	 */
 
-	for (i = 0; i < apc->num_queues; i++) {
-		txq = &apc->tx_qp[i].txq;
-		tsleep = 1000;
-		while (atomic_read(&txq->pending_sends) > 0 &&
-		       time_before(jiffies, timeout)) {
-			usleep_range(tsleep, tsleep + 1000);
-			tsleep <<= 1;
-		}
-		if (atomic_read(&txq->pending_sends)) {
-			err = pcie_flr(to_pci_dev(gd->gdma_context->dev));
-			if (err) {
-				netdev_err(ndev, "flr failed %d with %d pkts pending in txq %u\n",
-					   err, atomic_read(&txq->pending_sends),
-					   txq->gdma_txq_id);
+	if (apc->tx_qp) {
+		for (i = 0; i < apc->num_queues; i++) {
+			txq = &apc->tx_qp[i].txq;
+			tsleep = 1000;
+			while (atomic_read(&txq->pending_sends) > 0 &&
+			       time_before(jiffies, timeout)) {
+				usleep_range(tsleep, tsleep + 1000);
+				tsleep <<= 1;
+			}
+			if (atomic_read(&txq->pending_sends)) {
+				err =
+				    pcie_flr(to_pci_dev(gd->gdma_context->dev));
+				if (err) {
+					netdev_err(ndev, "flr failed %d with %d pkts pending in txq %u\n",
+						   err,
+					    atomic_read(&txq->pending_sends),
+					    txq->gdma_txq_id);
+				}
+				break;
 			}
-			break;
 		}
-	}
 
-	for (i = 0; i < apc->num_queues; i++) {
-		txq = &apc->tx_qp[i].txq;
-		while ((skb = skb_dequeue(&txq->pending_skbs))) {
-			mana_unmap_skb(skb, apc);
-			dev_kfree_skb_any(skb);
+		for (i = 0; i < apc->num_queues; i++) {
+			txq = &apc->tx_qp[i].txq;
+			while ((skb = skb_dequeue(&txq->pending_skbs))) {
+				mana_unmap_skb(skb, apc);
+				dev_kfree_skb_any(skb);
+			}
+			atomic_set(&txq->pending_sends, 0);
 		}
-		atomic_set(&txq->pending_sends, 0);
 	}
+
 	/* We're 100% sure the queues can no longer be woken up, because
 	 * we're sure now mana_poll_tx_cq() can't be running.
 	 */
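Review bot: the extra indentation level forces `err =` and `pcie_flr(...)` onto separate lines and leaves the netdev_err() arguments at two different alignments (`err,` under the format string, the next two arguments shifted left), which checkpatch will flag. Moving the TX drain (the wait loop and the pending_skbs purge) into a helper such as mana_drain_txqs(apc) called under `if (apc->tx_qp)` keeps the original layout and turns the NULL guard into a one-liner.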
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 078/307] net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 077/307] net: Introduce skb tc depth field to track packet loops Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 079/307] net/sched: act_mirred: Fix return code in early mirred redirect error paths Greg Kroah-Hartman
                   ` (229 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Victor Nogueira, Stephen Hemminger,
	Jamal Hadi Salim, Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jamal Hadi Salim <jhs@mojatatu.com>

[ Upstream commit db875221ab08d213a83bf30196ae8b64d55a3403 ]

When mirred redirects to ingress (from either ingress or egress) the loop
state in the sched_mirred_dev array is lost because of 1) the packet
deferral into the backlog and 2) the fact that the sched_mirred_dev array is
cleared. In such cases, if there was a loop we won't discover it.

Here's a simple test to reproduce:
ip a add dev port0 10.10.10.11/24

tc qdisc add dev port0 clsact
tc filter add dev port0 egress protocol ip \
   prio 10 matchall action mirred ingress redirect dev port1

tc qdisc add dev port1 clsact
tc filter add dev port1 ingress protocol ip \
   prio 10 matchall action mirred egress redirect dev port0

ping -c 1 -W0.01 10.10.10.10

Fixes: fe946a751d9b ("net/sched: act_mirred: add loop detection")
Tested-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-6-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: e80ad525fc7e ("net/sched: act_mirred: Fix return code in early mirred redirect error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/act_mirred.c | 47 +++++++++++++++++++++++++++---------------
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 35812b6808e0a8..ae9b307ad66e0d 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -26,6 +26,10 @@
 #include <net/tc_act/tc_mirred.h>
 #include <net/tc_wrapper.h>
 
+#define MIRRED_DEFER_LIMIT 3
+_Static_assert(MIRRED_DEFER_LIMIT <= 3,
+	       "MIRRED_DEFER_LIMIT exceeds tc_depth bitfield width");
+
 static LIST_HEAD(mirred_list);
 static DEFINE_SPINLOCK(mirred_list_lock);
 
@@ -234,12 +238,15 @@ tcf_mirred_forward(bool at_ingress, bool want_ingress, struct sk_buff *skb)
 {
 	int err;
 
-	if (!want_ingress)
+	if (!want_ingress) {
 		err = tcf_dev_queue_xmit(skb, dev_queue_xmit);
-	else if (!at_ingress)
-		err = netif_rx(skb);
-	else
-		err = netif_receive_skb(skb);
+	} else {
+		skb->tc_depth++;
+		if (!at_ingress)
+			err = netif_rx(skb);
+		else
+			err = netif_receive_skb(skb);
+	}
 
 	return err;
 }
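Review bot: `skb->tc_depth++` on a 2-bit field is only safe because tcf_mirred_act() has already rejected the packet at `skb->tc_depth >= MIRRED_DEFER_LIMIT`; tcf_mirred_forward() itself has no check, so a future caller without one would wrap the counter back to 0 and reopen the loop. Either move the check into this function (it already knows `want_ingress`) or add a comment stating the precondition.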
@@ -417,6 +424,7 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 	struct netdev_xmit *xmit;
 	bool m_mac_header_xmit;
 	struct net_device *dev;
+	bool want_ingress;
 	int i, m_eaction;
 	u32 blockid;
 
@@ -425,7 +433,8 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 #else
 	xmit = this_cpu_ptr(&softnet_data.xmit);
 #endif
-	if (unlikely(xmit->sched_mirred_nest >= MIRRED_NEST_LIMIT)) {
+	if (unlikely(xmit->sched_mirred_nest >= MIRRED_NEST_LIMIT ||
+		     skb->tc_depth >= MIRRED_DEFER_LIMIT)) {
 		net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
 				     netdev_name(skb->dev));
 		return TC_ACT_SHOT;
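Review bot: both exhaustion conditions now print the same "Packet exceeded mirred recursion limit" message, so from dmesg an operator cannot tell a synchronous nesting overflow (sched_mirred_nest) from the deferred-depth overflow (tc_depth) that the repro in the commit message triggers. Including the two counters in the message, or using two messages, would make the loop diagnosable.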
@@ -444,23 +453,27 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 		tcf_action_inc_overlimit_qstats(&m->common);
 		return retval;
 	}
-	for (i = 0; i < xmit->sched_mirred_nest; i++) {
-		if (xmit->sched_mirred_dev[i] != dev)
-			continue;
-		pr_notice_once("tc mirred: loop on device %s\n",
-			       netdev_name(dev));
-		tcf_action_inc_overlimit_qstats(&m->common);
-		return retval;
-	}
 
-	xmit->sched_mirred_dev[xmit->sched_mirred_nest++] = dev;
+	m_eaction = READ_ONCE(m->tcfm_eaction);
+	want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+	if (!want_ingress) {
+		for (i = 0; i < xmit->sched_mirred_nest; i++) {
+			if (xmit->sched_mirred_dev[i] != dev)
+				continue;
+			pr_notice_once("tc mirred: loop on device %s\n",
+				       netdev_name(dev));
+			tcf_action_inc_overlimit_qstats(&m->common);
+			return retval;
+		}
+		xmit->sched_mirred_dev[xmit->sched_mirred_nest++] = dev;
+	}
 
 	m_mac_header_xmit = READ_ONCE(m->tcfm_mac_header_xmit);
-	m_eaction = READ_ONCE(m->tcfm_eaction);
 
 	retval = tcf_mirred_to_dev(skb, m, dev, m_mac_header_xmit, m_eaction,
 				   retval);
-	xmit->sched_mirred_nest--;
+	if (!want_ingress)
+		xmit->sched_mirred_nest--;
 
 	return retval;
 }
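Review bot: for `want_ingress` the device-stack check and push are skipped entirely, so an ingress redirect back to a device already on the stack is no longer reported as "tc mirred: loop on device" and is cut off only after MIRRED_DEFER_LIMIT trips through the backlog, i.e. after three extra deliveries. That is consistent with the state loss described in the commit message, but it is a behaviour change from the previous patch that the message should mention. The `if (!want_ingress) xmit->sched_mirred_nest--;` correctly pairs with the push above; a short comment tying the two together would help, since they are some lines apart.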
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread
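The three mirred patches above (loop detection, the skb tc_depth field, and the ingress-redirect fix) describe two guards that behave differently: a per-CPU device stack that exists only for the duration of a synchronous call chain, and a 2-bit depth counter that travels with the skb. What follows is an added example, not kernel code and not from the patch authors: a user-space C model of tcf_mirred_act() after the three patches, with the commit message's port0/port1 repro encoded as scenario_ingress_loop() and a chain or ring of egress redirects as scenario_egress(). MIRRED_NEST_LIMIT and MIRRED_DEFER_LIMIT keep the kernel's values; struct sim, the backlog FIFO standing in for netif_rx(), MAX_DEQUEUES, run_packet() and the scenario_*() functions are this example's own. It goes one step beyond the page by letting the tc_depth guard be switched off, to show why the device stack alone does not catch the deferred loop.

```c
/*
 * Added example, not kernel code: a user-space model of the mirred loop guards
 * in the three patches above. MIRRED_NEST_LIMIT, MIRRED_DEFER_LIMIT, the 2-bit
 * tc_depth and the per-CPU device stack follow the patches; devices, filters,
 * the backlog FIFO (standing in for netif_rx()) and scenario_*() are constructed.
 */
#include <stdbool.h>

#define MIRRED_NEST_LIMIT  4	/* entries in sched_mirred_dev[] (netdevice_xmit.h) */
#define MIRRED_DEFER_LIMIT 3	/* bound on skb->tc_depth (act_mirred.c) */
#define MAX_DEQUEUES       32	/* model-only cap so an undetected loop still ends */

enum eaction { EGRESS_REDIR, INGRESS_REDIR };
struct rule { struct dev *target; enum eaction eaction; };	/* target NULL: no filter */
struct dev { struct rule ingress, egress; };
struct skb { struct dev *dev; bool at_ingress; unsigned tc_depth : 2; };
struct result { int hops, shot, loop, delivered; bool unbounded; };

struct sim {
	unsigned nest;				/* netdev_xmit.sched_mirred_nest */
	struct dev *devs[MIRRED_NEST_LIMIT];	/* netdev_xmit.sched_mirred_dev[] */
	struct skb backlog[2 * MAX_DEQUEUES + 2];	/* packets netif_rx() queued */
	int head, tail;
	bool use_tc_depth;	/* false: state after "add loop detection" alone */
	struct result res;
};

static void run_hook(struct sim *s, struct skb *skb);

/* tcf_mirred_act() plus tcf_mirred_forward(), as they look after the patches. */
static void mirred_act(struct sim *s, struct skb *skb, const struct rule *r)
{
	bool want_ingress = r->eaction == INGRESS_REDIR;
	struct dev *dev = r->target;

	if (s->nest >= MIRRED_NEST_LIMIT ||
	    (s->use_tc_depth && skb->tc_depth >= MIRRED_DEFER_LIMIT)) {
		s->res.shot++;				/* TC_ACT_SHOT */
		return;
	}
	if (!want_ingress) {				/* the stack only covers egress */
		for (unsigned i = 0; i < s->nest; i++)
			if (s->devs[i] == dev) {
				s->res.loop++;		/* "tc mirred: loop on device" */
				return;
			}
		s->devs[s->nest++] = dev;
	}
	s->res.hops++;
	skb->dev = dev;
	skb->at_ingress = want_ingress;
	if (want_ingress) {		/* netif_rx(): processed later, stack entry gone */
		if (s->use_tc_depth)
			skb->tc_depth++;	/* ...but tc_depth travels with the skb */
		s->backlog[s->tail++] = *skb;
	} else {			/* dev_queue_xmit(): target's egress tc runs now */
		run_hook(s, skb);
		s->nest--;
	}
}

static void run_hook(struct sim *s, struct skb *skb)
{
	const struct rule *r = skb->at_ingress ? &skb->dev->ingress : &skb->dev->egress;
	if (r->target)
		mirred_act(s, skb, r);
	else
		s->res.delivered++;
}

/* Inject one packet at dev's egress, then drain the backlog. */
static struct result run_packet(struct dev *dev, bool use_tc_depth)
{
	struct sim s = { .use_tc_depth = use_tc_depth };
	struct skb skb = { .dev = dev };
	run_hook(&s, &skb);
	for (int n = 0; s.head < s.tail && n < MAX_DEQUEUES; n++)
		run_hook(&s, &s.backlog[s.head++]);
	s.res.unbounded = s.head < s.tail;	/* still bouncing when the cap hit */
	return s.res;
}

/* The port0/port1 repro from the "ethx:ingress -> ethy:egress" commit message. */
static struct result scenario_ingress_loop(bool use_tc_depth)
{
	struct dev port0 = { 0 }, port1 = { 0 };
	port0.egress  = (struct rule){ &port1, INGRESS_REDIR };
	port1.ingress = (struct rule){ &port0, EGRESS_REDIR };
	return run_packet(&port0, use_tc_depth);
}

/* n devices each egress-redirecting to the next; ring: the last one back to d[0]. */
static struct result scenario_egress(int n, bool ring)
{
	struct dev d[8] = { 0 };
	for (int i = 0; i < n - 1 && i < 7; i++)
		d[i].egress = (struct rule){ &d[i + 1], EGRESS_REDIR };
	if (ring)
		d[n - 1].egress = (struct rule){ &d[0], EGRESS_REDIR };
	return run_packet(&d[0], true);
}
```

scenario_ingress_loop(false) comes back with `unbounded` set, the packet still alternating between port1's ingress and port0's egress when the cap is hit, because the device-stack entry is popped before the backlog ever runs the packet again; scenario_ingress_loop(true) drops it after five hops with one TC_ACT_SHOT. scenario_egress(2, true) is caught by the device stack on the second hop, scenario_egress(5, false) delivers after four hops, and scenario_egress(6, false) hits MIRRED_NEST_LIMIT. To run it on its own, add a main() that calls these functions and prints the returned counters.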

* [PATCH 6.18 089/315] net: mana: Skip redundant detach on already-detached port
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.18 088/315] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.18 090/315] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Dipayaan Roy,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dipayaan Roy <dipayanroy@linux.microsoft.com>

[ Upstream commit 5b05aa36ee24297d7296ca58dfd8c448d0e4cda3 ]

When mana_per_port_queue_reset_work_handler() runs after a previous
detach succeeded but attach failed, the port is left in a detached
state with apc->tx_qp and apc->rxqs already freed. Calling
mana_detach() again unconditionally leads to NULL pointer dereferences
during queue teardown.

Add an early exit in mana_detach() when the port is already in
detached state (!netif_device_present) for non-close callers, making
it safe to call idempotently. This allows the queue reset handler and
other recovery paths to simply retry mana_attach() without redundant
teardown.

Fixes: 3b194343c250 ("net: mana: Implement ndo_tx_timeout and serialize queue resets per port.")
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Link: https://patch.msgid.link/20260525081129.1230035-3-dipayanroy@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/microsoft/mana/mana_en.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 6ef2a3ee44c6b0..1f723c0ea12837 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -3322,6 +3322,12 @@ int mana_detach(struct net_device *ndev, bool from_close)
 
 	ASSERT_RTNL();
 
+	/* If already detached (indicates detach succeeded but attach failed
+	 * previously). Now skip mana detach and just retry mana_attach.
+	 */
+	if (!from_close && !netif_device_present(ndev))
+		return 0;
+
 	apc->port_st_save = apc->port_is_up;
 	apc->port_is_up = false;
 
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 079/307] net/sched: act_mirred: Fix return code in early mirred redirect error paths
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2026-06-07  9:57 ` [PATCH 6.12 078/307] net/sched: Fix ethx:ingress -> ethy:egress -> ethx:ingress mirred loop Greg Kroah-Hartman
@ 2026-06-07  9:57 ` Greg Kroah-Hartman
  2026-06-07  9:57 ` [PATCH 6.12 080/307] net/handshake: Use spin_lock_bh for hn_lock Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sashiko, Victor Nogueira,
	Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Victor Nogueira <victor@mojatatu.com>

[ Upstream commit e80ad525fc7e8c933ad78478c5dda286cfd55c60 ]

Since retval is set to TC_ACT_STOLEN in the mirred redirect case, returning
retval in cases where the redirect failed will make the callers not register
the skb as being dropped.

Fix this by returning TC_ACT_SHOT instead in such scenarios.

Fixes: 16085e48cb48 ("net/sched: act_mirred: Create function tcf_mirred_to_dev and improve readability")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260413082027.2244884-1-hxzene%40gmail.com
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-8-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/act_mirred.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index ae9b307ad66e0d..41b731176dfe77 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -363,7 +363,8 @@ static int tcf_blockcast_redir(struct sk_buff *skb, struct tcf_mirred *m,
 					 dev_is_mac_header_xmit(dev_prev),
 					 m_eaction, retval);
 
-	return retval;
+	/* If the packet wasn't redirected, we have to register as a drop */
+	return TC_ACT_SHOT;
 }
 
 static int tcf_blockcast_mirror(struct sk_buff *skb, struct tcf_mirred *m,
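Review bot: the fall-through now reports a drop unconditionally, which is only right if every successful redirect inside the loop above returns before this line is reached; the new comment should say so ("the loop returns on success; reaching here means no port took the skb"), since a reader of this hunk alone sees retval still being passed down to the per-device helper (`m_eaction, retval);`) and may assume it is meant to be the function's result.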
@@ -403,7 +404,7 @@ static int tcf_blockcast(struct sk_buff *skb, struct tcf_mirred *m,
 	block = tcf_block_lookup(dev_net(skb->dev), blockid);
 	if (!block || xa_empty(&block->ports)) {
 		tcf_action_inc_overlimit_qstats(&m->common);
-		return retval;
+		return is_redirect ? TC_ACT_SHOT : retval;
 	}
 
 	if (is_redirect)
@@ -421,8 +422,8 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 {
 	struct tcf_mirred *m = to_mirred(a);
 	int retval = READ_ONCE(m->tcf_action);
+	bool m_mac_header_xmit, is_redirect;
 	struct netdev_xmit *xmit;
-	bool m_mac_header_xmit;
 	struct net_device *dev;
 	bool want_ingress;
 	int i, m_eaction;
@@ -447,11 +448,13 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 	if (blockid)
 		return tcf_blockcast(skb, m, blockid, res, retval);
 
+	is_redirect = tcf_mirred_is_act_redirect(m_eaction);
+
 	dev = rcu_dereference_bh(m->tcfm_dev);
 	if (unlikely(!dev)) {
 		pr_notice_once("tc mirred: target device is gone\n");
 		tcf_action_inc_overlimit_qstats(&m->common);
-		return retval;
+		goto err_out;
 	}
 
 	m_eaction = READ_ONCE(m->tcfm_eaction);
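Review bot: is_redirect is computed from m_eaction immediately after the blockid check, but the only assignment to m_eaction visible in this diff, `m_eaction = READ_ONCE(m->tcfm_eaction);`, comes later in this same hunk, after the device lookup. Unless m_eaction is already read earlier in the function, is_redirect is evaluated from an uninitialized local and the device-gone `goto err_out` then chooses between TC_ACT_SHOT and retval on garbage. Please either confirm the earlier read or move the READ_ONCE of tcfm_eaction up next to the is_redirect assignment (it has to stay above the first goto err_out, so the assignment cannot simply be moved down).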
@@ -463,7 +466,7 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 			pr_notice_once("tc mirred: loop on device %s\n",
 				       netdev_name(dev));
 			tcf_action_inc_overlimit_qstats(&m->common);
-			return retval;
+			goto err_out;
 		}
 		xmit->sched_mirred_dev[xmit->sched_mirred_nest++] = dev;
 	}
@@ -476,6 +479,11 @@ TC_INDIRECT_SCOPE int tcf_mirred_act(struct sk_buff *skb,
 		xmit->sched_mirred_nest--;
 
 	return retval;
+
+err_out:
+	if (is_redirect)
+		retval = TC_ACT_SHOT;
+	return retval;
 }
 
 static void tcf_stats_update(struct tc_action *a, u64 bytes, u64 packets,
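Review bot: the err_out label sits below `xmit->sched_mirred_nest--;`, so both goto sites must be ones that never pushed a nest entry; that holds for the device-gone and loop-detected paths because the push (`xmit->sched_mirred_dev[xmit->sched_mirred_nest++] = dev;`) comes after the loop check, but nothing at the label says so. A one-line comment at err_out ("no nest entry was pushed on these paths") would keep a future error path from jumping here after the push and leaking a nest slot.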
-- 
2.53.0

* [PATCH 6.18 090/315] sctp: fix race between sctp_wait_for_connect and peeloff
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Xin Long,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

[ Upstream commit f14fe6395a8b3d961a61e138ad7b36ba3626dd4e ]

sctp_wait_for_connect() drops and re-acquires the socket lock while
waiting for the association to reach ESTABLISHED state. During this
window, another thread can peeloff the association to a new socket via
getsockopt(SCTP_SOCKOPT_PEELOFF), changing asoc->base.sk. After
re-acquiring the old socket lock, sctp_wait_for_connect() returns
success without noticing the migration — the caller then accesses
the association under the wrong lock in sctp_datamsg_from_user().

Add the same sk != asoc->base.sk check that sctp_wait_for_sndbuf()
already has, returning an error if the association was migrated while
we slept.

Fixes: 668c9beb9020 ("sctp: implement assign_number for sctp_stream_interleave")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260527032411.60959-1-kipreyyy@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 2c5ad53984906c..c763eb3296b3ee 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9350,6 +9350,8 @@ static int sctp_wait_for_connect(struct sctp_association *asoc, long *timeo_p)
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
 		lock_sock(sk);
+		if (sk != asoc->base.sk)
+			goto do_error;
 
 		*timeo_p = current_timeo;
 	}
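Review bot: the new check reads asoc->base.sk while holding only the old socket's lock, which matches the existing sctp_wait_for_sndbuf() pattern, but the bare `goto do_error` deserves a one-line comment ("association was peeled off to another socket while we slept"). It would also help to state in the message which errno do_error maps this to, because the caller's send will now fail for an association that did reach ESTABLISHED on the peeled-off socket, and userspace should be able to tell that case from a real connect failure.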
-- 
2.53.0

* [PATCH 6.12 080/307] net/handshake: Use spin_lock_bh for hn_lock
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chuck Lever, Hannes Reinecke,
	Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit cc993e0927ec8bd98ea33377ada03295fcda0f24 ]

nvmet_tcp_state_change(), a socket callback that runs in BH context,
can reach handshake_req_cancel() via nvmet_tcp_schedule_release_queue()
and tls_handshake_cancel().  handshake_req_cancel() acquires
hn->hn_lock with plain spin_lock().  If a process-context thread on
the same CPU holds hn->hn_lock when a softirq invokes the cancel path,
the lock attempt deadlocks.  This is the only caller that invokes
tls_handshake_cancel() from BH context; every other consumer calls it
from process context.

Deferring the cancel to process context in the NVMe target is not
straightforward: nvmet_tcp_schedule_release_queue() must call
tls_handshake_cancel() atomically with its state transition to
DISCONNECTING.  If the cancel were deferred, the handshake completion
callback could fire in the window before the cancel runs, observe the
unexpected state, and return without dropping its kref on the queue.
Reworking that interlock is considerably more invasive than hardening
the handshake lock.  Convert all hn->hn_lock acquisitions from
spin_lock/spin_unlock to spin_lock_bh/spin_unlock_bh so the lock is
never taken with softirqs enabled.

Fixes: 675b453e0241 ("nvmet-tcp: enable TLS handshake upcall")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-1-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/handshake/netlink.c |  4 ++--
 net/handshake/request.c | 14 +++++++-------
 net/handshake/tlshd.c   |  2 ++
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
index 7e46d130dce2cd..394e270cc505cb 100644
--- a/net/handshake/netlink.c
+++ b/net/handshake/netlink.c
@@ -203,10 +203,10 @@ static void __net_exit handshake_net_exit(struct net *net)
 	 * accepted and are in progress will be destroyed when
 	 * the socket is closed.
 	 */
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	set_bit(HANDSHAKE_F_NET_DRAINING, &hn->hn_flags);
 	list_splice_init(&requests, &hn->hn_requests);
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	while (!list_empty(&requests)) {
 		req = list_first_entry(&requests, struct handshake_req, hr_list);
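Review bot: not introduced by this patch, but visible in the context here: `list_splice_init(&requests, &hn->hn_requests);` splices the local `requests` list into hn->hn_requests, not the other way round, so the `while (!list_empty(&requests))` loop below never sees the pending requests and the drain this comment describes is a no-op. The arguments should be `list_splice_init(&hn->hn_requests, &requests)`. Since 083/307 on this page carries a Stable-dep-of for "net/handshake: Drain pending requests at net namespace exit", please check that the drain fix is also queued for this branch and ordered after this lock conversion so the two do not conflict.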
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 5df102534a596f..75562f6629e050 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -168,12 +168,12 @@ static bool remove_pending(struct handshake_net *hn, struct handshake_req *req)
 {
 	bool ret = false;
 
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	if (!list_empty(&req->hr_list)) {
 		__remove_pending_locked(hn, req);
 		ret = true;
 	}
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	return ret;
 }
@@ -183,7 +183,7 @@ struct handshake_req *handshake_req_next(struct handshake_net *hn, int class)
 	struct handshake_req *req, *pos;
 
 	req = NULL;
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	list_for_each_entry(pos, &hn->hn_requests, hr_list) {
 		if (pos->hr_proto->hp_handler_class != class)
 			continue;
@@ -191,7 +191,7 @@ struct handshake_req *handshake_req_next(struct handshake_net *hn, int class)
 		req = pos;
 		break;
 	}
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	return req;
 }
@@ -250,7 +250,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 	if (READ_ONCE(hn->hn_pending) >= hn->hn_pending_max)
 		goto out_err;
 
-	spin_lock(&hn->hn_lock);
+	spin_lock_bh(&hn->hn_lock);
 	ret = -EOPNOTSUPP;
 	if (test_bit(HANDSHAKE_F_NET_DRAINING, &hn->hn_flags))
 		goto out_unlock;
@@ -259,7 +259,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 		goto out_unlock;
 	if (!__add_pending_locked(hn, req))
 		goto out_unlock;
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 
 	ret = handshake_genl_notify(net, req->hr_proto, flags);
 	if (ret) {
@@ -275,7 +275,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 	return 0;
 
 out_unlock:
-	spin_unlock(&hn->hn_lock);
+	spin_unlock_bh(&hn->hn_lock);
 out_err:
 	/* Restore original destructor so socket teardown still runs on failure */
 	req->hr_sk->sk_destruct = req->hr_odestruct;
diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c
index 822507b87447c0..fd71ef2d18ceb2 100644
--- a/net/handshake/tlshd.c
+++ b/net/handshake/tlshd.c
@@ -419,6 +419,8 @@ EXPORT_SYMBOL(tls_server_hello_psk);
  * Request cancellation races with request completion. To determine
  * who won, callers examine the return value from this function.
  *
+ * Context: May be called from process or softirq context.
+ *
  * Return values:
  *   %true - Uncompleted handshake request was canceled
  *   %false - Handshake request already completed or not found
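Review bot: the new Context: line is correct for tls_handshake_cancel(), but the lock that actually had to become BH-safe is taken in handshake_req_cancel() (not in this diff), which the message names as the path reached from nvmet_tcp_state_change(); giving that function the same "Context: May be called from process or softirq context." note keeps the two in sync, otherwise the next reader of request.c has no hint why hn_lock uses the _bh variants.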
-- 
2.53.0

* [PATCH 6.18 091/315] vsock/virtio: bind uarg before filling zerocopy skb
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lin Ma, Rongzhen Cui, Jingguo Tan,
	Arseniy Krasnov, Michael S. Tsirkin, Stefano Garzarella,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jingguo Tan <tanjingguo@huawei.com>

[ Upstream commit 1e584c304cfb94a759417130b1fc6d30b30c4cce ]

virtio_transport_send_pkt_info() allocates or reuses the zerocopy uarg
before entering the send loop, but virtio_transport_alloc_skb() still
fills the skb before it inherits that uarg. When fixed-buffer vectored
zerocopy hits MAX_SKB_FRAGS, io_sg_from_iter() may partially attach
managed frags and return -EMSGSIZE. The rollback path call kfree_skb()
to free an skb that carries SKBFL_MANAGED_FRAG_REFS but no uarg, so
skb_release_data() falls through to ordinary frag unref.

Pass the uarg into virtio_transport_alloc_skb() and bind it immediately
before virtio_transport_fill_skb(). This keeps control or no-payload skbs
untouched while ensuring success and rollback share one lifetime rule.

Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Rongzhen Cui <cuirongzhen@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Acked-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260527023301.1075581-1-malin89@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/virtio_transport_common.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index 1e07d3b1a0e800..c925b5c5b35a57 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -207,6 +207,7 @@ static u16 virtio_transport_get_type(struct sock *sk)
 static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *info,
 						  size_t payload_len,
 						  bool zcopy,
+						  struct ubuf_info *uarg,
 						  u32 src_cid,
 						  u32 src_port,
 						  u32 dst_cid,
@@ -247,6 +248,12 @@ static struct sk_buff *virtio_transport_alloc_skb(struct virtio_vsock_pkt_info *
 	if (info->msg && payload_len > 0) {
 		int err;
 
+		/* Bind the zerocopy lifetime before filling frags so error
+		 * rollback frees managed fixed-buffer pages through
+		 * the uarg-aware path.
+		 */
+		skb_zcopy_set(skb, uarg, NULL);
+
 		err = virtio_transport_fill_skb(skb, info, payload_len, zcopy);
 		if (err)
 			goto out;
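Review bot: this relies on skb_zcopy_set() being a no-op for a NULL uarg, which is what keeps the control and no-payload callers (including the NULL passed from virtio_transport_reset_no_sock() below) unchanged; the comment should say so explicitly ("uarg is NULL unless zerocopy is in use, so this is a no-op otherwise") rather than only describing the zerocopy case. Also, because the uarg reference is now taken before virtio_transport_fill_skb(), please confirm that the `goto out` path releases it solely through the skb free and does not also drop it explicitly at the out: label, which is not visible in this hunk.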
@@ -366,6 +373,7 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
 		skb_len = min(max_skb_len, rest_len);
 
 		skb = virtio_transport_alloc_skb(info, skb_len, can_zcopy,
+						 uarg,
 						 src_cid, src_port,
 						 dst_cid, dst_port);
 		if (!skb) {
@@ -373,8 +381,6 @@ static int virtio_transport_send_pkt_info(struct vsock_sock *vsk,
 			break;
 		}
 
-		skb_zcopy_set(skb, uarg, NULL);
-
 		virtio_transport_inc_tx_pkt(vvs, skb);
 
 		ret = t_ops->send_pkt(skb);
@@ -1161,7 +1167,7 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t,
 	if (!t)
 		return -ENOTCONN;
 
-	reply = virtio_transport_alloc_skb(&info, 0, false,
+	reply = virtio_transport_alloc_skb(&info, 0, false, NULL,
 					   le64_to_cpu(hdr->dst_cid),
 					   le32_to_cpu(hdr->dst_port),
 					   le64_to_cpu(hdr->src_cid),
-- 
2.53.0

* [PATCH 6.12 081/307] nvme-tcp: store negative errno in queue->tls_err
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chuck Lever, Hannes Reinecke,
	Alistair Francis, Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 9015985b5eb1a90eb86caf5bce1dfcf1aa38f8ad ]

nvme_tcp_tls_done() assigns queue->tls_err in three branches.  The
ENOKEY lookup failure and the EOPNOTSUPP initializer both store
negative errnos.  The third branch, reached when the handshake
layer reports a non-zero status, stores -status.

The handshake layer delivers status to the consumer callback as a
negative errno; the other in-tree consumers --
xs_tls_handshake_done() and the nvmet target callback -- treat
their status argument that way.  The extra negation in
nvme_tcp_tls_done() flips the sign, leaving tls_err as a positive
value (for instance, +EIO), which nvme_tcp_start_tls() then
returns to its caller.

Drop the extra negation so queue->tls_err uniformly carries a
negative errno on failure.

Fixes: be8e82caa685 ("nvme-tcp: enable TLS handshake upcall")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-2-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/tcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
index 77df3432dfb78e..31406438e3ff2d 100644
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -1719,7 +1719,7 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid)
 		qid, pskid, status);
 
 	if (status) {
-		queue->tls_err = -status;
+		queue->tls_err = status;
 		goto out_complete;
 	}
 
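Review bot: the hunk only shows the assignment; any reader of queue->tls_err that previously compensated for the positive sign (comparing against EIO or ENOKEY rather than their negatives, or returning -queue->tls_err) needs the same flip, and the message would be stronger if it listed those readers, nvme_tcp_start_tls() at least, and stated that they already expect a negative errno.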
-- 
2.53.0

* [PATCH 6.18 092/315] ipv6: fix possible infinite loop in rt6_fill_node()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit 9f72412bcf60144f252b0d6205106abf14344abc ]

Sashiko reported this issue [1]. Apply the same fix as
commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&rt->fib6_siblings)
without waiting for RCU readers; rt->fib6_siblings.next then still
points into the old ring and this softirq-side walker never reaches
&rt->fib6_siblings, causing a CPU stall. fib6_del_route() always
WRITE_ONCE()s rt->fib6_nsiblings to 0 before list_del_rcu(), so an
inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/route.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 446f4de7d6a227..cf9546047b5749 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5892,6 +5892,8 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
 
 				goto nla_put_failure;
 			}
+			if (!READ_ONCE(rt->fib6_nsiblings))
+				break;
 		}
 
 		rcu_read_unlock();
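Review bot: placing the fib6_nsiblings check at the bottom of the loop body means the current sibling is still formatted into the message before detach is detected; that is safe under RCU and stops the walk before the stale ->next is followed, but the companion change to fib6_select_path() in 093/315 puts the same check as the first statement of its body. Aligning the two (check first, then process) would make the pattern easier to recognise and grep for in later audits of this file.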
-- 
2.53.0

* [PATCH 6.12 082/307] net/handshake: Pass negative errno through handshake_complete()
From: Greg Kroah-Hartman @ 2026-06-07  9:57 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chuck Lever, Hannes Reinecke,
	Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 6b22d433aa13f68e3cd9534ca9a5f4277bfa01c2 ]

handshake_complete() declares status as unsigned int and
tls_handshake_done() negates that value (-status) before handing
it to the TLS consumer. Consumers match on negative errno
constants -- xs_tls_handshake_done() has

	switch (status) {
	case 0:
	case -EACCES:
	case -ETIMEDOUT:
		lower_transport->xprt_err = status;
		break;
	default:
		lower_transport->xprt_err = -EACCES;
	}

so the API as designed expects callers to pass positive errno
values that the tlshd shim then negates.

Three internal callers in handshake_nl_accept_doit(), the
net-exit drain, and a kunit test follow kernel convention and
pass negative errnos -- -EIO, -ETIMEDOUT, -ETIMEDOUT. The
implicit conversion to unsigned int turns -ETIMEDOUT into
0xFFFFFF92; the subsequent -status in tls_handshake_done()
wraps back to 110, the consumer's switch falls through, and
the xprt reports -EACCES on what should be -ETIMEDOUT or -EIO.

Fix the API rather than the call sites. The natural kernel
convention is negative errno in, negative errno out. Change
handshake_complete() and hp_done to take int status, drop the
negation in tls_handshake_done(), and negate once in
handshake_nl_done_doit() where status arrives from the wire
as an unsigned netlink attribute. The three internal callers
were already correct under that convention and need no change.

At the same wire boundary, declare MAX_ERRNO as the netlink
policy upper bound for HANDSHAKE_A_DONE_STATUS. Attribute
validation rejects out-of-range values before
handshake_nl_done_doit() runs, and negating a bounded u32 there
stays within int range -- closing the UBSAN-visible signed-
integer overflow that an unconstrained u32 would invoke.

Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-3-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/netlink/specs/handshake.yaml | 8 ++++++++
 net/handshake/genl.c                       | 3 ++-
 net/handshake/genl.h                       | 1 +
 net/handshake/handshake-test.c             | 2 +-
 net/handshake/handshake.h                  | 4 ++--
 net/handshake/netlink.c                    | 2 +-
 net/handshake/request.c                    | 2 +-
 net/handshake/tlshd.c                      | 4 ++--
 8 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/Documentation/netlink/specs/handshake.yaml b/Documentation/netlink/specs/handshake.yaml
index b934cc513e3d6f..090fc11da4604a 100644
--- a/Documentation/netlink/specs/handshake.yaml
+++ b/Documentation/netlink/specs/handshake.yaml
@@ -12,6 +12,12 @@ protocol: genetlink
 doc: Netlink protocol to request a transport layer security handshake.
 
 definitions:
+  -
+    type: const
+    name: max-errno
+    value: 4095
+    header: linux/err.h
+    scope: kernel
   -
     type: enum
     name: handler-class
@@ -77,6 +83,8 @@ attribute-sets:
       -
         name: status
         type: u32
+        checks:
+          max: max-errno
       -
         name: sockfd
         type: s32
diff --git a/net/handshake/genl.c b/net/handshake/genl.c
index f55d14d7b7269d..a5fa8b27f22423 100644
--- a/net/handshake/genl.c
+++ b/net/handshake/genl.c
@@ -9,6 +9,7 @@
 #include "genl.h"
 
 #include <uapi/linux/handshake.h>
+#include <linux/err.h>
 
 /* HANDSHAKE_CMD_ACCEPT - do */
 static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HANDLER_CLASS + 1] = {
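Review bot: genl.c and genl.h are generated from Documentation/netlink/specs/handshake.yaml, and the `header: linux/err.h` entry added to the spec above is what should produce this `#include <linux/err.h>`; please state in the message that these two files were regenerated with the YNL tooling rather than hand-edited, so the next regeneration does not silently drop or reorder the include.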
@@ -17,7 +18,7 @@ static const struct nla_policy handshake_accept_nl_policy[HANDSHAKE_A_ACCEPT_HAN
 
 /* HANDSHAKE_CMD_DONE - do */
 static const struct nla_policy handshake_done_nl_policy[HANDSHAKE_A_DONE_REMOTE_AUTH + 1] = {
-	[HANDSHAKE_A_DONE_STATUS] = { .type = NLA_U32, },
+	[HANDSHAKE_A_DONE_STATUS] = NLA_POLICY_MAX(NLA_U32, MAX_ERRNO),
 	[HANDSHAKE_A_DONE_SOCKFD] = { .type = NLA_S32, },
 	[HANDSHAKE_A_DONE_REMOTE_AUTH] = { .type = NLA_U32, },
 };
diff --git a/net/handshake/genl.h b/net/handshake/genl.h
index ae72a596f6cc3e..684e5fd684481b 100644
--- a/net/handshake/genl.h
+++ b/net/handshake/genl.h
@@ -10,6 +10,7 @@
 #include <net/genetlink.h>
 
 #include <uapi/linux/handshake.h>
+#include <linux/err.h>
 
 int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info);
 int handshake_nl_done_doit(struct sk_buff *skb, struct genl_info *info);
diff --git a/net/handshake/handshake-test.c b/net/handshake/handshake-test.c
index 34fd1d9b2db861..a331b308aaa240 100644
--- a/net/handshake/handshake-test.c
+++ b/net/handshake/handshake-test.c
@@ -25,7 +25,7 @@ static int test_accept_func(struct handshake_req *req, struct genl_info *info,
 	return 0;
 }
 
-static void test_done_func(struct handshake_req *req, unsigned int status,
+static void test_done_func(struct handshake_req *req, int status,
 			   struct genl_info *info)
 {
 }
diff --git a/net/handshake/handshake.h b/net/handshake/handshake.h
index a48163765a7a1d..2289b0e274f40a 100644
--- a/net/handshake/handshake.h
+++ b/net/handshake/handshake.h
@@ -57,7 +57,7 @@ struct handshake_proto {
 	int			(*hp_accept)(struct handshake_req *req,
 					     struct genl_info *info, int fd);
 	void			(*hp_done)(struct handshake_req *req,
-					   unsigned int status,
+					   int status,
 					   struct genl_info *info);
 	void			(*hp_destroy)(struct handshake_req *req);
 };
@@ -86,7 +86,7 @@ struct handshake_req *handshake_req_hash_lookup(struct sock *sk);
 struct handshake_req *handshake_req_next(struct handshake_net *hn, int class);
 int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 			 gfp_t flags);
-void handshake_complete(struct handshake_req *req, unsigned int status,
+void handshake_complete(struct handshake_req *req, int status,
 			struct genl_info *info);
 bool handshake_req_cancel(struct sock *sk);
 
diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
index 394e270cc505cb..d8211e0ba75c69 100644
--- a/net/handshake/netlink.c
+++ b/net/handshake/netlink.c
@@ -161,7 +161,7 @@ int handshake_nl_done_doit(struct sk_buff *skb, struct genl_info *info)
 
 	status = -EIO;
 	if (info->attrs[HANDSHAKE_A_DONE_STATUS])
-		status = nla_get_u32(info->attrs[HANDSHAKE_A_DONE_STATUS]);
+		status = -(int)nla_get_u32(info->attrs[HANDSHAKE_A_DONE_STATUS]);
 
 	handshake_complete(req, status, info);
 	sockfd_put(sock);
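Review bot: `-(int)nla_get_u32(...)` is only free of signed overflow because the policy in genl.c now caps HANDSHAKE_A_DONE_STATUS at MAX_ERRNO; a short comment at this line pointing at NLA_POLICY_MAX(NLA_U32, MAX_ERRNO) ties the two together for anyone who later relaxes the policy. Note also that a wire value of 0 still arrives as status 0 (success) while a missing attribute keeps the -EIO default, which is the intended asymmetry and worth a word in the message.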
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 75562f6629e050..2f58d74f16554b 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -285,7 +285,7 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 }
 EXPORT_SYMBOL(handshake_req_submit);
 
-void handshake_complete(struct handshake_req *req, unsigned int status,
+void handshake_complete(struct handshake_req *req, int status,
 			struct genl_info *info)
 {
 	struct sock *sk = req->hr_sk;
diff --git a/net/handshake/tlshd.c b/net/handshake/tlshd.c
index fd71ef2d18ceb2..5464e57c347b9c 100644
--- a/net/handshake/tlshd.c
+++ b/net/handshake/tlshd.c
@@ -93,7 +93,7 @@ static void tls_handshake_remote_peerids(struct tls_handshake_req *treq,
  *
  */
 static void tls_handshake_done(struct handshake_req *req,
-			       unsigned int status, struct genl_info *info)
+			       int status, struct genl_info *info)
 {
 	struct tls_handshake_req *treq = handshake_req_private(req);
 
@@ -104,7 +104,7 @@ static void tls_handshake_done(struct handshake_req *req,
 	if (!status)
 		set_bit(HANDSHAKE_F_REQ_SESSION, &req->hr_flags);
 
-	treq->th_consumer_done(treq->th_consumer_data, -status,
+	treq->th_consumer_done(treq->th_consumer_data, status,
 			       treq->th_peerid[0]);
 }
 
-- 
2.53.0

* [PATCH 6.18 093/315] ipv6: fix possible infinite loop in fib6_select_path()
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit 9c7da87c2dc860bb17ca1ece942495d28b1ce3b9 ]

Found while auditing the same pattern Sashiko reported in
rt6_fill_node() [1]. Apply the same fix as
commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&first->fib6_siblings)
without waiting for RCU readers; first->fib6_siblings.next then
still points into the old ring and this softirq-side walker never
reaches &first->fib6_siblings as its terminator. fib6_purge_rt()
always WRITE_ONCE()s first->fib6_nsiblings to 0 before
list_del_rcu(), so an inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/route.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index cf9546047b5749..f89220929c4e24 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -481,6 +481,9 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
 		const struct fib6_nh *nh = sibling->fib6_nh;
 		int nh_upper_bound;
 
+		if (!READ_ONCE(first->fib6_nsiblings))
+			break;
+
 		nh_upper_bound = atomic_read(&nh->fib_nh_upper_bound);
 		if (hash > nh_upper_bound)
 			continue;
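Review bot: the check reads first->fib6_nsiblings rather than the current sibling's count, which is the right field because &first->fib6_siblings is the terminator of this walk and fib6_purge_rt() zeroes it on first before the list_del_rcu; a one-line comment saying "first was detached from the sibling ring" would make that choice explicit, since the sibling change in 092/315 checks the rt being walked instead.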
-- 
2.53.0

* [PATCH 6.12 083/307] remove pointless includes of <linux/fdtable.h>
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner, Al Viro,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit be5498cac2ddb112c5bd7433d5e834a1a2493427 ]

some of those used to be needed, some had been cargo-culted for
no reason...

Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Stable-dep-of: ea5fe6a73ca5 ("net/handshake: Drain pending requests at net namespace exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fcntl.c                         | 1 -
 fs/file_table.c                    | 1 -
 fs/notify/fanotify/fanotify.c      | 1 -
 fs/notify/fanotify/fanotify_user.c | 1 -
 fs/overlayfs/copy_up.c             | 1 -
 fs/proc/base.c                     | 1 -
 io_uring/io_uring.c                | 1 -
 kernel/bpf/bpf_inode_storage.c     | 1 -
 kernel/bpf/bpf_task_storage.c      | 1 -
 kernel/bpf/token.c                 | 1 -
 kernel/exit.c                      | 1 -
 kernel/module/dups.c               | 1 -
 kernel/module/kmod.c               | 1 -
 kernel/umh.c                       | 1 -
 net/handshake/request.c            | 1 -
 security/apparmor/domain.c         | 1 -
 16 files changed, 16 deletions(-)

diff --git a/fs/fcntl.c b/fs/fcntl.c
index 3d89de31066ae0..a7947a615db6b4 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -12,7 +12,6 @@
 #include <linux/fs.h>
 #include <linux/filelock.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/capability.h>
 #include <linux/dnotify.h>
 #include <linux/slab.h>
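Review bot: the hunk context shows only neighbouring includes, so the diff alone cannot show whether fs/fcntl.c still uses anything declared in <linux/fdtable.h>, and the commit message ("some of those used to be needed, some had been cargo-culted") does not say which of the 16 files fall in which group. Since this is carried in 6.12 only as a Stable-dep-of, the check that matters is a build of the touched directories (fs/, io_uring/, kernel/bpf/, security/apparmor/) on the 6.12 tree rather than upstream: a declaration that reaches these files transitively upstream is not guaranteed to do so in 6.12.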
diff --git a/fs/file_table.c b/fs/file_table.c
index f7661a70874640..2a08bc93b0b9c1 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -9,7 +9,6 @@
 #include <linux/string.h>
 #include <linux/slab.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/fs.h>
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index bb00e1e1683838..4d86a05258b970 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -1,6 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/fanotify.h>
-#include <linux/fdtable.h>
 #include <linux/fsnotify_backend.h>
 #include <linux/init.h>
 #include <linux/jiffies.h>
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 93c1619cdad659..b89ad128bf09cf 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1,7 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <linux/fanotify.h>
 #include <linux/fcntl.h>
-#include <linux/fdtable.h>
 #include <linux/file.h>
 #include <linux/fs.h>
 #include <linux/anon_inodes.h>
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index 57f635d050eb5a..75e804bc152ccf 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -16,7 +16,6 @@
 #include <linux/sched/signal.h>
 #include <linux/cred.h>
 #include <linux/namei.h>
-#include <linux/fdtable.h>
 #include <linux/ratelimit.h>
 #include <linux/exportfs.h>
 #include "overlayfs.h"
diff --git a/fs/proc/base.c b/fs/proc/base.c
index d060af34a6e837..704cf6a0612ede 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -58,7 +58,6 @@
 #include <linux/init.h>
 #include <linux/capability.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/generic-radix-tree.h>
 #include <linux/string.h>
 #include <linux/seq_file.h>
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index eef59b9eccfab1..e515aeafa87813 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -51,7 +51,6 @@
 #include <linux/sched/signal.h>
 #include <linux/fs.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/mm.h>
 #include <linux/mman.h>
 #include <linux/percpu.h>
diff --git a/kernel/bpf/bpf_inode_storage.c b/kernel/bpf/bpf_inode_storage.c
index 29da6d3838f678..e16e79f8cd6dc3 100644
--- a/kernel/bpf/bpf_inode_storage.c
+++ b/kernel/bpf/bpf_inode_storage.c
@@ -16,7 +16,6 @@
 #include <uapi/linux/btf.h>
 #include <linux/bpf_lsm.h>
 #include <linux/btf_ids.h>
-#include <linux/fdtable.h>
 #include <linux/rcupdate_trace.h>
 
 DEFINE_BPF_STORAGE_CACHE(inode_cache);
diff --git a/kernel/bpf/bpf_task_storage.c b/kernel/bpf/bpf_task_storage.c
index adf6dfe0ba68a4..1eb9852a9f8ebb 100644
--- a/kernel/bpf/bpf_task_storage.c
+++ b/kernel/bpf/bpf_task_storage.c
@@ -16,7 +16,6 @@
 #include <linux/filter.h>
 #include <uapi/linux/btf.h>
 #include <linux/btf_ids.h>
-#include <linux/fdtable.h>
 #include <linux/rcupdate_trace.h>
 
 DEFINE_BPF_STORAGE_CACHE(task_cache);
diff --git a/kernel/bpf/token.c b/kernel/bpf/token.c
index dcbec1a0dfb33f..26057aa1350398 100644
--- a/kernel/bpf/token.c
+++ b/kernel/bpf/token.c
@@ -1,6 +1,5 @@
 #include <linux/bpf.h>
 #include <linux/vmalloc.h>
-#include <linux/fdtable.h>
 #include <linux/file.h>
 #include <linux/fs.h>
 #include <linux/kernel.h>
diff --git a/kernel/exit.c b/kernel/exit.c
index b91124b2d334ee..e798078f958c89 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -25,7 +25,6 @@
 #include <linux/acct.h>
 #include <linux/tsacct_kern.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/freezer.h>
 #include <linux/binfmts.h>
 #include <linux/nsproxy.h>
diff --git a/kernel/module/dups.c b/kernel/module/dups.c
index 9a92f2f8c9d382..bd2149fbe11738 100644
--- a/kernel/module/dups.c
+++ b/kernel/module/dups.c
@@ -18,7 +18,6 @@
 #include <linux/completion.h>
 #include <linux/cred.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/workqueue.h>
 #include <linux/security.h>
 #include <linux/mount.h>
diff --git a/kernel/module/kmod.c b/kernel/module/kmod.c
index 0800d989169219..25f25381251281 100644
--- a/kernel/module/kmod.c
+++ b/kernel/module/kmod.c
@@ -15,7 +15,6 @@
 #include <linux/completion.h>
 #include <linux/cred.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/workqueue.h>
 #include <linux/security.h>
 #include <linux/mount.h>
diff --git a/kernel/umh.c b/kernel/umh.c
index ff1f13a27d29fd..be923427077731 100644
--- a/kernel/umh.c
+++ b/kernel/umh.c
@@ -13,7 +13,6 @@
 #include <linux/completion.h>
 #include <linux/cred.h>
 #include <linux/file.h>
-#include <linux/fdtable.h>
 #include <linux/fs_struct.h>
 #include <linux/workqueue.h>
 #include <linux/security.h>
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 2f58d74f16554b..62efb7e32730ea 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -13,7 +13,6 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/inet.h>
-#include <linux/fdtable.h>
 #include <linux/rhashtable.h>
 
 #include <net/sock.h>
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index cccd61cca509ce..fbfb1d48dc88f2 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -9,7 +9,6 @@
  */
 
 #include <linux/errno.h>
-#include <linux/fdtable.h>
 #include <linux/fs.h>
 #include <linux/file.h>
 #include <linux/mount.h>
-- 
2.53.0

* [PATCH 6.18 094/315] net: skbuff: fix pskb_carve leaking zcopy pages
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 093/315] ipv6: fix possible infinite loop in fib6_select_path() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 095/315] media: rc: fix race between unregister and urb/irq callbacks Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Willem de Bruijn,
	Pavel Begunkov, Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Begunkov <asml.silence@gmail.com>

[ Upstream commit ff6e798c2eac3ebd0501ad7e796f583fab928de8 ]

When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but
their lifetime is controlled by the attached ubuf_info. To make a copy
of the skb_shared_info, we either should clear the flag and reference
the frags, or keep the flag and have frags unreferenced.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't
follow the rule and thus can leak page references. Let's clear
SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the
simplest way to address it, but there are more performant ways to do
that if it ever becomes a problem.

Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/
Fixes: 753f1ca4e1e50 ("net: introduce managed frags infrastructure")
Reported-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6618bfa70ca444..a52aa79b0fdbaf 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6772,6 +6772,11 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
 	skb_copy_from_linear_data_offset(skb, off, data, new_hlen);
 	skb->len -= off;
 
+	/* Remove SKBFL_MANAGED_FRAG_REFS instead of trying to honour it
+	 * while refcounting frags below.
+	 */
+	skb_zcopy_downgrade_managed(skb);
+
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb),
 	       offsetof(struct skb_shared_info,
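Review bot: skb_zcopy_downgrade_managed(skb) sits after the linear-data copy and the skb->len adjustment but before the shinfo memcpy, which is the right place: the new shinfo is built from the original's frags, so the original must already be in the plain refcounted state (flag cleared, references taken) when it is copied. The three-line comment is repeated verbatim in the second hunk; one sentence stating the rule from the commit message (a copy must either clear SKBFL_MANAGED_FRAG_REFS and take refs, or keep it and take none) would explain why the downgrade is sufficient, not just that it is done.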
@@ -6883,6 +6888,11 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
 		return -ENOMEM;
 	size = SKB_WITH_OVERHEAD(size);
 
+	/* Remove SKBFL_MANAGED_FRAG_REFS instead of trying to honour it
+	 * while refcounting frags below.
+	 */
+	skb_zcopy_downgrade_managed(skb);
+
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0]));
 	if (skb_orphan_frags(skb, gfp_mask)) {
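Review bot: here the downgrade happens right after the allocation succeeds and before skb_orphan_frags(); if skb_orphan_frags() then fails, the original skb has already been converted to plain refcounted frags. That is a safe state to leave it in (each frag holds its own reference and the flag is clear), so no unwind is needed on that error path, but the comment could say so, since the -ENOMEM return a few lines above shows this function does have early exits and a reader will look for the matching undo.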
-- 
2.53.0

* [PATCH 6.12 084/307] net/handshake: Take a long-lived file reference at submit
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 083/307] remove pointless includes of <linux/fdtable.h> Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 085/307] net/handshake: Drain pending requests at net namespace exit Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, Paolo Abeni,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 09dba37eee70d0596e26645015f1aa95a9848e9d ]

handshake_nl_accept_doit() needs the file pointer backing
req->hr_sk->sk_socket to survive the window between
handshake_req_next() and the subsequent FD_PREPARE() and get_file().
The submit-side sock_hold() does not provide that.  sk_refcnt keeps
struct sock alive, but struct socket is owned by sock->file: when
the consumer fputs the last file reference, sock_release() tears
the socket down regardless of any sock_hold.

Add an hr_file pointer to struct handshake_req and acquire an
explicit reference on sock->file during handshake_req_submit().
handshake_complete() and handshake_req_cancel() release the
reference on the completion-bit-winning path.

The submit error path must also release the file reference, but
after rhashtable insertion a concurrent handshake_req_cancel() can
discover the request and race the error path.  Gate the error-path
cleanup -- sk_destruct restoration, fput, and request destruction
-- with test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED), the same
serialization handshake_complete() and handshake_req_cancel()
already use.  When cancel has already claimed ownership, the submit
error path returns without touching the request; socket teardown
handles final destruction.

The accept-side dereferences are not yet retargeted; that change
comes in the next patch.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-4-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: ea5fe6a73ca5 ("net/handshake: Drain pending requests at net namespace exit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/handshake/handshake.h |  2 ++
 net/handshake/netlink.c   |  6 ------
 net/handshake/request.c   | 42 ++++++++++++++++++++++++++++++++-------
 3 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/net/handshake/handshake.h b/net/handshake/handshake.h
index 2289b0e274f40a..da61cadd1ad3e7 100644
--- a/net/handshake/handshake.h
+++ b/net/handshake/handshake.h
@@ -24,6 +24,7 @@ enum hn_flags_bits {
 	HANDSHAKE_F_NET_DRAINING,
 };
 
+struct file;
 struct handshake_proto;
 
 /* One handshake request */
@@ -32,6 +33,7 @@ struct handshake_req {
 	struct rhash_head		hr_rhash;
 	unsigned long			hr_flags;
 	const struct handshake_proto	*hr_proto;
+	struct file			*hr_file;
 	struct sock			*hr_sk;
 	void				(*hr_odestruct)(struct sock *sk);
 
diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
index d8211e0ba75c69..86a12c9125d403 100644
--- a/net/handshake/netlink.c
+++ b/net/handshake/netlink.c
@@ -211,12 +211,6 @@ static void __net_exit handshake_net_exit(struct net *net)
 	while (!list_empty(&requests)) {
 		req = list_first_entry(&requests, struct handshake_req, hr_list);
 		list_del(&req->hr_list);
-
-		/*
-		 * Requests on this list have not yet been
-		 * accepted, so they do not have an fd to put.
-		 */
-
 		handshake_complete(req, -ETIMEDOUT, NULL);
 	}
 }
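Review bot: dropping the comment is a correctness fix, not just tidying: handshake_complete() now fputs req->hr_file on the completion-winning path (see the request.c hunk below), so the claim that unaccepted requests "do not have an fd to put" would be misleading. Worth stating in the commit message that handshake_net_exit() thereby becomes a caller that releases a file reference from namespace-exit context rather than from the owning process.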
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 62efb7e32730ea..35bc6290e12033 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -13,6 +13,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/inet.h>
+#include <linux/file.h>
 #include <linux/rhashtable.h>
 
 #include <net/sock.h>
@@ -215,9 +216,16 @@ EXPORT_SYMBOL_IF_KUNIT(handshake_req_next);
  * A zero return value from handshake_req_submit() means that
  * exactly one subsequent completion callback is guaranteed.
  *
- * A negative return value from handshake_req_submit() means that
- * no completion callback will be done and that @req has been
- * destroyed.
+ * A negative return value from handshake_req_submit() guarantees that
+ * no completion callback will occur and that @req is no longer owned by
+ * the caller. If cancellation wins the completion race after the request
+ * has been published, final destruction is deferred until socket teardown.
+ *
+ * The caller must hold a reference on @sock->file for the duration
+ * of this call. Once the request is published to the accept side, a
+ * concurrent completion or cancellation may release the request's pin on
+ * @sock->file; the caller's reference is what keeps @sock->sk valid until
+ * handshake_req_submit() returns.
  */
 int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 			 gfp_t flags)
@@ -236,6 +244,14 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 		kfree(req);
 		return -EINVAL;
 	}
+
+	/*
+	 * Pin sock->file for the lifetime of the request so the
+	 * accept side does not race a consumer that releases the
+	 * socket while a handshake is pending.
+	 */
+	req->hr_file = get_file(sock->file);
+
 	req->hr_odestruct = req->hr_sk->sk_destruct;
 	req->hr_sk->sk_destruct = handshake_sk_destruct;
 
@@ -267,7 +283,11 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 			goto out_err;
 	}
 
-	/* Prevent socket release while a handshake request is pending */
+	/*
+	 * Pin struct sock so sk_destruct does not run until the
+	 * handshake completion path releases it; struct socket is
+	 * held separately via hr_file above.
+	 */
 	sock_hold(req->hr_sk);
 
 	trace_handshake_submit(net, req, req->hr_sk);
@@ -276,10 +296,13 @@ int handshake_req_submit(struct socket *sock, struct handshake_req *req,
 out_unlock:
 	spin_unlock_bh(&hn->hn_lock);
 out_err:
-	/* Restore original destructor so socket teardown still runs on failure */
-	req->hr_sk->sk_destruct = req->hr_odestruct;
 	trace_handshake_submit_err(net, req, req->hr_sk, ret);
-	handshake_req_destroy(req);
+	if (!test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags)) {
+		/* Restore original destructor so socket teardown still runs. */
+		req->hr_sk->sk_destruct = req->hr_odestruct;
+		fput(req->hr_file);
+		handshake_req_destroy(req);
+	}
 	return ret;
 }
 EXPORT_SYMBOL(handshake_req_submit);
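Review bot: trace_handshake_submit_err() now runs before the test_and_set_bit() gate, so it reads req and req->hr_sk even when handshake_req_cancel() has already claimed the request; that is valid only because a cancelled request is not freed until socket teardown and the caller still holds sock->file (both stated in the new kernel-doc), and a short comment at out_err would record that dependency. Also, when cancel wins, sk_destruct is deliberately left pointing at handshake_sk_destruct; the "Restore original destructor" comment inside the branch could note that the untaken branch relies on it staying installed for final destruction.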
@@ -291,11 +314,15 @@ void handshake_complete(struct handshake_req *req, int status,
 	struct net *net = sock_net(sk);
 
 	if (!test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags)) {
+		struct file *file = req->hr_file;
+
 		trace_handshake_complete(net, req, sk, status);
 		req->hr_proto->hp_done(req, status, info);
 
 		/* Handshake request is no longer pending */
 		sock_put(sk);
+
+		fput(file);
 	}
 }
 EXPORT_SYMBOL_IF_KUNIT(handshake_complete);
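Review bot: capturing req->hr_file into a local before hp_done() is the right defensive choice, since the consumer callback is the one point on this path that could plausibly tear down req. fput() is now reachable from handshake_net_exit() (netlink.c hunk) as well as from the accept side; fput() defers the final release through task work or the delayed-fput worker, so calling it from either context is fine. The ordering sock_put() then fput() deserves a comment, though: the file reference is what keeps the socket, and via handshake_sk_destruct the request, alive, so it must be the last thing dropped.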
@@ -344,6 +371,7 @@ bool handshake_req_cancel(struct sock *sk)
 
 	/* Handshake request is no longer pending */
 	sock_put(sk);
+	fput(req->hr_file);
 	return true;
 }
 EXPORT_SYMBOL(handshake_req_cancel);
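Review bot: unlike handshake_complete(), this path reads req->hr_file after sock_put(sk) without a local copy. That is safe because no callback runs in between and the file reference itself keeps the socket, and with it the request, alive until this fput(); a one-line comment mirroring the one in handshake_complete() would keep the two release paths visibly symmetric.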
-- 
2.53.0

* [PATCH 6.18 095/315] media: rc: fix race between unregister and urb/irq callbacks
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 094/315] net: skbuff: fix pskb_carve leaking zcopy pages Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 096/315] media: rc: ttusbir: fix inverted error logic Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Patrice Chotard,
	Sean Young, Hans Verkuil, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>

[ Upstream commit dccc0c3ddf8f16071736f98a7d6dd46a2d43e037 ]

Some rc device drivers have a race condition between rc_unregister_device()
and irq or urb callbacks. This is because rc_unregister_device() does two
things, it marks the device as unregistered so no new commands can be
issued and then it calls rc_free_device(). This means the driver has no
chance to cancel any pending urb callbacks or interrupts after the device
has been marked as unregistered. Those callbacks may access struct rc_dev
or its members (e.g. struct ir_raw_event_ctrl), which have been freed by
rc_free_device().

This change removes the implicit call to rc_free_device() from
rc_unregister_device(). This means that device drivers can call
rc_unregister_device() in their remove or disconnect function, then cancel
all the urbs and interrupts before explicitly calling rc_free_device().

Note this is an alternative fix for an issue found by Haotian Zhang, see
the Closes: tags.

Reported-by: Haotian Zhang <vulab@iscas.ac.cn>
Closes: https://lore.kernel.org/linux-media/20251114101432.2566-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114101418.2548-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114101346.2530-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114090605.2413-1-vulab@iscas.ac.cn/
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Stable-dep-of: 646ebdd31058 ("media: rc: ttusbir: fix inverted error logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/bridge/sil-sii8620.c        | 1 +
 drivers/hid/hid-picolcd_cir.c               | 1 +
 drivers/media/cec/core/cec-core.c           | 2 +-
 drivers/media/common/siano/smsir.c          | 1 +
 drivers/media/i2c/ir-kbd-i2c.c              | 2 ++
 drivers/media/pci/bt8xx/bttv-input.c        | 3 ++-
 drivers/media/pci/cx23885/cx23885-input.c   | 1 +
 drivers/media/pci/cx88/cx88-input.c         | 3 ++-
 drivers/media/pci/dm1105/dm1105.c           | 1 +
 drivers/media/pci/mantis/mantis_input.c     | 1 +
 drivers/media/pci/saa7134/saa7134-input.c   | 1 +
 drivers/media/pci/smipcie/smipcie-ir.c      | 1 +
 drivers/media/pci/ttpci/budget-ci.c         | 1 +
 drivers/media/rc/ati_remote.c               | 6 +++---
 drivers/media/rc/ene_ir.c                   | 2 +-
 drivers/media/rc/fintek-cir.c               | 3 ++-
 drivers/media/rc/igorplugusb.c              | 1 +
 drivers/media/rc/iguanair.c                 | 1 +
 drivers/media/rc/img-ir/img-ir-hw.c         | 3 ++-
 drivers/media/rc/img-ir/img-ir-raw.c        | 3 ++-
 drivers/media/rc/imon.c                     | 3 ++-
 drivers/media/rc/ir-hix5hd2.c               | 2 +-
 drivers/media/rc/ir_toy.c                   | 1 +
 drivers/media/rc/ite-cir.c                  | 2 +-
 drivers/media/rc/mceusb.c                   | 1 +
 drivers/media/rc/rc-ir-raw.c                | 5 -----
 drivers/media/rc/rc-loopback.c              | 1 +
 drivers/media/rc/rc-main.c                  | 6 +-----
 drivers/media/rc/redrat3.c                  | 4 +++-
 drivers/media/rc/st_rc.c                    | 2 +-
 drivers/media/rc/streamzap.c                | 7 ++++---
 drivers/media/rc/sunxi-cir.c                | 1 +
 drivers/media/rc/ttusbir.c                  | 2 +-
 drivers/media/rc/winbond-cir.c              | 2 +-
 drivers/media/rc/xbox_remote.c              | 5 +++--
 drivers/media/usb/au0828/au0828-input.c     | 1 +
 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 1 +
 drivers/media/usb/dvb-usb/dvb-usb-remote.c  | 6 ++++--
 drivers/media/usb/em28xx/em28xx-input.c     | 1 +
 drivers/staging/media/av7110/av7110_ir.c    | 1 +
 include/media/rc-core.h                     | 2 --
 41 files changed, 58 insertions(+), 36 deletions(-)

diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
index 9e48ad39e1cc99..923e2ed30624b7 100644
--- a/drivers/gpu/drm/bridge/sil-sii8620.c
+++ b/drivers/gpu/drm/bridge/sil-sii8620.c
@@ -2221,6 +2221,7 @@ static void sii8620_detach(struct drm_bridge *bridge)
 		return;
 
 	rc_unregister_device(ctx->rc_dev);
+	rc_free_device(ctx->rc_dev);
 }
 
 static int sii8620_is_packing_required(struct sii8620 *ctx,
diff --git a/drivers/hid/hid-picolcd_cir.c b/drivers/hid/hid-picolcd_cir.c
index d6faa0e00f95ac..6d4c636e1c9f7e 100644
--- a/drivers/hid/hid-picolcd_cir.c
+++ b/drivers/hid/hid-picolcd_cir.c
@@ -134,5 +134,6 @@ void picolcd_exit_cir(struct picolcd_data *data)
 
 	data->rc_dev = NULL;
 	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 }
 
diff --git a/drivers/media/cec/core/cec-core.c b/drivers/media/cec/core/cec-core.c
index dd6e24a0899bda..1b8a33c05b3c92 100644
--- a/drivers/media/cec/core/cec-core.c
+++ b/drivers/media/cec/core/cec-core.c
@@ -338,8 +338,8 @@ int cec_register_adapter(struct cec_adapter *adap,
 	res = cec_devnode_register(&adap->devnode, adap->owner);
 	if (res) {
 #ifdef CONFIG_MEDIA_CEC_RC
-		/* Note: rc_unregister also calls rc_free */
 		rc_unregister_device(adap->rc);
+		rc_free_device(adap->rc);
 		adap->rc = NULL;
 #endif
 		return res;
diff --git a/drivers/media/common/siano/smsir.c b/drivers/media/common/siano/smsir.c
index d85c78c104b990..5f4c0aa7a0d72a 100644
--- a/drivers/media/common/siano/smsir.c
+++ b/drivers/media/common/siano/smsir.c
@@ -92,6 +92,7 @@ int sms_ir_init(struct smscore_device_t *coredev)
 void sms_ir_exit(struct smscore_device_t *coredev)
 {
 	rc_unregister_device(coredev->ir.dev);
+	rc_free_device(coredev->ir.dev);
 
 	pr_debug("\n");
 }
diff --git a/drivers/media/i2c/ir-kbd-i2c.c b/drivers/media/i2c/ir-kbd-i2c.c
index 5588cdd7ec20de..60474531700433 100644
--- a/drivers/media/i2c/ir-kbd-i2c.c
+++ b/drivers/media/i2c/ir-kbd-i2c.c
@@ -355,6 +355,7 @@ static void ir_work(struct work_struct *work)
 		mutex_unlock(&ir->lock);
 		if (rc == -ENODEV) {
 			rc_unregister_device(ir->rc);
+			rc_free_device(ir->rc);
 			ir->rc = NULL;
 			return;
 		}
@@ -972,6 +973,7 @@ static void ir_remove(struct i2c_client *client)
 	i2c_unregister_device(ir->tx_c);
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 }
 
 static const struct i2c_device_id ir_kbd_id[] = {
diff --git a/drivers/media/pci/bt8xx/bttv-input.c b/drivers/media/pci/bt8xx/bttv-input.c
index 84aa269248fd36..f84fcf96eca983 100644
--- a/drivers/media/pci/bt8xx/bttv-input.c
+++ b/drivers/media/pci/bt8xx/bttv-input.c
@@ -572,8 +572,9 @@ void bttv_input_fini(struct bttv *btv)
 	if (btv->remote == NULL)
 		return;
 
-	bttv_ir_stop(btv);
 	rc_unregister_device(btv->remote->dev);
+	bttv_ir_stop(btv);
+	rc_free_device(btv->remote->dev);
 	kfree(btv->remote);
 	btv->remote = NULL;
 }
diff --git a/drivers/media/pci/cx23885/cx23885-input.c b/drivers/media/pci/cx23885/cx23885-input.c
index d2e84c6457e0ab..722329ef3fd2cc 100644
--- a/drivers/media/pci/cx23885/cx23885-input.c
+++ b/drivers/media/pci/cx23885/cx23885-input.c
@@ -402,6 +402,7 @@ void cx23885_input_fini(struct cx23885_dev *dev)
 	if (dev->kernel_ir == NULL)
 		return;
 	rc_unregister_device(dev->kernel_ir->rc);
+	rc_free_device(dev->kernel_ir->rc);
 	kfree(dev->kernel_ir->phys);
 	kfree(dev->kernel_ir->name);
 	kfree(dev->kernel_ir);
diff --git a/drivers/media/pci/cx88/cx88-input.c b/drivers/media/pci/cx88/cx88-input.c
index b9f2c14d62b408..4757787c3f5935 100644
--- a/drivers/media/pci/cx88/cx88-input.c
+++ b/drivers/media/pci/cx88/cx88-input.c
@@ -509,8 +509,9 @@ int cx88_ir_fini(struct cx88_core *core)
 	if (!ir)
 		return 0;
 
-	cx88_ir_stop(core);
 	rc_unregister_device(ir->dev);
+	cx88_ir_stop(core);
+	rc_free_device(ir->dev);
 	kfree(ir);
 
 	/* done */
diff --git a/drivers/media/pci/dm1105/dm1105.c b/drivers/media/pci/dm1105/dm1105.c
index 9e9c7c071accce..e1185aa669f480 100644
--- a/drivers/media/pci/dm1105/dm1105.c
+++ b/drivers/media/pci/dm1105/dm1105.c
@@ -763,6 +763,7 @@ static int dm1105_ir_init(struct dm1105_dev *dm1105)
 static void dm1105_ir_exit(struct dm1105_dev *dm1105)
 {
 	rc_unregister_device(dm1105->ir.dev);
+	rc_free_device(dm1105->ir.dev);
 }
 
 static int dm1105_hw_init(struct dm1105_dev *dev)
diff --git a/drivers/media/pci/mantis/mantis_input.c b/drivers/media/pci/mantis/mantis_input.c
index 34c0d979240fda..edb4cacf55d229 100644
--- a/drivers/media/pci/mantis/mantis_input.c
+++ b/drivers/media/pci/mantis/mantis_input.c
@@ -72,5 +72,6 @@ EXPORT_SYMBOL_GPL(mantis_input_init);
 void mantis_input_exit(struct mantis_pci *mantis)
 {
 	rc_unregister_device(mantis->rc);
+	rc_free_device(mantis->rc);
 }
 EXPORT_SYMBOL_GPL(mantis_input_exit);
diff --git a/drivers/media/pci/saa7134/saa7134-input.c b/drivers/media/pci/saa7134/saa7134-input.c
index 468dbe8d552f82..d39537c95d9d3b 100644
--- a/drivers/media/pci/saa7134/saa7134-input.c
+++ b/drivers/media/pci/saa7134/saa7134-input.c
@@ -834,6 +834,7 @@ void saa7134_input_fini(struct saa7134_dev *dev)
 		return;
 
 	rc_unregister_device(dev->remote->dev);
+	rc_free_device(dev->remote->dev);
 	kfree(dev->remote);
 	dev->remote = NULL;
 }
diff --git a/drivers/media/pci/smipcie/smipcie-ir.c b/drivers/media/pci/smipcie/smipcie-ir.c
index c0604d9c70119a..0bbe4fa2d5a84e 100644
--- a/drivers/media/pci/smipcie/smipcie-ir.c
+++ b/drivers/media/pci/smipcie/smipcie-ir.c
@@ -181,5 +181,6 @@ void smi_ir_exit(struct smi_dev *dev)
 
 	rc_unregister_device(rc_dev);
 	smi_ir_stop(ir);
+	rc_free_device(rc_dev);
 	ir->rc_dev = NULL;
 }
diff --git a/drivers/media/pci/ttpci/budget-ci.c b/drivers/media/pci/ttpci/budget-ci.c
index 33f08adf4feb10..16973ac8e6a920 100644
--- a/drivers/media/pci/ttpci/budget-ci.c
+++ b/drivers/media/pci/ttpci/budget-ci.c
@@ -249,6 +249,7 @@ static void msp430_ir_deinit(struct budget_ci *budget_ci)
 	cancel_work_sync(&budget_ci->ir.msp430_irq_bh_work);
 
 	rc_unregister_device(budget_ci->ir.dev);
+	rc_free_device(budget_ci->ir.dev);
 }
 
 static int ciintf_read_attribute_mem(struct dvb_ca_en50221 *ca, int slot, int address)
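Review bot: cancel_work_sync(&budget_ci->ir.msp430_irq_bh_work) runs before rc_unregister_device(), so if the interrupt handler can still queue that work after the cancel, the work may run against the rc_dev that the new rc_free_device() call releases. The order the commit message argues for is unregister first, then cancel the work with the interrupt source quiesced, then free; moving the cancel_work_sync() below rc_unregister_device() would match that.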
diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c
index a733914a257424..f1fd4765651cac 100644
--- a/drivers/media/rc/ati_remote.c
+++ b/drivers/media/rc/ati_remote.c
@@ -921,7 +921,6 @@ static int ati_remote_probe(struct usb_interface *interface,
 	input_free_device(input_dev);
  exit_unregister_device:
 	rc_unregister_device(rc_dev);
-	rc_dev = NULL;
  exit_kill_urbs:
 	usb_kill_urb(ati_remote->irq_urb);
 	usb_kill_urb(ati_remote->out_urb);
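Review bot: removing `rc_dev = NULL;` after rc_unregister_device() only avoids a leak if a later label in this error path calls rc_free_device(rc_dev); that label is not in the hunk (compare the ene_ir hunk below, where exit_free_dev_rdev is visible). Confirm it exists, and that nothing between exit_unregister_device and that label was using the NULL assignment as an "already gone" marker.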
@@ -941,18 +940,19 @@ static void ati_remote_disconnect(struct usb_interface *interface)
 	struct ati_remote *ati_remote;
 
 	ati_remote = usb_get_intfdata(interface);
-	usb_set_intfdata(interface, NULL);
 	if (!ati_remote) {
 		dev_warn(&interface->dev, "%s - null device?\n", __func__);
 		return;
 	}
 
+	rc_unregister_device(ati_remote->rdev);
+	usb_set_intfdata(interface, NULL);
 	usb_kill_urb(ati_remote->irq_urb);
 	usb_kill_urb(ati_remote->out_urb);
 	if (ati_remote->idev)
 		input_unregister_device(ati_remote->idev);
-	rc_unregister_device(ati_remote->rdev);
 	ati_remote_free_buffers(ati_remote);
+	rc_free_device(ati_remote->rdev);
 	kfree(ati_remote);
 }
 
diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c
index d6c54a3bccc26d..136fc4192265da 100644
--- a/drivers/media/rc/ene_ir.c
+++ b/drivers/media/rc/ene_ir.c
@@ -1090,7 +1090,6 @@ static int ene_probe(struct pnp_dev *pnp_dev, const struct pnp_device_id *id)
 	release_region(dev->hw_io, ENE_IO_SIZE);
 exit_unregister_device:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 exit_free_dev_rdev:
 	rc_free_device(rdev);
 	kfree(dev);
@@ -1110,6 +1109,7 @@ static void ene_remove(struct pnp_dev *pnp_dev)
 	ene_rx_restore_hw_buffer(dev);
 	spin_unlock_irqrestore(&dev->hw_lock, flags);
 
+	rc_free_device(dev->rdev);
 	free_irq(dev->irq, dev);
 	release_region(dev->hw_io, ENE_IO_SIZE);
 	kfree(dev);
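Review bot: rc_free_device(dev->rdev) is placed before free_irq(dev->irq, dev), the reverse of the order the commit message prescribes (unregister, quiesce the interrupt, then free). If the hw_lock section above already masks the device interrupt this is harmless, but moving the free after free_irq() makes it correct without that assumption and matches what the fintek and img-ir hunks do.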
diff --git a/drivers/media/rc/fintek-cir.c b/drivers/media/rc/fintek-cir.c
index 3fb0968efd57d3..9b789097cdd4c3 100644
--- a/drivers/media/rc/fintek-cir.c
+++ b/drivers/media/rc/fintek-cir.c
@@ -568,6 +568,7 @@ static void fintek_remove(struct pnp_dev *pdev)
 	struct fintek_dev *fintek = pnp_get_drvdata(pdev);
 	unsigned long flags;
 
+	rc_unregister_device(fintek->rdev);
 	spin_lock_irqsave(&fintek->fintek_lock, flags);
 	/* disable CIR */
 	fintek_disable_cir(fintek);
@@ -580,7 +581,7 @@ static void fintek_remove(struct pnp_dev *pdev)
 	free_irq(fintek->cir_irq, fintek);
 	release_region(fintek->cir_addr, fintek->cir_port_len);
 
-	rc_unregister_device(fintek->rdev);
+	rc_free_device(fintek->rdev);
 
 	kfree(fintek);
 }
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index e7e31776453c11..439f95e6879fc4 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -247,6 +247,7 @@ static void igorplugusb_disconnect(struct usb_interface *intf)
 	usb_set_intfdata(intf, NULL);
 	usb_unpoison_urb(ir->urb);
 	usb_free_urb(ir->urb);
+	rc_free_device(ir->rc);
 	kfree(ir->buf_in);
 	kfree(ir->request);
 }
diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
index 8af94246e5916e..7bd6dd7254157a 100644
--- a/drivers/media/rc/iguanair.c
+++ b/drivers/media/rc/iguanair.c
@@ -500,6 +500,7 @@ static void iguanair_disconnect(struct usb_interface *intf)
 	usb_set_intfdata(intf, NULL);
 	usb_kill_urb(ir->urb_in);
 	usb_kill_urb(ir->urb_out);
+	rc_free_device(ir->rc);
 	usb_free_urb(ir->urb_in);
 	usb_free_urb(ir->urb_out);
 	usb_free_coherent(ir->udev, MAX_IN_PACKET, ir->buf_in, ir->dma_in);
diff --git a/drivers/media/rc/img-ir/img-ir-hw.c b/drivers/media/rc/img-ir/img-ir-hw.c
index 63f6f5b36838d0..f30adf4d8444dd 100644
--- a/drivers/media/rc/img-ir/img-ir-hw.c
+++ b/drivers/media/rc/img-ir/img-ir-hw.c
@@ -1118,9 +1118,10 @@ void img_ir_remove_hw(struct img_ir_priv *priv)
 	struct rc_dev *rdev = hw->rdev;
 	if (!rdev)
 		return;
+	rc_unregister_device(rdev);
 	img_ir_set_decoder(priv, NULL, 0);
 	hw->rdev = NULL;
-	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 #ifdef CONFIG_COMMON_CLK
 	if (!IS_ERR(priv->clk))
 		clk_notifier_unregister(priv->clk, &hw->clk_nb);
diff --git a/drivers/media/rc/img-ir/img-ir-raw.c b/drivers/media/rc/img-ir/img-ir-raw.c
index 92fb7b555a0f65..f1460d4acf3e8a 100644
--- a/drivers/media/rc/img-ir/img-ir-raw.c
+++ b/drivers/media/rc/img-ir/img-ir-raw.c
@@ -136,6 +136,7 @@ void img_ir_remove_raw(struct img_ir_priv *priv)
 	if (!rdev)
 		return;
 
+	rc_unregister_device(rdev);
 	/* switch off and disable raw (edge) interrupts */
 	spin_lock_irq(&priv->lock);
 	raw->rdev = NULL;
@@ -145,7 +146,7 @@ void img_ir_remove_raw(struct img_ir_priv *priv)
 	img_ir_write(priv, IMG_IR_IRQ_CLEAR, IMG_IR_IRQ_EDGE);
 	spin_unlock_irq(&priv->lock);
 
-	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 
 	timer_delete_sync(&raw->timer);
 }
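Review bot: timer_delete_sync(&raw->timer) runs only after rc_free_device(rdev), so a timer callback that is already executing can overlap the free; this is safe only because raw->rdev was set to NULL under priv->lock in the previous hunk and the callback presumably re-reads it. Deleting the timer before rc_free_device(), the kill-then-free ordering the USB drivers in this patch use, would not depend on that.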
diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index 35b9e07003d889..48534bb52e4d04 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -2541,9 +2541,10 @@ static void imon_disconnect(struct usb_interface *interface)
 
 	if (ifnum == 0) {
 		ictx->dev_present_intf0 = false;
+		rc_unregister_device(ictx->rdev);
 		usb_kill_urb(ictx->rx_urb_intf0);
 		input_unregister_device(ictx->idev);
-		rc_unregister_device(ictx->rdev);
+		rc_free_device(ictx->rdev);
 		if (ictx->display_supported) {
 			if (ictx->display_type == IMON_DISPLAY_TYPE_LCD)
 				usb_deregister_dev(interface, &imon_lcd_class);
diff --git a/drivers/media/rc/ir-hix5hd2.c b/drivers/media/rc/ir-hix5hd2.c
index afd80d2350c6d3..bb0f95833df57e 100644
--- a/drivers/media/rc/ir-hix5hd2.c
+++ b/drivers/media/rc/ir-hix5hd2.c
@@ -331,7 +331,6 @@ static int hix5hd2_ir_probe(struct platform_device *pdev)
 
 regerr:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 clkerr:
 	clk_disable_unprepare(priv->clock);
 err:
@@ -346,6 +345,7 @@ static void hix5hd2_ir_remove(struct platform_device *pdev)
 
 	clk_disable_unprepare(priv->clock);
 	rc_unregister_device(priv->rdev);
+	rc_free_device(priv->rdev);
 }
 
 #ifdef CONFIG_PM_SLEEP
diff --git a/drivers/media/rc/ir_toy.c b/drivers/media/rc/ir_toy.c
index 533faa11751744..e79de56997a426 100644
--- a/drivers/media/rc/ir_toy.c
+++ b/drivers/media/rc/ir_toy.c
@@ -536,6 +536,7 @@ static void irtoy_disconnect(struct usb_interface *intf)
 	usb_free_urb(ir->urb_out);
 	usb_kill_urb(ir->urb_in);
 	usb_free_urb(ir->urb_in);
+	rc_free_device(ir->rc);
 	kfree(ir->in);
 	kfree(ir->out);
 	kfree(ir);
diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
index 2bacecb022623e..23afbafb557488 100644
--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -1414,7 +1414,6 @@ static int ite_probe(struct pnp_dev *pdev, const struct pnp_device_id
 	release_region(itdev->cir_addr, itdev->params->io_region_size);
 exit_unregister_device:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 exit_free_dev_rdev:
 	rc_free_device(rdev);
 	kfree(itdev);
@@ -1439,6 +1438,7 @@ static void ite_remove(struct pnp_dev *pdev)
 	release_region(dev->cir_addr, dev->params->io_region_size);
 
 	rc_unregister_device(dev->rdev);
+	rc_free_device(dev->rdev);
 
 	kfree(dev);
 }
diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index 044767eb3a38c9..a4c94fdf767ca1 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1850,6 +1850,7 @@ static void mceusb_dev_disconnect(struct usb_interface *intf)
 	usb_free_urb(ir->urb_in);
 	usb_free_coherent(dev, ir->len_in, ir->buf_in, ir->dma_in);
 	usb_put_dev(dev);
+	rc_free_device(ir->rc);
 
 	kfree(ir);
 }
diff --git a/drivers/media/rc/rc-ir-raw.c b/drivers/media/rc/rc-ir-raw.c
index 5dafe11f61c6b1..76c3d1307f9f1b 100644
--- a/drivers/media/rc/rc-ir-raw.c
+++ b/drivers/media/rc/rc-ir-raw.c
@@ -648,9 +648,6 @@ int ir_raw_event_register(struct rc_dev *dev)
 
 void ir_raw_event_free(struct rc_dev *dev)
 {
-	if (!dev)
-		return;
-
 	kfree(dev->raw);
 	dev->raw = NULL;
 }
@@ -674,8 +671,6 @@ void ir_raw_event_unregister(struct rc_dev *dev)
 
 	lirc_bpf_free(dev);
 
-	ir_raw_event_free(dev);
-
 	/*
 	 * A user can be calling bpf(BPF_PROG_{QUERY|ATTACH|DETACH}), so
 	 * ensure that the raw member is null on unlock; this is how
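Review bot: with the ir_raw_event_free(dev) call dropped from ir_raw_event_unregister(), the comment that follows still promises that the raw member is NULL when the lock is released, and ir_raw_event_free() was what cleared it. Please confirm the code under the lock (not in this hunk) still sets dev->raw = NULL; otherwise the bpf(BPF_PROG_{QUERY|ATTACH|DETACH}) path the comment describes can reach a raw buffer that now lives until rc_dev_release(), and the comment needs updating either way.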
diff --git a/drivers/media/rc/rc-loopback.c b/drivers/media/rc/rc-loopback.c
index 8288366f891fc9..a108b057b5fd56 100644
--- a/drivers/media/rc/rc-loopback.c
+++ b/drivers/media/rc/rc-loopback.c
@@ -263,6 +263,7 @@ static int __init loop_init(void)
 static void __exit loop_exit(void)
 {
 	rc_unregister_device(loopdev.dev);
+	rc_free_device(loopdev.dev);
 }
 
 module_init(loop_init);
diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index b9bf5cdcde4ae3..6bdf32cb4a17d8 100644
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1611,6 +1611,7 @@ static void rc_dev_release(struct device *device)
 {
 	struct rc_dev *dev = to_rc_dev(device);
 
+	ir_raw_event_free(dev);
 	kfree(dev);
 }
 
@@ -1773,7 +1774,6 @@ struct rc_dev *devm_rc_allocate_device(struct device *dev,
 	}
 
 	rc->dev.parent = dev;
-	rc->managed_alloc = true;
 	*dr = rc;
 	devres_add(dev, dr);
 
@@ -2042,11 +2042,7 @@ void rc_unregister_device(struct rc_dev *dev)
 	device_del(&dev->dev);
 
 	ida_free(&rc_ida, dev->minor);
-
-	if (!dev->managed_alloc)
-		rc_free_device(dev);
 }
-
 EXPORT_SYMBOL_GPL(rc_unregister_device);
 
 /*
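Review bot: removing the implicit rc_free_device() from rc_unregister_device() changes the API contract for every driver that allocates with rc_allocate_device(); any caller not converted in this patch, in-tree or out-of-tree, now leaks the rc_dev, since only the ida minor is released here. The kerneldoc for rc_unregister_device() and rc_free_device() (not in the hunk) should state that unregister no longer frees and that a matching rc_free_device() is required, and the devm path should be checked to still release the device through its devres action now that managed_alloc is gone.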
diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c
index a49173f54a4d0e..b8289327f6a206 100644
--- a/drivers/media/rc/redrat3.c
+++ b/drivers/media/rc/redrat3.c
@@ -1133,11 +1133,13 @@ static void redrat3_dev_disconnect(struct usb_interface *intf)
 {
 	struct usb_device *udev = interface_to_usbdev(intf);
 	struct redrat3_dev *rr3 = usb_get_intfdata(intf);
+	struct rc_dev *rc = rr3->rc;
 
 	usb_set_intfdata(intf, NULL);
-	rc_unregister_device(rr3->rc);
+	rc_unregister_device(rc);
 	led_classdev_unregister(&rr3->led);
 	redrat3_delete(rr3, udev);
+	rc_free_device(rc);
 }
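Review bot: the new local `struct rc_dev *rc = rr3->rc;` only makes sense because redrat3_delete(rr3, udev) tears down rr3 before rc_free_device(rc) runs; a one-line comment at the declaration saying rr3 is gone after redrat3_delete() would stop a later cleanup from "simplifying" it back to rr3->rc.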
 
 static int redrat3_dev_suspend(struct usb_interface *intf, pm_message_t message)
diff --git a/drivers/media/rc/st_rc.c b/drivers/media/rc/st_rc.c
index 6b70bac5f45d6c..0ba06bfc9e14b6 100644
--- a/drivers/media/rc/st_rc.c
+++ b/drivers/media/rc/st_rc.c
@@ -203,6 +203,7 @@ static void st_rc_remove(struct platform_device *pdev)
 	device_init_wakeup(&pdev->dev, false);
 	clk_disable_unprepare(rc_dev->sys_clock);
 	rc_unregister_device(rc_dev->rdev);
+	rc_free_device(rc_dev->rdev);
 }
 
 static int st_rc_open(struct rc_dev *rdev)
@@ -334,7 +335,6 @@ static int st_rc_probe(struct platform_device *pdev)
 	return ret;
 rcerr:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 clkerr:
 	clk_disable_unprepare(rc_dev->sys_clock);
 err:
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index 8e9b156e430022..8c85b9f30a3a96 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -392,15 +392,16 @@ static void streamzap_disconnect(struct usb_interface *interface)
 	struct streamzap_ir *sz = usb_get_intfdata(interface);
 	struct usb_device *usbdev = interface_to_usbdev(interface);
 
-	usb_set_intfdata(interface, NULL);
-
 	if (!sz)
 		return;
 
-	usb_kill_urb(sz->urb_in);
 	rc_unregister_device(sz->rdev);
+	usb_set_intfdata(interface, NULL);
+
+	usb_kill_urb(sz->urb_in);
 	usb_free_urb(sz->urb_in);
 	usb_free_coherent(usbdev, sz->buf_in_len, sz->buf_in, sz->dma_in);
+	rc_free_device(sz->rdev);
 
 	kfree(sz);
 }
diff --git a/drivers/media/rc/sunxi-cir.c b/drivers/media/rc/sunxi-cir.c
index 92ef4e7c6f69fc..cb4c56bf0752a8 100644
--- a/drivers/media/rc/sunxi-cir.c
+++ b/drivers/media/rc/sunxi-cir.c
@@ -371,6 +371,7 @@ static void sunxi_ir_remove(struct platform_device *pdev)
 	struct sunxi_ir *ir = platform_get_drvdata(pdev);
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 	sunxi_ir_hw_exit(&pdev->dev);
 }
 
diff --git a/drivers/media/rc/ttusbir.c b/drivers/media/rc/ttusbir.c
index dde446a95eaa93..a670d4b008cb0d 100644
--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -336,7 +336,6 @@ static int ttusbir_probe(struct usb_interface *intf,
 	return 0;
 out3:
 	rc_unregister_device(rc);
-	rc = NULL;
 out2:
 	led_classdev_unregister(&tt->led);
 out:
@@ -378,6 +377,7 @@ static void ttusbir_disconnect(struct usb_interface *intf)
 	usb_kill_urb(tt->bulk_urb);
 	usb_free_urb(tt->bulk_urb);
 	kfree(tt->bulk_buffer);
+	rc_free_device(tt->rc);
 	usb_set_intfdata(intf, NULL);
 	kfree(tt);
 }
diff --git a/drivers/media/rc/winbond-cir.c b/drivers/media/rc/winbond-cir.c
index 25884a79985c8a..14d8b58e283980 100644
--- a/drivers/media/rc/winbond-cir.c
+++ b/drivers/media/rc/winbond-cir.c
@@ -1132,7 +1132,6 @@ wbcir_probe(struct pnp_dev *device, const struct pnp_device_id *dev_id)
 	release_region(data->wbase, WAKEUP_IOMEM_LEN);
 exit_unregister_device:
 	rc_unregister_device(data->dev);
-	data->dev = NULL;
 exit_free_rc:
 	rc_free_device(data->dev);
 exit_unregister_led:
@@ -1163,6 +1162,7 @@ wbcir_remove(struct pnp_dev *device)
 	wbcir_set_bits(data->wbase + WBCIR_REG_WCEIR_EV_EN, 0x00, 0x07);
 
 	rc_unregister_device(data->dev);
+	rc_free_device(data->dev);
 
 	led_classdev_unregister(&data->led);
 
diff --git a/drivers/media/rc/xbox_remote.c b/drivers/media/rc/xbox_remote.c
index 0c9c855ced729c..80b7c247932a8f 100644
--- a/drivers/media/rc/xbox_remote.c
+++ b/drivers/media/rc/xbox_remote.c
@@ -283,14 +283,15 @@ static void xbox_remote_disconnect(struct usb_interface *interface)
 	struct xbox_remote *xbox_remote;
 
 	xbox_remote = usb_get_intfdata(interface);
-	usb_set_intfdata(interface, NULL);
 	if (!xbox_remote) {
 		dev_warn(&interface->dev, "%s - null device?\n", __func__);
 		return;
 	}
 
-	usb_kill_urb(xbox_remote->irq_urb);
 	rc_unregister_device(xbox_remote->rdev);
+	usb_set_intfdata(interface, NULL);
+	usb_kill_urb(xbox_remote->irq_urb);
+	rc_free_device(xbox_remote->rdev);
 	usb_free_urb(xbox_remote->irq_urb);
 	kfree(xbox_remote->inbuf);
 	kfree(xbox_remote);
diff --git a/drivers/media/usb/au0828/au0828-input.c b/drivers/media/usb/au0828/au0828-input.c
index 3d3368202cd018..283ad2c6288cd5 100644
--- a/drivers/media/usb/au0828/au0828-input.c
+++ b/drivers/media/usb/au0828/au0828-input.c
@@ -357,6 +357,7 @@ void au0828_rc_unregister(struct au0828_dev *dev)
 		return;
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 
 	/* done */
 	kfree(ir);
diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
index f1c79f351ec8de..17e8961179d14b 100644
--- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
@@ -187,6 +187,7 @@ static int dvb_usbv2_remote_exit(struct dvb_usb_device *d)
 	if (d->rc_dev) {
 		cancel_delayed_work_sync(&d->rc_query_work);
 		rc_unregister_device(d->rc_dev);
+		rc_free_device(d->rc_dev);
 		d->rc_dev = NULL;
 	}
 
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-remote.c b/drivers/media/usb/dvb-usb/dvb-usb-remote.c
index 65e2c9e2cdc99f..6dc11718dfb985 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-remote.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-remote.c
@@ -347,10 +347,12 @@ int dvb_usb_remote_exit(struct dvb_usb_device *d)
 {
 	if (d->state & DVB_USB_STATE_REMOTE) {
 		cancel_delayed_work_sync(&d->rc_query_work);
-		if (d->props.rc.mode == DVB_RC_LEGACY)
+		if (d->props.rc.mode == DVB_RC_LEGACY) {
 			input_unregister_device(d->input_dev);
-		else
+		} else {
 			rc_unregister_device(d->rc_dev);
+			rc_free_device(d->rc_dev);
+		}
 	}
 	d->state &= ~DVB_USB_STATE_REMOTE;
 	return 0;
diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
index 5f3b00869bdbc9..26f333b5be7325 100644
--- a/drivers/media/usb/em28xx/em28xx-input.c
+++ b/drivers/media/usb/em28xx/em28xx-input.c
@@ -853,6 +853,7 @@ static int em28xx_ir_fini(struct em28xx *dev)
 		goto ref_put;
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 
 	kfree(ir->i2c_client);
 
diff --git a/drivers/staging/media/av7110/av7110_ir.c b/drivers/staging/media/av7110/av7110_ir.c
index 68b3979ba5f20c..fdae467fd7ab81 100644
--- a/drivers/staging/media/av7110/av7110_ir.c
+++ b/drivers/staging/media/av7110/av7110_ir.c
@@ -151,6 +151,7 @@ int av7110_ir_init(struct av7110 *av7110)
 void av7110_ir_exit(struct av7110 *av7110)
 {
 	rc_unregister_device(av7110->ir.rcdev);
+	rc_free_device(av7110->ir.rcdev);
 }
 
 //MODULE_AUTHOR("Holger Waechtler <holger@convergence.de>, Oliver Endriss <o.endriss@gmx.de>");
diff --git a/include/media/rc-core.h b/include/media/rc-core.h
index 35c7a0546f02ee..7c964b5ad79269 100644
--- a/include/media/rc-core.h
+++ b/include/media/rc-core.h
@@ -81,7 +81,6 @@ struct lirc_fh {
 /**
  * struct rc_dev - represents a remote control device
  * @dev: driver model's view of this device
- * @managed_alloc: devm_rc_allocate_device was used to create rc_dev
  * @registered: set to true by rc_register_device(), false by
  *	rc_unregister_device
  * @idle: used to keep track of RX state
@@ -156,7 +155,6 @@ struct lirc_fh {
  */
 struct rc_dev {
 	struct device			dev;
-	bool				managed_alloc;
 	bool				registered;
 	bool				idle;
 	bool				encode_wakeup;
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 085/307] net/handshake: Drain pending requests at net namespace exit
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 084/307] net/handshake: Take a long-lived file reference at submit Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 086/307] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chuck Lever, Hannes Reinecke,
	Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit ea5fe6a73ca57e5150b8a38b341aef2636eb72f0 ]

The arguments to list_splice_init() in handshake_net_exit() are
reversed. The call moves the local empty "requests" list onto
hn->hn_requests, leaving the local list empty, so the subsequent
drain loop runs zero iterations. Pending handshake requests that
had not yet been accepted are not torn down when the net namespace
is destroyed; each one keeps a reference on a socket file and on
the handshake_req allocation.

Pass the source and destination in the documented order
(list_splice_init(list, head) moves list onto head) so the pending
list is transferred to the local scratch list and drained through
handshake_complete().

Fixing the splice direction exposes a list-corruption race. After
the splice each req->hr_list still has non-empty link pointers,
threading the stack-local scratch list rather than hn_requests.
A concurrent handshake_req_cancel() -- for example, from sunrpc's
TLS timeout on a kernel socket whose netns reference was not
taken -- finds the request through the rhashtable, calls
remove_pending(), and sees !list_empty(&req->hr_list).
__remove_pending_locked() then list_del_init()s an entry off the
scratch list while the drain iterates, corrupting it. The same
call arriving after the drain loop has run list_del() on an
entry hits LIST_POISON instead.

Have remove_pending() check HANDSHAKE_F_NET_DRAINING under
hn_lock and report not-found when drain is in progress. The
drain has already taken ownership; handshake_complete()'s existing
test_and_set on HANDSHAKE_F_REQ_COMPLETED still arbitrates
between drain and cancel for who calls the consumer's hp_done. Use
list_del_init() rather than list_del() in the drain so req->hr_list
does not carry LIST_POISON after drain releases the entry.

The DRAINING guard in remove_pending() makes cancel return false,
but cancel still falls through to test_and_set_bit on
HANDSHAKE_F_REQ_COMPLETED and drops the request's hr_file reference.
Without another pin, if that is the last reference, sk_destruct frees
the request while it is still linked on the drain loop's local list.
Pin each request's hr_file under hn_lock before releasing the list,
and drop that drain pin after the loop finishes with the request.

Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260525-handshake-file-pin-v3-8-66c616906ead@oracle.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/handshake/netlink.c | 10 ++++++++--
 net/handshake/request.c |  5 ++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
index 86a12c9125d403..e49041cc0f9d70 100644
--- a/net/handshake/netlink.c
+++ b/net/handshake/netlink.c
@@ -205,13 +205,19 @@ static void __net_exit handshake_net_exit(struct net *net)
 	 */
 	spin_lock_bh(&hn->hn_lock);
 	set_bit(HANDSHAKE_F_NET_DRAINING, &hn->hn_flags);
-	list_splice_init(&requests, &hn->hn_requests);
+	list_splice_init(&hn->hn_requests, &requests);
+	list_for_each_entry(req, &requests, hr_list)
+		get_file(req->hr_file);
 	spin_unlock_bh(&hn->hn_lock);
 
 	while (!list_empty(&requests)) {
+		struct file *file;
+
 		req = list_first_entry(&requests, struct handshake_req, hr_list);
-		list_del(&req->hr_list);
+		file = req->hr_file;
+		list_del_init(&req->hr_list);
 		handshake_complete(req, -ETIMEDOUT, NULL);
+		fput(file);
 	}
 }
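Review bot: `file = req->hr_file;` is read before handshake_complete(req, ...) because the consumer's hp_done may free req, so the later fput(file) cannot go through req; that ordering is load-bearing and deserves a comment at the assignment. It is also worth stating in the pin loop why plain get_file() is safe: it relies on every request still linked on hn_requests holding its own reference on hr_file (the "keeps a reference on a socket file" the changelog describes), which is what keeps the count non-zero while hn_lock is held.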
 
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 35bc6290e12033..96f80e0df67b50 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -163,13 +163,16 @@ static void __remove_pending_locked(struct handshake_net *hn,
  * otherwise %false.
  *
  * If @req was on a pending list, it has not yet been accepted.
+ * Returns %false when the net namespace is draining; the drain
+ * loop has taken ownership of the pending list.
  */
 static bool remove_pending(struct handshake_net *hn, struct handshake_req *req)
 {
 	bool ret = false;
 
 	spin_lock_bh(&hn->hn_lock);
-	if (!list_empty(&req->hr_list)) {
+	if (!test_bit(HANDSHAKE_F_NET_DRAINING, &hn->hn_flags) &&
+	    !list_empty(&req->hr_list)) {
 		__remove_pending_locked(hn, req);
 		ret = true;
 	}
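Review bot: the kerneldoc now says "otherwise %false" at the top and adds a second "Returns %false when the net namespace is draining" sentence below it; fold the two into one Return: description so both conditions are listed together. It should also spell out that a %false result during drain means @req is still linked on the drain loop's private list and the caller must not touch req->hr_list or free the request itself, since only the test_and_set on HANDSHAKE_F_REQ_COMPLETED arbitrates completion after this point.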
-- 
2.53.0


* [PATCH 6.18 096/315] media: rc: ttusbir: fix inverted error logic
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 095/315] media: rc: fix race between unregister and urb/irq callbacks Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 097/315] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 646ebdd3105809d84ed04aa9e92e47e89cc44502 ]

We have to report ENOMEM if no buffer is allocated.
Typo dropped a "!". Restore it.

Fixes: 50acaad3d202 ("media: rc: ttusbir: respect DMA coherency rules")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/rc/ttusbir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/rc/ttusbir.c b/drivers/media/rc/ttusbir.c
index a670d4b008cb0d..3452b5aefd2848 100644
--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -191,7 +191,7 @@ static int ttusbir_probe(struct usb_interface *intf,
 	tt = kzalloc(sizeof(*tt), GFP_KERNEL);
 	buffer = kzalloc(5, GFP_KERNEL);
 	rc = rc_allocate_device(RC_DRIVER_IR_RAW);
-	if (!tt || !rc || buffer) {
+	if (!tt || !rc || !buffer) {
 		ret = -ENOMEM;
 		goto out;
 	}
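Review bot: with the old `buffer` test the only way past this check was buffer == NULL, so before the fix the probe either always bailed out with -ENOMEM or carried on with a NULL buffer; the one-character change is correct. Since all three allocations are checked together, the `out:` cleanup (not in the hunk) has to cope with any subset of tt, rc and buffer being NULL; kfree() and rc_free_device() should both tolerate NULL, so that holds as long as nothing else on that path dereferences them.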
-- 
2.53.0


* [PATCH 6.12 086/307] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 085/307] net/handshake: Drain pending requests at net namespace exit Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 088/307] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao,
	Luiz Augusto von Dentz, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

[ Upstream commit 00e1950716c6ed67d74777b2db286b0fa23b4be9 ]

l2cap_ecred_reconf_rsp() returns early on success without clearing
chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
successful transaction to prevent the channel from matching subsequent
responses with the recycled ident value.

A remote attacker that completed a reconfiguration as the peer can
replay a failure response with the stale ident, causing the kernel to
match and destroy the already-established channel via
l2cap_chan_del(chan, ECONNRESET).

Clear chan->ident for all matching channels on success, and harden the
failure path by using l2cap_chan_hold_unless_zero() consistent with
other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b24e4d8130ddb1..9de5d545966d60 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5392,14 +5392,20 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
 
 	BT_DBG("result 0x%4.4x", result);
 
-	if (!result)
+	if (!result) {
+		list_for_each_entry(chan, &conn->chan_l, list) {
+			if (chan->ident == cmd->ident)
+				chan->ident = 0;
+		}
 		return 0;
+	}
 
 	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
 		if (chan->ident != cmd->ident)
 			continue;
 
-		l2cap_chan_hold(chan);
+		if (!l2cap_chan_hold_unless_zero(chan))
+			continue;
 		l2cap_chan_lock(chan);
 
 		l2cap_chan_del(chan, ECONNRESET);
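Review bot: the success loop clears chan->ident without l2cap_chan_lock(), whereas the failure loop immediately below holds the channel lock (and now a hold_unless_zero reference) while it touches the channel; if chan->ident is written under the channel lock elsewhere, the clear should take it too, otherwise a comment explaining that the conn-level lock held by the caller is sufficient would help. The plain list_for_each_entry() is fine there since that loop removes nothing from conn->chan_l.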
-- 
2.53.0


* [PATCH 6.18 097/315] smb: client: validate the whole DACL before rewriting it in cifsacl
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 096/315] media: rc: ttusbir: fix inverted error logic Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 098/315] Revert "x86/fpu: Refine and simplify the magic number check during signal return" Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 0a8cf165566ba55a39fd0f4de172119dd646d39a ]

build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
server-supplied dacloffset and then use the incoming ACL to rebuild the
chmod/chown security descriptor.

The original fix only checked that the struct smb_acl header fits before
reading dacl_ptr->size or dacl_ptr->num_aces.  That avoids the immediate
header-field OOB read, but the rewrite helpers still walk ACEs based on
pdacl->num_aces with no structural validation of the incoming DACL body.

A malicious server can return a truncated DACL that still contains a
header, claims one or more ACEs, and then drive
replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
extent while they compare or copy attacker-controlled ACEs.

Factor the DACL structural checks into validate_dacl(), extend them to
validate each ACE against the DACL bounds, and use the shared validator
before the chmod/chown rebuild paths.  parse_dacl() reuses the same
validator so the read-side parser and write-side rewrite paths agree on
what constitutes a well-formed incoming DACL.

Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/smb/client/cifsacl.c | 116 +++++++++++++++++++++++++++++-----------
 1 file changed, 85 insertions(+), 31 deletions(-)

diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c
index e2948835587094..d17912beb28ec5 100644
--- a/fs/smb/client/cifsacl.c
+++ b/fs/smb/client/cifsacl.c
@@ -757,6 +757,77 @@ static void dump_ace(struct smb_ace *pace, char *end_of_acl)
 }
 #endif
 
+static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl)
+{
+	int i, ace_hdr_size, ace_size, min_ace_size;
+	u16 dacl_size, num_aces;
+	char *acl_base, *end_of_dacl;
+	struct smb_ace *pace;
+
+	if (!pdacl)
+		return 0;
+
+	if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	dacl_size = le16_to_cpu(pdacl->size);
+	if (dacl_size < sizeof(struct smb_acl) ||
+	    end_of_acl < (char *)pdacl + dacl_size) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	num_aces = le16_to_cpu(pdacl->num_aces);
+	if (!num_aces)
+		return 0;
+
+	ace_hdr_size = offsetof(struct smb_ace, sid) +
+		offsetof(struct smb_sid, sub_auth);
+	min_ace_size = ace_hdr_size + sizeof(__le32);
+	if (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) {
+		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+		return -EINVAL;
+	}
+
+	end_of_dacl = (char *)pdacl + dacl_size;
+	acl_base = (char *)pdacl;
+	ace_size = sizeof(struct smb_acl);
+
+	for (i = 0; i < num_aces; ++i) {
+		if (end_of_dacl - acl_base < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		pace = (struct smb_ace *)(acl_base + ace_size);
+		acl_base = (char *)pace;
+
+		if (end_of_dacl - acl_base < ace_hdr_size ||
+		    pace->sid.num_subauth == 0 ||
+		    pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
+		if (end_of_dacl - acl_base < ace_size ||
+		    le16_to_cpu(pace->size) < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+
+		ace_size = le16_to_cpu(pace->size);
+		if (end_of_dacl - acl_base < ace_size) {
+			cifs_dbg(VFS, "ACL too small to parse ACE\n");
+			return -EINVAL;
+		}
+	}
+
+	return 0;
+}
+
 static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 		       struct smb_sid *pownersid, struct smb_sid *pgrpsid,
 		       struct cifs_fattr *fattr, bool mode_from_special_sid)
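Review bot: the first two bounds checks in validate_dacl() compare `end_of_acl < (char *)pdacl + ...`, which can wrap if a large dacloffset puts pdacl near the end of the address space, while the per-ACE loop correctly uses `end_of_dacl - acl_base < ...` subtraction; write the header checks the same way (`end_of_acl - (char *)pdacl < sizeof(struct smb_acl)`, with the difference cast to avoid a signed/unsigned compare). Two smaller points: the num_aces overcount path reuses the "ACL too small to parse DACL" message, so a distinct message such as "too many ACEs for DACL size" would make server-side fuzzing easier to triage, and `return 0` for a NULL pdacl means a caller passing NULL gets a success result and must still guard the dereferences that follow.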
@@ -764,7 +835,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 	int i;
 	u16 num_aces = 0;
 	int acl_size;
-	char *acl_base;
+	char *acl_base, *end_of_dacl;
 	struct smb_ace **ppace;
 
 	/* BB need to add parm so we can store the SID BB */
@@ -776,12 +847,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 		return;
 	}
 
-	/* validate that we do not go past end of acl */
-	if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||
-	    end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
-		cifs_dbg(VFS, "ACL too small to parse DACL\n");
+	if (validate_dacl(pdacl, end_of_acl))
 		return;
-	}
 
 	cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
 		 le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
@@ -792,6 +859,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 	   user/group/other have no permissions */
 	fattr->cf_mode &= ~(0777);
 
+	end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
 	acl_base = (char *)pdacl;
 	acl_size = sizeof(struct smb_acl);
 
@@ -799,36 +867,16 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 	if (num_aces > 0) {
 		umode_t denied_mode = 0;
 
-		if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
-				(offsetof(struct smb_ace, sid) +
-				 offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
-			return;
-
 		ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),
 				      GFP_KERNEL);
 		if (!ppace)
 			return;
 
 		for (i = 0; i < num_aces; ++i) {
-			if (end_of_acl - acl_base < acl_size)
-				break;
-
 			ppace[i] = (struct smb_ace *) (acl_base + acl_size);
-			acl_base = (char *)ppace[i];
-			acl_size = offsetof(struct smb_ace, sid) +
-				offsetof(struct smb_sid, sub_auth);
-
-			if (end_of_acl - acl_base < acl_size ||
-			    ppace[i]->sid.num_subauth == 0 ||
-			    ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
-			    (end_of_acl - acl_base <
-			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
-			    (le16_to_cpu(ppace[i]->size) <
-			     acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
-				break;
 
 #ifdef CONFIG_CIFS_DEBUG2
-			dump_ace(ppace[i], end_of_acl);
+			dump_ace(ppace[i], end_of_dacl);
 #endif
 			if (mode_from_special_sid &&
 			    ppace[i]->sid.num_subauth >= 3 &&
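Review bot: the per-ACE size and num_subauth checks that used to `break` out of this loop are gone, so the loop now fills all num_aces slots unconditionally and trusts that validate_dacl() ran earlier in parse_dacl(); that is true today, but a short comment above the loop saying the ACEs have already been validated (and that dump_ace() therefore receives end_of_dacl rather than end_of_acl) would keep the two functions in step if either is edited later.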
@@ -871,6 +919,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
 				(void *)ppace[i],
 				sizeof(struct smb_ace)); */
 
+			acl_base = (char *)ppace[i];
 			acl_size = le16_to_cpu(ppace[i]->size);
 		}
 
@@ -1316,10 +1365,9 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd,
 		}
 
 		dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
-		if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
-			cifs_dbg(VFS, "Server returned illegal ACL size\n");
-			return -EINVAL;
-		}
+		rc = validate_dacl(dacl_ptr, end_of_acl);
+		if (rc)
+			return rc;
 	}
 
 	owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
@@ -1698,6 +1746,12 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
 			}
 
 			dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
+			rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
+			if (rc) {
+				kfree(pntsd);
+				cifs_put_tlink(tlink);
+				return rc;
+			}
 			if (mode_from_sid)
 				nsecdesclen +=
 					le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);
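Review bot: the new early return open-codes the cleanup (`kfree(pntsd); cifs_put_tlink(tlink);`) instead of sharing it with the surrounding error paths; the validation itself is correctly placed before `le16_to_cpu(dacl_ptr->num_aces)` is used to size nsecdesclen, but a shared exit label would keep the cleanup sequences from drifting apart if another resource is added later.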
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 087/307] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
@ 2026-06-07  9:58   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 41c2713b204e6cb6a94587bc6bf6935107df5479 ]

If dcid is received for an already-assigned destination CID the spec
requires that both channels be discarded, but calling l2cap_chan_del
may invalidate the tmp cursor created by list_for_each_entry_safe and
in fact it is the wrong procedure, as the chan->dcid may have been
assigned previously and it really needs to be disconnected.

Calling l2cap_chan_close directly may still lead to l2cap_chan_del so
instead schedule l2cap_chan_timeout with delay 0 to close the channel
asynchronously.

Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 9de5d545966d60..f0b0f347ebc10a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5194,6 +5194,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 	cmd_len -= sizeof(*rsp);
 
 	list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+		struct l2cap_chan *orig;
 		u16 dcid;
 
 		if (chan->ident != cmd->ident ||
@@ -5215,8 +5216,10 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 
 		BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
 
+		orig = __l2cap_get_chan_by_dcid(conn, dcid);
+
 		/* Check if dcid is already in use */
-		if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
+		if (dcid && orig) {
 			/* If a device receives a
 			 * L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
 			 * already-assigned Destination CID, then both the
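Review bot: `orig = __l2cap_get_chan_by_dcid(conn, dcid)` now runs before the `dcid &&` test, so a zero dcid in the response triggers a lookup for dcid 0, which can match any channel whose destination CID is still unassigned; the result is discarded by the `if (dcid && orig)` guard, but moving the lookup behind the dcid check avoids the misleading match and the wasted list walk.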
@@ -5225,10 +5228,24 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
 			 */
 			l2cap_chan_del(chan, ECONNREFUSED);
 			l2cap_chan_unlock(chan);
-			chan = __l2cap_get_chan_by_dcid(conn, dcid);
-			l2cap_chan_lock(chan);
-			l2cap_chan_del(chan, ECONNRESET);
-			l2cap_chan_unlock(chan);
+
+			/* Check that the dcid channel mode is
+			 * L2CAP_MODE_EXT_FLOWCTL since this procedure is only
+			 * valid for that mode and shouldn't disconnect a dcid
+			 * in other modes.
+			 */
+			if (orig->mode == L2CAP_MODE_EXT_FLOWCTL) {
+				l2cap_chan_lock(orig);
+				/* Disconnect the original channel as it may be
+				 * considered connected since dcid has already
+				 * been assigned; don't call l2cap_chan_close
+				 * directly since that could lead to
+				 * l2cap_chan_del and then removing the channel
+				 * from the list while we're iterating over it.
+				 */
+				__set_chan_timer(orig, 0);
+				l2cap_chan_unlock(orig);
+			}
 			continue;
 		}
 
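Review bot: if `orig` can be `chan` itself (the channel being processed already carries this dcid, for example from a retransmitted response), `l2cap_chan_del(chan, ECONNREFUSED)` has already run by the time `l2cap_chan_lock(orig)` and `__set_chan_timer(orig, 0)` execute, so the timer is armed on a channel that was just deleted; an explicit `orig != chan` guard in front of the mode check would close that. Deferring the close through the timer is the right way to avoid mutating chan_l mid-iteration, and skipping channels that are not in L2CAP_MODE_EXT_FLOWCTL matches the spec comment above.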
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 098/315] Revert "x86/fpu: Refine and simplify the magic number check during signal return"
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 097/315] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 099/315] s390/cio: Restore GFP_DMA for CHSC allocation Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrei Vagin, Borislav Petkov (AMD),
	Chang S. Bae, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andrei Vagin <avagin@google.com>

[ Upstream commit 44eeff9bc467bc7d1fec34fc3f6001f385fe462c ]

This reverts

  dc8aa31a7ac2 ("x86/fpu: Refine and simplify the magic number check during signal return").

The aforementioned commit broke applications that construct signal frames in
userspace (such as CRIU and gVisor) if the frame's xstate size is smaller than
the kernel's fpstate->user_size.

Furthermore, this introduces a critical issue for checkpoint/restore tools
like CRIU. If a process is checkpointed while inside a signal handler, its
stack contains a signal frame formatted according to the source host's xstate
capabilities.

If that process is later restored on a destination host with larger xstate
capabilities (e.g., a newer CPU with more features enabled, resulting in
a larger fpstate->user_size), the kernel will look for FP_XSTATE_MAGIC2 at the
destination host's larger user_size offset instead of the offset encoded in
the frame's fx_sw->xstate_size.

This causes the magic2 check to fail, forcing sigreturn to silently fall back
to "FX-only" mode. Upon return from the signal handler, the process's extended
state is reset to initial values instead of being restored, leading to silent
data corruption.

The aforementioned commit cited

  d877550eaf2d ("x86/fpu: Stop relying on userspace for info to fault in xsave buffer")

as justification to stop relying on userspace for the magic number check.

However, these two changes are fundamentally different. The last one only
changed how much memory the kernel ensures is paged-in before running XRSTOR
to prevent an infinite loop. It did not change the signal frame format or how
the layout is validated.

Reverting this change restores the use of fx_sw->xstate_size for
locating magic2 and restores the necessary sanity checks, ensuring that
the signal frame remains self-describing and portable.

  [ bp: Massage commit message. ]

Fixes: dc8aa31a7ac2 ("x86/fpu: Refine and simplify the magic number check during signal return")
Signed-off-by: Andrei Vagin <avagin@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Chang S. Bae <chang.seok.bae@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20260429000623.3356606-1-avagin@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/fpu/signal.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index c3ec2512f2bbe4..20b638c507ca2d 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -27,14 +27,19 @@
 static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf,
 					    struct _fpx_sw_bytes *fx_sw)
 {
+	int min_xstate_size = sizeof(struct fxregs_state) +
+			      sizeof(struct xstate_header);
 	void __user *fpstate = fxbuf;
 	unsigned int magic2;
 
 	if (__copy_from_user(fx_sw, &fxbuf->sw_reserved[0], sizeof(*fx_sw)))
 		return false;
 
-	/* Check for the first magic field */
-	if (fx_sw->magic1 != FP_XSTATE_MAGIC1)
+	/* Check for the first magic field and other error scenarios. */
+	if (fx_sw->magic1 != FP_XSTATE_MAGIC1 ||
+	    fx_sw->xstate_size < min_xstate_size ||
+	    fx_sw->xstate_size > x86_task_fpu(current)->fpstate->user_size ||
+	    fx_sw->xstate_size > fx_sw->extended_size)
 		goto setfx;
 
 	/*
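Review bot: `min_xstate_size` is declared `int` but compared against `fx_sw->xstate_size`, which is unsigned; the value is positive so the implicit conversion is harmless, but declaring it `unsigned int` avoids a signed/unsigned comparison and matches the field it bounds. The restored lower bound, the `fpstate->user_size` upper bound and the `extended_size` check are what make `fx_sw->xstate_size` safe to use as an offset into the frame, so they should stay together as they are here.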
@@ -43,7 +48,7 @@ static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf,
 	 * fpstate layout with out copying the extended state information
 	 * in the memory layout.
 	 */
-	if (__get_user(magic2, (__u32 __user *)(fpstate + x86_task_fpu(current)->fpstate->user_size)))
+	if (__get_user(magic2, (__u32 __user *)(fpstate + fx_sw->xstate_size)))
 		return false;
 
 	if (likely(magic2 == FP_XSTATE_MAGIC2))
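Review bot: the offset for the magic2 read now comes from the user-written `fx_sw->xstate_size` again; that is only safe because the previous hunk bounds it to at most `fpstate->user_size`, and a one-line comment here naming that dependency would help, since dc8aa31a7ac2 removed this read precisely because the relationship was not spelled out. The existing comment text `with out copying` should read `without copying` if this area is touched again.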
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 088/307] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 086/307] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 089/307] gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write() Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heitor Alves de Siqueira,
	Luiz Augusto von Dentz, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

[ Upstream commit 525daaea459fc215f432de1b8debbd9144bf97b0 ]

Since hci_dev_close_sync() can now be called during the reset path, we
should also set HCI_CMD_DRAIN_WORKQUEUE. This avoids queuing timeouts
while the hdev workqueue is being drained.

Fixes: 877afadad2dc ("Bluetooth: When HCI work queue is drained, only queue chained work")
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_sync.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index fbcb3bbfef4fde..f6e133756bd9ba 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5223,6 +5223,12 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 
 	bt_dev_dbg(hdev, "");
 
+	/* Set HCI_DRAIN_WORKQUEUE flag to prevent queuing work during
+	 * reset/close. See hci_cmd_work() and handle_cmd_cnt_and_timer().
+	 */
+	hci_dev_set_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
+	synchronize_rcu();
+
 	if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
 		disable_delayed_work(&hdev->power_off);
 		disable_delayed_work(&hdev->ncmd_timer);
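Review bot: HCI_CMD_DRAIN_WORKQUEUE is now set unconditionally at entry, so every return from hci_dev_close_sync() has to clear it; the hunks below clear it on the `!test_and_clear_bit(HCI_UP, ...)` early return and at the end of the function, but any other return between those two points (none are visible in this diff) would leave the flag stuck and block command queuing until the next open. A single exit label that clears the flag would make that hold by construction. The `synchronize_rcu()` after setting the flag should also get a comment saying which RCU read-side critical section it is waiting for.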
@@ -5246,6 +5252,7 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 
 	if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
 		cancel_delayed_work_sync(&hdev->cmd_timer);
+		hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 		return err;
 	}
 
@@ -5345,6 +5352,7 @@ int hci_dev_close_sync(struct hci_dev *hdev)
 	/* Clear flags */
 	hdev->flags &= BIT(HCI_RAW);
 	hci_dev_clear_volatile_flags(hdev);
+	hci_dev_clear_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE);
 
 	memset(hdev->eir, 0, sizeof(hdev->eir));
 	memset(hdev->dev_class, 0, sizeof(hdev->dev_class));
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 099/315] s390/cio: Restore GFP_DMA for CHSC allocation
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 098/315] Revert "x86/fpu: Refine and simplify the magic number check during signal return" Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 100/315] drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Peter Oberparleiter, Heiko Carstens,
	Alexander Gordeev, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Oberparleiter <oberpar@linux.ibm.com>

[ Upstream commit ea34567db0a6b3a7ce78ba421592344315c8f90e ]

Re-add GFP_DMA when allocating memory for CHSC control blocks.
On some supported machines, CHSC cannot access memory outside
the DMA zone, causing CHSC command failures.

Cc: stable@vger.kernel.org
Fixes: a3a64a4def8d ("s390/cio: remove unneeded DMA zone allocation")
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
[ adjusted context to account for missing commit bf4afc53b77ae ]
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/chsc.c     |  4 ++--
 drivers/s390/cio/chsc_sch.c | 20 ++++++++++----------
 drivers/s390/cio/scm.c      |  2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c
index 239c92d4ec11e5..b5f6eb18ebadb2 100644
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -1143,8 +1143,8 @@ int __init chsc_init(void)
 {
 	int ret;
 
-	sei_page = (void *)get_zeroed_page(GFP_KERNEL);
-	chsc_page = (void *)get_zeroed_page(GFP_KERNEL);
+	sei_page = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
+	chsc_page = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sei_page || !chsc_page) {
 		ret = -ENOMEM;
 		goto out_err;
diff --git a/drivers/s390/cio/chsc_sch.c b/drivers/s390/cio/chsc_sch.c
index 1e58ee3cc87db1..9131ce3af1b8eb 100644
--- a/drivers/s390/cio/chsc_sch.c
+++ b/drivers/s390/cio/chsc_sch.c
@@ -293,7 +293,7 @@ static int chsc_ioctl_start(void __user *user_area)
 	if (!css_general_characteristics.dynio)
 		/* It makes no sense to try. */
 		return -EOPNOTSUPP;
-	chsc_area = (void *)get_zeroed_page(GFP_KERNEL);
+	chsc_area = (void *)get_zeroed_page(GFP_DMA | GFP_KERNEL);
 	if (!chsc_area)
 		return -ENOMEM;
 	request = kzalloc(sizeof(*request), GFP_KERNEL);
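Review bot: this site and chsc_ioctl_on_close_set() spell the flags as `GFP_DMA | GFP_KERNEL` while every other hunk in the series uses `GFP_KERNEL | GFP_DMA`; pick one ordering so a later grep for the DMA allocations finds all of them. The `request` kzalloc stays GFP_KERNEL, which is fine provided that object is never handed to CHSC itself; the diff does not show its use.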
@@ -341,7 +341,7 @@ static int chsc_ioctl_on_close_set(void __user *user_area)
 		ret = -ENOMEM;
 		goto out_unlock;
 	}
-	on_close_chsc_area = (void *)get_zeroed_page(GFP_KERNEL);
+	on_close_chsc_area = (void *)get_zeroed_page(GFP_DMA | GFP_KERNEL);
 	if (!on_close_chsc_area) {
 		ret = -ENOMEM;
 		goto out_free_request;
@@ -393,7 +393,7 @@ static int chsc_ioctl_start_sync(void __user *user_area)
 	struct chsc_sync_area *chsc_area;
 	int ret, ccode;
 
-	chsc_area = (void *)get_zeroed_page(GFP_KERNEL);
+	chsc_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!chsc_area)
 		return -ENOMEM;
 	if (copy_from_user(chsc_area, user_area, PAGE_SIZE)) {
@@ -439,7 +439,7 @@ static int chsc_ioctl_info_channel_path(void __user *user_cd)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *scpcd_area;
 
-	scpcd_area = (void *)get_zeroed_page(GFP_KERNEL);
+	scpcd_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!scpcd_area)
 		return -ENOMEM;
 	cd = kzalloc(sizeof(*cd), GFP_KERNEL);
@@ -501,7 +501,7 @@ static int chsc_ioctl_info_cu(void __user *user_cd)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *scucd_area;
 
-	scucd_area = (void *)get_zeroed_page(GFP_KERNEL);
+	scucd_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!scucd_area)
 		return -ENOMEM;
 	cd = kzalloc(sizeof(*cd), GFP_KERNEL);
@@ -564,7 +564,7 @@ static int chsc_ioctl_info_sch_cu(void __user *user_cud)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *sscud_area;
 
-	sscud_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sscud_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sscud_area)
 		return -ENOMEM;
 	cud = kzalloc(sizeof(*cud), GFP_KERNEL);
@@ -626,7 +626,7 @@ static int chsc_ioctl_conf_info(void __user *user_ci)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *sci_area;
 
-	sci_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sci_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sci_area)
 		return -ENOMEM;
 	ci = kzalloc(sizeof(*ci), GFP_KERNEL);
@@ -697,7 +697,7 @@ static int chsc_ioctl_conf_comp_list(void __user *user_ccl)
 		u32 res;
 	} __attribute__ ((packed)) *cssids_parm;
 
-	sccl_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sccl_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sccl_area)
 		return -ENOMEM;
 	ccl = kzalloc(sizeof(*ccl), GFP_KERNEL);
@@ -757,7 +757,7 @@ static int chsc_ioctl_chpd(void __user *user_chpd)
 	int ret;
 
 	chpd = kzalloc(sizeof(*chpd), GFP_KERNEL);
-	scpd_area = (void *)get_zeroed_page(GFP_KERNEL);
+	scpd_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!scpd_area || !chpd) {
 		ret = -ENOMEM;
 		goto out_free;
@@ -797,7 +797,7 @@ static int chsc_ioctl_dcal(void __user *user_dcal)
 		u8 data[PAGE_SIZE - 36];
 	} __attribute__ ((packed)) *sdcal_area;
 
-	sdcal_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sdcal_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sdcal_area)
 		return -ENOMEM;
 	dcal = kzalloc(sizeof(*dcal), GFP_KERNEL);
diff --git a/drivers/s390/cio/scm.c b/drivers/s390/cio/scm.c
index 9b4da237a0ed52..f4faa38a4b17ef 100644
--- a/drivers/s390/cio/scm.c
+++ b/drivers/s390/cio/scm.c
@@ -229,7 +229,7 @@ int scm_update_information(void)
 	size_t num;
 	int ret;
 
-	scm_info = (void *)__get_free_page(GFP_KERNEL);
+	scm_info = (void *)__get_free_page(GFP_KERNEL | GFP_DMA);
 	if (!scm_info)
 		return -ENOMEM;
 
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 089/307] gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 088/307] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 090/307] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Bartosz Golaszewski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <error27@gmail.com>

[ Upstream commit 8a122b5e72cc0043705f0d524bcd15f0c0b3ec15 ]

If *ppos is non-zero (user-space write split over multiple calls to
write()) then simple_write_to_buffer() won't initialize the start of the
buffer. Really, non-zero values for *ppos aren't going to work at all.
Check for that and return -EINVAL at the start of the function.

Fixes: 91581c4b3f29 ("gpio: virtuser: new virtual testing driver for the GPIO API")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/ahP3BJWWy-m_qI0X@stanley.mountain
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-virtuser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpio/gpio-virtuser.c b/drivers/gpio/gpio-virtuser.c
index 8a313dd624c26e..ff1977b2699144 100644
--- a/drivers/gpio/gpio-virtuser.c
+++ b/drivers/gpio/gpio-virtuser.c
@@ -400,7 +400,7 @@ static ssize_t gpio_virtuser_direction_do_write(struct file *file,
 	char buf[32], *trimmed;
 	int ret, dir, val = 0;
 
-	if (count >= sizeof(buf))
+	if (*ppos != 0 || count >= sizeof(buf))
 		return -EINVAL;
 
 	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
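Review bot: rejecting a non-zero `*ppos` up front is the right fix; simple_write_to_buffer() would otherwise skip the first `*ppos` bytes of `buf` and leave them uninitialised before the parser runs. One thing the hunk does not show is whether `buf` is NUL-terminated after the copy (`sizeof(buf) - 1` leaves room for it); please confirm the code that follows writes `buf[ret] = '\0'` before the trim/parse step.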
@@ -627,7 +627,7 @@ static ssize_t gpio_virtuser_consumer_write(struct file *file,
 	char buf[GPIO_VIRTUSER_NAME_BUF_LEN + 2];
 	int ret;
 
-	if (count >= sizeof(buf))
+	if (*ppos != 0 || count >= sizeof(buf))
 		return -EINVAL;
 
 	ret = simple_write_to_buffer(buf, GPIO_VIRTUSER_NAME_BUF_LEN, ppos,
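Review bot: pre-existing, but worth fixing while this function is touched: `count >= sizeof(buf)` accepts writes of up to GPIO_VIRTUSER_NAME_BUF_LEN + 1 bytes, while simple_write_to_buffer() is only given GPIO_VIRTUSER_NAME_BUF_LEN, so a write of NAME_BUF_LEN + 1 bytes passes the check and is silently truncated to a short write. Bounding `count` by GPIO_VIRTUSER_NAME_BUF_LEN (or passing `sizeof(buf) - 1` to simple_write_to_buffer()) would make the two limits agree.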
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 100/315] drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 099/315] s390/cio: Restore GFP_DMA for CHSC allocation Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 101/315] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit fbceb39b536e40c2f7cc47ab42037bb7c2b7ced9 upstream.

EDP specification says:

"If either VSC SDP is unable to be transmitted 100 ns before the SU region,
the Source device may optionally transmit the VSC SDP during the prior
video scan line’s HBlank period. There is an Intel-specific drm dp register
currently containing bits related to how TCON can support PSR2 with SDP on
prior line."

Unfortunately many panels are having problems in implementing this. So
there is a custom Intel specific DPCD register (INTEL_WA_REGISTER_CAPS) to
figure out if this is properly implemented on a panel or if panel doesn't
require that 100 ns delay before the SU region. Here are the definitions in
this custom DPCD address:

0 = Panel doesn't support SDP on prior line
1 = Panel supports SDP on prior line
2 = Panel doesn't have 100ns requirement
3 = Reserved

Add definitions for this new register and its values into new header
intel_dpcd.h.

v2: add INTEL_DPCD_ prefix to definitions

Bspec: 74741
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-2-jouni.hogander@intel.com
(cherry picked from commit 1da1c9294825f08f622c473480d185680c2a3b75)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_dpcd.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 drivers/gpu/drm/i915/display/intel_dpcd.h

diff --git a/drivers/gpu/drm/i915/display/intel_dpcd.h b/drivers/gpu/drm/i915/display/intel_dpcd.h
new file mode 100644
index 00000000000000..4aea5326f2ed48
--- /dev/null
+++ b/drivers/gpu/drm/i915/display/intel_dpcd.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: MIT */
+/*
+ * Copyright © 2026 Intel Corporation
+ */
+
+#ifndef __INTEL_DPCD_H__
+#define __INTEL_DPCD_H__
+
+#define INTEL_DPCD_INTEL_WA_REGISTER_CAPS					0x3f0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK	REG_GENMASK(1, 0)
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1			0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE		1
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE		2
+
+#endif /* __INTEL_DPCD_H__ */
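Review bot: the new header uses REG_GENMASK() without including the header that defines it, so it is not self-contained and only compiles when the includer has already pulled in the register-definition header; add that include (or use plain GENMASK() from linux/bits.h). The commit message also lists value 3 as reserved, but the header has no definition or comment for it; a `/* 3: reserved */` line next to the mask would let readers of the mask see the full encoding.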
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 090/307] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 089/307] gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 091/307] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marco Scardovi, Bartosz Golaszewski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Marco Scardovi <scardracs@disroot.org>

[ Upstream commit 3e46c18d5d87f063a93ae0fe7662fbf6660459d5 ]

The bank->clk was previously obtained via of_clk_get() and manually
prepared/enabled. However, it was missing a corresponding clk_put() in
both the error paths and the remove function, leading to a reference leak.

Convert the allocation to devm_clk_get_enabled(), which also properly
propagates failures from clk_prepare_enable() that were previously ignored.

The GPIO bank device uses the same OF node as the previous of_clk_get()
call, so devm_clk_get_enabled(dev, NULL) correctly resolves the same
clock provider entry.

Fix the reference leak and simplify the code by removing the manual
clk_disable_unprepare() calls in the probe error paths and in the
remove function.

Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@disroot.org>
Link: https://patch.msgid.link/20260526171050.12785-2-scardracs@disroot.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-rockchip.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c
index 4e2132c80be32a..052713bd8d07a9 100644
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -647,11 +647,10 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 	if (!bank->irq)
 		return -EINVAL;
 
-	bank->clk = of_clk_get(bank->of_node, 0);
+	bank->clk = devm_clk_get_enabled(bank->dev, NULL);
 	if (IS_ERR(bank->clk))
 		return PTR_ERR(bank->clk);
 
-	clk_prepare_enable(bank->clk);
 	id = readl(bank->reg_base + gpio_regs_v2.version_id);
 
 	/* If not gpio v2, that is default to v1. */
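Review bot: `devm_clk_get_enabled(bank->dev, NULL)` resolves the clock through `bank->dev->of_node`, whereas the old `of_clk_get(bank->of_node, 0)` named the bank's node explicitly; the commit message states these are the same node, but that is worth a comment at this call site because the equivalence is not visible here. Note also that a clk_prepare_enable() failure now fails the probe instead of being ignored, which is the intended tightening but is a behaviour change.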
@@ -661,7 +660,6 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
 		bank->db_clk = of_clk_get(bank->of_node, 1);
 		if (IS_ERR(bank->db_clk)) {
 			dev_err(bank->dev, "cannot find debounce clk\n");
-			clk_disable_unprepare(bank->clk);
 			return -EINVAL;
 		}
 	} else {
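Review bot: `bank->db_clk` is still obtained with of_clk_get() and, as far as this diff shows, never released with clk_put(), so the same reference leak the commit message describes for bank->clk remains for the debounce clock; converting it to devm_clk_get() would close that as a follow-up.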
@@ -735,7 +733,6 @@ static int rockchip_gpio_probe(struct platform_device *pdev)
 
 	ret = rockchip_gpiolib_register(bank);
 	if (ret) {
-		clk_disable_unprepare(bank->clk);
 		mutex_unlock(&bank->deferred_lock);
 		return ret;
 	}
@@ -776,7 +773,6 @@ static void rockchip_gpio_remove(struct platform_device *pdev)
 {
 	struct rockchip_pin_bank *bank = platform_get_drvdata(pdev);
 
-	clk_disable_unprepare(bank->clk);
 	gpiochip_remove(&bank->gpio_chip);
 }
 
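Review bot: removing the clk_disable_unprepare() from remove() means the devm release now turns the clock off after gpiochip_remove() returns rather than before it; that is the safer order (register access during teardown still has the clock running), but it is a behaviour change that deserves a sentence in the commit message.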
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 101/315] drm/i915/psr: Read Intel DPCD workaround register
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 100/315] drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 102/315] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit f30bece421a4ae34359254e1dc2a187a42b6af9b upstream.

Read Intel DPCD workaround register and store it into
intel_connector->dp.psr_caps. psr_caps was chosen as currently it contains
only PSR workaround for PSR2 SDP on prior scanline implementation.

Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-3-jouni.hogander@intel.com
(cherry picked from commit c48ff24d0f4ab7ad696b2d35ad64ce7e049c668c)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_display_types.h | 1 +
 drivers/gpu/drm/i915/display/intel_psr.c           | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h
index 39dd7389f1a71a..197bdb6592a7f9 100644
--- a/drivers/gpu/drm/i915/display/intel_display_types.h
+++ b/drivers/gpu/drm/i915/display/intel_display_types.h
@@ -1710,6 +1710,7 @@ struct intel_dp {
 	u8 lttpr_common_caps[DP_LTTPR_COMMON_CAP_SIZE];
 	u8 lttpr_phy_caps[DP_MAX_LTTPR_COUNT][DP_LTTPR_PHY_CAP_SIZE];
 	u8 pcon_dsc_dpcd[DP_PCON_DSC_ENCODER_CAP_SIZE];
+	u8 intel_wa_dpcd;
 	/* source rates */
 	int num_source_rates;
 	const int *source_rates;
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index 1da20065ea7763..802a671b2afaaa 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -41,6 +41,7 @@
 #include "intel_display_types.h"
 #include "intel_dmc.h"
 #include "intel_dp.h"
+#include "intel_dpcd.h"
 #include "intel_dp_aux.h"
 #include "intel_dsb.h"
 #include "intel_frontbuffer.h"
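Review bot: `intel_dpcd.h` is inserted between `intel_dp.h` and `intel_dp_aux.h`, which breaks the alphabetical ordering of this include block (`intel_dp_aux.h` sorts before `intel_dpcd.h`); move it one line down.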
@@ -679,6 +680,12 @@ static void _psr_init_dpcd(struct intel_dp *intel_dp)
 		drm_dbg_kms(display->drm, "PSR2 %ssupported\n",
 			    intel_dp->psr.sink_psr2_support ? "" : "not ");
 	}
+
+	if (intel_dp->psr.sink_psr2_support)
+		drm_dp_dpcd_read(&intel_dp->aux,
+				 INTEL_DPCD_INTEL_WA_REGISTER_CAPS,
+				 &intel_dp->intel_wa_dpcd,
+				 sizeof(intel_dp->intel_wa_dpcd));
 }
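Review bot: the return value of drm_dp_dpcd_read() is ignored, so an AUX failure leaves `intel_wa_dpcd` holding whatever was there before (zero on a fresh allocation, possibly stale data if the sink was re-probed); since zero decodes as INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1, a failed read silently picks the conservative option, which is acceptable, but clearing the field before the read and logging on failure would make that explicit. The commit message also says the value is stored in intel_connector->dp.psr_caps, whereas the hunk adds `intel_dp->intel_wa_dpcd`; the message should match the code.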
 
 void intel_psr_init_dpcd(struct intel_dp *intel_dp)
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.12 091/307] net: mana: Add NULL guards in teardown path to prevent panic on attach failure
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 090/307] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 092/307] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Dipayaan Roy,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dipayaan Roy <dipayanroy@linux.microsoft.com>

[ Upstream commit 17bfe0a8c014ee1d542ad352cd6a0a505361664a ]

When queue allocation fails partway through, the error cleanup frees
and NULLs apc->tx_qp and apc->rxqs. Multiple teardown paths such as
mana_remove(), mana_change_mtu() recovery, and internal error handling
in mana_alloc_queues() can subsequently call into functions that
dereference these pointers without NULL checks:

- mana_chn_setxdp() dereferences apc->rxqs[0], causing a NULL pointer
  dereference panic (CR2: 0000000000000000 at mana_chn_setxdp+0x26).
- mana_destroy_vport() iterates apc->rxqs without a NULL check.
- mana_fence_rqs() iterates apc->rxqs without a NULL check.
- mana_dealloc_queues() iterates apc->tx_qp without a NULL check.

Add NULL guards for apc->rxqs in mana_fence_rqs(),
mana_destroy_vport(), and before the mana_chn_setxdp() call. Add a
NULL guard for apc->tx_qp in mana_dealloc_queues() to skip TX queue
draining when TX queues were never allocated or already freed.

Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Link: https://patch.msgid.link/20260525081129.1230035-2-dipayanroy@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/microsoft/mana/mana_en.c | 70 +++++++++++--------
 1 file changed, 41 insertions(+), 29 deletions(-)

diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index e527139936dee4..0e4b0ac4acf86b 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1304,6 +1304,9 @@ static void mana_fence_rqs(struct mana_port_context *apc)
 	struct mana_rxq *rxq;
 	int err;
 
+	if (!apc->rxqs)
+		return;
+
 	for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
 		rxq = apc->rxqs[rxq_idx];
 		err = mana_fence_rq(apc, rxq);
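Review bot: the new `if (!apc->rxqs) return;` only covers the array pointer itself; the loop below still hands `apc->rxqs[rxq_idx]` straight to mana_fence_rq() without the per-entry `if (!rxq) continue;` that mana_destroy_vport() uses in this same patch. Since the log describes queue allocation failing partway through, either confirm that mana_fence_rq() tolerates a NULL rxq or add the same per-entry skip here.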
@@ -2324,13 +2327,16 @@ static void mana_destroy_vport(struct mana_port_context *apc)
 	struct mana_rxq *rxq;
 	u32 rxq_idx;
 
-	for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
-		rxq = apc->rxqs[rxq_idx];
-		if (!rxq)
-			continue;
+	if (apc->rxqs) {
 
-		mana_destroy_rxq(apc, rxq, true);
-		apc->rxqs[rxq_idx] = NULL;
+		for (rxq_idx = 0; rxq_idx < apc->num_queues; rxq_idx++) {
+			rxq = apc->rxqs[rxq_idx];
+			if (!rxq)
+				continue;
+
+			mana_destroy_rxq(apc, rxq, true);
+			apc->rxqs[rxq_idx] = NULL;
+		}
 	}
 
 	mana_destroy_txq(apc);
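Review bot: style, the blank line directly after `if (apc->rxqs) {` will draw a checkpatch warning (blank lines aren't necessary after an open brace); drop it. The re-indented loop body is otherwise unchanged, so an inverted check that skips straight to mana_destroy_txq() would give the same behaviour with less churn, though that is the maintainers' call.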
@@ -2633,7 +2639,8 @@ static int mana_dealloc_queues(struct net_device *ndev)
 	if (apc->port_is_up)
 		return -EINVAL;
 
-	mana_chn_setxdp(apc, NULL);
+	if (apc->rxqs)
+		mana_chn_setxdp(apc, NULL);
 
 	if (gd->gdma_context->is_pf)
 		mana_pf_deregister_filter(apc);
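Review bot: the guard matches the failure the log describes (apc->rxqs itself NULLed by error cleanup), but the log also says mana_chn_setxdp() dereferences apc->rxqs[0], and the mana_destroy_vport() loop in this patch explicitly tolerates NULL entries inside a live array. If the array can exist with rxqs[0] == NULL this check is not sufficient; either state in the log that error cleanup always drops the whole array, or guard on apc->rxqs[0] as well.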
@@ -2651,33 +2658,38 @@ static int mana_dealloc_queues(struct net_device *ndev)
 	 * number of queues.
 	 */
 
-	for (i = 0; i < apc->num_queues; i++) {
-		txq = &apc->tx_qp[i].txq;
-		tsleep = 1000;
-		while (atomic_read(&txq->pending_sends) > 0 &&
-		       time_before(jiffies, timeout)) {
-			usleep_range(tsleep, tsleep + 1000);
-			tsleep <<= 1;
-		}
-		if (atomic_read(&txq->pending_sends)) {
-			err = pcie_flr(to_pci_dev(gd->gdma_context->dev));
-			if (err) {
-				netdev_err(ndev, "flr failed %d with %d pkts pending in txq %u\n",
-					   err, atomic_read(&txq->pending_sends),
-					   txq->gdma_txq_id);
+	if (apc->tx_qp) {
+		for (i = 0; i < apc->num_queues; i++) {
+			txq = &apc->tx_qp[i].txq;
+			tsleep = 1000;
+			while (atomic_read(&txq->pending_sends) > 0 &&
+			       time_before(jiffies, timeout)) {
+				usleep_range(tsleep, tsleep + 1000);
+				tsleep <<= 1;
+			}
+			if (atomic_read(&txq->pending_sends)) {
+				err =
+				    pcie_flr(to_pci_dev(gd->gdma_context->dev));
+				if (err) {
+					netdev_err(ndev, "flr failed %d with %d pkts pending in txq %u\n",
+						   err,
+					    atomic_read(&txq->pending_sends),
+					    txq->gdma_txq_id);
+				}
+				break;
 			}
-			break;
 		}
-	}
 
-	for (i = 0; i < apc->num_queues; i++) {
-		txq = &apc->tx_qp[i].txq;
-		while ((skb = skb_dequeue(&txq->pending_skbs))) {
-			mana_unmap_skb(skb, apc);
-			dev_kfree_skb_any(skb);
+		for (i = 0; i < apc->num_queues; i++) {
+			txq = &apc->tx_qp[i].txq;
+			while ((skb = skb_dequeue(&txq->pending_skbs))) {
+				mana_unmap_skb(skb, apc);
+				dev_kfree_skb_any(skb);
+			}
+			atomic_set(&txq->pending_sends, 0);
 		}
-		atomic_set(&txq->pending_sends, 0);
 	}
+
 	/* We're 100% sure the queues can no longer be woken up, because
 	 * we're sure now mana_poll_tx_cq() can't be running.
 	 */
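Review bot: the continuation lines created by the extra indent level (`err =` alone on a line, and the netdev_err() arguments below it) are now indented with spaces and no longer align with the opening parenthesis, which checkpatch will flag; `err = pcie_flr(to_pci_dev(gd->gdma_context->dev));` fits on one line within the 100-column limit, and the netdev_err() arguments should be tab-aligned. Functionally the guard is sound: both loops only touch `apc->tx_qp[i].txq`, so skipping them when tx_qp is NULL is safe, and the "queues can no longer be woken up" comment still holds trivially when there are no queues.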
-- 
2.53.0

* [PATCH 6.18 102/315] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 101/315] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 103/315] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit 4703049f768fc1c1caac754134118bee1a3af189 upstream.

There is an Intel-specific workaround DPCD address containing a workaround
for the case where the SDP is on the prior line. Apply this workaround
according to the values in that offset.

Fixes: 61e887329e33 ("drm/i915/xelpd: Handle PSR2 SDP indication in the prior scanline")
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-4-jouni.hogander@intel.com
(cherry picked from commit c3fe899fbeac86ea4a5ca9dd845b2cbc0da46249)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_psr.c | 28 +++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index 802a671b2afaaa..eed281b93cd84d 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -29,6 +29,7 @@
 #include <drm/drm_vblank.h>
 
 #include "i915_reg.h"
+#include "i915_utils.h"
 #include "intel_alpm.h"
 #include "intel_atomic.h"
 #include "intel_crtc.h"
@@ -1315,6 +1316,30 @@ static bool psr2_granularity_check(struct intel_dp *intel_dp,
 	return true;
 }
 
+static bool apply_scanline_indication_wa(struct intel_dp *intel_dp,
+					 struct intel_crtc_state *crtc_state)
+{
+	u8 early_scanline_support = intel_dp->intel_wa_dpcd &
+		INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK;
+
+	if (intel_dp->edp_dpcd[0] >= DP_EDP_15)
+		return true;
+
+	switch (early_scanline_support)	{
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1:
+		crtc_state->req_psr2_sdp_prior_scanline = false;
+		return false;
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE:
+		return true;
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE:
+		crtc_state->req_psr2_sdp_prior_scanline = false;
+		return true;
+	default:
+		MISSING_CASE(early_scanline_support);
+		return false;
+	}
+}
+
 static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_dp,
 							struct intel_crtc_state *crtc_state)
 {
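Review bot: the `default:` arm logs MISSING_CASE() and returns false, so any panel whose workaround register decodes to a value outside the three named cases now fails _compute_psr2_sdp_prior_scanline_indication() where it previously returned true unconditionally. If a panel that does not implement the register reads back as such a value (all-zero being the likely case), that is a regression for those panels; confirm the zero/unimplemented value maps to one of the handled cases, or handle it explicitly. Also a stray tab before the brace in `switch (early_scanline_support)	{`.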
@@ -1336,7 +1361,8 @@ static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_d
 		return false;
 
 	crtc_state->req_psr2_sdp_prior_scanline = true;
-	return true;
+
+	return apply_scanline_indication_wa(intel_dp, crtc_state);
 }
 
 static int intel_psr_entry_setup_frames(struct intel_dp *intel_dp,
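Review bot: `crtc_state->req_psr2_sdp_prior_scanline = true` is set here and then possibly cleared again inside apply_scanline_indication_wa(), so the flag's final value depends on two places. Consider letting the helper own the flag (set it only in the cases that keep it) so a reader of this function sees a single assignment.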
-- 
2.53.0

* [PATCH 6.12 092/307] sctp: fix race between sctp_wait_for_connect and peeloff
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 091/307] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 093/307] ipv6: fix possible infinite loop in rt6_fill_node() Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Xin Long,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

[ Upstream commit f14fe6395a8b3d961a61e138ad7b36ba3626dd4e ]

sctp_wait_for_connect() drops and re-acquires the socket lock while
waiting for the association to reach ESTABLISHED state. During this
window, another thread can peeloff the association to a new socket via
getsockopt(SCTP_SOCKOPT_PEELOFF), changing asoc->base.sk. After
re-acquiring the old socket lock, sctp_wait_for_connect() returns
success without noticing the migration — the caller then accesses
the association under the wrong lock in sctp_datamsg_from_user().

Add the same sk != asoc->base.sk check that sctp_wait_for_sndbuf()
already has, returning an error if the association was migrated while
we slept.

Fixes: 668c9beb9020 ("sctp: implement assign_number for sctp_stream_interleave")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260527032411.60959-1-kipreyyy@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 6b562dd1aae110..3e80cf4e63ff00 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9377,6 +9377,8 @@ static int sctp_wait_for_connect(struct sctp_association *asoc, long *timeo_p)
 		release_sock(sk);
 		current_timeo = schedule_timeout(current_timeo);
 		lock_sock(sk);
+		if (sk != asoc->base.sk)
+			goto do_error;
 
 		*timeo_p = current_timeo;
 	}
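Review bot: the check is correct and mirrors sctp_wait_for_sndbuf(), but after a peeloff the association belongs to a socket whose lock this path does not hold, so `asoc->base.sk` is the only field of asoc it may still read; please confirm the do_error label does not touch asoc (or the new socket) on the way out. A one-line comment above the check saying the association may have been peeled off while we slept would help the next reader.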
-- 
2.53.0

* [PATCH 6.18 103/315] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 102/315] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 104/315] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Horatiu Vultur <horatiu.vultur@microchip.com>

[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ]

As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exist only as rev B,
we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY.
Because of this change there is no need to check whether it is a
different revision than rev B in the function vsc8584_probe(), as we
already know that this will never happen.
These changes are a preparation for the next patch, because in that patch
we will make the PHYs VSC8574 and VSC8572 use vsc8584_probe() and
these PHYs have multiple revisions.

Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/mscc/mscc.h      |  8 ++++----
 drivers/net/phy/mscc/mscc_main.c | 23 ++++-------------------
 2 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index 2d8eca54c40a29..2eef5956b9cc59 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -289,12 +289,12 @@ enum rgmii_clock_delay {
 #define PHY_ID_VSC8540			  0x00070760
 #define PHY_ID_VSC8541			  0x00070770
 #define PHY_ID_VSC8552			  0x000704e0
-#define PHY_ID_VSC856X			  0x000707e0
+#define PHY_ID_VSC856X			  0x000707e1
 #define PHY_ID_VSC8572			  0x000704d0
 #define PHY_ID_VSC8574			  0x000704a0
-#define PHY_ID_VSC8575			  0x000707d0
-#define PHY_ID_VSC8582			  0x000707b0
-#define PHY_ID_VSC8584			  0x000707c0
+#define PHY_ID_VSC8575			  0x000707d1
+#define PHY_ID_VSC8582			  0x000707b1
+#define PHY_ID_VSC8584			  0x000707c1
 #define PHY_VENDOR_MSCC			0x00070400
 
 #define MSCC_VDDMAC_1500		  1500
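Review bot: the low nibble of these four IDs now carries the rev-B revision, so any remaining comparison that masks with 0xfffffff0 and then compares against these macros silently stops matching. The switch in vsc8584_config_init() compares `phydev->phy_id & phydev->drv->phy_id_mask`, which keeps working only because the corresponding driver entries move to PHY_ID_MATCH_EXACT in this same patch; worth grepping for other users of PHY_ID_VSC8584/8582/8575/856X outside this file before merging.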
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index 48d43f60b8ff8c..8678ebf89cca51 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -1724,12 +1724,6 @@ static int vsc8584_config_init(struct phy_device *phydev)
 	 * in this pre-init function.
 	 */
 	if (phy_package_init_once(phydev)) {
-		/* The following switch statement assumes that the lowest
-		 * nibble of the phy_id_mask is always 0. This works because
-		 * the lowest nibble of the PHY_ID's below are also 0.
-		 */
-		WARN_ON(phydev->drv->phy_id_mask & 0xf);
-
 		switch (phydev->phy_id & phydev->drv->phy_id_mask) {
 		case PHY_ID_VSC8504:
 		case PHY_ID_VSC8552:
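Review bot: the removed comment documented the invariant the switch relies on (mask low nibble zero, IDs ending in 0), and the WARN_ON that enforced it is gone without replacement. After this patch the switch mixes entries with a 0xfffffff0 mask (VSC8504, VSC8552, ...) and exact-match entries whose IDs end in 1, so please add a short comment stating the new rule: each case value must equal `phy_id & phy_id_mask` for its own driver entry.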
@@ -2290,11 +2284,6 @@ static int vsc8584_probe(struct phy_device *phydev)
 	   VSC8531_DUPLEX_COLLISION};
 	int ret;
 
-	if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) {
-		dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n");
-		return -ENOTSUPP;
-	}
-
 	vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL);
 	if (!vsc8531)
 		return -ENOMEM;
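Review bot: with the revision check gone, nothing in vsc8584_probe() rejects an unsupported revision; enforcement now lives entirely in the ID table. That is fine for the four exact-match entries, but the log says VSC8574/VSC8572 (which have several revisions) will start using this probe in the next patch, so that patch must carry its own revision handling; a sentence here making that dependency explicit would help anyone bisecting.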
@@ -2587,9 +2576,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.config_inband  = vsc85xx_config_inband,
 },
 {
-	.phy_id		= PHY_ID_VSC856X,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC856X),
 	.name		= "Microsemi GE VSC856X SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2667,9 +2655,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.config_inband  = vsc85xx_config_inband,
 },
 {
-	.phy_id		= PHY_ID_VSC8575,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8575),
 	.name		= "Microsemi GE VSC8575 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2693,9 +2680,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.config_inband  = vsc85xx_config_inband,
 },
 {
-	.phy_id		= PHY_ID_VSC8582,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8582),
 	.name		= "Microsemi GE VSC8582 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2719,9 +2705,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.config_inband  = vsc85xx_config_inband,
 },
 {
-	.phy_id		= PHY_ID_VSC8584,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8584),
 	.name		= "Microsemi GE VSC8584 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
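Review bot: PHY_ID_MATCH_EXACT() supplies both .phy_id and .phy_id_mask, so dropping the explicit `.phy_id_mask = 0xfffffff0` in all four entries (VSC856X, VSC8575, VSC8582, VSC8584) is correct. The behavioural change is that a silicon revision other than B now gets no driver binding at all instead of probing and failing with the dev_err() this patch removes; that is what the log intends, but it is worth a sentence there since it turns a dmesg error into a silent non-match.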
-- 
2.53.0

* [PATCH 6.12 093/307] ipv6: fix possible infinite loop in rt6_fill_node()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 092/307] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 094/307] ipv6: fix possible infinite loop in fib6_select_path() Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit 9f72412bcf60144f252b0d6205106abf14344abc ]

Sashiko reported this issue [1]. Apply the same fix as
commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&rt->fib6_siblings)
without waiting for RCU readers; rt->fib6_siblings.next then still
points into the old ring and this softirq-side walker never reaches
&rt->fib6_siblings, causing a CPU stall. fib6_del_route() always
WRITE_ONCE()s rt->fib6_nsiblings to 0 before list_del_rcu(), so an
inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/route.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 31c9e3b73f2da1..c73218fd82c615 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5812,6 +5812,8 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
 
 				goto nla_put_failure;
 			}
+			if (!READ_ONCE(rt->fib6_nsiblings))
+				break;
 		}
 
 		rcu_read_unlock();
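Review bot: the `fib6_nsiblings` check sits at the bottom of the loop body, after the sibling has already been emitted; that is safe (RCU keeps the sibling memory valid) but differs from the companion fix in fib6_select_path(), which checks at the top. Placing it at the top here too would keep the two walkers consistent and avoid formatting one sibling from an already detached ring.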
-- 
2.53.0

* [PATCH 6.18 104/315] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 103/315] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 105/315] iio: imu: adis16550: fix stack leak in trigger handler Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jonathan Cameron,
	David Lechner, Nuno Sá, Andy Shevchenko, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.

The tagged FIFO path declares iio_buff on the stack with __aligned(8)
but no initializer, and there is a hole in the structure, which will
then leak to userspace: ST_LSM6DSX_SAMPLE_SIZE bytes (6) are copied,
but the space between that and the timestamp is not initialized.

Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
but for the tagged path it only added the alignment qualifier and not
the initializer :(

Fix this by just zero-initializing the structure on the stack.

Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
@@ -608,7 +608,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
 	 * must be passed a buffer that is aligned to 8 bytes so
 	 * as to allow insertion of a naturally aligned timestamp.
 	 */
-	u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
+	u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
 	u8 tag;
 	bool reset_ts = false;
 	int i, err, read_len;
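Review bot: the `= { }` zeroes iio_buff once at function entry, which is enough only because the bytes between the 6-byte sample and the timestamp are never written by the tagged-FIFO read path; a comment next to the initializer naming that hole would stop someone from removing it as unnecessary later. Cost-wise this is one small memset per FIFO read, not per sample, so there is no reason to narrow it to the pad bytes.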

* [PATCH 6.12 094/307] ipv6: fix possible infinite loop in fib6_select_path()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 093/307] ipv6: fix possible infinite loop in rt6_fill_node() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 095/307] net: skbuff: fix pskb_carve leaking zcopy pages Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Ido Schimmel,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiayuan Chen <jiayuan.chen@linux.dev>

[ Upstream commit 9c7da87c2dc860bb17ca1ece942495d28b1ce3b9 ]

Found while auditing the same pattern Sashiko reported in
rt6_fill_node() [1]. Apply the same fix as
commit f8d8ce1b515a ("ipv6: fix possible infinite loop in fib6_info_uses_dev()").

Writers holding tb6_lock can list_del_rcu(&first->fib6_siblings)
without waiting for RCU readers; first->fib6_siblings.next then
still points into the old ring and this softirq-side walker never
reaches &first->fib6_siblings as its terminator. fib6_purge_rt()
always WRITE_ONCE()s first->fib6_nsiblings to 0 before
list_del_rcu(), so an inside-loop check is a reliable detach signal.

[1] https://sashiko.dev/#/patchset/20260526020227.4857-1-jiayuan.chen%40linux.dev

Fixes: d9ccb18f83ea ("ipv6: Fix soft lockups in fib6_select_path under high next hop churn")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260527053133.180695-2-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/route.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c73218fd82c615..9e7470e8154429 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -482,6 +482,9 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
 		const struct fib6_nh *nh = sibling->fib6_nh;
 		int nh_upper_bound;
 
+		if (!READ_ONCE(first->fib6_nsiblings))
+			break;
+
 		nh_upper_bound = atomic_read(&nh->fib_nh_upper_bound);
 		if (hash > nh_upper_bound)
 			continue;
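Review bot: the bare `if (!READ_ONCE(first->fib6_nsiblings)) break;` reads like a redundant loop condition to anyone who does not know the detach protocol; a one-line comment that this READ_ONCE() pairs with the WRITE_ONCE() in fib6_purge_rt() (as the log explains) and that the list_del_rcu() leaves `first->fib6_siblings.next` pointing into the old ring would make the intent survive in the code, not just in git history.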
-- 
2.53.0

* [PATCH 6.18 105/315] iio: imu: adis16550: fix stack leak in trigger handler
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 104/315] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 106/315] iio: pressure: bmp280: fix stack leak in bmp580 " Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lars-Peter Clausen,
	Michael Hennerich, Jonathan Cameron, David Lechner, Nuno Sá,
	Andy Shevchenko, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 474f8928d50b09f7dcf507049f08732640b88b49 upstream.

adis16550_trigger_handler() declares the scan data array on the stack
without initializing it.  The memcpy() at the bottom fills only the
first 28 bytes (TEMP + 6 channels of GYRO/ACCEL data), and
iio_push_to_buffers_with_timestamp() writes the s64 timestamp at the
8-byte-aligned offset 32.  Bytes 28-31 remain uninitialized stack data
which leaks to userspace on every trigger.

Fix this all by just zero-initializing the structure on the stack.

Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Michael Hennerich <Michael.Hennerich@analog.com>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Fixes: e4570f4bb231 ("iio: imu: adis16550: align buffers for timestamp")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/imu/adis16550.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/imu/adis16550.c
+++ b/drivers/iio/imu/adis16550.c
@@ -836,7 +836,7 @@ static irqreturn_t adis16550_trigger_han
 	u16 dummy;
 	bool valid;
 	struct iio_poll_func *pf = p;
-	__be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8);
+	__be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8) = { };
 	struct iio_dev *indio_dev = pf->indio_dev;
 	struct adis16550 *st = iio_priv(indio_dev);
 	struct adis *adis = iio_device_get_drvdata(indio_dev);
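Review bot: `= { }` zeroes all ADIS16550_MAX_SCAN_DATA words per trigger, while per the log only bytes 28-31 (the gap between the 28-byte memcpy() and the timestamp at offset 32) were uninitialized; the fix is wider than the hole but is the simplest correct option and matches the st_lsm6dsx change. A comment on the declaration explaining why the initializer is required (the gap is never written) would protect it from being removed as unnecessary later.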

* [PATCH 6.12 095/307] net: skbuff: fix pskb_carve leaking zcopy pages
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 094/307] ipv6: fix possible infinite loop in fib6_select_path() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 096/307] perf: Fix dangling cgroup pointer in cpuctx Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Willem de Bruijn,
	Pavel Begunkov, Willem de Bruijn, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavel Begunkov <asml.silence@gmail.com>

[ Upstream commit ff6e798c2eac3ebd0501ad7e796f583fab928de8 ]

When SKBFL_MANAGED_FRAG_REFS is set, frag pages are not refcounted but
their lifetime is controlled by the attached ubuf_info. To make a copy
of the skb_shared_info, we either should clear the flag and reference
the frags, or keep the flag and have frags unreferenced.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() don't
follow the rule and thus can leak page references. Let's clear
SKBFL_MANAGED_FRAG_REFS from the original skb to fix it. It's the
simplest way to address it, but there are more performant ways to do
that if it ever becomes a problem.

Link: https://lore.kernel.org/all/20260523085809.26331-1-nvminh232@clc.fitus.edu.vn/
Fixes: 753f1ca4e1e50 ("net: introduce managed frags infrastructure")
Reported-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/1e2086aa69217d7f9c8da3d38f5be7160f1b4cd1.1779993185.git.asml.silence@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 8c9f026182a6f0..c8653ed1991ae0 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6689,6 +6689,11 @@ static int pskb_carve_inside_header(struct sk_buff *skb, const u32 off,
 	skb_copy_from_linear_data_offset(skb, off, data, new_hlen);
 	skb->len -= off;
 
+	/* Remove SKBFL_MANAGED_FRAG_REFS instead of trying to honour it
+	 * while refcounting frags below.
+	 */
+	skb_zcopy_downgrade_managed(skb);
+
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb),
 	       offsetof(struct skb_shared_info,
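Review bot: calling skb_zcopy_downgrade_managed() before the skb_shared_info memcpy() is the right order, since the copied header then no longer carries SKBFL_MANAGED_FRAG_REFS and the frag references taken by the downgrade belong to the original skb; the comment should say that (why it must precede the copy), not only that the flag is removed.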
@@ -6801,6 +6806,11 @@ static int pskb_carve_inside_nonlinear(struct sk_buff *skb, const u32 off,
 		return -ENOMEM;
 	size = SKB_WITH_OVERHEAD(size);
 
+	/* Remove SKBFL_MANAGED_FRAG_REFS instead of trying to honour it
+	 * while refcounting frags below.
+	 */
+	skb_zcopy_downgrade_managed(skb);
+
 	memcpy((struct skb_shared_info *)(data + size),
 	       skb_shinfo(skb), offsetof(struct skb_shared_info, frags[0]));
 	if (skb_orphan_frags(skb, gfp_mask)) {
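Review bot: in the nonlinear path the downgrade runs before skb_orphan_frags(), so if skb_orphan_frags() fails the original skb has already been converted to refcounted frags; that is a valid state and harmless, but it is irreversible, and the log's "simplest way" remark should mention it. Same comment-wording point as in the header path: say why the call must precede the memcpy().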
-- 
2.53.0

* [PATCH 6.12 096/307] perf: Fix dangling cgroup pointer in cpuctx
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 095/307] net: skbuff: fix pskb_carve leaking zcopy pages Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 097/307] batman-adv: v: stop OGMv2 on disabled interface Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Yeoreum Yun, Peter Zijlstra (Intel),
	David Wang, Ian Klatzco, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yeoreum Yun <yeoreum.yun@arm.com>

[ Upstream commit 3b7a34aebbdf2a4b7295205bf0c654294283ec82 ]

Commit a3c3c6667 ("perf/core: Fix child_total_time_enabled accounting
bug at task exit") moves the event->state update to before
list_del_event(). This makes the event->state test in list_del_event()
always false; never calling perf_cgroup_event_disable().

As a result, cpuctx->cgrp won't be cleared properly; causing havoc.

Fixes: a3c3c6667 ("perf/core: Fix child_total_time_enabled accounting bug at task exit")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: David Wang <00107082@163.com>
Link: https://lore.kernel.org/all/aD2TspKH%2F7yvfYoO@e129823.arm.com/
Signed-off-by: Ian Klatzco <iklatzco@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/events/core.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 6fce2bac6dae52..9099c0cc933be2 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -2096,18 +2096,6 @@ list_del_event(struct perf_event *event, struct perf_event_context *ctx)
 	if (event->group_leader == event)
 		del_event_from_groups(event, ctx);
 
-	/*
-	 * If event was in error state, then keep it
-	 * that way, otherwise bogus counts will be
-	 * returned on read(). The only way to get out
-	 * of error state is by explicit re-enabling
-	 * of the event
-	 */
-	if (event->state > PERF_EVENT_STATE_OFF) {
-		perf_cgroup_event_disable(event, ctx);
-		perf_event_set_state(event, PERF_EVENT_STATE_OFF);
-	}
-
 	ctx->generation++;
 	event->pmu_ctx->nr_events--;
 }
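Review bot: the removed block also carried the only comment explaining why an event in error state must stay there (bogus counts on read()); the new site preserves that through `min(event->state, state)`, since ERROR sorts below OFF, but the explanation is gone. Move the comment along with the logic.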
@@ -2457,6 +2445,10 @@ __perf_remove_from_context(struct perf_event *event,
 		state = PERF_EVENT_STATE_DEAD;
 	}
 	event_sched_out(event, ctx);
+
+	if (event->state > PERF_EVENT_STATE_OFF)
+		perf_cgroup_event_disable(event, ctx);
+
 	perf_event_set_state(event, min(event->state, state));
 	if (flags & DETACH_GROUP)
 		perf_group_detach(event);
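Review bot: the cgroup disable now happens only in __perf_remove_from_context(); please confirm that every caller of list_del_event() that can see a scheduled cgroup event goes through this path, otherwise perf_cgroup_event_disable() is skipped there. Also worth a sentence on why the check is placed after event_sched_out(): it relies on event_sched_out() leaving a previously enabled event at a state still greater than PERF_EVENT_STATE_OFF.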
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 106/315] iio: pressure: bmp280: fix stack leak in bmp580 trigger handler
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 105/315] iio: imu: adis16550: fix stack leak in trigger handler Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 107/315] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, David Lechner,
	Nuno Sá, Andy Shevchenko, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 387c86b582e0782ab332e7bfcd4e6e3f93922961 upstream.

bmp580_trigger_handler() declares its scan buffer on the stack without
an initializer and then memcpy()s 3 bytes of 24-bit sensor data into
each 4-byte __le32 field.  The high byte of comp_temp and comp_press is
left uninitialized, and the channel storagebits is 32, so two bytes of
stack are pushed to userspace per scan.

This is a regression from when the buffer lived in the private data; the
move to a stack-local struct dropped the implicit zeroing.
bme280_trigger_handler() was fixed up to handle this bug, but this
driver was not fixed because there was no padding hole, but rather a
short-fill issue.

Fix this all by just zero-initializing the structure on the stack.

Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Fixes: 872c8014e05e ("iio: pressure: bmp280: drop sensor_data array")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/pressure/bmp280-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
index d983ce9c0b99..9b489766e457 100644
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -2616,7 +2616,7 @@ static irqreturn_t bmp580_trigger_handler(int irq, void *p)
 		__le32 comp_temp;
 		__le32 comp_press;
 		aligned_s64 timestamp;
-	} buffer;
+	} buffer = { };
 	int ret;
 
 	guard(mutex)(&data->lock);
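Review bot: `buffer = { }` zero-initialises the named members, which is all this layout needs (two __le32 followed by aligned_s64 leaves no padding hole, as the message says). Padding bytes are not guaranteed to be cleared by an empty initialiser, so if a member is ever added that introduces a hole, memset(&buffer, 0, sizeof(buffer)) would be the more robust form; a short comment at the declaration saying the zero-fill is what the 3-byte memcpy()s depend on would stop the next refactor from dropping it again.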
-- 
2.54.0




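The short-fill leak described in the bmp580 message, as an added example that is not the driver's code: a struct shaped like the one in the hunk (plain uint32_t and int64_t stand in for __le32 and aligned_s64) is filled with 3-byte memcpy()s exactly as the handler does. Because stack contents are indeterminate, the stale data is simulated by pre-filling the struct with a constructed 0xAA pattern, which makes the leaked bytes deterministic. fill_scan(), leaked_byte() and residue_bytes() are names invented for this example.

```c
/* Added example, not from the bmp280 driver: shows why a 3-byte memcpy
 * into a 4-byte field leaks the untouched fourth byte when the struct is
 * not zero-initialised. The "stack residue" is simulated by pre-filling
 * the destination with a constructed sentinel (0xAA) so the leak is
 * deterministic; real stack contents are whatever the previous call
 * left behind. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Mirrors the layout in bmp580_trigger_handler(): two 32-bit fields
 * filled from 24-bit sensor values, then a 64-bit timestamp. */
struct scan_buffer {
    uint32_t comp_temp;
    uint32_t comp_press;
    int64_t timestamp;
};

/* Constructed sample: 24-bit temperature and pressure as raw bytes. */
static const uint8_t sample_temp[3]  = { 0x10, 0x20, 0x30 };
static const uint8_t sample_press[3] = { 0x40, 0x50, 0x60 };

/* Fill the scan buffer the way the driver does: 3 bytes into each field.
 * With zero_init the struct is cleared first (the `buffer = { }` fix);
 * without it the residue pattern stands in for stale stack data. */
static void fill_scan(struct scan_buffer *buf, bool zero_init, uint8_t residue)
{
    if (zero_init)
        memset(buf, 0, sizeof(*buf));
    else
        memset(buf, residue, sizeof(*buf)); /* constructed stale stack */

    memcpy(&buf->comp_temp, sample_temp, 3);
    memcpy(&buf->comp_press, sample_press, 3);
    buf->timestamp = 0;
}

/* Return the byte at offset 3 of the struct (fourth byte of comp_temp),
 * which the 3-byte memcpy never writes and which is pushed to userspace
 * because storagebits is 32. */
unsigned int leaked_byte(bool zero_init)
{
    struct scan_buffer buf;
    uint8_t raw[sizeof(buf)];

    fill_scan(&buf, zero_init, 0xAA);
    memcpy(raw, &buf, sizeof(buf));
    return raw[3];
}

/* Count bytes of the struct still holding the residue pattern after an
 * unzeroed fill, i.e. how many stack bytes escape per scan. */
unsigned int residue_bytes(void)
{
    struct scan_buffer buf;
    uint8_t raw[sizeof(buf)];
    unsigned int n = 0;

    fill_scan(&buf, false, 0xAA);
    memcpy(raw, &buf, sizeof(buf));
    for (size_t i = 0; i < sizeof(raw); i++)
        if (raw[i] == 0xAA)
            n++;
    return n;
}
```

With the residue pattern in place, residue_bytes() reports two escaping bytes per scan, one per __le32 field, matching the commit message; leaked_byte(true) shows the zero-initialised variant returning 0 in that position.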

* [PATCH 6.12 097/307] batman-adv: v: stop OGMv2 on disabled interface
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 096/307] perf: Fix dangling cgroup pointer in cpuctx Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 098/307] batman-adv: tvlv: abort OGM send on tvlv append failure Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit f8ce8b8331a1bc44ad4905886a482214d428b253 upstream.

When a batadv_hard_iface is disabled, its mesh_iface pointer is set to
NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via
batadv_v_ogm_queue_on_if() for interfaces that have since lost their
mesh_iface association. This results in a NULL pointer dereference when
batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the
now NULL hard_iface->mesh_iface to retrieve the batadv_priv.

It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that
it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was
called.

Cc: stable@kernel.org
Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
[ switch to old "mesh_iface" name "soft_iface" ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bat_v_ogm.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index 8f89ffe6020ced..310248a5812c49 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -115,14 +115,14 @@ static void batadv_v_ogm_start_timer(struct batadv_priv *bat_priv)
 
 /**
  * batadv_v_ogm_send_to_if() - send a batman ogm using a given interface
+ * @bat_priv: the bat priv with all the mesh interface information
  * @skb: the OGM to send
  * @hard_iface: the interface to use to send the OGM
  */
-static void batadv_v_ogm_send_to_if(struct sk_buff *skb,
+static void batadv_v_ogm_send_to_if(struct batadv_priv *bat_priv,
+				    struct sk_buff *skb,
 				    struct batadv_hard_iface *hard_iface)
 {
-	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
-
 	if (hard_iface->if_status != BATADV_IF_ACTIVE) {
 		kfree_skb(skb);
 		return;
@@ -189,6 +189,7 @@ static void batadv_v_ogm_aggr_list_free(struct batadv_hard_iface *hard_iface)
 
 /**
  * batadv_v_ogm_aggr_send() - flush & send aggregation queue
+ * @bat_priv: the bat priv with all the mesh interface information
  * @hard_iface: the interface with the aggregation queue to flush
  *
  * Aggregates all OGMv2 packets currently in the aggregation queue into a
@@ -198,7 +199,8 @@ static void batadv_v_ogm_aggr_list_free(struct batadv_hard_iface *hard_iface)
  *
  * Caller needs to hold the hard_iface->bat_v.aggr_list.lock.
  */
-static void batadv_v_ogm_aggr_send(struct batadv_hard_iface *hard_iface)
+static void batadv_v_ogm_aggr_send(struct batadv_priv *bat_priv,
+				   struct batadv_hard_iface *hard_iface)
 {
 	unsigned int aggr_len = hard_iface->bat_v.aggr_len;
 	struct sk_buff *skb_aggr;
@@ -228,27 +230,32 @@ static void batadv_v_ogm_aggr_send(struct batadv_hard_iface *hard_iface)
 		consume_skb(skb);
 	}
 
-	batadv_v_ogm_send_to_if(skb_aggr, hard_iface);
+	batadv_v_ogm_send_to_if(bat_priv, skb_aggr, hard_iface);
 }
 
 /**
  * batadv_v_ogm_queue_on_if() - queue a batman ogm on a given interface
+ * @bat_priv: the bat priv with all the mesh interface information
  * @skb: the OGM to queue
  * @hard_iface: the interface to queue the OGM on
  */
-static void batadv_v_ogm_queue_on_if(struct sk_buff *skb,
+static void batadv_v_ogm_queue_on_if(struct batadv_priv *bat_priv,
+				     struct sk_buff *skb,
 				     struct batadv_hard_iface *hard_iface)
 {
-	struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+	if (hard_iface->soft_iface != bat_priv->soft_iface) {
+		kfree_skb(skb);
+		return;
+	}
 
 	if (!atomic_read(&bat_priv->aggregated_ogms)) {
-		batadv_v_ogm_send_to_if(skb, hard_iface);
+		batadv_v_ogm_send_to_if(bat_priv, skb, hard_iface);
 		return;
 	}
 
 	spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
 	if (!batadv_v_ogm_queue_left(skb, hard_iface))
-		batadv_v_ogm_aggr_send(hard_iface);
+		batadv_v_ogm_aggr_send(bat_priv, hard_iface);
 
 	hard_iface->bat_v.aggr_len += batadv_v_ogm_len(skb);
 	__skb_queue_tail(&hard_iface->bat_v.aggr_list, skb);
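Review bot: the new guard compares hard_iface->soft_iface against bat_priv->soft_iface with a plain load, while the bla fix in this same series uses READ_ONCE(primary_if->soft_iface) for the identical decoupling race; use READ_ONCE() here too so the compiler cannot re-read the pointer between the check and a later use. The comparison covers the NULL case only because bat_priv->soft_iface is never NULL, which deserves a one-line comment, and the silent kfree_skb() could carry a debug message so OGMs dropped on a decoupled interface are visible when debugging.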
@@ -347,7 +354,7 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
 			break;
 		}
 
-		batadv_v_ogm_queue_on_if(skb_tmp, hard_iface);
+		batadv_v_ogm_queue_on_if(bat_priv, skb_tmp, hard_iface);
 		batadv_hardif_put(hard_iface);
 	}
 	rcu_read_unlock();
@@ -387,12 +394,14 @@ void batadv_v_ogm_aggr_work(struct work_struct *work)
 {
 	struct batadv_hard_iface_bat_v *batv;
 	struct batadv_hard_iface *hard_iface;
+	struct batadv_priv *bat_priv;
 
 	batv = container_of(work, struct batadv_hard_iface_bat_v, aggr_wq.work);
 	hard_iface = container_of(batv, struct batadv_hard_iface, bat_v);
+	bat_priv = netdev_priv(hard_iface->soft_iface);
 
 	spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
-	batadv_v_ogm_aggr_send(hard_iface);
+	batadv_v_ogm_aggr_send(bat_priv, hard_iface);
 	spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
 
 	batadv_v_ogm_start_queue_timer(hard_iface);
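Review bot: batadv_v_ogm_aggr_work() now does netdev_priv(hard_iface->soft_iface) unconditionally, which is exactly the pattern the commit message describes as crashing once soft_iface has been set to NULL. This is only safe if the aggregation work is cancelled synchronously before soft_iface is cleared on disable; if that ordering is not guaranteed, check for a NULL soft_iface here and free the aggregation list instead of sending.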
@@ -582,7 +591,7 @@ static void batadv_v_ogm_forward(struct batadv_priv *bat_priv,
 		   if_outgoing->net_dev->name, ntohl(ogm_forward->throughput),
 		   ogm_forward->ttl, if_incoming->net_dev->name);
 
-	batadv_v_ogm_queue_on_if(skb, if_outgoing);
+	batadv_v_ogm_queue_on_if(bat_priv, skb, if_outgoing);
 
 out:
 	batadv_orig_ifinfo_put(orig_ifinfo);
-- 
2.53.0





* [PATCH 6.18 107/315] usb: typec: ucsi: ccg: reject firmware images without a : record header
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 106/315] iio: pressure: bmp280: fix stack leak in bmp580 " Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 108/315] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.

do_flash() locates the first .cyacd record with

	p = strnchr(fw->data, fw->size, ':');
	while (p < eof) {
		s = strnchr(p + 1, eof - p - 1, ':');
		...
	}

If the firmware image contains no ':' byte, strnchr() returns NULL.
NULL compares less than the valid kernel pointer eof, so the loop body
runs and strnchr() is called with p + 1 == (void *)1 and a length of
roughly (unsigned long)eof, causing a wonderful crash.

The not_signed_fw fallthrough earlier in do_flash() and the chip-state
branches in ccg_fw_update_needed() allow an unsigned blob to reach this
loop, so a root user who can place a crafted file under /lib/firmware
and write the do_flash sysfs attribute can trigger the oops.

Bail out with -EINVAL when the initial strnchr() returns NULL.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi_ccg.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
+++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
@@ -1242,6 +1242,11 @@ not_signed_fw:
 	 *****************************************************************/
 
 	p = strnchr(fw->data, fw->size, ':');
+	if (!p) {
+		dev_err(dev, "Bad FW format: no ':' record header found\n");
+		err = -EINVAL;
+		goto release_mem;
+	}
 	while (p < eof) {
 		s = strnchr(p + 1, eof - p - 1, ':');
 



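The bounded record scan from the ccg message, as an added example that is not the driver's code: count_records() walks a ':'-introduced record image the way do_flash() does, refuses an image with no ':' at all (the case that made the original loop run with a NULL `p`), and also handles a NULL from the in-loop search for the last record. bounded_chr() models strnchr() with memchr(); the function names and the two sample images are constructed for this example.

```c
/* Added example, not the ucsi_ccg driver's code: a bounded scan over a
 * .cyacd-style image where each record starts with ':'. Returns the
 * number of records, or -EINVAL when the image has no ':' header at all.
 * The in-loop search is NULL-checked too, so the final record (nothing
 * after it) is handled explicitly rather than by comparing NULL to eof. */
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Bounded character search with strnchr()'s contract: look at most n
 * bytes of s, return a pointer to c or NULL. memchr() stands in here. */
static const char *bounded_chr(const char *s, size_t n, int c)
{
    return n ? memchr(s, c, n) : NULL;
}

/* Count ':'-introduced records in data[0..size). Each record spans from
 * its ':' up to (not including) the next ':' or the end of the image. */
int count_records(const char *data, size_t size)
{
    const char *eof = data + size;
    const char *p = bounded_chr(data, size, ':');
    int records = 0;

    if (!p)
        return -EINVAL;   /* the fix: never enter the loop with p == NULL */

    while (p < eof) {
        const char *s = bounded_chr(p + 1, (size_t)(eof - p - 1), ':');

        records++;
        if (!s)
            break;        /* last record: no further header */
        p = s;
    }
    return records;
}

/* Constructed images: a well-formed one with three records, and a blob
 * that carries no record header at all. */
static const char good_image[] = ":0001DEAD\n:0002BEEF\n:0003CAFE\n";
static const char bad_image[]  = "not a cyacd file";

int good_record_count(void)
{
    return count_records(good_image, sizeof(good_image) - 1);
}

int bad_record_result(void)
{
    return count_records(bad_image, sizeof(bad_image) - 1);
}
```

good_record_count() returns 3 and bad_record_result() returns -EINVAL; an empty image is rejected the same way, and a lone ":" counts as one record.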

* [PATCH 6.12 098/307] batman-adv: tvlv: abort OGM send on tvlv append failure
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 097/307] batman-adv: v: stop OGMv2 on disabled interface Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 099/307] batman-adv: tt: reject oversized local TVLV buffers Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 501368506563e151b322c8c3f228b796e615b90d upstream.

batadv_tvlv_container_ogm_append() could fail in two ways: a memory
allocation failure when resizing the packet buffer, or the tvlv data
exceeding U16_MAX bytes. In both cases the function previously returned the
old (now stale) tvlv_value_len rather than signalling an error, causing the
OGM/OGM2 send path to transmit a packet whose TVLV length field no longer
matched the actual buffer contents. And because it also didn't fill in the
new TVLV data, either uninitialized or corrupted data was sent on the wire.

All errors in batadv_tvlv_container_ogm_append() must be forwarded to the
caller. And the caller must abort the send of the OGM2. For B.A.T.M.A.N.
IV, it is currently not allowed to abort the send. The non-TVLV part of the
OGM must be queued up instead.

Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bat_iv_ogm.c | 16 +++++++++++++---
 net/batman-adv/bat_v_ogm.c  | 26 ++++++++++++++------------
 net/batman-adv/tvlv.c       | 17 ++++++++++++-----
 net/batman-adv/tvlv.h       |  2 +-
 4 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 748188d3b878b2..42b687c1a76807 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -781,6 +781,7 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 	u32 seqno;
 	u16 tvlv_len = 0;
 	unsigned long send_time;
+	int ret;
 
 	lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
 
@@ -804,9 +805,18 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 		 * appended as it may alter the tt tvlv container
 		 */
 		batadv_tt_local_commit_changes(bat_priv);
-		tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
-							    ogm_buff_len,
-							    BATADV_OGM_HLEN);
+		ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+						       ogm_buff_len,
+						       BATADV_OGM_HLEN);
+		if (ret < 0) {
+			/* OGMs must be queued even when the buffer allocation for
+			 * TVLVs failed. just fall back to the non-TVLV version
+			 */
+			ret = 0;
+			*ogm_buff_len = BATADV_OGM_HLEN;
+		}
+
+		tvlv_len = ret;
 	}
 
 	batadv_ogm_packet = (struct batadv_ogm_packet *)(*ogm_buff);
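Review bot: on `ret < 0` the fallback sets *ogm_buff_len to BATADV_OGM_HLEN but leaves *ogm_buff pointing at whatever state batadv_tvlv_container_ogm_append() left behind; that is fine only if the append function guarantees the old buffer stays valid and at least BATADV_OGM_HLEN bytes long on every failure path, including the size failure. State that guarantee in the comment next to `ret = 0;`, and consider assigning `tvlv_len = 0` directly in the failure branch rather than routing it through `ret`.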
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index 310248a5812c49..8cfc3944dcfd52 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -271,9 +271,9 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
 	struct batadv_hard_iface *hard_iface;
 	struct batadv_ogm2_packet *ogm_packet;
 	struct sk_buff *skb, *skb_tmp;
-	unsigned char *ogm_buff;
-	int ogm_buff_len;
-	u16 tvlv_len = 0;
+	unsigned char **ogm_buff;
+	int *ogm_buff_len;
+	u16 tvlv_len;
 	int ret;
 
 	lockdep_assert_held(&bat_priv->bat_v.ogm_buff_mutex);
@@ -281,25 +281,27 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
 	if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING)
 		goto out;
 
-	ogm_buff = bat_priv->bat_v.ogm_buff;
-	ogm_buff_len = bat_priv->bat_v.ogm_buff_len;
+	ogm_buff = &bat_priv->bat_v.ogm_buff;
+	ogm_buff_len = &bat_priv->bat_v.ogm_buff_len;
+
 	/* tt changes have to be committed before the tvlv data is
 	 * appended as it may alter the tt tvlv container
 	 */
 	batadv_tt_local_commit_changes(bat_priv);
-	tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, &ogm_buff,
-						    &ogm_buff_len,
-						    BATADV_OGM2_HLEN);
+	ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+					       ogm_buff_len,
+					       BATADV_OGM2_HLEN);
+	if (ret < 0)
+		goto reschedule;
 
-	bat_priv->bat_v.ogm_buff = ogm_buff;
-	bat_priv->bat_v.ogm_buff_len = ogm_buff_len;
+	tvlv_len = ret;
 
-	skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + ogm_buff_len);
+	skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + *ogm_buff_len);
 	if (!skb)
 		goto reschedule;
 
 	skb_reserve(skb, ETH_HLEN);
-	skb_put_data(skb, ogm_buff, ogm_buff_len);
+	skb_put_data(skb, *ogm_buff, *ogm_buff_len);
 
 	ogm_packet = (struct batadv_ogm2_packet *)skb->data;
 	ogm_packet->seqno = htonl(atomic_read(&bat_priv->bat_v.ogm_seqno));
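Review bot: the failure branch `if (ret < 0) goto reschedule;` silently skips this OGM2 round; since the commit message names the U16_MAX size case as a second failure mode, a rate-limited debug message here that distinguishes -ENOMEM from the size failure would make a mesh that quietly stops sending OGM2s diagnosable. The narrowing in `tvlv_len = ret;` is safe only because of the new `max U16_MAX` return contract, so a comment at that line would help the next reader.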
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 2a583215d439bd..76c6e0599694c7 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -8,6 +8,7 @@
 
 #include <linux/byteorder/generic.h>
 #include <linux/container_of.h>
+#include <linux/errno.h>
 #include <linux/etherdevice.h>
 #include <linux/gfp.h>
 #include <linux/if_ether.h>
@@ -306,9 +307,10 @@ static bool batadv_tvlv_realloc_packet_buff(unsigned char **packet_buff,
  * The ogm packet might be enlarged or shrunk depending on the current size
  * and the size of the to-be-appended tvlv containers.
  *
- * Return: size of all appended tvlv containers in bytes.
+ * Return: size of all appended tvlv containers in bytes (max U16_MAX), negative
+ *  if operation failed
  */
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 				     unsigned char **packet_buff,
 				     int *packet_buff_len, int packet_min_len)
 {
@@ -316,6 +318,7 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 	struct batadv_tvlv_hdr *tvlv_hdr;
 	u16 tvlv_value_len;
 	void *tvlv_value;
+	int tvlv_len_ret;
 	bool ret;
 
 	spin_lock_bh(&bat_priv->tvlv.container_list_lock);
@@ -323,9 +326,12 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 
 	ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len,
 					      packet_min_len, tvlv_value_len);
-
-	if (!ret)
+	if (!ret) {
+		tvlv_len_ret = -ENOMEM;
 		goto end;
+	}
+
+	tvlv_len_ret = tvlv_value_len;
 
 	if (!tvlv_value_len)
 		goto end;
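Review bot: the commit message names two failure modes (allocation failure and tvlv data exceeding U16_MAX), but the only negative return visible in this hunk is -ENOMEM for a false from batadv_tvlv_realloc_packet_buff(); if the size check lives inside that helper, both causes now surface as -ENOMEM, hiding the real reason. Consider a distinct errno (for example -E2BIG) for the size case so callers can log it separately. The documented `max U16_MAX` bound follows from `tvlv_value_len` being u16 when it is assigned to `tvlv_len_ret`, which is worth saying in a one-line comment at that assignment.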
@@ -344,7 +350,8 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 
 end:
 	spin_unlock_bh(&bat_priv->tvlv.container_list_lock);
-	return tvlv_value_len;
+
+	return tvlv_len_ret;
 }
 
 /**
diff --git a/net/batman-adv/tvlv.h b/net/batman-adv/tvlv.h
index e5697230d99173..f96f6b3f44a001 100644
--- a/net/batman-adv/tvlv.h
+++ b/net/batman-adv/tvlv.h
@@ -16,7 +16,7 @@
 void batadv_tvlv_container_register(struct batadv_priv *bat_priv,
 				    u8 type, u8 version,
 				    void *tvlv_value, u16 tvlv_value_len);
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 				     unsigned char **packet_buff,
 				     int *packet_buff_len, int packet_min_len);
 void batadv_tvlv_ogm_receive(struct batadv_priv *bat_priv,
-- 
2.53.0





* [PATCH 6.18 108/315] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 107/315] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 109/315] usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, stable,
	Badhri Jagan Sridharan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8fbc349e8383125dd2d8de1c1e926279d398ab17 upstream.

Properly validate the count passed from a device when calling
svdm_consume_identity() or svdm_consume_identity_sop_prime() as the
device-controlled value could index off of the static arrays, which
could leak data.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://patch.msgid.link/2026051350-plated-salute-0efe@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1695,6 +1695,9 @@ static void svdm_consume_identity(struct
 	u32 vdo = p[VDO_INDEX_IDH];
 	u32 product = p[VDO_INDEX_PRODUCT];
 
+	if (cnt <= VDO_INDEX_PRODUCT)
+		return;
+
 	memset(&port->mode_data, 0, sizeof(port->mode_data));
 
 	port->partner_ident.id_header = vdo;
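Review bot: the `cnt <= VDO_INDEX_PRODUCT` check sits after the declarations `u32 vdo = p[VDO_INDEX_IDH];` and `u32 product = p[VDO_INDEX_PRODUCT];`, so on a short ACK the out-of-bounds reads still happen before the function returns; only the use of the values is prevented. Move the reads below the check (declare the variables without initialisers and assign them after the early return) so the bound actually precedes the access.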
@@ -1715,6 +1718,9 @@ static void svdm_consume_identity_sop_pr
 	u32 product = p[VDO_INDEX_PRODUCT];
 	int svdm_version;
 
+	if (cnt <= VDO_INDEX_CABLE_1)
+		return;
+
 	/*
 	 * Attempt to consume identity only if cable currently is not set
 	 */
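Review bot: same ordering issue as in svdm_consume_identity(): `u32 product = p[VDO_INDEX_PRODUCT];` is evaluated before the `cnt <= VDO_INDEX_CABLE_1` check, so the read is not actually guarded. The bound here is VDO_INDEX_CABLE_1 rather than the PRODUCT bound used for SOP, which is right only if every path through this function reads p[VDO_INDEX_CABLE_1]; a short comment saying a cable identity always carries at least one cable VDO would explain why the two functions differ.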
@@ -1738,7 +1744,7 @@ static void svdm_consume_identity_sop_pr
 	switch (port->negotiated_rev_prime) {
 	case PD_REV30:
 		port->cable_desc.pd_revision = 0x0300;
-		if (port->cable_desc.active)
+		if (port->cable_desc.active && cnt > VDO_INDEX_CABLE_2)
 			port->cable_ident.vdo[1] = p[VDO_INDEX_CABLE_2];
 		break;
 	case PD_REV20:
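Review bot: the added `cnt > VDO_INDEX_CABLE_2` guard covers the PD_REV30 branch, but the PD_REV20 branch that follows is cut off at the end of the hunk; if it reads p[VDO_INDEX_CABLE_2] or any index above CABLE_1 it needs the same guard, since the early return above only guarantees cnt > VDO_INDEX_CABLE_1.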




* [PATCH 6.18 109/315] usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 108/315] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 110/315] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Badhri Jagan Sridharan,
	Heikki Krogerus, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3389c149c68c3fea61910ad5d34f7bf3bff44e32 upstream.

svdm_consume_modes() checks pmdata->altmodes against the array size once
before the loop over the count, but forgot to check the bound at every
point in the loop.

In the well-behaved SVDM discovery flow this is harmless because each of
at most SVID_DISCOVERY_MAX SVIDs contributes at most MODE_DISCOVERY_MAX
modes, exactly filling altmode_desc[ALTMODE_DISCOVERY_MAX].  But the
CMDT_RSP_ACK handler in tcpm_pd_svdm() does not correlate an incoming
ACK with any request the port actually sent.  Once port->partner is set,
an unsolicited Discover Modes ACK is consumed unconditionally.  A broken
or malicious port partner can therefore drive altmodes to
ALTMODE_DISCOVERY_MAX - 1 via the normal flow, and then send one extra
Discover Modes ACK with seven VDOs.  Because the pre-loop check passes,
the loop could then write up to five entries past altmode_desc[].  For
mode_data_prime the next field in struct tcpm_port is the
partner_altmode[] pointer array, which then receives partner-chosen
SVID/VDO bytes.

Move the bound check inside the loop so the array can never be indexed
past ALTMODE_DISCOVERY_MAX regardless of how many VDOs the partner
supplies or how the function was reached.

Assisted-by: gkh_clanker_t1000
Cc: Badhri Jagan Sridharan <badhri@google.com>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026051351-reshuffle-skillful-90af@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1832,23 +1832,19 @@ static void svdm_consume_modes(struct tc
 	switch (rx_sop_type) {
 	case TCPC_TX_SOP_PRIME:
 		pmdata = &port->mode_data_prime;
-		if (pmdata->altmodes >= ARRAY_SIZE(port->plug_prime_altmode)) {
-			/* Already logged in svdm_consume_svids() */
-			return;
-		}
 		break;
 	case TCPC_TX_SOP:
 		pmdata = &port->mode_data;
-		if (pmdata->altmodes >= ARRAY_SIZE(port->partner_altmode)) {
-			/* Already logged in svdm_consume_svids() */
-			return;
-		}
 		break;
 	default:
 		return;
 	}
 
 	for (i = 1; i < cnt; i++) {
+		if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
+			/* Already logged in svdm_consume_svids() */
+			return;
+		}
 		paltmode = &pmdata->altmode_desc[pmdata->altmodes];
 		memset(paltmode, 0, sizeof(*paltmode));
 



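The two bounds the tcpm patches 108 and 109 add, written as one stand-alone SVDM consumer. This is an added example, not tcpm.c itself: consume_identity() reads a VDO only after checking that the partner-supplied count covers it, and consume_modes() re-checks the destination array on every iteration so a burst of seven VDOs cannot overrun a nearly full table. The VDO index names follow the commit messages; the struct layouts, the ALTMODE_DISCOVERY_MAX value, the SVID and the VDO payloads are constructed for this example.

```c
/* Added example, not tcpm.c: a partner-supplied VDO count is the bound
 * for every array read, and the table bound is checked per appended
 * mode, not once before the loop. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* VDO positions in a Discover Identity ACK (index 0 is the VDM header). */
enum { VDO_INDEX_HDR = 0, VDO_INDEX_IDH = 1, VDO_INDEX_CERT = 2,
       VDO_INDEX_PRODUCT = 3, VDO_INDEX_CABLE_1 = 4, VDO_INDEX_CABLE_2 = 5 };

#define ALTMODE_DISCOVERY_MAX 12  /* constructed size for the example */

struct ident {
    uint32_t id_header, cert_stat, product, cable_vdo[2];
    bool valid;
};

struct mode_table {
    struct { uint16_t svid; uint32_t vdo; } desc[ALTMODE_DISCOVERY_MAX];
    unsigned int altmodes;
    uint16_t cur_svid;   /* SVID the incoming modes belong to (constructed) */
};

/* Reject the ACK unless cnt covers every mandatory index, and read only
 * after the check so no initialiser touches p[] out of bounds.
 * Returns false for a short ACK. */
bool consume_identity(const uint32_t *p, int cnt, struct ident *out)
{
    if (cnt <= VDO_INDEX_PRODUCT)
        return false;

    memset(out, 0, sizeof(*out));
    out->id_header = p[VDO_INDEX_IDH];
    out->cert_stat = p[VDO_INDEX_CERT];
    out->product   = p[VDO_INDEX_PRODUCT];
    /* Cable VDOs are optional: read each only if the count reaches it. */
    if (cnt > VDO_INDEX_CABLE_1)
        out->cable_vdo[0] = p[VDO_INDEX_CABLE_1];
    if (cnt > VDO_INDEX_CABLE_2)
        out->cable_vdo[1] = p[VDO_INDEX_CABLE_2];
    out->valid = true;
    return true;
}

/* Append mode VDOs p[1..cnt) to the table. The bound is checked on each
 * iteration, so an ACK arriving when the table is one short of full adds
 * exactly one entry. Returns the number of entries actually stored. */
unsigned int consume_modes(struct mode_table *t, const uint32_t *p, int cnt)
{
    unsigned int stored = 0;

    for (int i = 1; i < cnt; i++) {
        if (t->altmodes >= ALTMODE_DISCOVERY_MAX)
            break;                  /* table full: drop the rest */
        t->desc[t->altmodes].svid = t->cur_svid;
        t->desc[t->altmodes].vdo  = p[i];
        t->altmodes++;
        stored++;
    }
    return stored;
}

/* Scenario from the commit message: table at MAX - 1, then an ACK with
 * seven VDOs (header plus six modes). Only one may be stored. */
unsigned int overflow_attempt_stored(void)
{
    struct mode_table t = { .altmodes = ALTMODE_DISCOVERY_MAX - 1,
                            .cur_svid = 0xFF01 };
    uint32_t ack[7] = { 0x4F01 /* constructed header */, 1, 2, 3, 4, 5, 6 };
    return consume_modes(&t, ack, 7);
}

/* Short identity ACK (header plus two VDOs) must be rejected. */
bool short_identity_rejected(void)
{
    uint32_t ack[3] = { 0x4F01, 0x1234, 0 };   /* constructed */
    struct ident id;
    return !consume_identity(ack, 3, &id);
}

/* Identity ACK with one cable VDO: product is read, second cable slot
 * stays zero because cnt does not reach VDO_INDEX_CABLE_2. */
uint32_t identity_product_with_cable(void)
{
    uint32_t ack[5] = { 0x4F01, 0x1234, 0, 0xABCD, 0xC1 }; /* constructed */
    struct ident id;
    if (!consume_identity(ack, 5, &id) || id.cable_vdo[1] != 0)
        return 0;
    return id.product;
}
```

overflow_attempt_stored() returns 1 rather than 6: with the check inside the loop the five surplus VDOs are dropped instead of landing past the end of the table, which is the write the tcpm message describes reaching partner_altmode[].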

* [PATCH 6.12 099/307] batman-adv: tt: reject oversized local TVLV buffers
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 098/307] batman-adv: tvlv: abort OGM send on tvlv append failure Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 100/307] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 1e9fab756f8395096d5bba7be0c373c4c8f5d165 upstream.

The commit 3a359bf5c61d ("batman-adv: reject oversized global TT response
buffers") added a check to ensure that a global return buffer size can be
stored in an u16. The same buffer handling also exists for the local data
buffer but was not touched.

A similar check should also be in place for the local TVLV buffer. It
doesn't have a similar attack surface because it is only generated from
locally discovered MAC addresses, but the dynamic nature could still
temporarily cause too large buffers.

Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/translation-table.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index d830ccf016697b..8ffebece03c529 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -924,12 +924,12 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 {
 	struct batadv_tvlv_tt_vlan_data *tt_vlan;
 	struct batadv_softif_vlan *vlan;
+	size_t change_offset;
 	u16 num_vlan = 0;
 	u16 vlan_entries = 0;
 	u16 total_entries = 0;
 	u16 tvlv_len;
 	u8 *tt_change_ptr;
-	int change_offset;
 
 	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
 	hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
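Review bot: change_offset becomes size_t here so check_add_overflow() gets an unsigned operand, but the hunk does not show how change_offset itself is computed from num_vlan; confirm that multiplication cannot overflow before it reaches the checked add, otherwise the check only catches the second of two possible wraps.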
@@ -948,8 +948,10 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 	if (*tt_len < 0)
 		*tt_len = batadv_tt_len(total_entries);
 
-	tvlv_len = *tt_len;
-	tvlv_len += change_offset;
+	if (check_add_overflow(*tt_len, change_offset, &tvlv_len)) {
+		tvlv_len = 0;
+		goto out;
+	}
 
 	*tt_data = kmalloc(tvlv_len, GFP_ATOMIC);
 	if (!*tt_data) {
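Review bot: on overflow the function sets tvlv_len = 0 and jumps to `out` without touching *tt_data, so the caller sees a zero length and an untouched pointer; make sure every caller treats 0 as "nothing to send" and never dereferences *tt_data on that path, and consider setting *tt_data = NULL there for symmetry with the kmalloc() failure branch just below. The check_add_overflow() with a signed int *tt_len, a size_t change_offset and a u16 result also depends on *tt_len being non-negative at this point, which the `if (*tt_len < 0)` recomputation above guarantees; a one-line comment would make that dependency visible.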
-- 
2.53.0




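The u16 length wrap the translation-table message guards against, as an added example that is not batman-adv code: tvlv_len_truncating() is the pre-patch computation (int plus size_t assigned to a u16), tvlv_len_checked() the checked form, with __builtin_add_overflow() standing in for the kernel's check_add_overflow(), which wraps it. The entry and VLAN sizes and the helper names are constructed for this example and are not the real batman-adv values.

```c
/* Added example, not batman-adv code: the length computation from
 * batadv_tt_prepare_tvlv_local_data() in its truncating form and in
 * the checked form the patch introduces. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Before: int + size_t assigned to a u16 silently wraps, so a large TT
 * payload yields a much smaller length than the data it describes. */
uint16_t tvlv_len_truncating(int tt_len, size_t change_offset)
{
    uint16_t tvlv_len = (uint16_t)tt_len;
    tvlv_len += change_offset;  /* implicit narrowing back to u16 */
    return tvlv_len;
}

/* After: refuse to build the container when the sum does not fit the
 * 16-bit length field. Returns false on overflow, leaving *out untouched.
 * A negative tt_len is rejected here too (constructed policy). */
bool tvlv_len_checked(int tt_len, size_t change_offset, uint16_t *out)
{
    if (tt_len < 0)
        return false;
    return !__builtin_add_overflow(tt_len, change_offset, out);
}

/* Constructed sizes: one TT change entry and one VLAN descriptor are
 * taken as 8 bytes each (the real batman-adv sizes differ). */
#define ENTRY_LEN 8
#define VLAN_LEN  8

/* Checked container length for n local entries across `vlans` VLANs.
 * Returns the length, or 0 when it would not fit in a u16. */
unsigned int local_tvlv_len(unsigned int n_entries, unsigned int vlans)
{
    int tt_len = (int)(n_entries * ENTRY_LEN);
    size_t change_offset = (size_t)vlans * VLAN_LEN;
    uint16_t len;

    if (!tvlv_len_checked(tt_len, change_offset, &len))
        return 0;
    return len;
}
```

For 70000 bytes of entries plus a 16-byte VLAN header the truncating form returns 4480, a buffer far too small for the data it is meant to hold, while local_tvlv_len() returns 0 and the caller can refuse to build the container.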

* [PATCH 6.18 110/315] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 109/315] usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 111/315] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pooja Katiyar, Johan Hovold, stable,
	Heikki Krogerus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.

ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
payload VDO from data[], but unlike the equivalent handler in
altmodes/displayport.c it does not check that count covers a VDO beyond
the header.  A header-only Configure VDM (count == 1) would read one u32
past the caller's array.

In the normal UCSI path the caller controls count, so this is hardening
for non-standard delivery paths.  NAK and bail when no configuration VDO
is present, matching the generic DP altmode driver's existing guard.

Assisted-by: gkh_clanker_t1000
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/displayport.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/typec/ucsi/displayport.c
+++ b/drivers/usb/typec/ucsi/displayport.c
@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t
 				dp->header |= VDO_CMDT(CMDT_RSP_ACK);
 			break;
 		case DP_CMD_CONFIGURE:
+			if (count < 2) {
+				dp->header |= VDO_CMDT(CMDT_RSP_NAK);
+				break;
+			}
 			dp->data.conf = *data;
 			if (ucsi_displayport_configure(dp)) {
 				dp->header |= VDO_CMDT(CMDT_RSP_NAK);
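Review bot: `count < 2` is correct for "header plus one configuration VDO" but reads as a magic number next to DP_CMD_CONFIGURE; a comment or named constant saying a Configure VDM carries exactly one payload VDO would match the generic altmode driver's guard the message refers to. On the NAK path dp->data.conf keeps its previous value, which is fine because ucsi_displayport_configure() is skipped, but worth noting so the assignment is not later moved above the check.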




* [PATCH 6.12 100/307] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 099/307] batman-adv: tt: reject oversized local TVLV buffers Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 101/307] batman-adv: tvlv: reject oversized TVLV packets Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Ido Schimmel,
	syzbot+9fdcc9f05a98a540b816, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit f80d3d98d2ff78d9e2fe5d68b1f45948c4f7bd24 upstream.

Without rtnl_lock held, a hardif might be retrieved as primary interface of
a meshif, but then (while operating on this interface) getting decoupled
from the mesh interface. In this case, the meshif still exists but the
pointer from the primary hardif to the meshif is set to NULL.

The mesh_iface must be checked first to be non-NULL before continuing to
send an ARP request using meshif.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Reported-by: Ido Schimmel <idosch@nvidia.com>
Reported-by: syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9fdcc9f05a98a540b816
[ switch to old "mesh_iface" name "soft_iface" ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bridge_loop_avoidance.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index e77f3ef3d7336a..17db4191ddb39e 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -356,12 +356,14 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, const u8 *mac,
 	       sizeof(local_claim_dest));
 	local_claim_dest.type = claimtype;
 
-	soft_iface = primary_if->soft_iface;
+	soft_iface = READ_ONCE(primary_if->soft_iface);
+	if (!soft_iface)
+		goto out;
 
 	skb = arp_create(ARPOP_REPLY, ETH_P_ARP,
 			 /* IP DST: 0.0.0.0 */
 			 zeroip,
-			 primary_if->soft_iface,
+			 soft_iface,
 			 /* IP SRC: 0.0.0.0 */
 			 zeroip,
 			 /* Ethernet DST: Broadcast */
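Review bot: READ_ONCE() on primary_if->soft_iface is only half of the annotation; it pairs with a WRITE_ONCE() at the place that clears the pointer when the hardif is decoupled, and that writer is not in this hunk, so it should be checked. Also confirm that the remainder of batadv_bla_send_claim() below this hunk uses the local `soft_iface` rather than re-reading primary_if->soft_iface, otherwise a later re-read can still observe NULL after this check passed. The `goto out` is safe here since no skb has been allocated yet.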
-- 
2.53.0





* [PATCH 6.18 111/315] usb: typec: altmodes/displayport: validate count before reading Status Update VDO
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.

A broken/malicious device can send the incorrect count for a status
update VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.

Fix this up by correctly verifying the count for the update object.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/altmodes/displayport.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -405,6 +405,8 @@ static int dp_altmode_vdm(struct typec_a
 				dp->state = DP_STATE_EXIT_PRIME;
 			break;
 		case DP_CMD_STATUS_UPDATE:
+			if (count < 2)
+				break;
 			dp->data.status = *vdo;
 			ret = dp_altmode_status_update(dp);
 			break;
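Review bot: the bare `break` on `count < 2` drops a malformed Status Update without any diagnostic, so a misbehaving partner leaves no trace in the logs; a dev_dbg() here would help triage without being usable for log spam. No NAK is set on this path either, so a short comment stating whether a response is expected at this point in dp_altmode_vdm() would make the choice deliberate rather than accidental.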




* [PATCH 6.12 101/307] batman-adv: tvlv: reject oversized TVLV packets
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit f50487e3566358b2b982b7801945e858c78ad9ab upstream.

batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.

The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.

Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.

Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/tvlv.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 76c6e0599694c7..8d6b017c433cc9 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -13,6 +13,7 @@
 #include <linux/gfp.h>
 #include <linux/if_ether.h>
 #include <linux/kref.h>
+#include <linux/limits.h>
 #include <linux/list.h>
 #include <linux/lockdep.h>
 #include <linux/netdevice.h>
@@ -160,10 +161,10 @@ batadv_tvlv_container_get(struct batadv_priv *bat_priv, u8 type, u8 version)
  *
  * Return: size of all currently registered tvlv containers in bytes.
  */
-static u16 batadv_tvlv_container_list_size(struct batadv_priv *bat_priv)
+static size_t batadv_tvlv_container_list_size(struct batadv_priv *bat_priv)
 {
 	struct batadv_tvlv_container *tvlv;
-	u16 tvlv_len = 0;
+	size_t tvlv_len = 0;
 
 	lockdep_assert_held(&bat_priv->tvlv.container_list_lock);
 
@@ -316,13 +317,17 @@ int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 {
 	struct batadv_tvlv_container *tvlv;
 	struct batadv_tvlv_hdr *tvlv_hdr;
-	u16 tvlv_value_len;
+	size_t tvlv_value_len;
 	void *tvlv_value;
 	int tvlv_len_ret;
 	bool ret;
 
 	spin_lock_bh(&bat_priv->tvlv.container_list_lock);
 	tvlv_value_len = batadv_tvlv_container_list_size(bat_priv);
+	if (tvlv_value_len > U16_MAX) {
+		tvlv_len_ret = -E2BIG;
+		goto end;
+	}
 
 	ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len,
 					      packet_min_len, tvlv_value_len);
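Review bot: the `goto end` on overflow relies on the `end` label dropping container_list_lock, which was taken two lines above and whose release this hunk does not show; please confirm. Failing with -E2BIG at OGM build time means every OGM silently loses its whole TVLV section once the registered containers exceed U16_MAX bytes; rejecting the container that pushes the sum past the limit at registration time would fail loudly and closer to the cause, and a batadv_dbg() on this path would at least make the condition observable.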
-- 
2.53.0





* [PATCH 6.18 112/315] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.

wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
struct pd_message with

	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
		regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);

which has two problems:

USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
The byte count latched in RXINFO is the number of bytes the port partner
put on the wire, so a malicious partner that transmits a 31-byte frame
can drive the loop one byte past the destination if the WCOVE BMC
receiver does not enforce the PD object-count limit in hardware. The
existing FIXME flagged this as unverified.

Independently, regmap_read() takes an unsigned int * and stores a full
unsigned int at the destination. Passing the byte pointer msg + i means
each iteration writes four bytes; the high three are zero (val_bits is
8) and are normally overwritten by the next iteration, but the final
iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
already writes three zero bytes past msg, which sits on the IRQ thread's
stack in wcove_typec_irq().

Clamp the loop to sizeof(struct pd_message) and read each register into
a local before storing only its low byte, so the copy can never exceed
the destination regardless of what RXINFO reports.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/wcove.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/usb/typec/tcpm/wcove.c
+++ b/drivers/usb/typec/tcpm/wcove.c
@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t
 	return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
 }
 
-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
+static int wcove_read_rx_buffer(struct wcove_typec *wcove,
+				struct pd_message *msg)
 {
-	unsigned int info;
+	unsigned int info, val, len;
+	u8 *buf = (u8 *)msg;
 	int ret;
 	int i;
 
@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w
 	if (ret)
 		return ret;
 
-	/* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
+	len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
 
-	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
-		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+	for (i = 0; i < len; i++) {
+		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
 		if (ret)
 			return ret;
+		buf[i] = val;
 	}
 
 	return regmap_write(wcove->regmap, USBC_RXSTATUS,
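Review bot: the clamp to sizeof(*msg) fixes the overflow, but the removed FIXME asked for something the new code still does not do: RXBYTES is never cross-checked against the object count in the PD header. A frame whose header claims more objects than RXBYTES delivered leaves the tail of msg->payload holding whatever the caller's struct contained, so either the caller must zero the pd_message before this call or the header count should be validated against `len` here. Also `buf[i] = val` silently keeps only the low byte, which is intended given val_bits is 8 but deserves a comment.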




* [PATCH 6.12 102/307] batman-adv: iv: recover OGM scheduling after forward packet error
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit aa3153bd139a6c48667dcd02608d3b2c80bff02c upstream.

When batadv_iv_ogm_schedule_buff() fails to allocate and queue a forward
packet for OGM transmission, the work item that drives periodic OGM
scheduling is never re-armed. This silently halts transmission of the
node's own OGMs on the affected interface — only OGMs from other peers
continue to be aggregated and forwarded.

Fix this by tracking whether batadv_iv_ogm_queue_add() (and transitively
batadv_iv_ogm_aggregate_new()) successfully scheduled a forward packet.
When scheduling fails, batadv_iv_ogm_schedule_buff() falls back to queuing
a dedicated recovery work item (reschedule_work) that fires after one
originator interval and calls batadv_iv_ogm_schedule() again.

Cc: stable@kernel.org
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bat_iv_ogm.c | 76 +++++++++++++++++++++++++++----------
 net/batman-adv/types.h      |  3 ++
 2 files changed, 60 insertions(+), 19 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 42b687c1a76807..b37c9fb178ae50 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -223,6 +223,8 @@ static void batadv_iv_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
 	hard_iface->bat_iv.ogm_buff = NULL;
 
 	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
+
+	cancel_delayed_work_sync(&hard_iface->bat_iv.reschedule_work);
 }
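Review bot: cancel_delayed_work_sync() must stay after mutex_unlock(), because batadv_iv_ogm_reschedule() calls batadv_iv_ogm_schedule() which takes ogm_buff_mutex; a comment saying so would stop someone from moving it inside the lock. There is still a window between the unlock and the cancel in which a pending reschedule_work can run; it must see ogm_buff == NULL and return without queueing again, otherwise the work can be re-armed after the cancel. Please confirm batadv_iv_ogm_schedule_buff() bails on a NULL ogm_buff.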
 
 static void batadv_iv_ogm_iface_update_mac(struct batadv_hard_iface *hard_iface)
@@ -527,8 +529,10 @@ batadv_iv_ogm_can_aggregate(const struct batadv_ogm_packet *new_bat_ogm_packet,
  * @if_incoming: interface where the packet was received
  * @if_outgoing: interface for which the retransmission should be considered
  * @own_packet: true if it is a self-generated ogm
+ *
+ * Return: whether forward packet was scheduled
  */
-static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
+static bool batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
 					int packet_len, unsigned long send_time,
 					bool direct_link,
 					struct batadv_hard_iface *if_incoming,
@@ -552,13 +556,13 @@ static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
 
 	skb = netdev_alloc_skb_ip_align(NULL, skb_size);
 	if (!skb)
-		return;
+		return false;
 
 	forw_packet_aggr = batadv_forw_packet_alloc(if_incoming, if_outgoing,
 						    queue_left, bat_priv, skb);
 	if (!forw_packet_aggr) {
 		kfree_skb(skb);
-		return;
+		return false;
 	}
 
 	forw_packet_aggr->skb->priority = TC_PRIO_CONTROL;
@@ -580,6 +584,8 @@ static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
 			  batadv_iv_send_outstanding_bat_ogm_packet);
 
 	batadv_forw_packet_ogmv1_queue(bat_priv, forw_packet_aggr, send_time);
+
+	return true;
 }
 
 /* aggregate a new packet into the existing ogm packet */
@@ -609,8 +615,10 @@ static void batadv_iv_ogm_aggregate(struct batadv_forw_packet *forw_packet_aggr,
  * @if_outgoing: interface for which the retransmission should be considered
  * @own_packet: true if it is a self-generated ogm
  * @send_time: timestamp (jiffies) when the packet is to be sent
+ *
+ * Return: whether forward packet was scheduled
  */
-static void batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
+static bool batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
 				    unsigned char *packet_buff,
 				    int packet_len,
 				    struct batadv_hard_iface *if_incoming,
@@ -662,14 +670,16 @@ static void batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
 		if (!own_packet && atomic_read(&bat_priv->aggregated_ogms))
 			send_time += max_aggregation_jiffies;
 
-		batadv_iv_ogm_aggregate_new(packet_buff, packet_len,
-					    send_time, direct_link,
-					    if_incoming, if_outgoing,
-					    own_packet);
+		return batadv_iv_ogm_aggregate_new(packet_buff, packet_len,
+						   send_time, direct_link,
+						   if_incoming, if_outgoing,
+						   own_packet);
 	} else {
 		batadv_iv_ogm_aggregate(forw_packet_aggr, packet_buff,
 					packet_len, direct_link);
 		spin_unlock_bh(&bat_priv->forw_bat_list_lock);
+
+		return true;
 	}
 }
 
@@ -781,6 +791,8 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 	u32 seqno;
 	u16 tvlv_len = 0;
 	unsigned long send_time;
+	bool reschedule = false;
+	bool scheduled;
 	int ret;
 
 	lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
@@ -809,11 +821,8 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 						       ogm_buff_len,
 						       BATADV_OGM_HLEN);
 		if (ret < 0) {
-			/* OGMs must be queued even when the buffer allocation for
-			 * TVLVs failed. just fall back to the non-TVLV version
-			 */
-			ret = 0;
-			*ogm_buff_len = BATADV_OGM_HLEN;
+			reschedule = true;
+			goto out;
 		}
 
 		tvlv_len = ret;
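Review bot: this is a behaviour change the commit message does not mention. Previously a failed TVLV buffer allocation still sent a bare OGM (ogm_buff_len = BATADV_OGM_HLEN); now nothing is sent and the next attempt is one orig_interval later. Under memory pressure that turns a degraded OGM into a missed one. Either document the trade-off in the commit message or keep the fallback and only reschedule when queueing itself fails.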
@@ -835,8 +844,11 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 		/* OGMs from secondary interfaces are only scheduled on their
 		 * respective interfaces.
 		 */
-		batadv_iv_ogm_queue_add(bat_priv, *ogm_buff, *ogm_buff_len,
-					hard_iface, hard_iface, 1, send_time);
+		scheduled = batadv_iv_ogm_queue_add(bat_priv, *ogm_buff, *ogm_buff_len,
+						    hard_iface, hard_iface, 1, send_time);
+		if (!scheduled)
+			reschedule = true;
+
 		goto out;
 	}
 
@@ -851,15 +863,28 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
 		if (!kref_get_unless_zero(&tmp_hard_iface->refcount))
 			continue;
 
-		batadv_iv_ogm_queue_add(bat_priv, *ogm_buff,
-					*ogm_buff_len, hard_iface,
-					tmp_hard_iface, 1, send_time);
-
+		scheduled = batadv_iv_ogm_queue_add(bat_priv, *ogm_buff,
+						    *ogm_buff_len, hard_iface,
+						    tmp_hard_iface, 1, send_time);
 		batadv_hardif_put(tmp_hard_iface);
+
+		if (!scheduled && tmp_hard_iface == hard_iface)
+			reschedule = true;
 	}
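Review bot: the `tmp_hard_iface == hard_iface` condition needs a comment. As written, a queue failure for any other outgoing interface is ignored, presumably because only the own-interface forward packet re-arms batadv_iv_send_outstanding_bat_ogm_packet(), but that reasoning lives only at the `out:` label. Reading `scheduled` after batadv_hardif_put(tmp_hard_iface) is fine for a plain bool, though moving the put after the check would read more naturally.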
 	rcu_read_unlock();
 
 out:
+	if (reschedule) {
+		/* there was a failure scheduling the own forward packet.
+		 * as result, the batadv_iv_send_outstanding_bat_ogm_packet()
+		 * work item is no longer scheduled. it is therefore necessary
+		 * to reschedule it manually
+		 */
+		queue_delayed_work(batadv_event_workqueue,
+				   &hard_iface->bat_iv.reschedule_work,
+				   msecs_to_jiffies(atomic_read(&bat_priv->orig_interval)));
+	}
+
 	batadv_hardif_put(primary_if);
 }
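Review bot: reschedule_work is queued without taking a reference on hard_iface, so the handler's use of it is only safe because batadv_iv_ogm_iface_disable() cancels the work synchronously before the interface goes away; worth a comment here, since the kref_get_unless_zero() in the loop above shows that holding a reference is the convention in this function. queue_delayed_work() returning false when the work is already pending is harmless at this site.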
 
@@ -874,6 +899,17 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
 	mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
 }
 
+static void batadv_iv_ogm_reschedule(struct work_struct *work)
+{
+	struct delayed_work *delayed_work = to_delayed_work(work);
+	struct batadv_hard_iface *hard_iface;
+
+	hard_iface = container_of(delayed_work,
+				  struct batadv_hard_iface,
+				  bat_iv.reschedule_work);
+	batadv_iv_ogm_schedule(hard_iface);
+}
+
 /**
  * batadv_iv_orig_ifinfo_sum() - Get bcast_own sum for originator over interface
  * @orig_node: originator which reproadcasted the OGMs directly
@@ -2277,6 +2313,8 @@ batadv_iv_ogm_neigh_is_sob(struct batadv_neigh_node *neigh1,
 
 static void batadv_iv_iface_enabled(struct batadv_hard_iface *hard_iface)
 {
+	INIT_DELAYED_WORK(&hard_iface->bat_iv.reschedule_work, batadv_iv_ogm_reschedule);
+
 	/* begin scheduling originator messages on that interface */
 	batadv_iv_ogm_schedule(hard_iface);
 }
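Review bot: INIT_DELAYED_WORK() in batadv_iv_iface_enabled() means the work struct is only valid once the interface has been enabled, yet batadv_iv_ogm_iface_disable() now unconditionally calls cancel_delayed_work_sync() on it. If disable can run for an interface that was never enabled, or if re-initialising already-initialised work on a second enable is a concern, initialising it once where the hard_iface's bat_iv state is set up would be safer.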
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index fe774ec8b80b75..0ccd55b251fa26 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -83,6 +83,9 @@ struct batadv_hard_iface_bat_iv {
 	/** @ogm_seqno: OGM sequence number - used to identify each OGM */
 	atomic_t ogm_seqno;
 
+	/** @reschedule_work: recover OGM schedule after schedule error */
+	struct delayed_work reschedule_work;
+
 	/** @ogm_buff_mutex: lock protecting ogm_buff and ogm_buff_len */
 	struct mutex ogm_buff_mutex;
 };
-- 
2.53.0





* [PATCH 6.18 113/315] usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, André Draszik,
	Badhri Jagan Sridharan, Amit Sunil Dhamne, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aa2f716327be1818e1cb156da8a2844804aaec2f upstream.

A broken/malicious port can transmit a CRC-valid frame whose header
advertises up to seven data objects but whose body carries fewer than
that.  Check for this, and rightfully reject the message, instead of
reading from uninitialized stack memory.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: "André Draszik" <andre.draszik@linaro.org>
Cc: Badhri Jagan Sridharan <badhri@google.com>
Cc: Amit Sunil Dhamne <amitsd@google.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026051350-sitter-canopener-9045@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpci_maxim_core.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
@@ -186,6 +186,15 @@ static void process_rx(struct max_tcpci_
 	rx_buf_ptr = rx_buf + TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET;
 	msg.header = cpu_to_le16(*(u16 *)rx_buf_ptr);
 	rx_buf_ptr = rx_buf_ptr + sizeof(msg.header);
+
+	if (count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) +
+		    pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])) {
+		max_tcpci_write16(chip, TCPC_ALERT, TCPC_ALERT_RX_STATUS);
+		dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n",
+			count, pd_header_cnt_le(msg.header));
+		return;
+	}
+
 	for (payload_index = 0; payload_index < pd_header_cnt_le(msg.header); payload_index++,
 	     rx_buf_ptr += sizeof(msg.payload[0]))
 		msg.payload[payload_index] = cpu_to_le32(*(u32 *)rx_buf_ptr);
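Review bot: dev_err() on this path is triggered by a frame the port partner controls, so a hostile partner can fill the log; dev_err_ratelimited() is the better fit for a check that rejects peer-supplied input. The check itself is sound: pd_header_cnt_le() is at most 7 and msg.payload is sized for that, so the destination was already bounded and this now bounds the source. `count` is printed with %d, so if it is int the comparison against the size_t expression promotes it to unsigned; that is fine as long as count is never negative, which holds for a value read from the byte-count register.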




* [PATCH 6.12 103/307] batman-adv: tp_meter: avoid role confusion in tp_list
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit ff24f2ecfd94c07a2b89bac497433e3b23271cac upstream.

Session lookups in tp_list matched only on destination address (and
optionally session ID), leaving role validation to the caller. If two
sessions with the same other_end coexisted (one as sender, one as receiver)
a lookup could silently return the wrong one, causing the caller's role to
bail out early, potentially skipping necessary cleanup.

Move the role check into the lookup functions themselves so the correct
entry is always returned, or none at all. Since batadv_tp_start()
legitimately needs to detect any active session to a destination regardless
of role, introduce a dedicated helper for that case rather than bending the
existing lookup semantics.

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/tp_meter.c | 59 ++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 23 deletions(-)

diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 04a83d6be45bc0..bc3dc377f0bfd0 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -255,6 +255,7 @@ static void batadv_tp_batctl_error_notify(enum batadv_tp_meter_reason reason,
  * batadv_tp_list_find() - find a tp_vars object in the global list
  * @bat_priv: the bat priv with all the soft interface information
  * @dst: the other endpoint MAC address to look for
+ * @role: role of the session
  *
  * Look for a tp_vars object matching dst as end_point and return it after
  * having increment the refcounter. Return NULL is not found
@@ -262,7 +263,8 @@ static void batadv_tp_batctl_error_notify(enum batadv_tp_meter_reason reason,
  * Return: matching tp_vars or NULL when no tp_vars with @dst was found
  */
 static struct batadv_tp_vars *batadv_tp_list_find(struct batadv_priv *bat_priv,
-						  const u8 *dst)
+						  const u8 *dst,
+						  enum batadv_tp_meter_role role)
 {
 	struct batadv_tp_vars *pos, *tp_vars = NULL;
 
@@ -271,6 +273,9 @@ static struct batadv_tp_vars *batadv_tp_list_find(struct batadv_priv *bat_priv,
 		if (!batadv_compare_eth(pos->other_end, dst))
 			continue;
 
+		if (pos->role != role)
+			continue;
+
 		/* most of the time this function is invoked during the normal
 		 * process..it makes sens to pay more when the session is
 		 * finished and to speed the process up during the measurement
@@ -286,12 +291,33 @@ static struct batadv_tp_vars *batadv_tp_list_find(struct batadv_priv *bat_priv,
 	return tp_vars;
 }
 
+/**
+ * batadv_tp_list_active() - check if session from/to destination is ongoing
+ * @bat_priv: the bat priv with all the mesh interface information
+ * @dst: the other endpoint MAC address to look for
+ *
+ * Return: if matching session with @dst was found
+ */
+static bool batadv_tp_list_active(struct batadv_priv *bat_priv, const u8 *dst)
+	__must_hold(&bat_priv->tp_list_lock)
+{
+	struct batadv_tp_vars *tp_vars;
+
+	hlist_for_each_entry_rcu(tp_vars, &bat_priv->tp_list, list) {
+		if (batadv_compare_eth(tp_vars->other_end, dst))
+			return true;
+	}
+
+	return false;
+}
+
 /**
  * batadv_tp_list_find_session() - find tp_vars session object in the global
  *  list
  * @bat_priv: the bat priv with all the soft interface information
  * @dst: the other endpoint MAC address to look for
  * @session: session identifier
+ * @role: role of the session
  *
  * Look for a tp_vars object matching dst as end_point, session as tp meter
  * session and return it after having increment the refcounter. Return NULL
@@ -301,7 +327,7 @@ static struct batadv_tp_vars *batadv_tp_list_find(struct batadv_priv *bat_priv,
  */
 static struct batadv_tp_vars *
 batadv_tp_list_find_session(struct batadv_priv *bat_priv, const u8 *dst,
-			    const u8 *session)
+			    const u8 *session, enum batadv_tp_meter_role role)
 {
 	struct batadv_tp_vars *pos, *tp_vars = NULL;
 
@@ -313,6 +339,9 @@ batadv_tp_list_find_session(struct batadv_priv *bat_priv, const u8 *dst,
 		if (memcmp(pos->session, session, sizeof(pos->session)) != 0)
 			continue;
 
+		if (pos->role != role)
+			continue;
+
 		/* most of the time this function is invoked during the normal
 		 * process..it makes sense to pay more when the session is
 		 * finished and to speed the process up during the measurement
@@ -671,13 +700,10 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv,
 
 	/* find the tp_vars */
 	tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
-					      icmp->session);
+					      icmp->session, BATADV_TP_SENDER);
 	if (unlikely(!tp_vars))
 		return;
 
-	if (unlikely(tp_vars->role != BATADV_TP_SENDER))
-		goto out;
-
 	if (unlikely(batadv_tp_sender_stopped(tp_vars)))
 		goto out;
 
@@ -986,10 +1012,8 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
 		return;
 	}
 
-	tp_vars = batadv_tp_list_find(bat_priv, dst);
-	if (tp_vars) {
+	if (batadv_tp_list_active(bat_priv, dst)) {
 		spin_unlock_bh(&bat_priv->tp_list_lock);
-		batadv_tp_vars_put(tp_vars);
 		batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
 			   "Meter: test to or from the same node already ongoing, aborting\n");
 		batadv_tp_batctl_error_notify(BATADV_TP_REASON_ALREADY_ONGOING,
@@ -1110,18 +1134,14 @@ void batadv_tp_stop(struct batadv_priv *bat_priv, const u8 *dst,
 	if (!orig_node)
 		return;
 
-	tp_vars = batadv_tp_list_find(bat_priv, orig_node->orig);
+	tp_vars = batadv_tp_list_find(bat_priv, orig_node->orig, BATADV_TP_SENDER);
 	if (!tp_vars) {
 		batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
 			   "Meter: trying to interrupt an already over connection\n");
 		goto out_put_orig_node;
 	}
 
-	if (unlikely(tp_vars->role != BATADV_TP_SENDER))
-		goto out_put_tp_vars;
-
 	batadv_tp_sender_shutdown(tp_vars, return_value);
-out_put_tp_vars:
 	batadv_tp_vars_put(tp_vars);
 out_put_orig_node:
 	batadv_orig_node_put(orig_node);
@@ -1377,7 +1397,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
 		goto out_unlock;
 
 	tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
-					      icmp->session);
+					      icmp->session, BATADV_TP_RECEIVER);
 	if (tp_vars)
 		goto out_unlock;
 
@@ -1448,7 +1468,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
 		}
 	} else {
 		tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
-						      icmp->session);
+						      icmp->session, BATADV_TP_RECEIVER);
 		if (!tp_vars) {
 			batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
 				   "Unexpected packet from %pM!\n",
@@ -1457,13 +1477,6 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
 		}
 	}
 
-	if (unlikely(tp_vars->role != BATADV_TP_RECEIVER)) {
-		batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
-			   "Meter: dropping packet: not expected (role=%u)\n",
-			   tp_vars->role);
-		goto out;
-	}
-
 	tp_vars->last_recv_time = jiffies;
 
 	/* if the packet is a duplicate, it may be the case that an ACK has been
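Review bot: removing the role check here drops the "dropping packet: not expected (role=%u)" debug message; after this change a packet that only matches a sender-role session falls into the "Unexpected packet from %pM!" branch in the hunk above, which is the same drop with a less specific message. Fine as a result, but worth a line in the commit message since it changes what an operator debugging the throughput meter sees.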
-- 
2.53.0





* [PATCH 6.18 114/315] usb: typec: ucsi: validate connector number in ucsi_connector_change()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Benson Leung,
	Jameson Thies, Nathan Rebello, Johan Hovold, Pooja Katiyar,
	Hsin-Te Yuan, Abel Vesa, stable, Abel Vesa

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 288a81a8507052bcfbf884d39a463c44c42c5fd9 upstream.

The connector number in a UCSI CCI notification is a 7-bit field
supplied by the PPM.  ucsi_connector_change() uses it to index the
ucsi->connector[] array without checking it against the number of
connectors the PPM reported at init time, so a buggy or malicious PPM
(EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
glink transports) can drive schedule_work() on memory past the end of
the array.

Reject connector numbers that are zero or exceed cap.num_connectors
before dereferencing the array.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: Benson Leung <bleung@chromium.org>
Cc: Jameson Thies <jthies@google.com>
Cc: Nathan Rebello <nathan.c.rebello@gmail.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Hsin-Te Yuan <yuanhsinte@chromium.org>
Cc: Abel Vesa <abelvesa@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Link: https://patch.msgid.link/2026051351-truck-steadfast-df48@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1325,13 +1325,22 @@ out_unlock:
  */
 void ucsi_connector_change(struct ucsi *ucsi, u8 num)
 {
-	struct ucsi_connector *con = &ucsi->connector[num - 1];
+	struct ucsi_connector *con;
 
 	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
 		dev_dbg(ucsi->dev, "Early connector change event\n");
 		return;
 	}
 
+	if (!num || num > ucsi->cap.num_connectors) {
+		dev_warn_ratelimited(ucsi->dev,
+				     "Bogus connector change on %u (max %u)\n",
+				     num, ucsi->cap.num_connectors);
+		return;
+	}
+
+	con = &ucsi->connector[num - 1];
+
 	if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
 		schedule_work(&con->work);
 }
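Review bot: the range check is placed after the UCSI_ENABLE_NTFY_CONNECTOR_CHANGE test, so a bogus connector number that arrives before notifications are enabled is only dev_dbg()'d as an "Early connector change event" and never reaches the ratelimited warning; if the goal is to surface misbehaving PPM firmware, move the `!num || num > ucsi->cap.num_connectors` test above the early-event return. The check itself is right for the `num - 1` index below: zero is rejected explicitly and `num > cap.num_connectors` covers the upper bound, since cap.num_connectors is what sized ucsi->connector[] at init per the commit message.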



* [PATCH 6.12 104/307] s390/cio: Restore GFP_DMA for CHSC allocation
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 103/307] batman-adv: tp_meter: avoid role confusion in tp_list Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 105/307] batman-adv: tp_meter: directly shut down timer on cleanup Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Peter Oberparleiter, Heiko Carstens,
	Alexander Gordeev, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Oberparleiter <oberpar@linux.ibm.com>

[ Upstream commit ea34567db0a6b3a7ce78ba421592344315c8f90e ]

Re-add GFP_DMA when allocating memory for CHSC control blocks.
On some supported machines, CHSC cannot access memory outside
the DMA zone, causing CHSC command failures.

Cc: stable@vger.kernel.org
Fixes: a3a64a4def8d ("s390/cio: remove unneeded DMA zone allocation")
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
[ adjusted context to account for missing commit bf4afc53b77ae ]
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/chsc.c     |  4 ++--
 drivers/s390/cio/chsc_sch.c | 20 ++++++++++----------
 drivers/s390/cio/scm.c      |  2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c
index dcc1e1c34ca2e1..8fe6658dcfe1a3 100644
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -1153,8 +1153,8 @@ int __init chsc_init(void)
 {
 	int ret;
 
-	sei_page = (void *)get_zeroed_page(GFP_KERNEL);
-	chsc_page = (void *)get_zeroed_page(GFP_KERNEL);
+	sei_page = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
+	chsc_page = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sei_page || !chsc_page) {
 		ret = -ENOMEM;
 		goto out_err;
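Review bot: nothing at these allocation sites says why the DMA zone is required, and the Fixes tag shows that a previous cleanup (a3a64a4def8d) removed GFP_DMA precisely because it looked unneeded. A one-line comment next to sei_page/chsc_page ("CHSC control blocks must be DMA-zone memory, some machines cannot address anything else") would stop the next cleanup from reintroducing the regression.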
diff --git a/drivers/s390/cio/chsc_sch.c b/drivers/s390/cio/chsc_sch.c
index 1e58ee3cc87db1..9131ce3af1b8eb 100644
--- a/drivers/s390/cio/chsc_sch.c
+++ b/drivers/s390/cio/chsc_sch.c
@@ -293,7 +293,7 @@ static int chsc_ioctl_start(void __user *user_area)
 	if (!css_general_characteristics.dynio)
 		/* It makes no sense to try. */
 		return -EOPNOTSUPP;
-	chsc_area = (void *)get_zeroed_page(GFP_KERNEL);
+	chsc_area = (void *)get_zeroed_page(GFP_DMA | GFP_KERNEL);
 	if (!chsc_area)
 		return -ENOMEM;
 	request = kzalloc(sizeof(*request), GFP_KERNEL);
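Review bot: flag ordering is inconsistent within the same file: this site and chsc_ioctl_on_close_set() use `GFP_DMA | GFP_KERNEL`, every other site in the series uses `GFP_KERNEL | GFP_DMA`. Pick one spelling so a grep for the CHSC DMA allocations finds all of them.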
@@ -341,7 +341,7 @@ static int chsc_ioctl_on_close_set(void __user *user_area)
 		ret = -ENOMEM;
 		goto out_unlock;
 	}
-	on_close_chsc_area = (void *)get_zeroed_page(GFP_KERNEL);
+	on_close_chsc_area = (void *)get_zeroed_page(GFP_DMA | GFP_KERNEL);
 	if (!on_close_chsc_area) {
 		ret = -ENOMEM;
 		goto out_free_request;
@@ -393,7 +393,7 @@ static int chsc_ioctl_start_sync(void __user *user_area)
 	struct chsc_sync_area *chsc_area;
 	int ret, ccode;
 
-	chsc_area = (void *)get_zeroed_page(GFP_KERNEL);
+	chsc_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!chsc_area)
 		return -ENOMEM;
 	if (copy_from_user(chsc_area, user_area, PAGE_SIZE)) {
@@ -439,7 +439,7 @@ static int chsc_ioctl_info_channel_path(void __user *user_cd)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *scpcd_area;
 
-	scpcd_area = (void *)get_zeroed_page(GFP_KERNEL);
+	scpcd_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!scpcd_area)
 		return -ENOMEM;
 	cd = kzalloc(sizeof(*cd), GFP_KERNEL);
@@ -501,7 +501,7 @@ static int chsc_ioctl_info_cu(void __user *user_cd)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *scucd_area;
 
-	scucd_area = (void *)get_zeroed_page(GFP_KERNEL);
+	scucd_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!scucd_area)
 		return -ENOMEM;
 	cd = kzalloc(sizeof(*cd), GFP_KERNEL);
@@ -564,7 +564,7 @@ static int chsc_ioctl_info_sch_cu(void __user *user_cud)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *sscud_area;
 
-	sscud_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sscud_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sscud_area)
 		return -ENOMEM;
 	cud = kzalloc(sizeof(*cud), GFP_KERNEL);
@@ -626,7 +626,7 @@ static int chsc_ioctl_conf_info(void __user *user_ci)
 		u8 data[PAGE_SIZE - 20];
 	} __attribute__ ((packed)) *sci_area;
 
-	sci_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sci_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sci_area)
 		return -ENOMEM;
 	ci = kzalloc(sizeof(*ci), GFP_KERNEL);
@@ -697,7 +697,7 @@ static int chsc_ioctl_conf_comp_list(void __user *user_ccl)
 		u32 res;
 	} __attribute__ ((packed)) *cssids_parm;
 
-	sccl_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sccl_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sccl_area)
 		return -ENOMEM;
 	ccl = kzalloc(sizeof(*ccl), GFP_KERNEL);
@@ -757,7 +757,7 @@ static int chsc_ioctl_chpd(void __user *user_chpd)
 	int ret;
 
 	chpd = kzalloc(sizeof(*chpd), GFP_KERNEL);
-	scpd_area = (void *)get_zeroed_page(GFP_KERNEL);
+	scpd_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!scpd_area || !chpd) {
 		ret = -ENOMEM;
 		goto out_free;
@@ -797,7 +797,7 @@ static int chsc_ioctl_dcal(void __user *user_dcal)
 		u8 data[PAGE_SIZE - 36];
 	} __attribute__ ((packed)) *sdcal_area;
 
-	sdcal_area = (void *)get_zeroed_page(GFP_KERNEL);
+	sdcal_area = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sdcal_area)
 		return -ENOMEM;
 	dcal = kzalloc(sizeof(*dcal), GFP_KERNEL);
diff --git a/drivers/s390/cio/scm.c b/drivers/s390/cio/scm.c
index c7894d61306d74..375cbfa31b5373 100644
--- a/drivers/s390/cio/scm.c
+++ b/drivers/s390/cio/scm.c
@@ -228,7 +228,7 @@ int scm_update_information(void)
 	size_t num;
 	int ret;
 
-	scm_info = (void *)__get_free_page(GFP_KERNEL);
+	scm_info = (void *)__get_free_page(GFP_KERNEL | GFP_DMA);
 	if (!scm_info)
 		return -ENOMEM;
 
-- 
2.53.0




* [PATCH 6.18 115/315] USB: serial: safe_serial: fix memory corruption with small endpoint
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 114/315] usb: typec: ucsi: validate connector number in ucsi_connector_change() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 116/315] media: rc: igorplugusb: fix control request setup packet Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.

Make sure that the bulk-out buffer size is at least eight bytes to avoid
user-controlled slab corruption in "safe" mode should a malicious device
report a smaller size.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/safe_serial.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/safe_serial.c
+++ b/drivers/usb/serial/safe_serial.c
@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
 static int safe_startup(struct usb_serial *serial)
 {
 	struct usb_interface_descriptor	*desc;
+	int bulk_out_size;
 
 	if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
 		return -ENODEV;
@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
 	default:
 		return -EINVAL;
 	}
+
+	/*
+	 * The bulk-out buffer needs to be large enough for the two-byte
+	 * trailer in safe mode, but assume anything smaller than eight bytes
+	 * is broken.
+	 */
+	bulk_out_size = serial->port[0]->bulk_out_size;
+	if (bulk_out_size > 0 && bulk_out_size < 8)
+		return -EINVAL;
+
 	return 0;
 }
 
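Review bot: the `bulk_out_size > 0` clause deliberately lets a port with no bulk-out endpoint (size 0) through, but the comment only explains the lower bound of eight; add a sentence saying that zero means "no bulk-out endpoint" and is handled elsewhere, otherwise the next reader will take `> 0` for an oversight and "fix" it. Also worth stating in the comment that only port[0] is checked because this is a single-port driver.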



* [PATCH 6.12 105/307] batman-adv: tp_meter: directly shut down timer on cleanup
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 104/307] s390/cio: Restore GFP_DMA for CHSC allocation Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 106/307] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit d5487249a81ea658717614009c8f46acc5b7101a upstream.

batadv_tp_sender_cleanup() was calling timer_delete_sync() followed by
timer_delete() to guard against the timer handler re-arming itself between
the two calls. This double-deletion hack relied on the sending status being
set to 0 to suppress re-arming.

Replace both calls with a single timer_shutdown_sync(). This function both
waits for any running timer callback to complete (like timer_delete_sync())
and permanently disarms the timer so it cannot be re-armed afterwards,
making re-arming prevention unconditional and self-documenting.

The re-arming property is also required because otherwise:

1. context 0 (batadv_tp_recv_ack()) checks in
   batadv_tp_reset_sender_timer() if sending is still 1 -> it is
2. context 1 changes in batadv_tp_sender_shutdown() sending to 0 and in
   this process forces the kthread to stop timer in
   batadv_tp_sender_cleanup()
3. context 0 continues in batadv_tp_reset_sender_timer() and rearms the
   timer -> but the reference for it is already gone

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ adapt pre-hunk to old del_timer* names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/tp_meter.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index bc3dc377f0bfd0..dfc3374549921f 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -430,13 +430,7 @@ static void batadv_tp_sender_cleanup(struct batadv_tp_vars *tp_vars)
 	batadv_tp_list_detach(tp_vars);
 
 	/* kill the timer and remove its reference */
-	del_timer_sync(&tp_vars->timer);
-	/* the worker might have rearmed itself therefore we kill it again. Note
-	 * that if the worker should run again before invoking the following
-	 * del_timer(), it would not re-arm itself once again because the status
-	 * is OFF now
-	 */
-	del_timer(&tp_vars->timer);
+	timer_shutdown_sync(&tp_vars->timer);
 	batadv_tp_vars_put(tp_vars);
 }
 
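Review bot: the surviving comment "kill the timer and remove its reference" no longer says why a shutdown rather than a delete is needed here. Since the commit message's race is batadv_tp_reset_sender_timer() calling into the timer after this cleanup, say so next to the call ("shutdown: a later re-arm from the ack path must be ignored"), because timer_shutdown_sync() silently ignores every subsequent mod_timer()/add_timer() on this timer and this must therefore be the last use of tp_vars->timer before the batadv_tp_vars_put() below.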
-- 
2.53.0




* [PATCH 6.18 116/315] media: rc: igorplugusb: fix control request setup packet
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 115/315] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 117/315] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+11f0e4f957c7c3bf3d51, Henri A,
	Sean Young, Hans Verkuil

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Henri A <contact@henrialfonso.com>

commit 171022c7d594c133a45f92357a2a91475edabe20 upstream.

Commit eac69475b01f ("media: rc: igorplugusb: heed coherency
rules") changed the control request storage from an embedded struct to
an allocated pointer so it can obey DMA coherency rules.

However, the driver still passes &ir->request to usb_fill_control_urb().
That points the URB setup packet at the pointer field itself rather than
at the allocated struct usb_ctrlrequest.

USB core then interprets pointer bytes as the setup packet. This can
produce an invalid bRequestType and trigger the control direction warning
reported by syzbot:

  usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0

Pass ir->request itself as the setup packet.

Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules")
Reported-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=11f0e4f957c7c3bf3d51
Tested-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Assisted-by: Codex:GPT-5.5
Signed-off-by: Henri A <contact@henrialfonso.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/igorplugusb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_
 	if (!ir->buf_in)
 		goto fail;
 	usb_fill_control_urb(ir->urb, udev,
-		usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request,
+		usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request,
 		ir->buf_in, MAX_PACKET, igorplugusb_callback, ir);
 
 	usb_make_path(udev, ir->phys, sizeof(ir->phys));
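Review bot: the `(uint8_t *)` cast is what let `&ir->request` (now a `struct usb_ctrlrequest **`) compile silently after the field became a pointer; struct usb_ctrlrequest is 8 bytes, the same size as a 64-bit pointer, so the setup packet was simply the pointer's own bytes and only the BOGUS-direction warning exposed it. The cast is still needed for usb_fill_control_urb()'s `unsigned char *` parameter, but kernel style prefers `u8 *` over `uint8_t *`; worth adjusting while touching the line.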



* [PATCH 6.12 106/307] batman-adv: tt: fix TOCTOU race for reported vlans
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 105/307] batman-adv: tp_meter: directly shut down timer on cleanup Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 107/307] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 94d27005016be15ffc638b2ecbc4d58805ad7b48 upstream.

The local TT based TVLV is generated by first checking the number of VLANs
which have at least one TT entry. A new buffer with the correct size for
the VLANs is then allocated. Only then, the list of VLANs is used to fill
the VLAN entries in the buffer. During this time, the meshif_vlan_list_lock
is held. But the actual number of TT entries of each VLAN can still
increase during this time - just not the number of VLANs in the list.

But the prefilter used in the buffer size calculation might still cause an
increase of the number of VLANs which need to be stored. Simply because a
VLAN might now suddenly have at least one entry when it had none in the
pre-alloc check - and then needs to occupy space which was not allocated.

It is better to overestimate the buffer size at the beginning and then fill
the buffer only with the VLANs which are not empty.

Cc: stable@kernel.org
Fixes: 16116dac2339 ("batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs")
[ Context, drop flex array dependency ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/translation-table.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 8ffebece03c529..d4cebe122e528a 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -934,11 +934,8 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
 	hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
 		vlan_entries = atomic_read(&vlan->tt.num_entries);
-		if (vlan_entries < 1)
-			continue;
-
-		num_vlan++;
 		total_entries += vlan_entries;
+		num_vlan++;
 	}
 
 	change_offset = sizeof(**tt_data);
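Review bot: counting every VLAN here over-reserves one sizeof(*tt_vlan) per currently-empty VLAN, which is the intended slack for a VLAN that gains its first entry before the fill loop; a short comment on the loop ("size for all VLANs, filter empty ones at fill time") would make that deliberate. Empty VLANs add nothing to total_entries, so the tt_len side of the sizing is unchanged.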
@@ -964,6 +961,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 	(*tt_data)->num_vlan = htons(num_vlan);
 
 	tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
+	num_vlan = 0;
 	hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
 		vlan_entries = atomic_read(&vlan->tt.num_entries);
 		if (vlan_entries < 1)
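Review bot: the `(*tt_data)->num_vlan = htons(num_vlan);` just above this loop is now dead, since the patch writes num_vlan again after the loop with the filtered count; drop the first assignment so the buffer header is only ever written with the value that matches the entries actually emitted.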
@@ -974,8 +972,16 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 		tt_vlan->reserved = 0;
 
 		tt_vlan++;
+		num_vlan++;
 	}
 
+	/* recalculate in case number of VLANs reduced */
+	change_offset = sizeof(**tt_data);
+	change_offset += num_vlan * sizeof(*tt_vlan);
+	tvlv_len = *tt_len + change_offset;
+
+	(*tt_data)->num_vlan = htons(num_vlan);
+
 	tt_change_ptr = (u8 *)*tt_data + change_offset;
 	*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
 
-- 
2.53.0




* [PATCH 6.18 117/315] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 116/315] media: rc: igorplugusb: fix control request setup packet Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 118/315] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Dmitry Torokhov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.

The input buffer size is pcu->max_in_size, but pcu->max_out_size is
passed to usb_free_coherent().

Change size to match the allocation size.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/misc/ims-pcu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1604,7 +1604,7 @@ static void ims_pcu_buffers_free(struct
 	usb_kill_urb(pcu->urb_in);
 	usb_free_urb(pcu->urb_in);
 
-	usb_free_coherent(pcu->udev, pcu->max_out_size,
+	usb_free_coherent(pcu->udev, pcu->max_in_size,
 			  pcu->urb_in_buf, pcu->read_dma);
 
 	kfree(pcu->urb_out_buf);
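Review bot: the size passed to usb_free_coherent() has to match the allocation for the DMA pool bookkeeping to stay consistent, and urb_in_buf is the only coherent buffer in this function (urb_out_buf is kfree()'d right below), so max_in_size is the only sensible value here. The old code only worked when max_in_size happened to equal max_out_size, which is presumably why it survived so long; a comment tying the free to the max_in_size allocation would prevent the same copy-paste slip in a future buffer.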



* [PATCH 6.12 107/307] batman-adv: tt: avoid empty VLAN responses
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 106/307] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 108/307] batman-adv: bla: avoid double decrement of bla.num_requests Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit fa1bd704940b5bcbc32c0b28db9167405c8ee5e0 upstream.

The commit 16116dac2339 ("batman-adv: prevent TT request storms by not
sending inconsistent TT TLVLs") added checks to the local (direct) TT
response code. But the response can also be done indirectly by another node
using the global TT state. To avoid such inconsistency states reported in
the original fix, also avoid sending empty VLANs for replies from the
global TT state.

Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
[ Context, drop flex array dependency ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/translation-table.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index d4cebe122e528a..4045ddefc29b47 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -843,17 +843,19 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
 				   s32 *tt_len)
 {
 	u16 num_vlan = 0;
-	u16 num_entries = 0;
 	u16 tvlv_len = 0;
 	unsigned int change_offset;
 	struct batadv_tvlv_tt_vlan_data *tt_vlan;
 	struct batadv_orig_node_vlan *vlan;
+	u16 total_entries = 0;
 	u8 *tt_change_ptr;
+	int vlan_entries;
 
 	spin_lock_bh(&orig_node->vlan_list_lock);
 	hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
+		vlan_entries = atomic_read(&vlan->tt.num_entries);
+		total_entries += vlan_entries;
 		num_vlan++;
-		num_entries += atomic_read(&vlan->tt.num_entries);
 	}
 
 	change_offset = sizeof(**tt_data);
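Review bot: `total_entries` is a u16 accumulating `int` values from atomic_read(), so a large global table still truncates silently before the U16_MAX check on *tt_len below gets to see it; the old `u16 num_entries` had the same property, so no regression, but a u32 accumulator would let that check actually catch the overflow instead of a wrapped value. The declarations also now mirror batadv_tt_prepare_tvlv_local_data(), which is good for keeping the two paths in step.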
@@ -861,7 +863,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
 
 	/* if tt_len is negative, allocate the space needed by the full table */
 	if (*tt_len < 0)
-		*tt_len = batadv_tt_len(num_entries);
+		*tt_len = batadv_tt_len(total_entries);
 
 	if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) {
 		*tt_len = 0;
@@ -882,14 +884,27 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
 	(*tt_data)->num_vlan = htons(num_vlan);
 
 	tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
+	num_vlan = 0;
 	hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
+		vlan_entries = atomic_read(&vlan->tt.num_entries);
+		if (vlan_entries < 1)
+			continue;
+
 		tt_vlan->vid = htons(vlan->vid);
 		tt_vlan->crc = htonl(vlan->tt.crc);
 		tt_vlan->reserved = 0;
 
 		tt_vlan++;
+		num_vlan++;
 	}
 
+	/* recalculate in case number of VLANs reduced */
+	change_offset = sizeof(**tt_data);
+	change_offset += num_vlan * sizeof(*tt_vlan);
+	tvlv_len = *tt_len + change_offset;
+
+	(*tt_data)->num_vlan = htons(num_vlan);
+
 	tt_change_ptr = (u8 *)*tt_data + change_offset;
 	*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
 
-- 
2.53.0




* [PATCH 6.18 118/315] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 117/315] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 119/315] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, hlleng, Benjamin Tissoires

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hlleng <a909204013@gmail.com>

commit 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd upstream.

The SIGMACHIP USB mouse with VID/PID 1c4f:0034 can disconnect and
re-enumerate repeatedly after it has been enumerated if its interrupt
endpoint is not continuously polled.

This was observed with the device reporting itself as "SIGMACHIP Usb
Mouse". Keeping the input event device open avoids the disconnects.

Add HID_QUIRK_ALWAYS_POLL for this device so the HID core keeps polling
it even when there is no userspace input consumer.

Cc: stable@vger.kernel.org
Signed-off-by: hlleng <a909204013@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-ids.h    |    1 +
 drivers/hid/hid-quirks.c |    1 +
 2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -1244,6 +1244,7 @@
 
 #define USB_VENDOR_ID_SIGMA_MICRO	0x1c4f
 #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD	0x0002
+#define USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE	0x0034
 #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD2	0x0059
 
 #define USB_VENDOR_ID_SIGMATEL		0x066F
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -186,6 +186,7 @@ static const struct hid_device_id hid_qu
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD), HID_QUIRK_NO_INIT_REPORTS },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE), HID_QUIRK_ALWAYS_POLL },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS1030_TOUCH), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS817_TOUCH), HID_QUIRK_NOGET },



* [PATCH 6.12 108/307] batman-adv: bla: avoid double decrement of bla.num_requests
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 107/307] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 109/307] mm/page_alloc: clear page->private in free_pages_prepare() Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 83ab69bd12b80f6ea169c8bea6977701b53a043d upstream.

The bla.num_requests is increased when no request_sent was in progress. And
it is decremented in various places (announcement was received, backbone is
purged, periodic work). But the check if the request_sent is actually set
to a specific state and the atomic_dec/_inc are not safe because they are
not atomic (TOCTOU) and multiple such code portions can run concurrently.

At the same time, it is necessary to modify request_sent (state) and
bla.num_requests atomically. Otherwise batadv_bla_send_request() might set
request_sent to 1 and is interrupted.  batadv_handle_announce() can then
set request_sent back to 0 and decrement num_requests before
batadv_bla_send_request() incremented it.

The two operations must therefore be locked. And since state (request_sent)
and wait_periods are only accessed inside this lock, they can be converted
to simpler datatypes. And to avoid that the bla.num_requests is touched by
a parallel running context with a valid backbone_gw reference after
batadv_bla_purge_backbone_gw() ran, a third state "stopped" is required to
correctly signal that a backbone_gw is in the state of being cleaned up.

Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/bridge_loop_avoidance.c | 51 ++++++++++++++++++--------
 net/batman-adv/soft-interface.c        |  1 +
 net/batman-adv/types.h                 | 39 ++++++++++++++++----
 3 files changed, 67 insertions(+), 24 deletions(-)

diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 17db4191ddb39e..15aeb07285e61f 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -516,8 +516,8 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, const u8 *orig,
 	entry->crc = BATADV_BLA_CRC_INIT;
 	entry->bat_priv = bat_priv;
 	spin_lock_init(&entry->crc_lock);
-	atomic_set(&entry->request_sent, 0);
-	atomic_set(&entry->wait_periods, 0);
+	entry->state = BATADV_BLA_BACKBONE_GW_SYNCED;
+	entry->wait_periods = 0;
 	ether_addr_copy(entry->orig, orig);
 	INIT_WORK(&entry->report_work, batadv_bla_loopdetect_report);
 	kref_init(&entry->refcount);
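Review bot: initialising `entry->state` and `entry->wait_periods` without num_requests_lock is fine only because the entry is not yet reachable from the hash at this point; a brief comment saying "not yet published, no lock needed" would make the locking rule (state and wait_periods are otherwise only touched under bla.num_requests_lock) explicit where it is first broken.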
@@ -546,9 +546,13 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, const u8 *orig,
 		batadv_bla_send_announce(bat_priv, entry);
 
 		/* this will be decreased in the worker thread */
-		atomic_inc(&entry->request_sent);
-		atomic_set(&entry->wait_periods, BATADV_BLA_WAIT_PERIODS);
-		atomic_inc(&bat_priv->bla.num_requests);
+		spin_lock_bh(&bat_priv->bla.num_requests_lock);
+		if (entry->state == BATADV_BLA_BACKBONE_GW_SYNCED) {
+			entry->state = BATADV_BLA_BACKBONE_GW_UNSYNCED;
+			entry->wait_periods = BATADV_BLA_WAIT_PERIODS;
+			atomic_inc(&bat_priv->bla.num_requests);
+		}
+		spin_unlock_bh(&bat_priv->bla.num_requests_lock);
 	}
 
 	return entry;
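Review bot: The comment "this will be decreased in the worker thread" above the new lock block no longer describes the code: the increment of bla.num_requests now only happens when the entry is still BATADV_BLA_BACKBONE_GW_SYNCED, and it is also decreased by batadv_handle_announce() (later hunk). Suggest extending the comment to say why the state check is needed here, i.e. that a concurrent batadv_bla_send_request() may already have moved the freshly inserted entry to UNSYNCED and counted it, so counting it again would be the double increment the commit message describes.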
@@ -651,10 +655,12 @@ static void batadv_bla_send_request(struct batadv_bla_backbone_gw *backbone_gw)
 			      backbone_gw->vid, BATADV_CLAIM_TYPE_REQUEST);
 
 	/* no local broadcasts should be sent or received, for now. */
-	if (!atomic_read(&backbone_gw->request_sent)) {
+	spin_lock_bh(&backbone_gw->bat_priv->bla.num_requests_lock);
+	if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_SYNCED) {
+		backbone_gw->state = BATADV_BLA_BACKBONE_GW_UNSYNCED;
 		atomic_inc(&backbone_gw->bat_priv->bla.num_requests);
-		atomic_set(&backbone_gw->request_sent, 1);
 	}
+	spin_unlock_bh(&backbone_gw->bat_priv->bla.num_requests_lock);
 }
 
 /**
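Review bot: The request packet is still transmitted by the claim send call whose trailing arguments (backbone_gw->vid, BATADV_CLAIM_TYPE_REQUEST) sit just above the new lock, even when the state is BATADV_BLA_BACKBONE_GW_STOPPED; in that case nothing is counted in bla.num_requests and the answer will never be awaited. If that is intentional for a backbone_gw that is being purged, a one-line comment would help; otherwise consider reading the state first and skipping the send when it is STOPPED.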
@@ -875,10 +881,12 @@ static bool batadv_handle_announce(struct batadv_priv *bat_priv, u8 *an_addr,
 		/* if we have sent a request and the crc was OK,
 		 * we can allow traffic again.
 		 */
-		if (atomic_read(&backbone_gw->request_sent)) {
+		spin_lock_bh(&bat_priv->bla.num_requests_lock);
+		if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_UNSYNCED) {
+			backbone_gw->state = BATADV_BLA_BACKBONE_GW_SYNCED;
 			atomic_dec(&backbone_gw->bat_priv->bla.num_requests);
-			atomic_set(&backbone_gw->request_sent, 0);
 		}
+		spin_unlock_bh(&bat_priv->bla.num_requests_lock);
 	}
 
 	batadv_backbone_gw_put(backbone_gw);
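Review bot: Style: the lock is taken via bat_priv->bla.num_requests_lock while the counter two lines later is decremented via backbone_gw->bat_priv->bla.num_requests; both name the same object, so use one spelling (bat_priv is already in scope here) to make it obvious that the lock protects the counter being modified.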
@@ -1257,9 +1265,13 @@ static void batadv_bla_purge_backbone_gw(struct batadv_priv *bat_priv, int now)
 				purged = true;
 
 				/* don't wait for the pending request anymore */
-				if (atomic_read(&backbone_gw->request_sent))
+				spin_lock_bh(&bat_priv->bla.num_requests_lock);
+				if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_UNSYNCED)
 					atomic_dec(&bat_priv->bla.num_requests);
 
+				backbone_gw->state = BATADV_BLA_BACKBONE_GW_STOPPED;
+				spin_unlock_bh(&bat_priv->bla.num_requests_lock);
+
 				batadv_bla_del_backbone_claims(backbone_gw);
 
 				hlist_del_rcu(&backbone_gw->hash_entry);
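Review bot: The transition to BATADV_BLA_BACKBONE_GW_STOPPED deserves a short comment explaining why it is unconditional and why it must happen before hlist_del_rcu(): a context that already holds a backbone_gw reference may still run batadv_bla_send_request() or the periodic worker after this point, and STOPPED is what stops them from touching bla.num_requests again after the conditional atomic_dec() above. Without the comment, the bare assignment after the conditional decrement reads like an afterthought.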
@@ -1510,7 +1522,7 @@ static void batadv_bla_periodic_work(struct work_struct *work)
 				batadv_bla_send_loopdetect(bat_priv,
 							   backbone_gw);
 
-			/* request_sent is only set after creation to avoid
+			/* state is only set to unsynced after creation to avoid
 			 * problems when we are not yet known as backbone gw
 			 * in the backbone.
 			 *
@@ -1519,14 +1531,21 @@ static void batadv_bla_periodic_work(struct work_struct *work)
 			 * some grace time.
 			 */
 
-			if (atomic_read(&backbone_gw->request_sent) == 0)
-				continue;
+			spin_lock_bh(&bat_priv->bla.num_requests_lock);
+			if (backbone_gw->state != BATADV_BLA_BACKBONE_GW_UNSYNCED)
+				goto unlock_next;
 
-			if (!atomic_dec_and_test(&backbone_gw->wait_periods))
-				continue;
+			if (backbone_gw->wait_periods > 0)
+				backbone_gw->wait_periods--;
+
+			if (backbone_gw->wait_periods > 0)
+				goto unlock_next;
 
+			backbone_gw->state = BATADV_BLA_BACKBONE_GW_SYNCED;
 			atomic_dec(&backbone_gw->bat_priv->bla.num_requests);
-			atomic_set(&backbone_gw->request_sent, 0);
+
+unlock_next:
+			spin_unlock_bh(&bat_priv->bla.num_requests_lock);
 		}
 		rcu_read_unlock();
 	}
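Review bot: Possible behaviour change in the wait_periods handling: batadv_bla_send_request() (earlier hunk) sets the state to UNSYNCED without touching wait_periods, which batadv_bla_get_backbone_gw() initialises to 0. With the old code, atomic_dec_and_test() on 0 yielded -1 and the entry stayed request_sent until an announce arrived; with the new code, wait_periods == 0 falls straight through the two "> 0" checks to the SYNCED transition and the decrement of bla.num_requests on the very next periodic run. If the intent is to keep waiting for the announce in that case, batadv_bla_send_request() should also set wait_periods = BATADV_BLA_WAIT_PERIODS under the lock; if the immediate release is intended, please say so in the commit message.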
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 2758aba47a2f25..f46064333f3343 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -787,6 +787,7 @@ static int batadv_softif_init_late(struct net_device *dev)
 	atomic_set(&bat_priv->tt.ogm_append_cnt, 0);
 #ifdef CONFIG_BATMAN_ADV_BLA
 	atomic_set(&bat_priv->bla.num_requests, 0);
+	spin_lock_init(&bat_priv->bla.num_requests_lock);
 #endif
 	atomic_set(&bat_priv->tp_num, 0);
 
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 0ccd55b251fa26..f703d266780d74 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1091,6 +1091,12 @@ struct batadv_priv_bla {
 	/** @num_requests: number of bla requests in flight */
 	atomic_t num_requests;
 
+	/**
+	 * @num_requests_lock: locks update num_requests +
+	 * batadv_backbone_gw::state + batadv_backbone_gw::wait_periods update
+	 */
+	spinlock_t num_requests_lock;
+
 	/**
 	 * @claim_hash: hash table containing mesh nodes this host has claimed
 	 */
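Review bot: The kernel-doc for @num_requests_lock refers to batadv_backbone_gw::state and batadv_backbone_gw::wait_periods, but the struct is named batadv_bla_backbone_gw (see the struct comment in the next hunk), and the wording "locks update num_requests + ... update" is hard to parse. Suggest: "@num_requests_lock: protects num_requests and the state and wait_periods members of struct batadv_bla_backbone_gw".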
@@ -1825,6 +1831,27 @@ struct batadv_priv {
 
 #ifdef CONFIG_BATMAN_ADV_BLA
 
+enum batadv_bla_backbone_gw_state {
+	/**
+	 * @BATADV_BLA_BACKBONE_GW_STOPPED: backbone gw is being removed
+	 * and it must not longer work on requests
+	 */
+	BATADV_BLA_BACKBONE_GW_STOPPED,
+
+	/**
+	 * @BATADV_BLA_BACKBONE_GW_UNSYNCED: backbone was detected out
+	 * of sync and a request was send. No traffic is forwarded until the
+	 * situation is resolved
+	 */
+	BATADV_BLA_BACKBONE_GW_UNSYNCED,
+
+	/**
+	 * @BATADV_BLA_BACKBONE_GW_SYNCED: backbone is consider to be in
+	 * sync. traffic can be forwarded
+	 */
+	BATADV_BLA_BACKBONE_GW_SYNCED,
+};
+
 /**
  * struct batadv_bla_backbone_gw - batman-adv gateway bridged into the LAN
  */
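Review bot: The new enum has per-member kernel-doc comments but no kernel-doc header of the form "enum batadv_bla_backbone_gw_state - ..." like the "struct batadv_bla_backbone_gw - ..." block right below it, so kernel-doc will not pick the members up; add the header. Also fix the member descriptions: "must not longer work" should be "must no longer work", "a request was send" should be "a request was sent", and "is consider to be in sync. traffic" should be "is considered to be in sync. Traffic".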
@@ -1850,16 +1877,12 @@ struct batadv_bla_backbone_gw {
 	/**
 	 * @wait_periods: grace time for bridge forward delays and bla group
 	 *  forming at bootup phase - no bcast traffic is formwared until it has
-	 *  elapsed
+	 *  elapsed. Must only be access with num_requests_lock.
 	 */
-	atomic_t wait_periods;
+	u8 wait_periods;
 
-	/**
-	 * @request_sent: if this bool is set to true we are out of sync with
-	 *  this backbone gateway - no bcast traffic is formwared until the
-	 *  situation was resolved
-	 */
-	atomic_t request_sent;
+	/** @state: sync state. Must only be access with num_requests_lock. */
+	enum batadv_bla_backbone_gw_state state;
 
 	/** @crc: crc16 checksum over all claims */
 	u16 crc;
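Review bot: Both new comments say "Must only be access with num_requests_lock"; that should read "Must only be accessed with num_requests_lock held". Also, since wait_periods shrinks from atomic_t to u8, a BUILD_BUG_ON or static_assert that BATADV_BLA_WAIT_PERIODS fits in a u8 would prevent a future change of that constant from silently truncating the grace time.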
-- 
2.53.0





* [PATCH 6.18 119/315] Bluetooth: btusb: Allow firmware re-download when version matches
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shuai Zhang, Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>

commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.

The Bluetooth host decides whether to download firmware by reading the
controller firmware download completion flag and firmware version
information.

If a USB error occurs during the firmware download process (for example
due to a USB disconnect), the download is aborted immediately. An
incomplete firmware transfer does not cause the controller to set the
download completion flag, but the firmware version information may be
updated at an early stage of the download process.

In this case, after USB reconnection, the host attempts to re-download
the firmware because the download completion flag is not set. However,
since the controller reports the same firmware version as the target
firmware, the download is skipped. This ultimately results in the
firmware not being properly updated on the controller.

This change removes the restriction that skips firmware download when
the versions are equal. It covers scenarios where the USB connection
can be disconnected at any time and ensures that firmware download can
be retriggered after USB reconnection, allowing the Bluetooth firmware
to be correctly and completely updated.

Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
Cc: stable@vger.kernel.org
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/btusb.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3478,7 +3478,13 @@ static int btusb_setup_qca_load_rampatch
 		    "firmware rome 0x%x build 0x%x",
 		    rver_rom, rver_patch, ver_rom, ver_patch);
 
-	if (rver_rom != ver_rom || rver_patch <= ver_patch) {
+	/* Allow rampatch when the patch version equals the firmware version.
+	 * A firmware download may be aborted by a transient USB error (e.g.
+	 * disconnect) after the controller updates version info but before
+	 * completion.
+	 * Allowing equal versions enables re-flashing during recovery.
+	 */
+	if (rver_rom != ver_rom || rver_patch < ver_patch) {
 		bt_dev_err(hdev, "rampatch file version did not match with firmware");
 		err = -EINVAL;
 		goto done;
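Review bot: With the comparison relaxed from <= to <, the only thing left that prevents re-flashing a controller whose firmware is already complete is the download completion flag check described in the commit message, which lives outside this hunk; the new comment should name that dependency so a reader of this function alone does not conclude that every probe re-downloads the rampatch. The error string "rampatch file version did not match with firmware" is now only reached on a ROM mismatch or when the rampatch file is older than the controller firmware (rver_patch < ver_patch); consider wording it to cover the second case.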




* [PATCH 6.12 109/307] mm/page_alloc: clear page->private in free_pages_prepare()
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mikhail Gavrilov, Zi Yan,
	David Hildenbrand (Arm), Vlastimil Babka, Brendan Jackman,
	Chris Li, Hugh Dickins, Johannes Weiner, Kairui Song,
	Matthew Wilcox (Oracle), Michal Hocko, Nicholas Piggin,
	Suren Baghdasaryan, Andrew Morton, Li Wang, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>

[ Upstream commit ac1ea219590c09572ed5992dc233bbf7bb70fef9 ]

Several subsystems (slub, shmem, ttm, etc.) use page->private but don't
clear it before freeing pages.  When these pages are later allocated as
high-order pages and split via split_page(), tail pages retain stale
page->private values.

This causes a use-after-free in the swap subsystem.  The swap code uses
page->private to track swap count continuations, assuming freshly
allocated pages have page->private == 0.  When stale values are present,
swap_count_continued() incorrectly assumes the continuation list is valid
and iterates over uninitialized page->lru containing LIST_POISON values,
causing a crash:

  KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
  RIP: 0010:__do_sys_swapoff+0x1151/0x1860

Fix this by clearing page->private in free_pages_prepare(), ensuring all
freed pages have clean state regardless of previous use.

Link: https://lkml.kernel.org/r/20260207173615.146159-1-mikhail.v.gavrilov@gmail.com
Fixes: 3b8000ae185c ("mm/vmalloc: huge vmalloc backing pages should be split rather than compound")
Signed-off-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Suggested-by: Zi Yan <ziy@nvidia.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Chris Li <chrisl@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kairui Song <ryncsn@gmail.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[backport: context only]
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/page_alloc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index b1a8abe5005e99..259249a37faf01 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1158,6 +1158,7 @@ __always_inline bool free_pages_prepare(struct page *page,
 
 	page_cpupid_reset_last(page);
 	page->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;
+	page->private = 0;
 	reset_page_owner(page, order);
 	page_table_check_free(page, order);
 	pgalloc_tag_sub(page, 1 << order);
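Review bot: The new page->private = 0 clears only the head page of the freed block, while free_pages_prepare() takes an order and the commit message's failure case is tail pages carrying stale private after split_page(). If free_pages_prepare() has a per-tail-page loop for order > 0 (the hunk only shows the head-page section), the tail pages need the same clearing there; otherwise please confirm that every page that can end up as a tail of a later high-order allocation is guaranteed to pass through this path as an order-0 free.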
-- 
2.53.0





* [PATCH 6.18 120/315] hpfs: fix a crash if hpfs_map_dnode_bitmap fails
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Farhad Alemi

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 974820a59efde7c1a7e1260bcfe9bb81f833cc9f upstream.

If hpfs_map_dnode_bitmap fails, the code would call hpfs_brelse4 on an
uninitialized quad buffer head, causing a crash.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hpfs/alloc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/hpfs/alloc.c
+++ b/fs/hpfs/alloc.c
@@ -372,8 +372,8 @@ int hpfs_check_free_dnodes(struct super_
 				return 0;
 			}
 		}
+		hpfs_brelse4(&qbh);
 	}
-	hpfs_brelse4(&qbh);
 	i = 0;
 	if (hpfs_sb(s)->sb_c_bitmap != -1) {
 		bmp = hpfs_map_bitmap(s, b, &qbh, "chkdn1");
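Review bot: The "return 0;" at the top of the hunk sits inside the loop body that now owns the hpfs_brelse4(&qbh) call; if that early return is reached after a successful hpfs_map_dnode_bitmap() mapping, the quad buffer head is not released on that path (the old release after the loop was skipped by it as well, so this would be pre-existing rather than introduced here). Worth checking that the return path releases qbh, or restructuring so the release sits on a common exit.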




* [PATCH 6.12 110/307] media: rc: fix race between unregister and urb/irq callbacks
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Patrice Chotard,
	Sean Young, Hans Verkuil, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Young <sean@mess.org>

[ Upstream commit dccc0c3ddf8f16071736f98a7d6dd46a2d43e037 ]

Some rc device drivers have a race condition between rc_unregister_device()
and irq or urb callbacks. This is because rc_unregister_device() does two
things: it marks the device as unregistered so no new commands can be
issued and then it calls rc_free_device(). This means the driver has no
chance to cancel any pending urb callbacks or interrupts after the device
has been marked as unregistered. Those callbacks may access struct rc_dev
or its members (e.g. struct ir_raw_event_ctrl), which have been freed by
rc_free_device().

This change removes the implicit call to rc_free_device() from
rc_unregister_device(). This means that device drivers can call
rc_unregister_device() in their remove or disconnect function, then cancel
all the urbs and interrupts before explicitly calling rc_free_device().

Note this is an alternative fix for an issue found by Haotian Zhang, see
the Closes: tags.

Reported-by: Haotian Zhang <vulab@iscas.ac.cn>
Closes: https://lore.kernel.org/linux-media/20251114101432.2566-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114101418.2548-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114101346.2530-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114090605.2413-1-vulab@iscas.ac.cn/
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Stable-dep-of: 646ebdd31058 ("media: rc: ttusbir: fix inverted error logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/bridge/sil-sii8620.c        | 1 +
 drivers/hid/hid-picolcd_cir.c               | 1 +
 drivers/media/cec/core/cec-core.c           | 2 +-
 drivers/media/common/siano/smsir.c          | 1 +
 drivers/media/i2c/ir-kbd-i2c.c              | 2 ++
 drivers/media/pci/bt8xx/bttv-input.c        | 3 ++-
 drivers/media/pci/cx23885/cx23885-input.c   | 1 +
 drivers/media/pci/cx88/cx88-input.c         | 3 ++-
 drivers/media/pci/dm1105/dm1105.c           | 1 +
 drivers/media/pci/mantis/mantis_input.c     | 1 +
 drivers/media/pci/saa7134/saa7134-input.c   | 1 +
 drivers/media/pci/smipcie/smipcie-ir.c      | 1 +
 drivers/media/pci/ttpci/budget-ci.c         | 1 +
 drivers/media/rc/ati_remote.c               | 6 +++---
 drivers/media/rc/ene_ir.c                   | 2 +-
 drivers/media/rc/fintek-cir.c               | 3 ++-
 drivers/media/rc/igorplugusb.c              | 1 +
 drivers/media/rc/iguanair.c                 | 1 +
 drivers/media/rc/img-ir/img-ir-hw.c         | 3 ++-
 drivers/media/rc/img-ir/img-ir-raw.c        | 3 ++-
 drivers/media/rc/imon.c                     | 3 ++-
 drivers/media/rc/ir-hix5hd2.c               | 2 +-
 drivers/media/rc/ir_toy.c                   | 1 +
 drivers/media/rc/ite-cir.c                  | 2 +-
 drivers/media/rc/mceusb.c                   | 1 +
 drivers/media/rc/rc-ir-raw.c                | 5 -----
 drivers/media/rc/rc-loopback.c              | 1 +
 drivers/media/rc/rc-main.c                  | 6 +-----
 drivers/media/rc/redrat3.c                  | 4 +++-
 drivers/media/rc/st_rc.c                    | 2 +-
 drivers/media/rc/streamzap.c                | 7 ++++---
 drivers/media/rc/sunxi-cir.c                | 1 +
 drivers/media/rc/ttusbir.c                  | 2 +-
 drivers/media/rc/winbond-cir.c              | 2 +-
 drivers/media/rc/xbox_remote.c              | 5 +++--
 drivers/media/usb/au0828/au0828-input.c     | 1 +
 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 1 +
 drivers/media/usb/dvb-usb/dvb-usb-remote.c  | 6 ++++--
 drivers/media/usb/em28xx/em28xx-input.c     | 1 +
 drivers/staging/media/av7110/av7110_ir.c    | 1 +
 include/media/rc-core.h                     | 2 --
 41 files changed, 58 insertions(+), 36 deletions(-)

diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
index 26b8d137bce096..2baeb1c5301ead 100644
--- a/drivers/gpu/drm/bridge/sil-sii8620.c
+++ b/drivers/gpu/drm/bridge/sil-sii8620.c
@@ -2220,6 +2220,7 @@ static void sii8620_detach(struct drm_bridge *bridge)
 		return;
 
 	rc_unregister_device(ctx->rc_dev);
+	rc_free_device(ctx->rc_dev);
 }
 
 static int sii8620_is_packing_required(struct sii8620 *ctx,
diff --git a/drivers/hid/hid-picolcd_cir.c b/drivers/hid/hid-picolcd_cir.c
index d6faa0e00f95ac..6d4c636e1c9f7e 100644
--- a/drivers/hid/hid-picolcd_cir.c
+++ b/drivers/hid/hid-picolcd_cir.c
@@ -134,5 +134,6 @@ void picolcd_exit_cir(struct picolcd_data *data)
 
 	data->rc_dev = NULL;
 	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 }
 
diff --git a/drivers/media/cec/core/cec-core.c b/drivers/media/cec/core/cec-core.c
index 865d86f34add0e..b3c0710eb5b18d 100644
--- a/drivers/media/cec/core/cec-core.c
+++ b/drivers/media/cec/core/cec-core.c
@@ -337,8 +337,8 @@ int cec_register_adapter(struct cec_adapter *adap,
 	res = cec_devnode_register(&adap->devnode, adap->owner);
 	if (res) {
 #ifdef CONFIG_MEDIA_CEC_RC
-		/* Note: rc_unregister also calls rc_free */
 		rc_unregister_device(adap->rc);
+		rc_free_device(adap->rc);
 		adap->rc = NULL;
 #endif
 		return res;
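Review bot: The diffstat lists this as the only change in cec-core.c, so if cec-core has another rc_unregister_device() caller (the adapter delete path, for instance) that relied on the removed "rc_unregister also calls rc_free" behaviour, it now leaks the rc_dev. Please double-check that every caller was converted; the old implicit free made a missing rc_free_device() call invisible.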
diff --git a/drivers/media/common/siano/smsir.c b/drivers/media/common/siano/smsir.c
index d85c78c104b990..5f4c0aa7a0d72a 100644
--- a/drivers/media/common/siano/smsir.c
+++ b/drivers/media/common/siano/smsir.c
@@ -92,6 +92,7 @@ int sms_ir_init(struct smscore_device_t *coredev)
 void sms_ir_exit(struct smscore_device_t *coredev)
 {
 	rc_unregister_device(coredev->ir.dev);
+	rc_free_device(coredev->ir.dev);
 
 	pr_debug("\n");
 }
diff --git a/drivers/media/i2c/ir-kbd-i2c.c b/drivers/media/i2c/ir-kbd-i2c.c
index 5588cdd7ec20de..60474531700433 100644
--- a/drivers/media/i2c/ir-kbd-i2c.c
+++ b/drivers/media/i2c/ir-kbd-i2c.c
@@ -355,6 +355,7 @@ static void ir_work(struct work_struct *work)
 		mutex_unlock(&ir->lock);
 		if (rc == -ENODEV) {
 			rc_unregister_device(ir->rc);
+			rc_free_device(ir->rc);
 			ir->rc = NULL;
 			return;
 		}
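Review bot: In ir_work() the rc_free_device() now runs from the driver's own polling work item, right after mutex_unlock(&ir->lock) and before the ir->rc = NULL store; given the commit's rationale (cancel all callbacks before freeing), please confirm that nothing else can dereference ir->rc in that window, in particular an ir_remove() (next hunk) racing with this -ENODEV path, since both unregister and free the same pointer.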
@@ -972,6 +973,7 @@ static void ir_remove(struct i2c_client *client)
 	i2c_unregister_device(ir->tx_c);
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 }
 
 static const struct i2c_device_id ir_kbd_id[] = {
diff --git a/drivers/media/pci/bt8xx/bttv-input.c b/drivers/media/pci/bt8xx/bttv-input.c
index 41226f1d0e5b64..d70e6282c48b2e 100644
--- a/drivers/media/pci/bt8xx/bttv-input.c
+++ b/drivers/media/pci/bt8xx/bttv-input.c
@@ -572,8 +572,9 @@ void bttv_input_fini(struct bttv *btv)
 	if (btv->remote == NULL)
 		return;
 
-	bttv_ir_stop(btv);
 	rc_unregister_device(btv->remote->dev);
+	bttv_ir_stop(btv);
+	rc_free_device(btv->remote->dev);
 	kfree(btv->remote);
 	btv->remote = NULL;
 }
diff --git a/drivers/media/pci/cx23885/cx23885-input.c b/drivers/media/pci/cx23885/cx23885-input.c
index d2e84c6457e0ab..722329ef3fd2cc 100644
--- a/drivers/media/pci/cx23885/cx23885-input.c
+++ b/drivers/media/pci/cx23885/cx23885-input.c
@@ -402,6 +402,7 @@ void cx23885_input_fini(struct cx23885_dev *dev)
 	if (dev->kernel_ir == NULL)
 		return;
 	rc_unregister_device(dev->kernel_ir->rc);
+	rc_free_device(dev->kernel_ir->rc);
 	kfree(dev->kernel_ir->phys);
 	kfree(dev->kernel_ir->name);
 	kfree(dev->kernel_ir);
diff --git a/drivers/media/pci/cx88/cx88-input.c b/drivers/media/pci/cx88/cx88-input.c
index a04a1d33fadb1b..74a8769dd6c79c 100644
--- a/drivers/media/pci/cx88/cx88-input.c
+++ b/drivers/media/pci/cx88/cx88-input.c
@@ -510,8 +510,9 @@ int cx88_ir_fini(struct cx88_core *core)
 	if (!ir)
 		return 0;
 
-	cx88_ir_stop(core);
 	rc_unregister_device(ir->dev);
+	cx88_ir_stop(core);
+	rc_free_device(ir->dev);
 	kfree(ir);
 
 	/* done */
diff --git a/drivers/media/pci/dm1105/dm1105.c b/drivers/media/pci/dm1105/dm1105.c
index 9e9c7c071accce..e1185aa669f480 100644
--- a/drivers/media/pci/dm1105/dm1105.c
+++ b/drivers/media/pci/dm1105/dm1105.c
@@ -763,6 +763,7 @@ static int dm1105_ir_init(struct dm1105_dev *dm1105)
 static void dm1105_ir_exit(struct dm1105_dev *dm1105)
 {
 	rc_unregister_device(dm1105->ir.dev);
+	rc_free_device(dm1105->ir.dev);
 }
 
 static int dm1105_hw_init(struct dm1105_dev *dev)
diff --git a/drivers/media/pci/mantis/mantis_input.c b/drivers/media/pci/mantis/mantis_input.c
index 34c0d979240fda..edb4cacf55d229 100644
--- a/drivers/media/pci/mantis/mantis_input.c
+++ b/drivers/media/pci/mantis/mantis_input.c
@@ -72,5 +72,6 @@ EXPORT_SYMBOL_GPL(mantis_input_init);
 void mantis_input_exit(struct mantis_pci *mantis)
 {
 	rc_unregister_device(mantis->rc);
+	rc_free_device(mantis->rc);
 }
 EXPORT_SYMBOL_GPL(mantis_input_exit);
diff --git a/drivers/media/pci/saa7134/saa7134-input.c b/drivers/media/pci/saa7134/saa7134-input.c
index 8610eb473b39e1..8a0f26d94d1de8 100644
--- a/drivers/media/pci/saa7134/saa7134-input.c
+++ b/drivers/media/pci/saa7134/saa7134-input.c
@@ -834,6 +834,7 @@ void saa7134_input_fini(struct saa7134_dev *dev)
 		return;
 
 	rc_unregister_device(dev->remote->dev);
+	rc_free_device(dev->remote->dev);
 	kfree(dev->remote);
 	dev->remote = NULL;
 }
diff --git a/drivers/media/pci/smipcie/smipcie-ir.c b/drivers/media/pci/smipcie/smipcie-ir.c
index c0604d9c70119a..0bbe4fa2d5a84e 100644
--- a/drivers/media/pci/smipcie/smipcie-ir.c
+++ b/drivers/media/pci/smipcie/smipcie-ir.c
@@ -181,5 +181,6 @@ void smi_ir_exit(struct smi_dev *dev)
 
 	rc_unregister_device(rc_dev);
 	smi_ir_stop(ir);
+	rc_free_device(rc_dev);
 	ir->rc_dev = NULL;
 }
diff --git a/drivers/media/pci/ttpci/budget-ci.c b/drivers/media/pci/ttpci/budget-ci.c
index 33f08adf4feb10..16973ac8e6a920 100644
--- a/drivers/media/pci/ttpci/budget-ci.c
+++ b/drivers/media/pci/ttpci/budget-ci.c
@@ -249,6 +249,7 @@ static void msp430_ir_deinit(struct budget_ci *budget_ci)
 	cancel_work_sync(&budget_ci->ir.msp430_irq_bh_work);
 
 	rc_unregister_device(budget_ci->ir.dev);
+	rc_free_device(budget_ci->ir.dev);
 }
 
 static int ciintf_read_attribute_mem(struct dvb_ca_en50221 *ca, int slot, int address)
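Review bot: The ordering here is the reverse of what the commit message prescribes: cancel_work_sync(&budget_ci->ir.msp430_irq_bh_work) runs before rc_unregister_device(), so a work item queued between the two calls can still run against a registered device and then race the rc_free_device() that follows. Consider moving rc_unregister_device() above cancel_work_sync(), as done for bttv, cx88 and fintek in this series, unless the interrupt source is already quiesced before this point.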
diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c
index d7721e60776edd..46d1844f5c9873 100644
--- a/drivers/media/rc/ati_remote.c
+++ b/drivers/media/rc/ati_remote.c
@@ -921,7 +921,6 @@ static int ati_remote_probe(struct usb_interface *interface,
 	input_free_device(input_dev);
  exit_unregister_device:
 	rc_unregister_device(rc_dev);
-	rc_dev = NULL;
  exit_kill_urbs:
 	usb_kill_urb(ati_remote->irq_urb);
 	usb_kill_urb(ati_remote->out_urb);
@@ -941,18 +940,19 @@ static void ati_remote_disconnect(struct usb_interface *interface)
 	struct ati_remote *ati_remote;
 
 	ati_remote = usb_get_intfdata(interface);
-	usb_set_intfdata(interface, NULL);
 	if (!ati_remote) {
 		dev_warn(&interface->dev, "%s - null device?\n", __func__);
 		return;
 	}
 
+	rc_unregister_device(ati_remote->rdev);
+	usb_set_intfdata(interface, NULL);
 	usb_kill_urb(ati_remote->irq_urb);
 	usb_kill_urb(ati_remote->out_urb);
 	if (ati_remote->idev)
 		input_unregister_device(ati_remote->idev);
-	rc_unregister_device(ati_remote->rdev);
 	ati_remote_free_buffers(ati_remote);
+	rc_free_device(ati_remote->rdev);
 	kfree(ati_remote);
 }
 
diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c
index 67722e2e47ff78..3fd51a41c3b2b6 100644
--- a/drivers/media/rc/ene_ir.c
+++ b/drivers/media/rc/ene_ir.c
@@ -1090,7 +1090,6 @@ static int ene_probe(struct pnp_dev *pnp_dev, const struct pnp_device_id *id)
 	release_region(dev->hw_io, ENE_IO_SIZE);
 exit_unregister_device:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 exit_free_dev_rdev:
 	rc_free_device(rdev);
 	kfree(dev);
@@ -1110,6 +1109,7 @@ static void ene_remove(struct pnp_dev *pnp_dev)
 	ene_rx_restore_hw_buffer(dev);
 	spin_unlock_irqrestore(&dev->hw_lock, flags);
 
+	rc_free_device(dev->rdev);
 	free_irq(dev->irq, dev);
 	release_region(dev->hw_io, ENE_IO_SIZE);
 	kfree(dev);
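Review bot: rc_free_device(dev->rdev) is placed before free_irq(dev->irq, dev), so the interrupt handler can still fire and touch dev->rdev after it has been freed, which is exactly the use-after-free class this series sets out to close. Move the rc_free_device() call below free_irq() (after release_region() is fine too), next to the kfree(dev).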
diff --git a/drivers/media/rc/fintek-cir.c b/drivers/media/rc/fintek-cir.c
index 3fb0968efd57d3..9b789097cdd4c3 100644
--- a/drivers/media/rc/fintek-cir.c
+++ b/drivers/media/rc/fintek-cir.c
@@ -568,6 +568,7 @@ static void fintek_remove(struct pnp_dev *pdev)
 	struct fintek_dev *fintek = pnp_get_drvdata(pdev);
 	unsigned long flags;
 
+	rc_unregister_device(fintek->rdev);
 	spin_lock_irqsave(&fintek->fintek_lock, flags);
 	/* disable CIR */
 	fintek_disable_cir(fintek);
@@ -580,7 +581,7 @@ static void fintek_remove(struct pnp_dev *pdev)
 	free_irq(fintek->cir_irq, fintek);
 	release_region(fintek->cir_addr, fintek->cir_port_len);
 
-	rc_unregister_device(fintek->rdev);
+	rc_free_device(fintek->rdev);
 
 	kfree(fintek);
 }
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index f3616607d4f52b..8bf059b9a31b45 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -247,6 +247,7 @@ static void igorplugusb_disconnect(struct usb_interface *intf)
 	usb_set_intfdata(intf, NULL);
 	usb_unpoison_urb(ir->urb);
 	usb_free_urb(ir->urb);
+	rc_free_device(ir->rc);
 	kfree(ir->buf_in);
 	kfree(ir->request);
 }
diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
index 8af94246e5916e..7bd6dd7254157a 100644
--- a/drivers/media/rc/iguanair.c
+++ b/drivers/media/rc/iguanair.c
@@ -500,6 +500,7 @@ static void iguanair_disconnect(struct usb_interface *intf)
 	usb_set_intfdata(intf, NULL);
 	usb_kill_urb(ir->urb_in);
 	usb_kill_urb(ir->urb_out);
+	rc_free_device(ir->rc);
 	usb_free_urb(ir->urb_in);
 	usb_free_urb(ir->urb_out);
 	usb_free_coherent(ir->udev, MAX_IN_PACKET, ir->buf_in, ir->dma_in);
diff --git a/drivers/media/rc/img-ir/img-ir-hw.c b/drivers/media/rc/img-ir/img-ir-hw.c
index 5da7479c1793b1..07f41372976eaf 100644
--- a/drivers/media/rc/img-ir/img-ir-hw.c
+++ b/drivers/media/rc/img-ir/img-ir-hw.c
@@ -1117,9 +1117,10 @@ void img_ir_remove_hw(struct img_ir_priv *priv)
 	struct rc_dev *rdev = hw->rdev;
 	if (!rdev)
 		return;
+	rc_unregister_device(rdev);
 	img_ir_set_decoder(priv, NULL, 0);
 	hw->rdev = NULL;
-	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 #ifdef CONFIG_COMMON_CLK
 	if (!IS_ERR(priv->clk))
 		clk_notifier_unregister(priv->clk, &hw->clk_nb);
diff --git a/drivers/media/rc/img-ir/img-ir-raw.c b/drivers/media/rc/img-ir/img-ir-raw.c
index 8b0bdd9603b3c5..533d40dae54224 100644
--- a/drivers/media/rc/img-ir/img-ir-raw.c
+++ b/drivers/media/rc/img-ir/img-ir-raw.c
@@ -136,6 +136,7 @@ void img_ir_remove_raw(struct img_ir_priv *priv)
 	if (!rdev)
 		return;
 
+	rc_unregister_device(rdev);
 	/* switch off and disable raw (edge) interrupts */
 	spin_lock_irq(&priv->lock);
 	raw->rdev = NULL;
@@ -145,7 +146,7 @@ void img_ir_remove_raw(struct img_ir_priv *priv)
 	img_ir_write(priv, IMG_IR_IRQ_CLEAR, IMG_IR_IRQ_EDGE);
 	spin_unlock_irq(&priv->lock);
 
-	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 
 	del_timer_sync(&raw->timer);
 }
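Review bot: rc_free_device(rdev) now sits before del_timer_sync(&raw->timer); raw->rdev was cleared under priv->lock in the previous hunk, which may make this safe, but the timer itself is only stopped after the free. To match the unregister, cancel, free order the commit message describes, move rc_free_device() after del_timer_sync().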
diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index ddb1304cb77b82..cb9bd5a6ff54f7 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -2546,9 +2546,10 @@ static void imon_disconnect(struct usb_interface *interface)
 
 	if (ifnum == 0) {
 		ictx->dev_present_intf0 = false;
+		rc_unregister_device(ictx->rdev);
 		usb_kill_urb(ictx->rx_urb_intf0);
 		input_unregister_device(ictx->idev);
-		rc_unregister_device(ictx->rdev);
+		rc_free_device(ictx->rdev);
 		if (ictx->display_supported) {
 			if (ictx->display_type == IMON_DISPLAY_TYPE_LCD)
 				usb_deregister_dev(interface, &imon_lcd_class);
diff --git a/drivers/media/rc/ir-hix5hd2.c b/drivers/media/rc/ir-hix5hd2.c
index de5bb9a08ea4c0..1604679fa2c807 100644
--- a/drivers/media/rc/ir-hix5hd2.c
+++ b/drivers/media/rc/ir-hix5hd2.c
@@ -331,7 +331,6 @@ static int hix5hd2_ir_probe(struct platform_device *pdev)
 
 regerr:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 clkerr:
 	clk_disable_unprepare(priv->clock);
 err:
@@ -346,6 +345,7 @@ static void hix5hd2_ir_remove(struct platform_device *pdev)
 
 	clk_disable_unprepare(priv->clock);
 	rc_unregister_device(priv->rdev);
+	rc_free_device(priv->rdev);
 }
 
 #ifdef CONFIG_PM_SLEEP
diff --git a/drivers/media/rc/ir_toy.c b/drivers/media/rc/ir_toy.c
index 533faa11751744..e79de56997a426 100644
--- a/drivers/media/rc/ir_toy.c
+++ b/drivers/media/rc/ir_toy.c
@@ -536,6 +536,7 @@ static void irtoy_disconnect(struct usb_interface *intf)
 	usb_free_urb(ir->urb_out);
 	usb_kill_urb(ir->urb_in);
 	usb_free_urb(ir->urb_in);
+	rc_free_device(ir->rc);
 	kfree(ir->in);
 	kfree(ir->out);
 	kfree(ir);
diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
index 2bacecb022623e..23afbafb557488 100644
--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -1414,7 +1414,6 @@ static int ite_probe(struct pnp_dev *pdev, const struct pnp_device_id
 	release_region(itdev->cir_addr, itdev->params->io_region_size);
 exit_unregister_device:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 exit_free_dev_rdev:
 	rc_free_device(rdev);
 	kfree(itdev);
@@ -1439,6 +1438,7 @@ static void ite_remove(struct pnp_dev *pdev)
 	release_region(dev->cir_addr, dev->params->io_region_size);
 
 	rc_unregister_device(dev->rdev);
+	rc_free_device(dev->rdev);
 
 	kfree(dev);
 }
diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index cd7af4d88b7f77..bf93b94d337fea 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1851,6 +1851,7 @@ static void mceusb_dev_disconnect(struct usb_interface *intf)
 	usb_free_urb(ir->urb_in);
 	usb_free_coherent(dev, ir->len_in, ir->buf_in, ir->dma_in);
 	usb_put_dev(dev);
+	rc_free_device(ir->rc);
 
 	kfree(ir);
 }
diff --git a/drivers/media/rc/rc-ir-raw.c b/drivers/media/rc/rc-ir-raw.c
index 16e33d7eaaa2d8..dd70f8ad526642 100644
--- a/drivers/media/rc/rc-ir-raw.c
+++ b/drivers/media/rc/rc-ir-raw.c
@@ -647,9 +647,6 @@ int ir_raw_event_register(struct rc_dev *dev)
 
 void ir_raw_event_free(struct rc_dev *dev)
 {
-	if (!dev)
-		return;
-
 	kfree(dev->raw);
 	dev->raw = NULL;
 }
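Review bot: removing the NULL check is fine only as long as ir_raw_event_free() is never handed a NULL dev; with the call in ir_raw_event_unregister() removed further down, the only caller left in this patch is rc_dev_release(), which always has a live rc_dev, so that holds. The function remains non-static, though, so a one-line comment stating that dev must be non-NULL (or a WARN_ON_ONCE) would stop a future caller from reintroducing the crash.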
@@ -673,8 +670,6 @@ void ir_raw_event_unregister(struct rc_dev *dev)
 
 	lirc_bpf_free(dev);
 
-	ir_raw_event_free(dev);
-
 	/*
 	 * A user can be calling bpf(BPF_PROG_{QUERY|ATTACH|DETACH}), so
 	 * ensure that the raw member is null on unlock; this is how
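Review bot: the comment immediately below the removed lines still says the raw member must be NULL on unlock for the sake of concurrent bpf(BPF_PROG_{QUERY|ATTACH|DETACH}) callers, but after this change dev->raw is no longer cleared here and only goes away in rc_dev_release(). Either the comment is now stale and should be rewritten to describe whatever lirc_bpf_free() leaves behind, or the BPF paths still key off dev->raw == NULL and this hunk has removed that guarantee; worth checking which before merging.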
diff --git a/drivers/media/rc/rc-loopback.c b/drivers/media/rc/rc-loopback.c
index 8288366f891fc9..a108b057b5fd56 100644
--- a/drivers/media/rc/rc-loopback.c
+++ b/drivers/media/rc/rc-loopback.c
@@ -263,6 +263,7 @@ static int __init loop_init(void)
 static void __exit loop_exit(void)
 {
 	rc_unregister_device(loopdev.dev);
+	rc_free_device(loopdev.dev);
 }
 
 module_init(loop_init);
diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index a4c539b17cf344..a4c0ec06ee6aa3 100644
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1611,6 +1611,7 @@ static void rc_dev_release(struct device *device)
 {
 	struct rc_dev *dev = to_rc_dev(device);
 
+	ir_raw_event_free(dev);
 	kfree(dev);
 }
 
@@ -1773,7 +1774,6 @@ struct rc_dev *devm_rc_allocate_device(struct device *dev,
 	}
 
 	rc->dev.parent = dev;
-	rc->managed_alloc = true;
 	*dr = rc;
 	devres_add(dev, dr);
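Review bot: with managed_alloc gone, the devres release registered for *dr (not in this hunk) is the only thing that frees a devm-allocated rc_dev, and it must now call rc_free_device() itself since rc_unregister_device() no longer does; likewise the release action behind devm_rc_register_device() must only unregister, otherwise a devm device is freed twice. Neither function is touched in this diff, so a quick read of both is needed to confirm the new pairing.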
 
@@ -2042,11 +2042,7 @@ void rc_unregister_device(struct rc_dev *dev)
 	device_del(&dev->dev);
 
 	ida_free(&rc_ida, dev->minor);
-
-	if (!dev->managed_alloc)
-		rc_free_device(dev);
 }
-
 EXPORT_SYMBOL_GPL(rc_unregister_device);
 
 /*
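Review bot: this changes the contract of an exported API: rc_unregister_device() no longer frees the device for non-devm callers, so every caller that relied on the old behaviour and is not converted in this patch now leaks an rc_dev, and every converted caller must pair it with rc_free_device(). The rc-core.h hunk in this patch only removes the managed_alloc kerneldoc; the rc_unregister_device()/rc_free_device() documentation should say explicitly that unregister does not free, that free must follow unregister, and whether rc_free_device() may be called on a device that was never registered, which the probe error paths depend on.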
diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c
index a49173f54a4d0e..b8289327f6a206 100644
--- a/drivers/media/rc/redrat3.c
+++ b/drivers/media/rc/redrat3.c
@@ -1133,11 +1133,13 @@ static void redrat3_dev_disconnect(struct usb_interface *intf)
 {
 	struct usb_device *udev = interface_to_usbdev(intf);
 	struct redrat3_dev *rr3 = usb_get_intfdata(intf);
+	struct rc_dev *rc = rr3->rc;
 
 	usb_set_intfdata(intf, NULL);
-	rc_unregister_device(rr3->rc);
+	rc_unregister_device(rc);
 	led_classdev_unregister(&rr3->led);
 	redrat3_delete(rr3, udev);
+	rc_free_device(rc);
 }
 
 static int redrat3_dev_suspend(struct usb_interface *intf, pm_message_t message)
diff --git a/drivers/media/rc/st_rc.c b/drivers/media/rc/st_rc.c
index fd2f056f287b25..79aad3d7f69f0d 100644
--- a/drivers/media/rc/st_rc.c
+++ b/drivers/media/rc/st_rc.c
@@ -203,6 +203,7 @@ static void st_rc_remove(struct platform_device *pdev)
 	device_init_wakeup(&pdev->dev, false);
 	clk_disable_unprepare(rc_dev->sys_clock);
 	rc_unregister_device(rc_dev->rdev);
+	rc_free_device(rc_dev->rdev);
 }
 
 static int st_rc_open(struct rc_dev *rdev)
@@ -334,7 +335,6 @@ static int st_rc_probe(struct platform_device *pdev)
 	return ret;
 rcerr:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 clkerr:
 	clk_disable_unprepare(rc_dev->sys_clock);
 err:
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index 8e9b156e430022..8c85b9f30a3a96 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -392,15 +392,16 @@ static void streamzap_disconnect(struct usb_interface *interface)
 	struct streamzap_ir *sz = usb_get_intfdata(interface);
 	struct usb_device *usbdev = interface_to_usbdev(interface);
 
-	usb_set_intfdata(interface, NULL);
-
 	if (!sz)
 		return;
 
-	usb_kill_urb(sz->urb_in);
 	rc_unregister_device(sz->rdev);
+	usb_set_intfdata(interface, NULL);
+
+	usb_kill_urb(sz->urb_in);
 	usb_free_urb(sz->urb_in);
 	usb_free_coherent(usbdev, sz->buf_in_len, sz->buf_in, sz->dma_in);
+	rc_free_device(sz->rdev);
 
 	kfree(sz);
 }
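Review bot: the reordering moves rc_unregister_device() ahead of both usb_set_intfdata(NULL) and usb_kill_urb() with no comment explaining why, so a future cleanup could easily undo it; the same silent reordering appears in xbox_remote.c. Add a short comment stating the reason (presumably matching the "fix race between unregister and urb/irq callbacks" change elsewhere in this review cycle) and noting that rc_free_device() must stay after usb_kill_urb() so the completion handler never sees freed memory.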
diff --git a/drivers/media/rc/sunxi-cir.c b/drivers/media/rc/sunxi-cir.c
index b49df8355e6b39..448d453cfda934 100644
--- a/drivers/media/rc/sunxi-cir.c
+++ b/drivers/media/rc/sunxi-cir.c
@@ -371,6 +371,7 @@ static void sunxi_ir_remove(struct platform_device *pdev)
 	struct sunxi_ir *ir = platform_get_drvdata(pdev);
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 	sunxi_ir_hw_exit(&pdev->dev);
 }
 
diff --git a/drivers/media/rc/ttusbir.c b/drivers/media/rc/ttusbir.c
index dde446a95eaa93..a670d4b008cb0d 100644
--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -336,7 +336,6 @@ static int ttusbir_probe(struct usb_interface *intf,
 	return 0;
 out3:
 	rc_unregister_device(rc);
-	rc = NULL;
 out2:
 	led_classdev_unregister(&tt->led);
 out:
@@ -378,6 +377,7 @@ static void ttusbir_disconnect(struct usb_interface *intf)
 	usb_kill_urb(tt->bulk_urb);
 	usb_free_urb(tt->bulk_urb);
 	kfree(tt->bulk_buffer);
+	rc_free_device(tt->rc);
 	usb_set_intfdata(intf, NULL);
 	kfree(tt);
 }
diff --git a/drivers/media/rc/winbond-cir.c b/drivers/media/rc/winbond-cir.c
index 25884a79985c8a..14d8b58e283980 100644
--- a/drivers/media/rc/winbond-cir.c
+++ b/drivers/media/rc/winbond-cir.c
@@ -1132,7 +1132,6 @@ wbcir_probe(struct pnp_dev *device, const struct pnp_device_id *dev_id)
 	release_region(data->wbase, WAKEUP_IOMEM_LEN);
 exit_unregister_device:
 	rc_unregister_device(data->dev);
-	data->dev = NULL;
 exit_free_rc:
 	rc_free_device(data->dev);
 exit_unregister_led:
@@ -1163,6 +1162,7 @@ wbcir_remove(struct pnp_dev *device)
 	wbcir_set_bits(data->wbase + WBCIR_REG_WCEIR_EV_EN, 0x00, 0x07);
 
 	rc_unregister_device(data->dev);
+	rc_free_device(data->dev);
 
 	led_classdev_unregister(&data->led);
 
diff --git a/drivers/media/rc/xbox_remote.c b/drivers/media/rc/xbox_remote.c
index 0c9c855ced729c..80b7c247932a8f 100644
--- a/drivers/media/rc/xbox_remote.c
+++ b/drivers/media/rc/xbox_remote.c
@@ -283,14 +283,15 @@ static void xbox_remote_disconnect(struct usb_interface *interface)
 	struct xbox_remote *xbox_remote;
 
 	xbox_remote = usb_get_intfdata(interface);
-	usb_set_intfdata(interface, NULL);
 	if (!xbox_remote) {
 		dev_warn(&interface->dev, "%s - null device?\n", __func__);
 		return;
 	}
 
-	usb_kill_urb(xbox_remote->irq_urb);
 	rc_unregister_device(xbox_remote->rdev);
+	usb_set_intfdata(interface, NULL);
+	usb_kill_urb(xbox_remote->irq_urb);
+	rc_free_device(xbox_remote->rdev);
 	usb_free_urb(xbox_remote->irq_urb);
 	kfree(xbox_remote->inbuf);
 	kfree(xbox_remote);
diff --git a/drivers/media/usb/au0828/au0828-input.c b/drivers/media/usb/au0828/au0828-input.c
index 3d3368202cd018..283ad2c6288cd5 100644
--- a/drivers/media/usb/au0828/au0828-input.c
+++ b/drivers/media/usb/au0828/au0828-input.c
@@ -357,6 +357,7 @@ void au0828_rc_unregister(struct au0828_dev *dev)
 		return;
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 
 	/* done */
 	kfree(ir);
diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
index f1c79f351ec8de..17e8961179d14b 100644
--- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
@@ -187,6 +187,7 @@ static int dvb_usbv2_remote_exit(struct dvb_usb_device *d)
 	if (d->rc_dev) {
 		cancel_delayed_work_sync(&d->rc_query_work);
 		rc_unregister_device(d->rc_dev);
+		rc_free_device(d->rc_dev);
 		d->rc_dev = NULL;
 	}
 
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-remote.c b/drivers/media/usb/dvb-usb/dvb-usb-remote.c
index 65e2c9e2cdc99f..6dc11718dfb985 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-remote.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-remote.c
@@ -347,10 +347,12 @@ int dvb_usb_remote_exit(struct dvb_usb_device *d)
 {
 	if (d->state & DVB_USB_STATE_REMOTE) {
 		cancel_delayed_work_sync(&d->rc_query_work);
-		if (d->props.rc.mode == DVB_RC_LEGACY)
+		if (d->props.rc.mode == DVB_RC_LEGACY) {
 			input_unregister_device(d->input_dev);
-		else
+		} else {
 			rc_unregister_device(d->rc_dev);
+			rc_free_device(d->rc_dev);
+		}
 	}
 	d->state &= ~DVB_USB_STATE_REMOTE;
 	return 0;
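Review bot: d->rc_dev is left pointing at the freed device; the v2 counterpart in dvb_usb_core.c sets d->rc_dev = NULL right after rc_free_device(), and the same should be done here so any later reader of d->rc_dev sees NULL rather than a dangling pointer.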
diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
index 5f3b00869bdbc9..26f333b5be7325 100644
--- a/drivers/media/usb/em28xx/em28xx-input.c
+++ b/drivers/media/usb/em28xx/em28xx-input.c
@@ -853,6 +853,7 @@ static int em28xx_ir_fini(struct em28xx *dev)
 		goto ref_put;
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 
 	kfree(ir->i2c_client);
 
diff --git a/drivers/staging/media/av7110/av7110_ir.c b/drivers/staging/media/av7110/av7110_ir.c
index 68b3979ba5f20c..fdae467fd7ab81 100644
--- a/drivers/staging/media/av7110/av7110_ir.c
+++ b/drivers/staging/media/av7110/av7110_ir.c
@@ -151,6 +151,7 @@ int av7110_ir_init(struct av7110 *av7110)
 void av7110_ir_exit(struct av7110 *av7110)
 {
 	rc_unregister_device(av7110->ir.rcdev);
+	rc_free_device(av7110->ir.rcdev);
 }
 
 //MODULE_AUTHOR("Holger Waechtler <holger@convergence.de>, Oliver Endriss <o.endriss@gmx.de>");
diff --git a/include/media/rc-core.h b/include/media/rc-core.h
index d095908073ef9d..7a8511d0d4b4a4 100644
--- a/include/media/rc-core.h
+++ b/include/media/rc-core.h
@@ -81,7 +81,6 @@ struct lirc_fh {
 /**
  * struct rc_dev - represents a remote control device
  * @dev: driver model's view of this device
- * @managed_alloc: devm_rc_allocate_device was used to create rc_dev
  * @sysfs_groups: sysfs attribute groups
  * @device_name: name of the rc child device
  * @input_phys: physical path to the input child device
@@ -156,7 +155,6 @@ struct lirc_fh {
  */
 struct rc_dev {
 	struct device			dev;
-	bool				managed_alloc;
 	const struct attribute_group	*sysfs_groups[5];
 	const char			*device_name;
 	const char			*input_phys;
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 121/315] mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 120/315] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 122/315] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

commit 441f92f7d386b85bad16de49db95a307cba048a2 upstream.

DAMON sysfs maintains the DAMOS tried region directory objects via a
linked list.  When the user requests refresh of the directories, DAMON
sysfs removes all the region directories first, and then generates updated
region directories in the empty space.  The removal function
(damon_sysfs_scheme_regions_rm_dirs()) only puts the kobj objects.
Deletion of the container region object from the linked list is done
inside the kobj release callback function.

If somehow the callback invocation is delayed, the list will contain
regions that are going to be freed.  If the updated region directories
creation is started in this situation, the list can be corrupted and
use-after-free can happen.

Because the kobj objects are managed only by DAMON sysfs, the issue cannot
happen in a normal situation.  But such delays can be made on kernels that
are built with CONFIG_DEBUG_KOBJECT_RELEASE.  On such a kernel, the issue can
indeed be reproduced like below.

    # damo start --damos_action stat
    # cd /sys/kernel/mm/damon/admin/kdamonds/0/
    # for i in {1..10}; do echo update_schemes_tried_regions > state; done
    # dmesg | grep underflow
    [   89.296152] refcount_t: underflow; use-after-free.

Fix the issue by removing the region object from the list when
decrementing the reference count.

Also update damos_sysfs_populate_region_dir() to add the region object to
the list only after kobject_init_and_add() succeeds, so that a failure of
kobject_init_and_add() does not leave the deallocated object on the list.

The issue was discovered [1] by Sashiko.

Link: https://lore.kernel.org/20260518152559.93038-1-sj@kernel.org
Link: https://lore.kernel.org/20260513011920.119183-1-sj@kernel.org [1]
Fixes: 9277d0367ba1 ("mm/damon/sysfs-schemes: implement scheme region directory")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.2.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/sysfs-schemes.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -89,7 +89,6 @@ static void damon_sysfs_scheme_region_re
 	struct damon_sysfs_scheme_region *region = container_of(kobj,
 			struct damon_sysfs_scheme_region, kobj);
 
-	list_del(&region->list);
 	kfree(region);
 }
 
@@ -166,7 +165,7 @@ static void damon_sysfs_scheme_regions_r
 	struct damon_sysfs_scheme_region *r, *next;
 
 	list_for_each_entry_safe(r, next, &regions->regions_list, list) {
-		/* release function deletes it from the list */
+		list_del(&r->list);
 		kobject_put(&r->kobj);
 		regions->nr_regions--;
 	}
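Review bot: list_del() before kobject_put() fixes the delayed-release problem, but it also means this loop and damos_sysfs_populate_region_dir() now both mutate regions_list directly rather than leaving it to the release callback, so they must be serialized by the caller; a comment, or a lockdep_assert_held() on the lock that guards the regions directory, would make that requirement explicit.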
@@ -2767,14 +2766,15 @@ void damos_sysfs_populate_region_dir(str
 	if (!region)
 		return;
 	region->sz_filter_passed = sz_filter_passed;
-	list_add_tail(&region->list, &sysfs_regions->regions_list);
-	sysfs_regions->nr_regions++;
 	if (kobject_init_and_add(&region->kobj,
 				&damon_sysfs_scheme_region_ktype,
 				&sysfs_regions->kobj, "%d",
 				sysfs_regions->nr_regions++)) {
 		kobject_put(&region->kobj);
+		return;
 	}
+	list_add_tail(&region->list, &sysfs_regions->regions_list);
+	sysfs_regions->nr_regions++;
 }
 
 int damon_sysfs_schemes_clear_regions(
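Review bot: nr_regions appears to be bumped twice per region in the resulting code: once by the post-increment used as the "%d" name argument to kobject_init_and_add() and again on the new line after list_add_tail(), and once even on the failure path (the name argument is evaluated before the call fails), while damon_sysfs_scheme_regions_rm_dirs() decrements it once per list entry. If nr_regions is meant to count list entries, keep only the increment after list_add_tail() and pass the pre-increment value as the name; the double increment predates this patch, but this hunk moves the increment and is the place to settle it.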




* [PATCH 6.12 111/307] media: rc: ttusbir: fix inverted error logic
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 110/307] media: rc: fix race between unregister and urb/irq callbacks Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 112/307] inet: frags: add inet_frag_queue_flush() Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
	Hans Verkuil, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit 646ebdd3105809d84ed04aa9e92e47e89cc44502 ]

We have to report ENOMEM if no buffer is allocated.
Typo dropped a "!". Restore it.

Fixes: 50acaad3d202 ("media: rc: ttusbir: respect DMA coherency rules")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/rc/ttusbir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/rc/ttusbir.c b/drivers/media/rc/ttusbir.c
index a670d4b008cb0d..3452b5aefd2848 100644
--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -191,7 +191,7 @@ static int ttusbir_probe(struct usb_interface *intf,
 	tt = kzalloc(sizeof(*tt), GFP_KERNEL);
 	buffer = kzalloc(5, GFP_KERNEL);
 	rc = rc_allocate_device(RC_DRIVER_IR_RAW);
-	if (!tt || !rc || buffer) {
+	if (!tt || !rc || !buffer) {
 		ret = -ENOMEM;
 		goto out;
 	}
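Review bot: the restored `!buffer` check is correct, and since all three allocations are attempted before the first test, the out: label (not in this hunk) has to free whichever of tt, buffer and rc did succeed; kfree() and rc_free_device() both tolerate NULL, so that works as long as out: actually frees buffer, which was introduced by the commit under Fixes. Checking each allocation immediately after it is made would avoid relying on that, but is not required for this fix.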
-- 
2.53.0





* [PATCH 6.18 122/315] ipc: limit next_id allocation to the valid ID range
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 121/315] mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 123/315] mm: memcontrol: propagate NMI slab stats to memcg vmstats Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linpu Yu, Ren Wei, Yuan Tan,
	Yifan Wu, Juefei Pu, Xin Liu, Kees Cook, Stanislav Kinsbursky,
	Davidlohr Bueso, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linpu Yu <linpu5433@gmail.com>

commit fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 upstream.

The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next_id.  ipc_idr_alloc() currently forwards that request to
idr_alloc() with an open-ended upper bound.

If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc_mni.  The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.

The bug is in ipc_idr_alloc() in the checkpoint/restore path.

1. ids->next_id is passed to:

       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)

2. The zero upper bound makes the allocation effectively open-ended.
   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past
   ipc_mni and allocate an entry beyond the valid IPC id range.

3. The new object id is still encoded with the narrower SysV IPC index
   width:

       new->id = (new->seq << ipcmni_seq_shift()) + idx

4. Later removal goes through ipc_rmid(), which uses:

       ipcid_to_idx(ipcp->id)

   That truncates the real IDR index. An object actually stored at a
   high index can then be removed as if it lived at a low in-range
   index.

5. For shared memory, shm_destroy() frees the current object anyway, but
   the real high IDR slot is left behind as a dangling pointer.

6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry
   and dereferences freed memory.

Prevent this by bounding the requested allocation to ipc_mni so the
checkpoint/restore path fails once the valid range is exhausted.

Link: https://lore.kernel.org/cover.1778336914.git.linpu5433@gmail.com
Link: https://lore.kernel.org/2eebe949bfa7d1f6e13b5be6a92c64c850ce9d45.1778336914.git.linpu5433@gmail.com
Fixes: 03f595668017 ("ipc: add sysctl to specify desired next object id")
Signed-off-by: Linpu Yu <linpu5433@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 ipc/util.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/ipc/util.c
+++ b/ipc/util.c
@@ -253,7 +253,7 @@ static inline int ipc_idr_alloc(struct i
 	} else {
 		new->seq = ipcid_to_seqx(next_id);
 		idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id),
-				0, GFP_NOWAIT);
+				ipc_mni, GFP_NOWAIT);
 	}
 	if (idx >= 0)
 		new->id = (new->seq << ipcmni_seq_shift()) + idx;
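Review bot: idr_alloc()'s end argument is exclusive, so ipc_mni here yields indexes 0..ipc_mni-1, exactly the range ipcid_to_idx() can represent, and the encoding on the following line can no longer truncate; the checkpoint/restore caller now gets -ENOSPC when the tail from ipcid_to_idx(next_id) upward is full. Since the start index comes from a root-writable sysctl and the old failure mode was a stale IDR slot later dereferenced from /proc/sysvipc/shm, a selftest that sets next_id near ipc_mni, fills the tail and asserts the failure rather than a spill would guard against regressions.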




* [PATCH 6.12 112/307] inet: frags: add inet_frag_queue_flush()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 111/307] media: rc: ttusbir: fix inverted error logic Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 113/307] inet: frags: flush pending skbs in fqdir_pre_exit() Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
	Rajani Kantha, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 1231eec6994be29d6bb5c303dfa54731ed9fc0e6 ]

Instead of exporting inet_frag_rbtree_purge() which requires that
caller takes care of memory accounting, add a new helper. We will
need to call it from a few places in the next patch.

Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251207010942.1672972-3-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/inet_frag.h  |  5 ++---
 net/ipv4/inet_fragment.c | 15 ++++++++++++---
 net/ipv4/ip_fragment.c   |  6 +-----
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h
index 5af6eb14c5db15..94edc0e130d2c4 100644
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -141,9 +141,8 @@ void inet_frag_kill(struct inet_frag_queue *q);
 void inet_frag_destroy(struct inet_frag_queue *q);
 struct inet_frag_queue *inet_frag_find(struct fqdir *fqdir, void *key);
 
-/* Free all skbs in the queue; return the sum of their truesizes. */
-unsigned int inet_frag_rbtree_purge(struct rb_root *root,
-				    enum skb_drop_reason reason);
+void inet_frag_queue_flush(struct inet_frag_queue *q,
+			   enum skb_drop_reason reason);
 
 static inline void inet_frag_put(struct inet_frag_queue *q)
 {
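Review bot: the comment describing the old helper ("Free all skbs in the queue; return the sum of their truesizes") is dropped and nothing replaces it, yet the new helper has a stronger contract: it also charges the freed truesize back via sub_frag_mem_limit(), and the callers visible in this series (fqdir_pre_exit(), ip6frag_expire_frag_queue()) hold q->lock around it. A one-line comment on the prototype stating "caller must hold q->lock; adjusts fqdir memory accounting" would save the next reader the trip to inet_fragment.c.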
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index d179a2c8422276..70640906337757 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -264,8 +264,8 @@ static void inet_frag_destroy_rcu(struct rcu_head *head)
 	kmem_cache_free(f->frags_cachep, q);
 }
 
-unsigned int inet_frag_rbtree_purge(struct rb_root *root,
-				    enum skb_drop_reason reason)
+static unsigned int
+inet_frag_rbtree_purge(struct rb_root *root, enum skb_drop_reason reason)
 {
 	struct rb_node *p = rb_first(root);
 	unsigned int sum = 0;
@@ -285,7 +285,16 @@ unsigned int inet_frag_rbtree_purge(struct rb_root *root,
 	}
 	return sum;
 }
-EXPORT_SYMBOL(inet_frag_rbtree_purge);
+
+void inet_frag_queue_flush(struct inet_frag_queue *q,
+			   enum skb_drop_reason reason)
+{
+	unsigned int sum;
+
+	sum = inet_frag_rbtree_purge(&q->rb_fragments, reason);
+	sub_frag_mem_limit(q->fqdir, sum);
+}
+EXPORT_SYMBOL(inet_frag_queue_flush);
 
 void inet_frag_destroy(struct inet_frag_queue *q)
 {
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 183856b0b74094..eb5f6060b85d52 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -253,16 +253,12 @@ static int ip_frag_too_far(struct ipq *qp)
 
 static int ip_frag_reinit(struct ipq *qp)
 {
-	unsigned int sum_truesize = 0;
-
 	if (!mod_timer(&qp->q.timer, jiffies + qp->q.fqdir->timeout)) {
 		refcount_inc(&qp->q.refcnt);
 		return -ETIMEDOUT;
 	}
 
-	sum_truesize = inet_frag_rbtree_purge(&qp->q.rb_fragments,
-					      SKB_DROP_REASON_FRAG_TOO_FAR);
-	sub_frag_mem_limit(qp->q.fqdir, sum_truesize);
+	inet_frag_queue_flush(&qp->q, SKB_DROP_REASON_FRAG_TOO_FAR);
 
 	qp->q.flags = 0;
 	qp->q.len = 0;
-- 
2.53.0





* [PATCH 6.18 123/315] mm: memcontrol: propagate NMI slab stats to memcg vmstats
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 122/315] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 124/315] memfd: deny writeable mappings when implying SEAL_WRITE Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandre Ghiti, Shakeel Butt,
	Johannes Weiner, Harry Yoo (Oracle), Michal Hocko, Muchun Song,
	Roman Gushchin, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandre Ghiti <alex@ghiti.fr>

commit e16f17a9c5af50221184d1ef4be4056bf3c4209e upstream.

flush_nmi_stats() drains per-node NMI slab atomics into the per-node
lruvec_stats, but does not propagate them to the memcg-level vmstats.

For non NMI case, account_slab_nmi_safe() calls mod_memcg_lruvec_state()
which updates both per-node lruvec_stats and memcg-level vmstats, so
flush_nmi_stats() needs to flush to per-node lruvec_stats as well as
memcg-level vmstats.

So fix this by flushing to the memcg-level vmstats for NMI too.

Link: https://lore.kernel.org/20260518082830.599102-1-alex@ghiti.fr
Fixes: 940b01fc8dc1 ("memcg: nmi safe memcg stats for specific archs")
Signed-off-by: Alexandre Ghiti <alex@ghiti.fr>
Acked-by: Shakeel Butt <shakeel.butt@linux.dev>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memcontrol.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4044,6 +4044,9 @@ static void flush_nmi_stats(struct mem_c
 			lstats->state[index] += slab;
 			if (plstats)
 				plstats->state_pending[index] += slab;
+			memcg->vmstats->state[index] += slab;
+			if (parent)
+				parent->vmstats->state_pending[index] += slab;
 		}
 		if (atomic_read(&pn->slab_unreclaimable)) {
 			int slab = atomic_xchg(&pn->slab_unreclaimable, 0);
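Review bot: the added lines use `parent`, which is neither declared nor assigned in this hunk; it must be the parent memcg already used to derive plstats above (outside the excerpt), so confirm it is the same pointer, otherwise the per-node and memcg-level pending stats could be propagated to different cgroups. Updating memcg->vmstats->state[] here while the parent only gets state_pending[] matches the split the commit message describes for mod_memcg_lruvec_state().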
@@ -4052,6 +4055,9 @@ static void flush_nmi_stats(struct mem_c
 			lstats->state[index] += slab;
 			if (plstats)
 				plstats->state_pending[index] += slab;
+			memcg->vmstats->state[index] += slab;
+			if (parent)
+				parent->vmstats->state_pending[index] += slab;
 		}
 	}
 }
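Review bot: this block is a verbatim copy of the slab_reclaimable block above with only the atomic and index differing; a small static helper taking (memcg, parent, lstats, plstats, index, delta) would stop the two from drifting apart again, which is how the NMI path fell out of sync with account_slab_nmi_safe() in the first place.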




* [PATCH 6.12 113/307] inet: frags: flush pending skbs in fqdir_pre_exit()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 112/307] inet: frags: add inet_frag_queue_flush() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 114/307] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
	Rajani Kantha, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 006a5035b495dec008805df249f92c22c89c3d2e ]

We have been seeing occasional deadlocks on pernet_ops_rwsem since
September in NIPA. The stuck task was usually modprobe (often loading
a driver like ipvlan), trying to take the lock as a Writer.
lockdep does not track readers for rwsems so the read wasn't obvious
from the reports.

On closer inspection the Reader holding the lock was conntrack looping
forever in nf_conntrack_cleanup_net_list(). Based on past experience
with occasional NIPA crashes I looked thru the tests which run before
the crash and noticed that the crash follows ip_defrag.sh. An immediate
red flag. Scouring thru (de)fragmentation queues reveals skbs sitting
around, holding conntrack references.

The problem is that since conntrack depends on nf_defrag_ipv6,
nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its
netns exit hooks run _after_ conntrack's netns exit hook.

Flush all fragment queue SKBs during fqdir_pre_exit() to release
conntrack references before conntrack cleanup runs. Also flush
the queues in timer expiry handlers when they discover fqdir->dead
is set, in case a packet sneaks in while we're running the pre_exit
flush.

The commit under Fixes is not exactly the culprit, but I think
previously the timer firing would eventually unblock the spinning
conntrack.

Fixes: d5dd88794a13 ("inet: fix various use-after-free in defrags units")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251207010942.1672972-4-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/inet_frag.h  | 13 +------------
 include/net/ipv6_frag.h  |  9 ++++++---
 net/ipv4/inet_fragment.c | 36 ++++++++++++++++++++++++++++++++++++
 net/ipv4/ip_fragment.c   | 12 +++++++-----
 4 files changed, 50 insertions(+), 20 deletions(-)

diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h
index 94edc0e130d2c4..fcabb34fff35de 100644
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -123,18 +123,7 @@ void inet_frags_fini(struct inet_frags *);
 
 int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net);
 
-static inline void fqdir_pre_exit(struct fqdir *fqdir)
-{
-	/* Prevent creation of new frags.
-	 * Pairs with READ_ONCE() in inet_frag_find().
-	 */
-	WRITE_ONCE(fqdir->high_thresh, 0);
-
-	/* Pairs with READ_ONCE() in inet_frag_kill(), ip_expire()
-	 * and ip6frag_expire_frag_queue().
-	 */
-	WRITE_ONCE(fqdir->dead, true);
-}
+void fqdir_pre_exit(struct fqdir *fqdir);
 void fqdir_exit(struct fqdir *fqdir);
 
 void inet_frag_kill(struct inet_frag_queue *q);
diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
index 7321ffe3a108c1..df61b98b521531 100644
--- a/include/net/ipv6_frag.h
+++ b/include/net/ipv6_frag.h
@@ -68,9 +68,6 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq)
 	struct sk_buff *head;
 
 	rcu_read_lock();
-	/* Paired with the WRITE_ONCE() in fqdir_pre_exit(). */
-	if (READ_ONCE(fq->q.fqdir->dead))
-		goto out_rcu_unlock;
 	spin_lock(&fq->q.lock);
 
 	if (fq->q.flags & INET_FRAG_COMPLETE)
@@ -79,6 +76,12 @@ ip6frag_expire_frag_queue(struct net *net, struct frag_queue *fq)
 	fq->q.flags |= INET_FRAG_DROP;
 	inet_frag_kill(&fq->q);
 
+	/* Paired with the WRITE_ONCE() in fqdir_pre_exit(). */
+	if (READ_ONCE(fq->q.fqdir->dead)) {
+		inet_frag_queue_flush(&fq->q, 0);
+		goto out;
+	}
+
 	dev = dev_get_by_index_rcu(net, fq->iif);
 	if (!dev)
 		goto out;
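Review bot: the dead check is now evaluated under fq->q.lock and after inet_frag_kill(), which is what makes it safe against the walk in fqdir_pre_exit() (that walk also takes fq->lock before calling inet_frag_queue_flush()), so at most one side flushes and a second flush of an already-emptied rb tree is a no-op; a comment to that effect here would spare readers a cross-check against inet_fragment.c. Passing 0 as the reason also depends on inet_frag_queue_flush() substituting a default, which this patch adds in net/ipv4/inet_fragment.c, so the two hunks must land together.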
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 70640906337757..f9cf20b21a0781 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -219,6 +219,41 @@ static int __init inet_frag_wq_init(void)
 
 pure_initcall(inet_frag_wq_init);
 
+void fqdir_pre_exit(struct fqdir *fqdir)
+{
+	struct inet_frag_queue *fq;
+	struct rhashtable_iter hti;
+
+	/* Prevent creation of new frags.
+	 * Pairs with READ_ONCE() in inet_frag_find().
+	 */
+	WRITE_ONCE(fqdir->high_thresh, 0);
+
+	/* Pairs with READ_ONCE() in inet_frag_kill(), ip_expire()
+	 * and ip6frag_expire_frag_queue().
+	 */
+	WRITE_ONCE(fqdir->dead, true);
+
+	rhashtable_walk_enter(&fqdir->rhashtable, &hti);
+	rhashtable_walk_start(&hti);
+
+	while ((fq = rhashtable_walk_next(&hti))) {
+		if (IS_ERR(fq)) {
+			if (PTR_ERR(fq) != -EAGAIN)
+				break;
+			continue;
+		}
+		spin_lock_bh(&fq->lock);
+		if (!(fq->flags & INET_FRAG_COMPLETE))
+			inet_frag_queue_flush(fq, 0);
+		spin_unlock_bh(&fq->lock);
+	}
+
+	rhashtable_walk_stop(&hti);
+	rhashtable_walk_exit(&hti);
+}
+EXPORT_SYMBOL(fqdir_pre_exit);
+
 void fqdir_exit(struct fqdir *fqdir)
 {
 	INIT_WORK(&fqdir->destroy_work, fqdir_work_fn);
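Review bot: the loop takes fq->lock without holding a reference on fq; that is only sound because queues are freed via RCU and rhashtable_walk_start() keeps the RCU read side held for the duration of the walk, and that reasoning belongs in a comment above the loop. Two smaller points: on -EAGAIN the walk simply continues, so a resize during the walk can skip entries, and it is worth stating that such queues are still cleaned up by the dead check in ip_expire() / ip6frag_expire_frag_queue(); and the flush is passed reason 0, so these teardown drops will be accounted under whatever default inet_frag_queue_flush() picks.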
@@ -291,6 +326,7 @@ void inet_frag_queue_flush(struct inet_frag_queue *q,
 {
 	unsigned int sum;
 
+	reason = reason ?: SKB_DROP_REASON_FRAG_REASM_TIMEOUT;
 	sum = inet_frag_rbtree_purge(&q->rb_fragments, reason);
 	sub_frag_mem_limit(q->fqdir, sum);
 }
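Review bot: "reason = reason ?: SKB_DROP_REASON_FRAG_REASM_TIMEOUT;" makes every caller that passes 0 show up as a reassembly timeout in drop tracing, including the netns-teardown flush in fqdir_pre_exit(); if those drops should be distinguishable from genuine timeouts, a dedicated reason could be passed from fqdir_pre_exit() instead of 0. The default is fine for the two expiry callers.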
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index eb5f6060b85d52..124c0d64d4204b 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -148,11 +148,6 @@ static void ip_expire(struct timer_list *t)
 	net = qp->q.fqdir->net;
 
 	rcu_read_lock();
-
-	/* Paired with WRITE_ONCE() in fqdir_pre_exit(). */
-	if (READ_ONCE(qp->q.fqdir->dead))
-		goto out_rcu_unlock;
-
 	spin_lock(&qp->q.lock);
 
 	if (qp->q.flags & INET_FRAG_COMPLETE)
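Review bot: the removed "goto out_rcu_unlock" was likely the only jump to that label in ip_expire(); if so, the label should be removed as well to avoid an unused-label warning. Removing the bail-out also means the timer now takes qp->q.lock on a dead fqdir, which is required for the flush that follows to be serialized against fqdir_pre_exit().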
@@ -160,6 +155,13 @@ static void ip_expire(struct timer_list *t)
 
 	qp->q.flags |= INET_FRAG_DROP;
 	ipq_kill(qp);
+
+	/* Paired with WRITE_ONCE() in fqdir_pre_exit(). */
+	if (READ_ONCE(qp->q.fqdir->dead)) {
+		inet_frag_queue_flush(&qp->q, 0);
+		goto out;
+	}
+
 	__IP_INC_STATS(net, IPSTATS_MIB_REASMFAILS);
 	__IP_INC_STATS(net, IPSTATS_MIB_REASMTIMEOUT);
 
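Review bot: the dead path jumps past the REASMFAILS/REASMTIMEOUT counters and the ICMP time-exceeded handling below it; that is acceptable for a namespace being torn down, but a comment saying it is deliberate would keep someone from "fixing" it later. The flush runs after ipq_kill(), so the queue is already unhashed and the timer reference dropped before its skbs are freed, which is the right order.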
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 124/315] memfd: deny writeable mappings when implying SEAL_WRITE
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 123/315] mm: memcontrol: propagate NMI slab stats to memcg vmstats Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 125/315] mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pratyush Yadav (Google),
	Pasha Tatashin, Jeff Xu, Baolin Wang, Brendan Jackman,
	Greg Thelen, Hugh Dickins, Kees Cook, David Hildenbrand (Arm),
	Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pratyush Yadav (Google) <pratyush@kernel.org>

commit 3b041514cb6eae45869b020f743c14d983363222 upstream.

When SEAL_EXEC is added, SEAL_WRITE is implied to make W^X.  But the
implied seal is set after the check that makes sure the memfd cannot
have any writable mappings.  This means one can use SEAL_EXEC to apply
SEAL_WRITE while having writable mappings.

This breaks the contract that SEAL_WRITE provides and can be used by an
attacker to pass a memfd that appears to be write sealed but can still be
modified arbitrarily.

Fix this by adding the implied seals before the call to
mapping_deny_writable() is made.

Link: https://lore.kernel.org/20260505133922.797635-1-pratyush@kernel.org
Fixes: c4f75bc8bd6b ("mm/memfd: add write seals when apply SEAL_EXEC to executable memfd")
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Acked-by: Jeff Xu <jeffxu@google.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memfd.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -284,6 +284,12 @@ static int memfd_add_seals(struct file *
 		goto unlock;
 	}
 
+	/*
+	 * SEAL_EXEC implies SEAL_WRITE, making W^X from the start.
+	 */
+	if (seals & F_SEAL_EXEC && inode->i_mode & 0111)
+		seals |= F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE;
+
 	if ((seals & F_SEAL_WRITE) && !(*file_seals & F_SEAL_WRITE)) {
 		error = mapping_deny_writable(file->f_mapping);
 		if (error)
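Review bot: moving the implied-seal block above the F_SEAL_WRITE check is the fix, since mapping_deny_writable() now runs for the F_SEAL_WRITE that SEAL_EXEC implies. The condition "seals & F_SEAL_EXEC && inode->i_mode & 0111" relies on & binding tighter than &&, which is correct but reads better with parentheses around each operand. It would also help to extend the comment with a line noting that the block must stay ahead of the writable-mapping check, since that ordering is exactly what this fix restores.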
@@ -296,12 +302,6 @@ static int memfd_add_seals(struct file *
 		}
 	}
 
-	/*
-	 * SEAL_EXEC implies SEAL_WRITE, making W^X from the start.
-	 */
-	if (seals & F_SEAL_EXEC && inode->i_mode & 0111)
-		seals |= F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE;
-
 	*file_seals |= seals;
 	error = 0;
 




* [PATCH 6.12 114/307] HID: core: Add printk_ratelimited variants to hid_warn() etc
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 113/307] inet: frags: flush pending skbs in fqdir_pre_exit() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 115/307] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vicki Pfau, Jiri Kosina, Lee Jones,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vicki Pfau <vi@endrift.com>

[ Upstream commit 1d64624243af8329b4b219d8c39e28ea448f9929 ]

hid_warn_ratelimited() is needed. Add the others as part of the block.

Signed-off-by: Vicki Pfau <vi@endrift.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/hid.h | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/linux/hid.h b/include/linux/hid.h
index 7d8d09318fa91d..bef017d6b44042 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1245,4 +1245,15 @@ void hid_quirks_exit(__u16 bus);
 #define hid_dbg_once(hid, fmt, ...)			\
 	dev_dbg_once(&(hid)->dev, fmt, ##__VA_ARGS__)
 
+#define hid_err_ratelimited(hid, fmt, ...)			\
+	dev_err_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_notice_ratelimited(hid, fmt, ...)			\
+	dev_notice_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_warn_ratelimited(hid, fmt, ...)			\
+	dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_info_ratelimited(hid, fmt, ...)			\
+	dev_info_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_dbg_ratelimited(hid, fmt, ...)			\
+	dev_dbg_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+
 #endif
-- 
2.53.0





* [PATCH 6.18 125/315] mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 124/315] memfd: deny writeable mappings when implying SEAL_WRITE Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 126/315] auxdisplay: line-display: fix OOB read on zero-length message_store() Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dev Jain, Barry Song,
	David Hildenbrand (Arm), Lorenzo Stoakes, Anshuman Khandual,
	Harry Yoo, Jann Horn, Liam R. Howlett, Rik van Riel, Ryan Roberts,
	Vlastimil Babka, Andrew Morton

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dev Jain <dev.jain@arm.com>

commit 3f8968e9cbf95d5d87d32218906cab0b9b9eddbe upstream.

Initialize nr_pages to 1 at the start of each loop iteration, like
folio_referenced_one() does.

Without this, nr_pages computed by a previous folio_unmap_pte_batch() call
can be reused on a later iteration that does not run
folio_unmap_pte_batch() again.

mmap a 64K large folio with MAP_ANONYMOUS | MAP_DROPPABLE, then call
madvise(MADV_FREE), then make the last page device-exclusive via
HMM_DMIRROR_EXCLUSIVE.

Trigger node reclaim through sysfs.  Now, in try_to_unmap_one(), we will
first clear the first 15 out of 16 entries mapping the lazyfree folio.
This will set nr_pages to 15.  In the next pvmw walk, this nr_pages gets
reused on a device-exclusive pte, thus potentially corrupting folio
refcount/mapcount.

At the moment, I have a userspace program which can make the kernel spit
out a trace, but the blow up is in folio_referenced_one(), because there
are existing bugs in the interaction between device-private and rmap
(which too I am investigating).  I did a one liner kernel change to avoid
going into folio_referenced_one(), and the kernel blows up at
folio_remove_rmap_ptes in try_to_unmap_one which is what I wanted.

Note that the bug has been there not since file folio batching but since
lazyfree folio batching, since device-exclusive only works for anonymous
folios.

Userspace-visible effect is simply the kernel crashing somewhere due to
refcount/mapcount corruption.

Link: https://lore.kernel.org/20260518063656.3721056-1-dev.jain@arm.com
Fixes: 354dffd29575 ("mm: support batched unmap for lazyfree large folios during reclamation")
Signed-off-by: Dev Jain <dev.jain@arm.com>
Acked-by: Barry Song <baohua@kernel.org>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Harry Yoo <harry@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/rmap.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1918,6 +1918,8 @@ static bool try_to_unmap_one(struct foli
 	mmu_notifier_invalidate_range_start(&range);
 
 	while (page_vma_mapped_walk(&pvmw)) {
+		nr_pages = 1;
+
 		/*
 		 * If the folio is in an mlock()d vma, we must not swap it out.
 		 */
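Review bot: resetting nr_pages at the top of the pvmw loop fixes the stale value, but nothing at this site explains why it is needed; a one-line comment (nr_pages is only updated by folio_unmap_pte_batch() on some paths, so each iteration must start from 1) would help, and if nr_pages is also initialised at its declaration that initialiser can now go.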




* [PATCH 6.12 115/307] HID: pass the buffer size to hid_report_raw_event
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 114/307] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 116/307] HID: core: introduce hid_safe_input_report() Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires, Johan Hovold,
	Jiri Kosina, Lee Jones, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <bentiss@kernel.org>

[ Upstream commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a ]

commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
bogus memset()") enforced the provided data to be at least the size of
the declared buffer in the report descriptor to prevent a buffer
overflow. However, we can try to be smarter by providing both the buffer
size and the data size, meaning that hid_report_raw_event() can make a
better decision on whether we should plainly reject the buffer (buffer
overflow attempt) or whether we can safely memset it to 0 and pass it to
the rest of the stack.

Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Stable-dep-of: 206342541fc8 ("HID: core: introduce hid_safe_input_report()")
(cherry picked from commit 509c2605065004fc4cd86ee50a9350d402785307)
[Lee: Backported to linux-6.12.y and beyond]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/bpf/hid_bpf_dispatch.c |  6 +++--
 drivers/hid/hid-core.c             | 37 +++++++++++++++++++++---------
 drivers/hid/hid-gfrm.c             |  4 ++--
 drivers/hid/hid-logitech-hidpp.c   |  2 +-
 drivers/hid/hid-multitouch.c       |  2 +-
 drivers/hid/hid-primax.c           |  2 +-
 drivers/hid/hid-vivaldi-common.c   |  2 +-
 drivers/hid/wacom_sys.c            |  6 ++---
 drivers/staging/greybus/hid.c      |  2 +-
 include/linux/hid.h                |  4 ++--
 include/linux/hid_bpf.h            | 14 +++++++----
 11 files changed, 51 insertions(+), 30 deletions(-)

diff --git a/drivers/hid/bpf/hid_bpf_dispatch.c b/drivers/hid/bpf/hid_bpf_dispatch.c
index 284861c166d9c4..b711d83dfde1d4 100644
--- a/drivers/hid/bpf/hid_bpf_dispatch.c
+++ b/drivers/hid/bpf/hid_bpf_dispatch.c
@@ -24,7 +24,8 @@ EXPORT_SYMBOL(hid_ops);
 
 u8 *
 dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data,
-			      u32 *size, int interrupt, u64 source, bool from_bpf)
+			      size_t *buf_size, u32 *size, int interrupt, u64 source,
+			      bool from_bpf)
 {
 	struct hid_bpf_ctx_kern ctx_kern = {
 		.ctx = {
@@ -74,6 +75,7 @@ dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type
 		*size = ret;
 	}
 
+	*buf_size = ctx_kern.ctx.allocated_size;
 	return ctx_kern.data;
 }
 EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event);
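Review bot: "*buf_size = ctx_kern.ctx.allocated_size" is only written on this exit path, so any earlier return in dispatch_hid_bpf_device_event() that hands back the original data pointer must leave *buf_size untouched (the caller's value is then still the right bound). That invariant, buf_size is rewritten only when data is swapped for ctx_kern.data, deserves a comment, because a wrong bufsize here silently defeats the bounds check in hid_report_raw_event().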
@@ -514,7 +516,7 @@ __hid_bpf_input_report(struct hid_bpf_ctx *ctx, enum hid_report_type type, u8 *b
 	if (ret)
 		return ret;
 
-	return hid_ops->hid_input_report(ctx->hid, type, buf, size, 0, (u64)(long)ctx, true,
+	return hid_ops->hid_input_report(ctx->hid, type, buf, size, size, 0, (u64)(long)ctx, true,
 					 lock_already_taken);
 }
 
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 294a25330ed030..ceff91722c3c83 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1998,24 +1998,32 @@ int __hid_request(struct hid_device *hid, struct hid_report *report,
 }
 EXPORT_SYMBOL_GPL(__hid_request);
 
-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-			 int interrupt)
+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
+			 size_t bufsize, u32 size, int interrupt)
 {
 	struct hid_report_enum *report_enum = hid->report_enum + type;
 	struct hid_report *report;
 	struct hid_driver *hdrv;
 	int max_buffer_size = HID_MAX_BUFFER_SIZE;
 	u32 rsize, csize = size;
+	size_t bsize = bufsize;
 	u8 *cdata = data;
 	int ret = 0;
 
 	report = hid_get_report(report_enum, data);
 	if (!report)
-		goto out;
+		return 0;
+
+	if (unlikely(bsize < csize)) {
+		hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+				     report->id, csize, bsize);
+		return -EINVAL;
+	}
 
 	if (report_enum->numbered) {
 		cdata++;
 		csize--;
+		bsize--;
 	}
 
 	rsize = hid_compute_report_size(report);
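Review bot: the new warning uses %d for csize (u32) and %ld for bsize (size_t); those should be %u and %zu, otherwise the format/argument mismatch warns on 32-bit builds (the %zu fix is in fact the subject of patch 117/307 later in this series). The check itself is correctly placed before the numbered-report adjustment, so bsize-- and csize-- below it stay consistent.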
@@ -2028,9 +2036,15 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 	else if (rsize > max_buffer_size)
 		rsize = max_buffer_size;
 
+	if (bsize < rsize) {
+		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+				     report->id, rsize, bsize);
+		return -EINVAL;
+	}
+
 	if (csize < rsize) {
 		dbg_hid("report %d is too short, (%d < %d)\n", report->id,
-				csize, rsize);
+			csize, rsize);
 		memset(cdata + csize, 0, rsize - csize);
 	}
 
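Review bot: the bsize < rsize rejection sitting before the memset() is what makes the zero-fill safe again (rsize - csize bytes are written past csize, and bsize >= rsize keeps that inside the allocation), so the comment on the memset should say so explicitly. The warning has the same %ld-for-size_t specifier issue as the first check.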
@@ -2039,7 +2053,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 	if (hid->claimed & HID_CLAIMED_HIDRAW) {
 		ret = hidraw_report_event(hid, data, size);
 		if (ret)
-			goto out;
+			return ret;
 	}
 
 	if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
@@ -2051,15 +2065,15 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 
 	if (hid->claimed & HID_CLAIMED_INPUT)
 		hidinput_report_event(hid, report);
-out:
+
 	return ret;
 }
 EXPORT_SYMBOL_GPL(hid_report_raw_event);
 
 
 static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
-			      u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
-			      bool lock_already_taken)
+			      u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
+			      bool from_bpf, bool lock_already_taken)
 {
 	struct hid_report_enum *report_enum;
 	struct hid_driver *hdrv;
@@ -2084,7 +2098,8 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
 	report_enum = hid->report_enum + type;
 	hdrv = hid->driver;
 
-	data = dispatch_hid_bpf_device_event(hid, type, data, &size, interrupt, source, from_bpf);
+	data = dispatch_hid_bpf_device_event(hid, type, data, &bufsize, &size, interrupt,
+					     source, from_bpf);
 	if (IS_ERR(data)) {
 		ret = PTR_ERR(data);
 		goto unlock;
@@ -2113,7 +2128,7 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
 			goto unlock;
 	}
 
-	ret = hid_report_raw_event(hid, type, data, size, interrupt);
+	ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
 
 unlock:
 	if (!lock_already_taken)
@@ -2135,7 +2150,7 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
 int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
 		     int interrupt)
 {
-	return __hid_input_report(hid, type, data, size, interrupt, 0,
+	return __hid_input_report(hid, type, data, size, size, interrupt, 0,
 				  false, /* from_bpf */
 				  false /* lock_already_taken */);
 }
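Review bot: passing size for both bufsize and size means legacy callers can never hit csize < rsize without first failing bsize < rsize, so for them the strict rejection from 0a3fe972a7cb is preserved and the memset path is unreachable; that is the right conservative default, but the kerneldoc for hid_input_report() should state it so transports that know their real allocation size move to the wider entry point.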
diff --git a/drivers/hid/hid-gfrm.c b/drivers/hid/hid-gfrm.c
index 699186ff2349e9..d2a56bf92b416e 100644
--- a/drivers/hid/hid-gfrm.c
+++ b/drivers/hid/hid-gfrm.c
@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
 	switch (data[1]) {
 	case GFRM100_SEARCH_KEY_DOWN:
 		ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
-					   sizeof(search_key_dn), 1);
+					   sizeof(search_key_dn), sizeof(search_key_dn), 1);
 		break;
 
 	case GFRM100_SEARCH_KEY_AUDIO_DATA:
@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
 
 	case GFRM100_SEARCH_KEY_UP:
 		ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
-					   sizeof(search_key_up), 1);
+					   sizeof(search_key_up), sizeof(search_key_up), 1);
 		break;
 
 	default:
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index d60cd4379e866a..858ac2ab46bd97 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -3691,7 +3691,7 @@ static int hidpp10_consumer_keys_raw_event(struct hidpp_device *hidpp,
 	memcpy(&consumer_report[1], &data[3], 4);
 	/* We are called from atomic context */
 	hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
-			     consumer_report, 5, 1);
+			     consumer_report, sizeof(consumer_report), 5, 1);
 
 	return 1;
 }
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index fcf9a806f109a5..760f9db44c9e32 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -500,7 +500,7 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
 		}
 
 		ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
-					   size, 0);
+					   size, size, 0);
 		if (ret)
 			dev_warn(&hdev->dev, "failed to report feature\n");
 	}
diff --git a/drivers/hid/hid-primax.c b/drivers/hid/hid-primax.c
index e44d79dff8de63..8db054280afbcd 100644
--- a/drivers/hid/hid-primax.c
+++ b/drivers/hid/hid-primax.c
@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_device *hid, struct hid_report *report,
 			data[0] |= (1 << (data[idx] - 0xE0));
 			data[idx] = 0;
 		}
-		hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
+		hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
 		return 1;
 
 	default:	/* unknown report */
diff --git a/drivers/hid/hid-vivaldi-common.c b/drivers/hid/hid-vivaldi-common.c
index bf734055d4b69d..b12bb5cc091aa3 100644
--- a/drivers/hid/hid-vivaldi-common.c
+++ b/drivers/hid/hid-vivaldi-common.c
@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_device *hdev,
 	}
 
 	ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
-				   report_len, 0);
+				   report_len, report_len, 0);
 	if (ret) {
 		dev_warn(&hdev->dev, "failed to report feature %d\n",
 			 field->report->id);
diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 1b1112772777ca..ffcf65dcf71347 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -74,7 +74,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
 		int err;
 
 		size = kfifo_out(fifo, buf, sizeof(buf));
-		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
+		err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
 		if (err) {
 			hid_warn(hdev, "%s: unable to flush event due to error %d\n",
 				 __func__, err);
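Review bot: buf here is a fixed-size array (kfifo_out() is called with sizeof(buf)), so sizeof(buf) can be passed as bufsize instead of size; with size == bufsize the zero-fill of short reports is never reachable on this path, which is presumably not what queueing the events was meant to achieve.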
@@ -319,7 +319,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
 					       data, n, WAC_CMD_RETRIES);
 			if (ret == n && features->type == HID_GENERIC) {
 				ret = hid_report_raw_event(hdev,
-					HID_FEATURE_REPORT, data, n, 0);
+					HID_FEATURE_REPORT, data, n, n, 0);
 			} else if (ret == 2 && features->type != HID_GENERIC) {
 				features->touch_max = data[1];
 			} else {
@@ -380,7 +380,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
 					data, n, WAC_CMD_RETRIES);
 		if (ret == n) {
 			ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
-						   data, n, 0);
+						   data, n, n, 0);
 		} else {
 			hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
 				 __func__);
diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
index 63c77a3df59111..afa78c96ede898 100644
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid *ghid, struct hid_report *report)
 	 * we just need to setup the input fields, so using
 	 * hid_report_raw_event is safe.
 	 */
-	hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
+	hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
 }
 
 static void gb_hid_init_reports(struct gb_hid *ghid)
diff --git a/include/linux/hid.h b/include/linux/hid.h
index bef017d6b44042..fdd401e4ebde3d 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1213,8 +1213,8 @@ static inline u32 hid_report_len(struct hid_report *report)
 	return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
 }
 
-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
-			 int interrupt);
+int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
+			 size_t bufsize, u32 size, int interrupt);
 
 /* HID quirks API */
 unsigned long hid_lookup_quirk(const struct hid_device *hdev);
diff --git a/include/linux/hid_bpf.h b/include/linux/hid_bpf.h
index 6a47223e646006..aa87513acbcd24 100644
--- a/include/linux/hid_bpf.h
+++ b/include/linux/hid_bpf.h
@@ -72,8 +72,8 @@ struct hid_ops {
 	int (*hid_hw_output_report)(struct hid_device *hdev, __u8 *buf, size_t len,
 				    u64 source, bool from_bpf);
 	int (*hid_input_report)(struct hid_device *hid, enum hid_report_type type,
-				u8 *data, u32 size, int interrupt, u64 source, bool from_bpf,
-				bool lock_already_taken);
+				u8 *data, size_t bufsize, u32 size, int interrupt, u64 source,
+				bool from_bpf, bool lock_already_taken);
 	struct module *owner;
 	const struct bus_type *bus_type;
 };
@@ -200,7 +200,8 @@ struct hid_bpf {
 
 #ifdef CONFIG_HID_BPF
 u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, u8 *data,
-				  u32 *size, int interrupt, u64 source, bool from_bpf);
+				  size_t *buf_size, u32 *size, int interrupt, u64 source,
+				  bool from_bpf);
 int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
 				  unsigned char reportnum, __u8 *buf,
 				  u32 size, enum hid_report_type rtype,
@@ -215,8 +216,11 @@ int hid_bpf_device_init(struct hid_device *hid);
 u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, const u8 *rdesc, unsigned int *size);
 #else /* CONFIG_HID_BPF */
 static inline u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type,
-						u8 *data, u32 *size, int interrupt,
-						u64 source, bool from_bpf) { return data; }
+						u8 *data, size_t *buf_size, u32 *size,
+						int interrupt, u64 source, bool from_bpf)
+{
+	return data;
+}
 static inline int dispatch_hid_bpf_raw_requests(struct hid_device *hdev,
 						unsigned char reportnum, u8 *buf,
 						u32 size, enum hid_report_type rtype,
-- 
2.53.0





* [PATCH 6.18 126/315] auxdisplay: line-display: fix OOB read on zero-length message_store()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 125/315] mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 127/315] smb: client: fix uninitialized variable in smb2_writev_callback Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Andy Shevchenko

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stepan Ionichev <sozdayvek@gmail.com>

commit a7511dcd9dd4bc55d123f9b800c8a4ed2662e5c6 upstream.

linedisp_display() unconditionally reads msg[count - 1] before
checking whether count is zero, so a write of zero bytes to the
message sysfs attribute hits msg[-1]:

	write(fd, "", 0);

	-> message_store(..., buf, count=0)
	   -> linedisp_display(linedisp, buf, count=0)
	      -> msg[count - 1] == '\n'  ; OOB read

The kernfs write buffer for that store is a 1-byte allocation
(kernfs_fop_write_iter() does kmalloc(len + 1) with len == 0),
so msg[-1] is a 1-byte read before the slab object. On a
KASAN-enabled kernel this trips an out-of-bounds report and
panics; on stock kernels it silently reads adjacent slab data
and, if that byte happens to be '\n', the following count--
wraps ssize_t 0 to -1 and is then passed to kmemdup_nul().

linedisp_display() is reached from the message_store() sysfs
callback (drivers/auxdisplay/line-display.c message attribute,
mode 0644) and from the in-tree initial-message setup with
count == -1, so the OOB path is only userspace-triggerable via
zero-byte writes; vfs_write() does not short-circuit on
count == 0 and kernfs_fop_write_iter() dispatches the store
callback regardless.

Guard the trailing-newline trim with a count check. The
existing if (!count) block then takes the clear-display path
unchanged.

Affects every auxdisplay driver that registers via
linedisp_register() / linedisp_attach(): ht16k33, max6959,
img-ascii-lcd, seg-led-gpio.

Fixes: 7e76aece6f03 ("auxdisplay: Extract character line display core support")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/auxdisplay/line-display.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/auxdisplay/line-display.c
+++ b/drivers/auxdisplay/line-display.c
@@ -90,7 +90,7 @@ static int linedisp_display(struct lined
 		count = strlen(msg);
 
 	/* if the string ends with a newline, trim it */
-	if (msg[count - 1] == '\n')
+	if (count && msg[count - 1] == '\n')
 		count--;
 
 	if (!count) {
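Review bot: the guard only needs to handle count == 0 because the negative-count initial-message case is already normalised by the "count = strlen(msg)" assignment just above it; a one-line comment saying so would save the next reader from re-deriving why a zero test is sufficient for an ssize_t.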




* [PATCH 6.12 116/307] HID: core: introduce hid_safe_input_report()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 115/307] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 117/307] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires, Jiri Kosina,
	Lee Jones, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <bentiss@kernel.org>

[ Upstream commit 206342541fc887ae919774a43942dc883161fece ]

hid_input_report() is used in too many places to have a commit that
doesn't cross subsystem borders. Instead of changing the API, introduce
a new one where things matter, in the transport layers:
- usbhid
- i2chid

This effectively reverts to the old behavior for those two transport
layers.

Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
(cherry picked from commit 301338b8edadc67a42b1c86add975091e66768d9)
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-core.c             | 25 +++++++++++++++++++++++++
 drivers/hid/i2c-hid/i2c-hid-core.c |  7 ++++---
 drivers/hid/usbhid/hid-core.c      | 11 ++++++-----
 include/linux/hid.h                |  2 ++
 4 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index ceff91722c3c83..d9ea99cdb68e06 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2146,6 +2146,7 @@ static int __hid_input_report(struct hid_device *hid, enum hid_report_type type,
  * @interrupt: distinguish between interrupt and control transfers
  *
  * This is data entry for lower layers.
+ * Legacy, please use hid_safe_input_report() instead.
  */
 int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
 		     int interrupt)
@@ -2156,6 +2157,30 @@ int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data
 }
 EXPORT_SYMBOL_GPL(hid_input_report);
 
+/**
+ * hid_safe_input_report - report data from lower layer (usb, bt...)
+ *
+ * @hid: hid device
+ * @type: HID report type (HID_*_REPORT)
+ * @data: report contents
+ * @bufsize: allocated size of the data buffer
+ * @size: useful size of data parameter
+ * @interrupt: distinguish between interrupt and control transfers
+ *
+ * This is data entry for lower layers.
+ * Please use this function instead of the non safe version because we provide
+ * here the size of the buffer, allowing hid-core to make smarter decisions
+ * regarding the incoming buffer.
+ */
+int hid_safe_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data,
+			  size_t bufsize, u32 size, int interrupt)
+{
+	return __hid_input_report(hid, type, data, bufsize, size, interrupt, 0,
+				  false, /* from_bpf */
+				  false /* lock_already_taken */);
+}
+EXPORT_SYMBOL_GPL(hid_safe_input_report);
+
 bool hid_match_one_id(const struct hid_device *hdev,
 		      const struct hid_device_id *id)
 {
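Review bot: hid_safe_input_report() forwards `bufsize` and `size` to __hid_input_report() without any relation check between them, yet the kernel-doc describes `bufsize` as the allocated size and `size` as the useful size, so `size > bufsize` is always a caller bug. A `WARN_ON_ONCE(size > bufsize)` (or clamping `size` to `bufsize`) at the top of the wrapper would catch a transport layer passing the two arguments in the wrong order, which is easy to do given that they are adjacent integer parameters of different widths (`size_t` vs `u32`). Also, "non safe" in the comment should be hyphenated as "non-safe".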
diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
index cf8ae0df0cda95..8ce0535fc42d60 100644
--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -568,9 +568,10 @@ static void i2c_hid_get_input(struct i2c_hid *ihid)
 		if (ihid->hid->group != HID_GROUP_RMI)
 			pm_wakeup_event(&ihid->client->dev, 0);
 
-		hid_input_report(ihid->hid, HID_INPUT_REPORT,
-				ihid->inbuf + sizeof(__le16),
-				ret_size - sizeof(__le16), 1);
+		hid_safe_input_report(ihid->hid, HID_INPUT_REPORT,
+				      ihid->inbuf + sizeof(__le16),
+				      ihid->bufsize - sizeof(__le16),
+				      ret_size - sizeof(__le16), 1);
 	}
 
 	return;
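Review bot: both new arguments subtract `sizeof(__le16)` from `ihid->bufsize` and `ret_size`, and the subtraction is done in unsigned arithmetic; the hunk does not show the guard that `ret_size >= sizeof(__le16)`, so please confirm the check above this hunk still rejects short reads, otherwise `ret_size - sizeof(__le16)` would wrap and the new `bufsize` bound is the only thing standing between that and an over-read. Since `ihid->bufsize` is the allocation size it never underflows here, which is the property this patch relies on.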
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index f14b46ce00cb67..336ad7cf3d484e 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -283,9 +283,9 @@ static void hid_irq_in(struct urb *urb)
 			break;
 		usbhid_mark_busy(usbhid);
 		if (!test_bit(HID_RESUME_RUNNING, &usbhid->iofl)) {
-			hid_input_report(urb->context, HID_INPUT_REPORT,
-					 urb->transfer_buffer,
-					 urb->actual_length, 1);
+			hid_safe_input_report(urb->context, HID_INPUT_REPORT,
+					      urb->transfer_buffer, urb->transfer_buffer_length,
+					      urb->actual_length, 1);
 			/*
 			 * autosuspend refused while keys are pressed
 			 * because most keyboards don't wake up when
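Review bot: `urb->transfer_buffer_length` is the allocated length and `urb->actual_length` the received length, so the argument order matches the new prototype (`bufsize` before `size`); the continuation lines here are aligned with the opening parenthesis, which the hid_ctrl hunk below in the same file does not do, so the two call sites should use one style.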
@@ -482,9 +482,10 @@ static void hid_ctrl(struct urb *urb)
 	switch (status) {
 	case 0:			/* success */
 		if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_IN)
-			hid_input_report(urb->context,
+			hid_safe_input_report(urb->context,
 				usbhid->ctrl[usbhid->ctrltail].report->type,
-				urb->transfer_buffer, urb->actual_length, 0);
+				urb->transfer_buffer, urb->transfer_buffer_length,
+				urb->actual_length, 0);
 		break;
 	case -ESHUTDOWN:	/* unplug */
 		unplug = 1;
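Review bot: the continuation lines of the hid_safe_input_report() call are indented with bare tabs rather than aligned to the opening parenthesis as in the hid_irq_in() hunk above; while touching these lines anyway, align them the same way. On the logic side this is the control-transfer IN path, where `urb->transfer_buffer_length` was sized from the report length at submit time, so passing it as `bufsize` is exactly the allocation bound hid-core needs.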
diff --git a/include/linux/hid.h b/include/linux/hid.h
index fdd401e4ebde3d..7d05b1edacd80c 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -949,6 +949,8 @@ struct hid_field *hid_find_field(struct hid_device *hdev, unsigned int report_ty
 int hid_set_field(struct hid_field *, unsigned, __s32);
 int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size,
 		     int interrupt);
+int hid_safe_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data,
+			  size_t bufsize, u32 size, int interrupt);
 struct hid_field *hidinput_get_led_field(struct hid_device *hid);
 unsigned int hidinput_count_leds(struct hid_device *hid);
 __s32 hidinput_calc_abs_res(const struct hid_field *field, __u16 code);
-- 
2.53.0



pu, ZCR_EL2, p->regval);
 
-	vq = SYS_FIELD_GET(ZCR_ELx, LEN, p->regval) + 1;
-	vq = min(vq, vcpu_sve_max_vq(vcpu));
-	__vcpu_assign_sys_reg(vcpu, ZCR_EL2, vq - 1);
 	return true;
 }
 



^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 127/315] smb: client: fix uninitialized variable in smb2_writev_callback
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 126/315] auxdisplay: line-display: fix OOB read on zero-length message_store() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 128/315] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Howells, Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <stfrench@microsoft.com>

commit 9d2491197a00acf8c423512078458c2855102b66 upstream.

Compiling with W=2 pointed out that "written may be used uninitialized".

Fixes: 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref")
Cc: stable@vger.kernel.org
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/client/smb2pdu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -4837,7 +4837,7 @@ smb2_writev_callback(struct mid_q_entry
 	unsigned int rreq_debug_id = wdata->rreq->debug_id;
 	unsigned int subreq_debug_index = wdata->subreq.debug_index;
 	ssize_t result = 0;
-	size_t written;
+	size_t written = 0;
 
 	WARN_ONCE(wdata->server != mid->server,
 		  "wdata server %p != mid server %p",
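Review bot: initializing `written = 0` silences -Wmaybe-uninitialized, but the hunk shows only the declaration, not the paths on which `written` was left unassigned; please confirm that on those paths (error completions, presumably) the value is either unused or that reporting 0 bytes written is the intended result, so the initializer is not masking a missing assignment.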



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 117/307] HID: core: Fix size_t specifier in hid_report_raw_event()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 116/307] HID: core: introduce hid_safe_input_report() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 118/307] drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Miguel Ojeda, Nathan Chancellor,
	Linus Torvalds, Lee Jones, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 ]

When building for 32-bit platforms, for which 'size_t' is
'unsigned int', there are warnings around using the incorrect format
specifier to print bsize in hid_report_raw_event():

  drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
   2053 |                 hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
        |                                                                                         ~~~
        |                                                                                         %zu
   2054 |                                      report->id, csize, bsize);
        |                                                         ^~~~~
  drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
   2075 |                 hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
        |                                                                                          ~~~
        |                                                                                          %zu
   2076 |                                      report->id, rsize, bsize);
        |                                                         ^~~~~

Use the proper 'size_t' format specifier, '%zu', to clear up the
warnings.

Cc: stable@vger.kernel.org
Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Reported-by: Miguel Ojeda <ojeda@kernel.org>
Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 3ab135238832446399614e7a4bb796d620717806)
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index d9ea99cdb68e06..87d990ada8688a 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2015,7 +2015,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 		return 0;
 
 	if (unlikely(bsize < csize)) {
-		hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+		hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n",
 				     report->id, csize, bsize);
 		return -EINVAL;
 	}
@@ -2037,7 +2037,7 @@ int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *
 		rsize = max_buffer_size;
 
 	if (bsize < rsize) {
-		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+		hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
 				     report->id, rsize, bsize);
 		return -EINVAL;
 	}
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 128/315] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 127/315] smb: client: fix uninitialized variable in smb2_writev_callback Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 129/315] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 8c8e620467a7b51562dbcefbd1f09f288d7d710d upstream.

l2cap_chan_close() removes the channel from conn->chan_l, which
must be done under conn->lock.  cleanup_listen() runs under the
parent sk_lock, so acquiring conn->lock would invert the
established conn->lock -> chan->lock -> sk_lock order.

Instead of calling l2cap_chan_close() directly, schedule
l2cap_chan_timeout with delay 0 to close the channel
asynchronously.  The timeout handler already acquires conn->lock
and chan->lock in the correct order.

The timer is only armed when chan->conn is still set: if it is
already NULL, l2cap_conn_del() has already processed this channel
(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),
so there is nothing left to do.  If l2cap_conn_del() races in
after the timer is armed, __clear_chan_timer() inside
l2cap_chan_del() cancels it; if the timer has already fired, the
handler returns harmlessly because chan->conn was cleared.

Fixes: 3df91ea20e74 ("Bluetooth: Revert to mutexes from RCU list")
Cc: <stable@vger.kernel.org> # 0b58004: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1481,6 +1481,10 @@ static void l2cap_sock_cleanup_listen(st
 	 * pin it (hold_unless_zero() additionally skips a chan already past
 	 * its last reference).  We then drop the sk lock before taking
 	 * chan->lock, so sk and chan locks are never held together.
+	 *
+	 * Since we cannot call l2cap_chan_close() without conn->lock,
+	 * schedule l2cap_chan_timeout to close the channel; it already
+	 * acquires conn->lock -> chan->lock in the correct order.
 	 */
 	while ((sk = bt_accept_dequeue(parent, NULL))) {
 		struct l2cap_chan *chan;
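Review bot: the explanation added to this block comment ("Since we cannot call l2cap_chan_close() without conn->lock, schedule l2cap_chan_timeout ...") is repeated almost verbatim inside the loop in the next hunk; keep the rationale once, preferably here where the locking order is already discussed, and leave the in-loop comment to the one-line "schedule the timer to close the channel".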
@@ -1498,14 +1502,12 @@ static void l2cap_sock_cleanup_listen(st
 		       state_to_string(chan->state));
 
 		l2cap_chan_lock(chan);
-		__clear_chan_timer(chan);
-		l2cap_chan_close(chan, ECONNRESET);
-		/* l2cap_conn_del() may already have killed this socket
-		 * (it sets SOCK_DEAD); skip the duplicate to avoid a
-		 * double sock_put()/l2cap_chan_put().
+		/* Since we cannot call l2cap_chan_close() without
+		 * conn->lock, schedule its timer to trigger the close
+		 * and cleanup of this channel.
 		 */
-		if (!sock_flag(sk, SOCK_DEAD))
-			l2cap_sock_kill(sk);
+		if (chan->conn)
+			__set_chan_timer(chan, 0);
 		l2cap_chan_unlock(chan);
 
 		l2cap_chan_put(chan);
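Review bot: this hunk drops the explicit `l2cap_sock_kill(sk)` together with the SOCK_DEAD check, so the socket obtained from bt_accept_dequeue() is now released by whichever path runs later (the timer handler or l2cap_conn_del()); the lines after `l2cap_chan_put(chan)` are not in the hunk, so please confirm that the `sk` reference this loop holds is still dropped on every iteration, including the `!chan->conn` case where no timer is armed. The `chan->conn` test itself is made under `chan->lock`, which is the lock l2cap_chan_del() holds when it clears the pointer, so the check is not racy against that path.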



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 118/307] drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 117/307] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 119/307] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit fbceb39b536e40c2f7cc47ab42037bb7c2b7ced9 upstream.

eDP specification says:

"If either VSC SDP is unable to be transmitted 100 ns before the SU region,
the Source device may optionally transmit the VSC SDP during the prior
video scan line's HBlank period. There is an Intel specific drm dp register
currently containing bits related to how TCON can support PSR2 with SDP on
prior line."

Unfortunately many panels have problems implementing this. So there is
a custom Intel specific DPCD register (INTEL_WA_REGISTER_CAPS) to figure
out whether this is properly implemented on a panel, or whether the panel
doesn't require that 100 ns delay before the SU region. Here are the
definitions in this custom DPCD address:

0 = Panel doesn't support SDP on prior line
1 = Panel supports SDP on prior line
2 = Panel doesn't have 100ns requirement
3 = Reserved

Add definitions for this new register and its values into the new header
intel_dpcd.h.

v2: add INTEL_DPCD_ prefix to definitions

Bspec: 74741
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-2-jouni.hogander@intel.com
(cherry picked from commit 1da1c9294825f08f622c473480d185680c2a3b75)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_dpcd.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 drivers/gpu/drm/i915/display/intel_dpcd.h

diff --git a/drivers/gpu/drm/i915/display/intel_dpcd.h b/drivers/gpu/drm/i915/display/intel_dpcd.h
new file mode 100644
index 00000000000000..4aea5326f2ed48
--- /dev/null
+++ b/drivers/gpu/drm/i915/display/intel_dpcd.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: MIT */
+/*
+ * Copyright © 2026 Intel Corporation
+ */
+
+#ifndef __INTEL_DPCD_H__
+#define __INTEL_DPCD_H__
+
+#define INTEL_DPCD_INTEL_WA_REGISTER_CAPS					0x3f0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK	REG_GENMASK(1, 0)
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1			0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE		1
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE		2
+
+#endif /* __INTEL_DPCD_H__ */
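Review bot: the new header uses `REG_GENMASK()` but includes nothing that defines it, so it only compiles when the including .c file happens to have pulled in the register-definition header first; add the include that provides `REG_GENMASK` so intel_dpcd.h is self-contained. Also, value 3 is documented in the commit message as "Reserved" but gets no define; a `_RESERVED 3` entry would let the consumer handle it explicitly instead of through a default case.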
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 129/315] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 128/315] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 130/315] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 upstream.

__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold()
before scheduling the delayed work.  The normal path in
l2cap_chan_timeout() drops this reference with l2cap_chan_put() at the
end, but the early return when chan->conn is NULL skips the put,
leaking the reference.

Add the missing l2cap_chan_put() before the early return.

Fixes: adf0398cee86 ("Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_core.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -411,8 +411,10 @@ static void l2cap_chan_timeout(struct wo
 
 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
 
-	if (!conn)
+	if (!conn) {
+		l2cap_chan_put(chan);
 		return;
+	}
 
 	mutex_lock(&conn->lock);
 	/* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
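Review bot: the added `l2cap_chan_put(chan)` balances the hold taken in __set_chan_timer() on the `!conn` path, but the function now has two separate put sites (this one and the one at the end); routing the early exit through a single `out:` label that does the put would keep the next early return from reintroducing the same leak.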



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 119/307] drm/i915/psr: Read Intel DPCD workaround register
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 118/307] drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 120/307] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit f30bece421a4ae34359254e1dc2a187a42b6af9b upstream.

Read Intel DPCD workaround register and store it into
intel_connector->dp.psr_caps. psr_caps was chosen as currently it contains
only PSR workaround for PSR2 SDP on prior scanline implementation.

Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-3-jouni.hogander@intel.com
(cherry picked from commit c48ff24d0f4ab7ad696b2d35ad64ce7e049c668c)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_display_types.h | 1 +
 drivers/gpu/drm/i915/display/intel_psr.c           | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h
index 2039c17a9ee787..992945b37190e6 100644
--- a/drivers/gpu/drm/i915/display/intel_display_types.h
+++ b/drivers/gpu/drm/i915/display/intel_display_types.h
@@ -1773,6 +1773,7 @@ struct intel_dp {
 	u8 lttpr_common_caps[DP_LTTPR_COMMON_CAP_SIZE];
 	u8 lttpr_phy_caps[DP_MAX_LTTPR_COUNT][DP_LTTPR_PHY_CAP_SIZE];
 	u8 pcon_dsc_dpcd[DP_PCON_DSC_ENCODER_CAP_SIZE];
+	u8 intel_wa_dpcd;
 	/* source rates */
 	int num_source_rates;
 	const int *source_rates;
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index 2a7f379c59fefd..9c38b957701675 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -35,6 +35,7 @@
 #include "intel_de.h"
 #include "intel_display_types.h"
 #include "intel_dp.h"
+#include "intel_dpcd.h"
 #include "intel_dp_aux.h"
 #include "intel_frontbuffer.h"
 #include "intel_hdmi.h"
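Review bot: the include list is kept sorted and `intel_dpcd.h` is inserted between `intel_dp.h` and `intel_dp_aux.h`; in ASCII order `_` sorts before `c`, so `intel_dp_aux.h` should come first and `intel_dpcd.h` after it.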
@@ -665,6 +666,12 @@ static void _psr_init_dpcd(struct intel_dp *intel_dp)
 		drm_dbg_kms(display->drm, "PSR2 %ssupported\n",
 			    intel_dp->psr.sink_psr2_support ? "" : "not ");
 	}
+
+	if (intel_dp->psr.sink_psr2_support)
+		drm_dp_dpcd_read(&intel_dp->aux,
+				 INTEL_DPCD_INTEL_WA_REGISTER_CAPS,
+				 &intel_dp->intel_wa_dpcd,
+				 sizeof(intel_dp->intel_wa_dpcd));
 }
 
 void intel_psr_init_dpcd(struct intel_dp *intel_dp)
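Review bot: the return value of drm_dp_dpcd_read() is discarded, so an AUX failure leaves `intel_dp->intel_wa_dpcd` at its previous contents (zero on a freshly allocated intel_dp), which the consumer will later interpret as a valid capability value; check the return value and at least `drm_dbg_kms()` the failure, and consider treating a failed read distinctly from "panel reports 0" since the two call for different decisions.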
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 130/315] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 129/315] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 131/315] Bluetooth: ISO: fix UAF in iso_recv_frame Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream.

hidp_input_report() reads keyboard and mouse payload data from an skb
without first verifying that skb->len contains enough data.

hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
to hidp_input_report(). If a paired device sends a truncated packet,
the handler reads beyond the valid skb data, resulting in an
out-of-bounds read of skb data. The OOB bytes may be interpreted as
phantom key presses or spurious mouse movement.

Replace the open-coded length tracking and pointer arithmetic with
skb_pull_data() calls. skb_pull_data() returns NULL if the requested
bytes are not present, eliminating the need for a manual size variable
and the separate skb->len guard.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hidp/core.c |   23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid
 {
 	struct input_dev *dev = session->input;
 	unsigned char *keys = session->keys;
-	unsigned char *udata = skb->data + 1;
-	signed char *sdata = skb->data + 1;
-	int i, size = skb->len - 1;
+	unsigned char *udata;
+	signed char *sdata;
+	u8 *hdr;
+	int i;
+
+	hdr = skb_pull_data(skb, 1);
+	if (!hdr)
+		return;
 
-	switch (skb->data[0]) {
+	switch (*hdr) {
 	case 0x01:	/* Keyboard report */
+		udata = skb_pull_data(skb, 8);
+		if (!udata)
+			break;
+
 		for (i = 0; i < 8; i++)
 			input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
 
@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid
 		break;
 
 	case 0x02:	/* Mouse report */
+		sdata = skb_pull_data(skb, 3);
+		if (!sdata)
+			break;
+
 		input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
 		input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
 		input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid
 		input_report_rel(dev, REL_X, sdata[1]);
 		input_report_rel(dev, REL_Y, sdata[2]);
 
-		if (size > 3)
+		if (skb->len > 0)
 			input_report_rel(dev, REL_WHEEL, sdata[3]);
 		break;
 	}
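Review bot: the wheel check `if (skb->len > 0) ... sdata[3]` indexes one byte past the 3 bytes that were pulled for `sdata`; it is safe only because a positive `skb->len` after the pull means that byte lies within the linear data area. Pulling the optional byte explicitly (`wheel = skb_pull_data(skb, 1); if (wheel) input_report_rel(dev, REL_WHEEL, *(signed char *)wheel);`) would make the bound visible in the code instead of relying on the reader to connect `skb->len` with `sdata[3]`.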



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 120/307] drm/dp: Add eDP 1.5 bit definition
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 119/307] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 121/307] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Suraj Kandpal, Arun R Murthy,
	Ben Kao, Maarten Lankhorst, Jouni Högander, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Suraj Kandpal <suraj.kandpal@intel.com>

commit 5dfc37a6b77bf6beedbd30d70184b54e1a08ccac upstream.

Add the eDP revision bit value for 1.5.

Spec: eDPv1.5 Table 16-5
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Reviewed-by: Arun R Murthy <arun.r.murthy@intel.com>
Tested-by: Ben Kao <ben.kao@intel.com>
Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250206063253.2827017-2-suraj.kandpal@intel.com
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/drm/display/drm_dp.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/drm/display/drm_dp.h b/include/drm/display/drm_dp.h
index 3bd9f482f0c3e6..dd218400a613e3 100644
--- a/include/drm/display/drm_dp.h
+++ b/include/drm/display/drm_dp.h
@@ -997,6 +997,7 @@
 # define DP_EDP_14			    0x03
 # define DP_EDP_14a                         0x04    /* eDP 1.4a */
 # define DP_EDP_14b                         0x05    /* eDP 1.4b */
+# define DP_EDP_15			    0x06    /* eDP 1.5 */
 
 #define DP_EDP_GENERAL_CAP_1		    0x701
 # define DP_EDP_TCON_BACKLIGHT_ADJUSTMENT_CAP		(1 << 0)
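Review bot: the new `DP_EDP_15` line uses a tab before the value like `DP_EDP_14` while the two neighbours it follows (`DP_EDP_14a`, `DP_EDP_14b`) use spaces; pick the style of the adjacent lines so the column stays aligned in the rendered file.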
-- 
2.53.0




^ permalink raw reply related	[flat|nested] 630+ messages in thread

* [PATCH 6.18 131/315] Bluetooth: ISO: fix UAF in iso_recv_frame
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 130/315] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 132/315] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 47f23a259517abbdb8032c057a1e8a6bf3734878 upstream.

iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().

Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.

Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/iso.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -571,7 +571,7 @@ static void iso_recv_frame(struct iso_co
 	struct sock *sk;
 
 	iso_conn_lock(conn);
-	sk = conn->sk;
+	sk = iso_sock_hold(conn);
 	iso_conn_unlock(conn);
 
 	if (!sk)
@@ -580,11 +580,15 @@ static void iso_recv_frame(struct iso_co
 	BT_DBG("sk %p len %d", sk, skb->len);
 
 	if (sk->sk_state != BT_CONNECTED)
-		goto drop;
+		goto drop_put;
 
-	if (!sock_queue_rcv_skb(sk, skb))
+	if (!sock_queue_rcv_skb(sk, skb)) {
+		sock_put(sk);
 		return;
+	}
 
+drop_put:
+	sock_put(sk);
 drop:
 	kfree_skb(skb);
 }
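Review bot: after this change `sock_put(sk)` appears twice (in the `sock_queue_rcv_skb()` success branch and under `drop_put:`), which is easy to get wrong on the next edit; since both outcomes of sock_queue_rcv_skb() now end in a put, restructure as `if (sock_queue_rcv_skb(sk, skb)) kfree_skb(skb); sock_put(sk); return;` and keep the bare `drop:` label only for the `!sk` path. The hold-before-unlock itself is the right fix: the refcount is raised while iso_conn_lock still prevents iso_sock_kill() from clearing `conn->sk`.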



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 121/307] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 120/307] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 122/307] arm64: io: Rename ioremap_prot() to __ioremap_prot() Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
	Tvrtko Ursulin, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit 4703049f768fc1c1caac754134118bee1a3af189 upstream.

There is an Intel specific workaround DPCD address containing a workaround
for the case where the SDP is on the prior line. Apply this workaround
according to the values in that offset.

Fixes: 61e887329e33 ("drm/i915/xelpd: Handle PSR2 SDP indication in the prior scanline")
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-4-jouni.hogander@intel.com
(cherry picked from commit c3fe899fbeac86ea4a5ca9dd845b2cbc0da46249)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_psr.c | 27 +++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index 9c38b957701675..5173f5759ce888 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -1303,6 +1303,30 @@ static bool psr2_granularity_check(struct intel_dp *intel_dp,
 	return true;
 }
 
+static bool apply_scanline_indication_wa(struct intel_dp *intel_dp,
+					 struct intel_crtc_state *crtc_state)
+{
+	u8 early_scanline_support = intel_dp->intel_wa_dpcd &
+		INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK;
+
+	if (intel_dp->edp_dpcd[0] >= DP_EDP_15)
+		return true;
+
+	switch (early_scanline_support)	{
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1:
+		crtc_state->req_psr2_sdp_prior_scanline = false;
+		return false;
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE:
+		return true;
+	case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE:
+		crtc_state->req_psr2_sdp_prior_scanline = false;
+		return true;
+	default:
+		MISSING_CASE(early_scanline_support);
+		return false;
+	}
+}
+
 static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_dp,
 							struct intel_crtc_state *crtc_state)
 {
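Review bot: In the `default:` branch of apply_scanline_indication_wa() the function returns false but leaves crtc_state->req_psr2_sdp_prior_scanline at the true value the caller set just before calling it, whereas the FALL_BACK_TO_PSR1 case clears it before returning false; clearing it in the default branch as well keeps the crtc state consistent with the return value. Two smaller points: the stray tab before the brace in `switch (early_scanline_support)	{` should be a single space, and since the DP_EDP_15 check short-circuits before intel_wa_dpcd is consulted, a panel advertising eDP 1.5 keeps the prior-scanline requirement regardless of the workaround register, which looks intentional given the preceding eDP 1.5 definition patch but deserves a one-line comment.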
@@ -1324,7 +1348,8 @@ static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_d
 		return false;
 
 	crtc_state->req_psr2_sdp_prior_scanline = true;
-	return true;
+
+	return apply_scanline_indication_wa(intel_dp, crtc_state);
 }
 
 static int intel_psr_entry_setup_frames(struct intel_dp *intel_dp,
-- 
2.53.0





* [PATCH 6.12 122/307] arm64: io: Rename ioremap_prot() to __ioremap_prot()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 121/307] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 123/307] arm64: io: Extract user memory type in ioremap_prot() Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zeng Heng, Jinjiang Tu,
	Catalin Marinas, Will Deacon, Xiangyu Chen, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will@kernel.org>

commit f6bf47ab32e0863df50f5501d207dcdddb7fc507 upstream.

Rename our ioremap_prot() implementation to __ioremap_prot() and convert
all arch-internal callers over to the new function.

ioremap_prot() remains as a #define to __ioremap_prot() for
generic_access_phys() and will be subsequently extended to handle user
permissions in 'prot'.

Cc: Zeng Heng <zengheng4@huawei.com>
Cc: Jinjiang Tu <tujinjiang@huawei.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/io.h | 7 ++++---
 arch/arm64/kernel/acpi.c    | 2 +-
 arch/arm64/mm/ioremap.c     | 7 +++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h
index 1ada23a6ec1900..e6ad41131d80b4 100644
--- a/arch/arm64/include/asm/io.h
+++ b/arch/arm64/include/asm/io.h
@@ -274,15 +274,16 @@ __iowrite64_copy(void __iomem *to, const void *from, size_t count)
 typedef int (*ioremap_prot_hook_t)(phys_addr_t phys_addr, size_t size,
 				   pgprot_t *prot);
 int arm64_ioremap_prot_hook_register(const ioremap_prot_hook_t hook);
+void __iomem *__ioremap_prot(phys_addr_t phys, size_t size, pgprot_t prot);
 
 #define ioremap_prot ioremap_prot
 
 #define _PAGE_IOREMAP PROT_DEVICE_nGnRE
 
 #define ioremap_wc(addr, size)	\
-	ioremap_prot((addr), (size), PROT_NORMAL_NC)
+	__ioremap_prot((addr), (size), __pgprot(PROT_NORMAL_NC))
 #define ioremap_np(addr, size)	\
-	ioremap_prot((addr), (size), PROT_DEVICE_nGnRnE)
+	__ioremap_prot((addr), (size), __pgprot(PROT_DEVICE_nGnRnE))
 
 /*
  * io{read,write}{16,32,64}be() macros
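Review bot: The commit message says ioremap_prot() "remains as a #define to __ioremap_prot() for generic_access_phys()", but this hunk keeps `#define ioremap_prot ioremap_prot` unchanged and adds no alias or declaration for ioremap_prot() after the implementation is renamed, so at this point in the series arm64 has no ioremap_prot() for generic_access_phys() to call; the real definition only arrives in the following patch (123/307). Either add `#define ioremap_prot __ioremap_prot` here, as the message describes, or note in the backport that the two patches must be applied together for bisectability.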
@@ -303,7 +304,7 @@ static inline void __iomem *ioremap_cache(phys_addr_t addr, size_t size)
 	if (pfn_is_map_memory(__phys_to_pfn(addr)))
 		return (void __iomem *)__phys_to_virt(addr);
 
-	return ioremap_prot(addr, size, PROT_NORMAL);
+	return __ioremap_prot(addr, size, __pgprot(PROT_NORMAL));
 }
 
 /*
diff --git a/arch/arm64/kernel/acpi.c b/arch/arm64/kernel/acpi.c
index e6f66491fbe932..a99476819e6b2d 100644
--- a/arch/arm64/kernel/acpi.c
+++ b/arch/arm64/kernel/acpi.c
@@ -379,7 +379,7 @@ void __iomem *acpi_os_ioremap(acpi_physical_address phys, acpi_size size)
 				prot = __acpi_get_writethrough_mem_attribute();
 		}
 	}
-	return ioremap_prot(phys, size, pgprot_val(prot));
+	return __ioremap_prot(phys, size, prot);
 }
 
 /*
diff --git a/arch/arm64/mm/ioremap.c b/arch/arm64/mm/ioremap.c
index 6cc0b7e7eb0384..1e4794a2af7d63 100644
--- a/arch/arm64/mm/ioremap.c
+++ b/arch/arm64/mm/ioremap.c
@@ -14,11 +14,10 @@ int arm64_ioremap_prot_hook_register(ioremap_prot_hook_t hook)
 	return 0;
 }
 
-void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size,
-			   unsigned long prot)
+void __iomem *__ioremap_prot(phys_addr_t phys_addr, size_t size,
+			     pgprot_t pgprot)
 {
 	unsigned long last_addr = phys_addr + size - 1;
-	pgprot_t pgprot = __pgprot(prot);
 
 	/* Don't allow outside PHYS_MASK */
 	if (last_addr & ~PHYS_MASK)
@@ -39,7 +38,7 @@ void __iomem *ioremap_prot(phys_addr_t phys_addr, size_t size,
 
 	return generic_ioremap_prot(phys_addr, size, pgprot);
 }
-EXPORT_SYMBOL(ioremap_prot);
+EXPORT_SYMBOL(__ioremap_prot);
 
 /*
  * Must be called after early_fixmap_init
-- 
2.53.0





* [PATCH 6.18 132/315] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 131/315] Bluetooth: ISO: fix UAF in iso_recv_frame Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 133/315] Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 4b5f8e608749b7e8fa386c6e4301cf9272595859 upstream.

iso_sock_close() calls iso_sock_clear_timer() before acquiring
lock_sock(sk).

iso_sock_clear_timer() reads iso_pi(sk)->conn twice without the
socket lock held:

    if (!iso_pi(sk)->conn)
        return;
    cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);

Concurrently, iso_conn_del() executes under lock_sock(sk) and calls
iso_chan_del(), which sets iso_pi(sk)->conn to NULL and may result in
the final reference to the connection being dropped:

    CPU0                         CPU1
    ----                         ----
    iso_sock_clear_timer()
      if (conn != NULL) ...      lock_sock(sk)
                                   iso_chan_del()
                                   iso_pi(sk)->conn = NULL
      cancel_delayed_work(conn)  /* NULL deref or UAF */

iso_pi(sk)->conn is not stable across the unlock window, causing a
NULL pointer dereference or use-after-free.

Serialize iso_sock_clear_timer() with the socket lock by moving it
inside lock_sock()/release_sock(), matching the pattern used in
iso_conn_del() and all other call sites.

Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/iso.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -854,8 +854,8 @@ static void __iso_sock_close(struct sock
 /* Must be called on unlocked socket. */
 static void iso_sock_close(struct sock *sk)
 {
-	iso_sock_clear_timer(sk);
 	lock_sock(sk);
+	iso_sock_clear_timer(sk);
 	__iso_sock_close(sk);
 	release_sock(sk);
 	iso_sock_kill(sk);
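Review bot: Moving iso_sock_clear_timer() under lock_sock(sk) closes the window shown in the message, and the "Must be called on unlocked socket" comment stays accurate because the lock is taken inside the function. One thing to keep in mind is that this only stays deadlock-free because iso_sock_clear_timer() uses cancel_delayed_work(), which does not wait for a running handler; if it were ever changed to the _sync variant while the timeout handler takes lock_sock(sk), this call site would deadlock.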




* [PATCH 6.18 133/315] Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 132/315] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 134/315] Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Pavitra Jha, Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pavitra Jha <jhapavitra98@gmail.com>

commit bfa9d28960ed677d556bdf097073bc3129686229 upstream.

hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but
returns 0 without freeing it when neither pa_sync_term nor big_sync_term
flags are set after evaluating the PA and BIG sync connection state.

This early-return path was introduced when hci_le_big_terminate() was
refactored to take struct hci_conn instead of raw u8 parameters, adding
PA/BIG flag evaluation logic. The existing kfree() on hci_cmd_sync_queue
failure does not cover this path.

Fixes: a7bcffc673de ("Bluetooth: Add PA_LINK to distinguish BIG sync and PA sync connections")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_conn.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -803,8 +803,10 @@ static int hci_le_big_terminate(struct h
 			d->big_sync_term = true;
 	}
 
-	if (!d->pa_sync_term && !d->big_sync_term)
+	if (!d->pa_sync_term && !d->big_sync_term) {
+		kfree(d);
 		return 0;
+	}
 
 	ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
 				 terminate_big_destroy);




* [PATCH 6.12 123/307] arm64: io: Extract user memory type in ioremap_prot()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 122/307] arm64: io: Rename ioremap_prot() to __ioremap_prot() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 124/307] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zeng Heng, Jinjiang Tu,
	Catalin Marinas, Will Deacon, Xiangyu Chen, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will@kernel.org>

[ Upstream commit 8f098037139b294050053123ab2bc0f819d08932 ]

The only caller of ioremap_prot() outside of the generic ioremap()
implementation is generic_access_phys(), which passes a 'pgprot_t' value
determined from the user mapping of the target 'pfn' being accessed by
the kernel. On arm64, the 'pgprot_t' contains all of the non-address
bits from the pte, including the permission controls, and so we end up
returning a new user mapping from ioremap_prot() which faults when
accessed from the kernel on systems with PAN:

  | Unable to handle kernel read from unreadable memory at virtual address ffff80008ea89000
  | ...
  | Call trace:
  |   __memcpy_fromio+0x80/0xf8
  |   generic_access_phys+0x20c/0x2b8
  |   __access_remote_vm+0x46c/0x5b8
  |   access_remote_vm+0x18/0x30
  |   environ_read+0x238/0x3e8
  |   vfs_read+0xe4/0x2b0
  |   ksys_read+0xcc/0x178
  |   __arm64_sys_read+0x4c/0x68

Extract only the memory type from the user 'pgprot_t' in ioremap_prot()
and assert that we're being passed a user mapping, to protect us against
any changes in future that may require additional handling. To avoid
falsely flagging users of ioremap(), provide our own ioremap() macro
which simply wraps __ioremap_prot().

Cc: Zeng Heng <zengheng4@huawei.com>
Cc: Jinjiang Tu <tujinjiang@huawei.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Fixes: 893dea9ccd08 ("arm64: Add HAVE_IOREMAP_PROT support")
Reported-by: Jinjiang Tu <tujinjiang@huawei.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
[ Modified ioremap_prot() parameter, using "unsigned long user_prot" instead of
"pgprot_t user_prot" to fix conflict with generic header ]
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/include/asm/io.h | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h
index e6ad41131d80b4..46bd37707e080e 100644
--- a/arch/arm64/include/asm/io.h
+++ b/arch/arm64/include/asm/io.h
@@ -276,10 +276,23 @@ typedef int (*ioremap_prot_hook_t)(phys_addr_t phys_addr, size_t size,
 int arm64_ioremap_prot_hook_register(const ioremap_prot_hook_t hook);
 void __iomem *__ioremap_prot(phys_addr_t phys, size_t size, pgprot_t prot);
 
-#define ioremap_prot ioremap_prot
+static inline void __iomem *ioremap_prot(phys_addr_t phys, size_t size,
+					 unsigned long user_prot)
+{
+	pgprot_t prot;
+	pteval_t user_prot_val = pgprot_val(__pgprot(user_prot));
+
+	if (WARN_ON_ONCE(!(user_prot_val & PTE_USER)))
+		return NULL;
 
-#define _PAGE_IOREMAP PROT_DEVICE_nGnRE
+	prot = __pgprot_modify(PAGE_KERNEL, PTE_ATTRINDX_MASK,
+			       user_prot_val & PTE_ATTRINDX_MASK);
+	return __ioremap_prot(phys, size, prot);
+}
+#define ioremap_prot ioremap_prot
 
+#define ioremap(addr, size)	\
+	__ioremap_prot((addr), (size), __pgprot(PROT_DEVICE_nGnRE))
 #define ioremap_wc(addr, size)	\
 	__ioremap_prot((addr), (size), __pgprot(PROT_NORMAL_NC))
 #define ioremap_np(addr, size)	\
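Review bot: `pgprot_val(__pgprot(user_prot))` is a round trip that yields user_prot itself, so in this backport `pteval_t user_prot_val = user_prot;` says the same thing more directly. The WARN_ON_ONCE path returns NULL, so generic_access_phys(), the only caller named in the message, must cope with a NULL return from ioremap_prot() on 6.12; worth confirming. Finally, the new ioremap() macro only takes effect if it is visible before asm-generic/io.h provides its default, and the hunk does not show where that include sits relative to these lines.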
-- 
2.53.0





* [PATCH 6.18 134/315] Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 133/315] Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 135/315] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Shuai Zhang,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>

commit fa21e86caba2347e89eb65af926205a36a097c53 upstream.

When bt_en is pulled high by hardware, the host does not re-download
the firmware after SSR. The controller loads the rampatch and NVM
internally.

On HMT chip, the rampatch is ~264 KB and the NVM is ~9.4 KB. The
loading process takes approximately 70 ms. The previous 50 ms delay is
too short, causing the controller to not respond to the reset command
sent by the host, which leads to BT initialization failure:

 Bluetooth: hci0: QCA memdump Done, received 458752, total 458752
 Bluetooth: hci0: mem_dump_status: 2
 Bluetooth: hci0: Opcode 0x0c03 failed: -110

Increase the delay to 100 ms, which was confirmed as a safe value by
the controller, to ensure the controller has finished loading the
firmware before the host sends commands.

Steps to reproduce:
1. Trigger SSR and wait for SSR to complete:
   hcitool cmd 0x3f 0c 26
2. Run "bluetoothctl power on" and observe that BT fails to start.

Fixes: fce1a9244a0f ("Bluetooth: hci_qca: Fix SSR (SubSystem Restart) fail when BT_EN is pulled up by hw")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1676,8 +1676,8 @@ static void qca_hw_error(struct hci_dev
 		mod_timer(&qca->tx_idle_timer, jiffies +
 				  msecs_to_jiffies(qca->tx_idle_delay));
 
-		/* Controller reset completion time is 50ms */
-		msleep(50);
+		/* Wait for the controller to load the rampatch and NVM. */
+		msleep(100);
 
 		clear_bit(QCA_SSR_TRIGGERED, &qca->flags);
 		clear_bit(QCA_IBS_DISABLED, &qca->flags);
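Review bot: The replacement comment drops the timing rationale that the old one at least hinted at; since 100 is a tuned value, stating in the comment that rampatch plus NVM loading takes roughly 70 ms and that 100 ms was confirmed safe (or naming the constant) keeps the reasoning next to the magic number rather than only in the commit message.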




* [PATCH 6.12 124/307] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 123/307] arm64: io: Extract user memory type in ioremap_prot() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 125/307] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Horatiu Vultur <horatiu.vultur@microchip.com>

[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ]

As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exist only as rev B,
we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY.
Because of this change there is no need to check if it is a
different revision than rev B in the function vsc8584_probe(), as we
already know that this will never happen.
These changes are a preparation for the next patch, because in that patch
we will make the PHYs VSC8574 and VSC8572 use vsc8584_probe() and
these PHYs have multiple revisions.

Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/mscc/mscc.h      |  8 ++++----
 drivers/net/phy/mscc/mscc_main.c | 23 ++++-------------------
 2 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index 2bfe314ef881c3..105191c43a2c2a 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -286,12 +286,12 @@ enum rgmii_clock_delay {
 #define PHY_ID_VSC8540			  0x00070760
 #define PHY_ID_VSC8541			  0x00070770
 #define PHY_ID_VSC8552			  0x000704e0
-#define PHY_ID_VSC856X			  0x000707e0
+#define PHY_ID_VSC856X			  0x000707e1
 #define PHY_ID_VSC8572			  0x000704d0
 #define PHY_ID_VSC8574			  0x000704a0
-#define PHY_ID_VSC8575			  0x000707d0
-#define PHY_ID_VSC8582			  0x000707b0
-#define PHY_ID_VSC8584			  0x000707c0
+#define PHY_ID_VSC8575			  0x000707d1
+#define PHY_ID_VSC8582			  0x000707b1
+#define PHY_ID_VSC8584			  0x000707c1
 #define PHY_VENDOR_MSCC			0x00070400
 
 #define MSCC_VDDMAC_1500		  1500
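Review bot: The low nibble of these four IDs now encodes the silicon revision (1 = rev B), which is not obvious from the bare hex values next to neighbours that keep a 0 low nibble and rely on a 0xfffffff0 mask; a short comment on these lines, or a revision constant ORed into the value, would document why they differ.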
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index a8e587dd96c5cb..7297dea1602734 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -1724,12 +1724,6 @@ static int vsc8584_config_init(struct phy_device *phydev)
 	 * in this pre-init function.
 	 */
 	if (phy_package_init_once(phydev)) {
-		/* The following switch statement assumes that the lowest
-		 * nibble of the phy_id_mask is always 0. This works because
-		 * the lowest nibble of the PHY_ID's below are also 0.
-		 */
-		WARN_ON(phydev->drv->phy_id_mask & 0xf);
-
 		switch (phydev->phy_id & phydev->drv->phy_id_mask) {
 		case PHY_ID_VSC8504:
 		case PHY_ID_VSC8552:
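Review bot: Dropping the WARN_ON is only correct because the case labels stay consistent with `phy_id & phy_id_mask` under mixed masks: for the PHY_ID_MATCH_EXACT drivers the mask is all ones and the labels carry the revision nibble, for the others the mask still clears it. A one-line comment in place of the removed one would spare the next reader from re-deriving that.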
@@ -2268,11 +2262,6 @@ static int vsc8584_probe(struct phy_device *phydev)
 	   VSC8531_DUPLEX_COLLISION};
 	int ret;
 
-	if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) {
-		dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n");
-		return -ENOTSUPP;
-	}
-
 	vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL);
 	if (!vsc8531)
 		return -ENOMEM;
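Review bot: With this check gone, MSCC_DEV_REV_MASK and VSC8584_REVB may have no remaining users in this file; the message says the next patch routes the multi-revision VSC8574/VSC8572 through vsc8584_probe(), so if those defines are not reused there they should be removed rather than left dangling.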
@@ -2559,9 +2548,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC856X,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC856X),
 	.name		= "Microsemi GE VSC856X SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2633,9 +2621,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC8575,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8575),
 	.name		= "Microsemi GE VSC8575 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2657,9 +2644,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC8582,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8582),
 	.name		= "Microsemi GE VSC8582 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
@@ -2681,9 +2667,8 @@ static struct phy_driver vsc85xx_driver[] = {
 	.get_stats      = &vsc85xx_get_stats,
 },
 {
-	.phy_id		= PHY_ID_VSC8584,
+	PHY_ID_MATCH_EXACT(PHY_ID_VSC8584),
 	.name		= "Microsemi GE VSC8584 SyncE",
-	.phy_id_mask	= 0xfffffff0,
 	/* PHY_GBIT_FEATURES */
 	.soft_reset	= &genphy_soft_reset,
 	.config_init    = &vsc8584_config_init,
-- 
2.53.0





* [PATCH 6.12 125/307] batman-adv: tt: prevent TVLV entry number overflow
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 124/307] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 126/307] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 99d9958fa10fb684b2a8e2c48a8d704122721420 upstream.

The helpers to prepare the buffers for the local and global TT based
replies are trying to sum up all TT entries which can be found for each
VLAN. In theory, this sum can be too big for an u16 and therefore overflow.
A too small buffer would then be allocated for the TVLV.

The too small buffer will be handled gracefully by
batadv_tt_tvlv_generate() and is not causing a buffer overflow - just a
truncated reply. But this overflow shouldn't have happened in the first place,
and the too small buffer should never have been allocated when an overflow was
detected.

Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/translation-table.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 4045ddefc29b47..7041cd69e20070 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -850,11 +850,18 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
 	u16 total_entries = 0;
 	u8 *tt_change_ptr;
 	int vlan_entries;
+	u16 sum_entries;
 
 	spin_lock_bh(&orig_node->vlan_list_lock);
 	hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
 		vlan_entries = atomic_read(&vlan->tt.num_entries);
-		total_entries += vlan_entries;
+
+		if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) {
+			*tt_len = 0;
+			goto out;
+		}
+
+		total_entries = sum_entries;
 		num_vlan++;
 	}
 
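Review bot: The new `goto out` is taken while spin_lock_bh(&orig_node->vlan_list_lock) is held, and the `out:` label is not in the hunk, so please confirm it releases the lock; before this change the loop was only ever left by completing it. `*tt_len = 0` is also the only failure signal to the caller, so callers must treat a zero length as "do not allocate". The check itself is sound: check_add_overflow() with an int addend and a u16 result rejects any vlan_entries that does not fit, which is why vlan_entries must stay int here.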
@@ -941,15 +948,22 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
 	struct batadv_softif_vlan *vlan;
 	size_t change_offset;
 	u16 num_vlan = 0;
-	u16 vlan_entries = 0;
 	u16 total_entries = 0;
 	u16 tvlv_len;
 	u8 *tt_change_ptr;
+	int vlan_entries;
+	u16 sum_entries;
 
 	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
 	hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
 		vlan_entries = atomic_read(&vlan->tt.num_entries);
-		total_entries += vlan_entries;
+
+		if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) {
+			tvlv_len = 0;
+			goto out;
+		}
+
+		total_entries = sum_entries;
 		num_vlan++;
 	}
 
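Review bot: Changing vlan_entries from u16 to int is essential here, not cosmetic: with the old u16 the atomic_read() result was truncated before the addition, so a single VLAN holding more than 65535 entries would have slipped past check_add_overflow() silently. Same question as in the global helper: the `out:` label must drop softif_vlan_list_lock on this new early exit.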
-- 
2.53.0





* [PATCH 6.18 135/315] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 134/315] Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 136/315] Input: xpad - fix out-of-bounds access for Share button Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Doruk Tan Ozturk,
	Luiz Augusto von Dentz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Doruk Tan Ozturk <doruk@0sec.ai>

commit bfea6091e0fffb270c20e74384b660910277eb6c upstream.

hci_le_create_cis_sync() dereferences conn->conn_timeout after releasing
both rcu_read_lock() and hci_dev_lock(hdev).  The conn pointer was
obtained from an RCU-protected iteration over hdev->conn_hash.list and
is not valid once these locks are dropped.  A concurrent disconnect can
free the hci_conn between the unlock and the dereference, causing a
use-after-free read.

The cancellation mechanism in hci_conn_del() cannot prevent this because
hci_le_create_cis_pending() queues hci_create_cis_sync with data=NULL:

    hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);

While hci_conn_del() dequeues with data=conn:

    hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);

Since NULL != conn, the lookup in _hci_cmd_sync_lookup_entry() never
matches, and the pending work item is not cancelled.

Fix this by saving conn->conn_timeout into a local variable while the
locks are still held, so the stale conn pointer is never dereferenced
after unlock.

This is the same class of bug as the one fixed by commit 035c25007c9e
("Bluetooth: hci_sync: Fix UAF on le_read_features_complete") which
addressed the identical pattern in a different function.

This vulnerability was identified using 0sec.ai, an open-source
automated security auditing platform (https://github.com/0sec-labs).

Fixes: c09b80be6ffc ("Bluetooth: hci_conn: Fix not waiting for HCI_EVT_LE_CIS_ESTABLISHED")
Cc: stable@vger.kernel.org
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_sync.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6656,6 +6656,7 @@ int hci_le_create_cis_sync(struct hci_de
 	DEFINE_FLEX(struct hci_cp_le_create_cis, cmd, cis, num_cis, 0x1f);
 	size_t aux_num_cis = 0;
 	struct hci_conn *conn;
+	u16 timeout = 0;
 	u8 cig = BT_ISO_QOS_CIG_UNSET;
 
 	/* The spec allows only one pending LE Create CIS command at a time. If
@@ -6726,6 +6727,7 @@ int hci_le_create_cis_sync(struct hci_de
 		set_bit(HCI_CONN_CREATE_CIS, &conn->flags);
 		cis->acl_handle = cpu_to_le16(conn->parent->handle);
 		cis->cis_handle = cpu_to_le16(conn->handle);
+		timeout = conn->conn_timeout;
 		aux_num_cis++;
 
 		if (aux_num_cis >= cmd->num_cis)
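Review bot: `timeout = conn->conn_timeout` is overwritten on every iteration, so for a command covering several CIS the value handed to __hci_cmd_sync_status_sk() is that of the last conn visited. That mirrors what the old post-loop read of conn->conn_timeout would have seen, but a comment saying so would save the next reader from wondering whether the maximum across the CIS was intended.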
@@ -6745,7 +6747,7 @@ done:
 	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CIS,
 					struct_size(cmd, cis, cmd->num_cis),
 					cmd, HCI_EVT_LE_CIS_ESTABLISHED,
-					conn->conn_timeout, NULL);
+					timeout, NULL);
 }
 
 int hci_le_remove_cig_sync(struct hci_dev *hdev, u8 handle)
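Review bot: timeout stays 0 if the loop matched no connection; the `done:` path should already bail out before issuing HCI_OP_LE_CREATE_CIS when cmd->num_cis is 0, otherwise a zero timeout now reaches __hci_cmd_sync_status_sk() where previously a stale pointer was read. Worth a check that the no-match case cannot reach this call.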




* [PATCH 6.12 126/307] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 125/307] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 127/307] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jonathan Cameron,
	David Lechner, Nuno Sá, Andy Shevchenko, stable

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.

The tagged FIFO path declares iio_buff on the stack with __aligned(8)
but no initializer, but there is a hole in the structure, which will
then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
copied, but the space between that and the timestamp is not
initialized.

Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
but for the tagged path it only added the alignment qualifier and not
the initializer :(

Fix this by just zero-initializing the structure on the stack.

Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
@@ -608,7 +608,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
 	 * must be passed a buffer that is aligned to 8 bytes so
 	 * as to allow insertion of a naturally aligned timestamp.
 	 */
-	u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
+	u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
 	u8 tag;
 	bool reset_ts = false;
 	int i, err, read_len;
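Review bot: the `= { }` initializer is the right fix for the padding leak, but the comment above the declaration still only explains the 8-byte alignment; add a sentence there saying the zero-init is required because only ST_LSM6DSX_SAMPLE_SIZE bytes are written before the naturally aligned timestamp is inserted, so the gap would otherwise reach userspace uninitialised. Without that, a later cleanup could drop the initializer as redundant and quietly reintroduce the leak.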




* [PATCH 6.18 136/315] Input: xpad - fix out-of-bounds access for Share button
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 135/315] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 137/315] parport: Fix race between port and client registration Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 6cdc46b38cf146ce81d4831b6472dbf7731849a2 upstream.

xpadone_process_packet() receives len directly from urb->actual_length
and uses it to index the share-button byte at data[len - 18] or
data[len - 26]. Since both len and data[0] are under the device's
control, a broken controller can send a GIP_CMD_INPUT packet with
actual_length < 18 (e.g. 5 bytes) and reach this code path, causing
accesses beyond the actual array.

Fix this by calculating the offset and checking bounds against the
packet length.

Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: 4ef46367073b ("Input: xpad - fix Share button on Xbox One controllers")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/joystick/xpad.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1110,10 +1110,10 @@ static void xpadone_process_packet(struc
 		input_report_key(dev, BTN_START,  data[4] & BIT(2));
 		input_report_key(dev, BTN_SELECT, data[4] & BIT(3));
 		if (xpad->mapping & MAP_SHARE_BUTTON) {
-			if (xpad->mapping & MAP_SHARE_OFFSET)
-				input_report_key(dev, KEY_RECORD, data[len - 26] & BIT(0));
-			else
-				input_report_key(dev, KEY_RECORD, data[len - 18] & BIT(0));
+			u32 offset = (xpad->mapping & MAP_SHARE_OFFSET) ? 26 : 18;
+
+			if (len >= offset)
+				input_report_key(dev, KEY_RECORD, data[len - offset] & BIT(0));
 		}
 
 		/* buttons A,B,X,Y */
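Review bot: `len >= offset` keeps the index inside the buffer, but when len == offset the code reports data[0], the packet's leading command byte, as the Record key state; if the Share-capable input packets have a known minimum length, `len > offset` (or a check against that length) would be stricter and make the intent clearer. Also worth stating the type of `len` in the changelog: if it is unsigned, the old `len - 18` wrapped to a huge index rather than going negative, which changes what "accesses beyond the actual array" means in practice.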



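An added example, not the xpad driver's code, showing the length-relative indexing problem the patch above fixes and the guarded form. The packet lengths, the command byte at offset 0 and the Share bit position are assumptions made for illustration; only the 18 and 26 byte offsets come from the patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Offsets from the end of the packet, taken from the fix above. */
#define SHARE_OFFSET_DEFAULT	18	/* data[len - 18] */
#define SHARE_OFFSET_ALT	26	/* data[len - 26], MAP_SHARE_OFFSET set */

/*
 * "Before": the index the old code computed with no check. A 5-byte packet
 * yields -13 with int arithmetic, i.e. a read 13 bytes before the URB
 * buffer; had len been size_t it would have wrapped to a huge offset.
 */
static long share_index_unguarded(int len, bool alt_offset)
{
	return (long)len - (alt_offset ? SHARE_OFFSET_ALT : SHARE_OFFSET_DEFAULT);
}

/*
 * "After": compute the offset, then report the key only if the byte lies
 * inside the packet. Returns 1 (pressed), 0 (released) or -EINVAL when the
 * packet cannot carry the byte. The len == offset case is rejected here as
 * well, which is stricter than the patch's `len >= offset`: at that length
 * the index is 0, the command byte, not a button byte (an assumption about
 * the layout, see the lead-in).
 */
static int share_state(const uint8_t *data, size_t len, bool alt_offset)
{
	size_t offset = alt_offset ? SHARE_OFFSET_ALT : SHARE_OFFSET_DEFAULT;

	if (len <= offset)
		return -EINVAL;
	return data[len - offset] & 0x01;
}

/*
 * Constructed packets, not captured from a controller: byte 0 stands in for
 * the GIP command byte, byte 18 of the 36-byte packet carries the Share bit
 * for the default offset (36 - 18 == 18). Lengths are illustrative.
 */
static const uint8_t short_pkt[5]  = { 0x20, 0x00, 0x01, 0x00, 0x00 };
static const uint8_t long_pkt[36]  = { [0] = 0x20, [18] = 0x01 };

static int short_pkt_state(bool alt) { return share_state(short_pkt, sizeof(short_pkt), alt); }
static int long_pkt_state(bool alt)  { return share_state(long_pkt, sizeof(long_pkt), alt); }
```

The unguarded helper is kept only to make the bad index visible; a driver should never compute it, since a 5-byte GIP_CMD_INPUT packet is entirely under the device's control.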

* [PATCH 6.12 127/307] usb: typec: ucsi: ccg: reject firmware images without a : record header
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 126/307] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 128/307] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.

do_flash() locates the first .cyacd record with

	p = strnchr(fw->data, fw->size, ':');
	while (p < eof) {
		s = strnchr(p + 1, eof - p - 1, ':');
		...
	}

If the firmware image contains no ':' byte, strnchr() returns NULL.
NULL compares less than the valid kernel pointer eof, so the loop body
runs and strnchr() is called with p + 1 == (void *)1 and a length of
roughly (unsigned long)eof, causing a wonderful crash.

The not_signed_fw fallthrough earlier in do_flash() and the chip-state
branches in ccg_fw_update_needed() allow an unsigned blob to reach this
loop, so a root user who can place a crafted file under /lib/firmware
and write the do_flash sysfs attribute can trigger the oops.

Bail out with -EINVAL when the initial strnchr() returns NULL.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi_ccg.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
+++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
@@ -1241,6 +1241,11 @@ not_signed_fw:
 	 *****************************************************************/
 
 	p = strnchr(fw->data, fw->size, ':');
+	if (!p) {
+		dev_err(dev, "Bad FW format: no ':' record header found\n");
+		err = -EINVAL;
+		goto release_mem;
+	}
 	while (p < eof) {
 		s = strnchr(p + 1, eof - p - 1, ':');
 
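Review bot: the new check covers only the initial strnchr(); the inner `s = strnchr(p + 1, eof - p - 1, ':');` at the bottom of the hunk can also return NULL for the final record, and the hunk does not show how `s == NULL` is handled before it is used as a record boundary. Confirm the loop body already treats a NULL `s` as eof (or add the same guard there), otherwise an image with exactly one ':' reaches the same NULL comparison one iteration later.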



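An added example, not the ucsi_ccg driver's code: a userspace model of the do_flash() record walk described above, showing what the missing NULL check lets the loop do and the guarded form. strnchr_model() stands in for the kernel's strnchr(), the struct and helper names are my own, and the two firmware blobs are constructed, not real .cyacd images.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace stand-in for the kernel's strnchr(): first occurrence of c in
 * the first count bytes of s, or NULL if absent. */
static const char *strnchr_model(const char *s, size_t count, int c)
{
	return memchr(s, c, count);
}

struct scan_result {
	int records;		/* ':'-prefixed records walked, or -EINVAL */
	int wild_iteration;	/* 1 if the unguarded loop would have run with p == NULL */
};

/*
 * Model of the do_flash() record walk. With guarded == 0 this mirrors the
 * original code: a missing ':' leaves p == NULL, and since NULL is
 * numerically below any valid eof the loop body would run with
 * p + 1 == (void *)1 and a length of roughly (unsigned long)eof. The model
 * records that outcome instead of performing the access. With guarded == 1
 * the patch's check rejects the image before the loop.
 */
static struct scan_result scan_records(const char *data, size_t size, int guarded)
{
	struct scan_result r = { 0, 0 };
	const char *eof = data + size;
	const char *p = strnchr_model(data, size, ':');

	if (!p) {
		if (guarded) {
			r.records = -EINVAL;
			return r;
		}
		/* Compared as integers to show what the pointer comparison
		 * evaluates to, without relying on NULL < eof being defined. */
		r.wild_iteration = (uintptr_t)p < (uintptr_t)eof;
		return r;
	}

	while (p < eof) {
		const char *s = strnchr_model(p + 1, (size_t)(eof - p - 1), ':');

		r.records++;	/* the record [p, s) or [p, eof) would be flashed here */
		if (!s)
			break;	/* last record runs to eof; NULL must not become p */
		p = s;
	}
	return r;
}

/* Constructed images, not real CCG .cyacd firmware. */
static const char fw_ok[]  = ":0400000000000000FC\n:0200000100FD\n:00000001FF\n";
static const char fw_bad[] = "this blob has no record header at all\n";

static int records_in(const char *fw, size_t n, int guarded)
{
	return scan_records(fw, n, guarded).records;
}

static int wild_in(const char *fw, size_t n)
{
	return scan_records(fw, n, 0).wild_iteration;
}
```

The point to take away is the second branch: a NULL result from a search function is not "less than eof" in any meaningful sense, so it has to be rejected before any pointer comparison, not after.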

* [PATCH 6.18 137/315] parport: Fix race between port and client registration
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 136/315] Input: xpad - fix out-of-bounds access for Share button Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 138/315] rust_binder: Avoid holding lock when dropping delivered_death Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ben Hutchings,
	Sudip Mukherjee

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <benh@debian.org>

commit ef15ccbb3e8640a723c42ad90eaf81d66ae02017 upstream.

The parport subsystem registers port devices before they are fully
initialised, resulting in a race condition where client drivers such
as lp can attach to ports that are not completely initialised or even
being torn down.

When the port and client drivers are built as modules and loaded
around the same time during boot, this occasionally results in a
crash.  I was able to make this happen reliably in a VM with a
PC-style parallel port by patching parport_pc to fail probing:

> --- a/drivers/parport/parport_pc.c
> +++ b/drivers/parport/parport_pc.c
> @@ -2069,7 +2069,7 @@ static struct parport *__parport_pc_probe_port(unsigned long int base,
>  	if (!p)
>  		goto out3;
>
> -	base_res = request_region(base, 3, p->name);
> +	base_res = NULL;
>  	if (!base_res)
>  		goto out4;
>

and then running:

    while true; do
        modprobe lp & modprobe parport_pc
        wait
        rmmod lp parport_pc
    done

for a few seconds.

In the long term I think port registration should be changed to put
the call to device_add() inside parport_announce_port(), but since the
latter currently cannot fail this will require changing all port
drivers.

For now, add a flag to indicate whether a port has been "announced"
and only try to attach client drivers to ports when the flag is set.

Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem")
Closes: https://bugs.debian.org/1130365
Closes: https://lore.kernel.org/all/6ba903ad-9897-42bb-8c2d-337385cc3746@molgen.mpg.de/
Cc: stable <stable@kernel.org>
Signed-off-by: Ben Hutchings <benh@debian.org>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Link: https://patch.msgid.link/afo6uBv68GDevbMD@decadent.org.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parport/share.c |   11 +++++++++--
 include/linux/parport.h |    1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/parport/share.c
+++ b/drivers/parport/share.c
@@ -214,10 +214,14 @@ static void get_lowlevel_driver(void)
 static int port_check(struct device *dev, void *dev_drv)
 {
 	struct parport_driver *drv = dev_drv;
+	struct parport *port;
 
 	/* only send ports, do not send other devices connected to bus */
-	if (is_parport(dev))
-		drv->match_port(to_parport_dev(dev));
+	if (is_parport(dev)) {
+		port = to_parport_dev(dev);
+		if (test_bit(PARPORT_ANNOUNCED, &port->devflags))
+			drv->match_port(port);
+	}
 	return 0;
 }
 
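Review bot: test_bit(PARPORT_ANNOUNCED) here only closes the race if port_check() runs under the same registration_lock that parport_announce_port() sets the bit under and parport_remove_port() clears it under; the hunk does not show the caller, so confirm the bus_for_each_dev() that invokes port_check() holds registration_lock. If it does not, a port can be announced or removed between the test_bit() and drv->match_port(), which is the original race in a narrower window.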
@@ -532,6 +536,7 @@ void parport_announce_port(struct parpor
 		if (slave)
 			attach_driver_chain(slave);
 	}
+	set_bit(PARPORT_ANNOUNCED, &port->devflags);
 	mutex_unlock(&registration_lock);
 }
 EXPORT_SYMBOL(parport_announce_port);
@@ -561,6 +566,8 @@ void parport_remove_port(struct parport
 
 	mutex_lock(&registration_lock);
 
+	clear_bit(PARPORT_ANNOUNCED, &port->devflags);
+
 	/* Spread the word. */
 	detach_driver_chain(port);
 
--- a/include/linux/parport.h
+++ b/include/linux/parport.h
@@ -240,6 +240,7 @@ struct parport {
 
 	unsigned long devflags;
 #define PARPORT_DEVPROC_REGISTERED	0
+#define PARPORT_ANNOUNCED		1
 	struct pardevice *proc_device;	/* Currently register proc device */
 
 	struct list_head full_list;
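Review bot: PARPORT_ANNOUNCED gets no comment, and neither devflags bit says what protects it; a one-line comment stating that the bit is set once parport_announce_port() has attached the driver chain, cleared at the start of parport_remove_port(), and must be read under registration_lock would document the contract that port_check() now relies on.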




* [PATCH 6.18 138/315] rust_binder: Avoid holding lock when dropping delivered_death
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 137/315] parport: Fix race between port and client registration Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 139/315] rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Stevens, Matthew Maurer,
	stable, Alice Ryhl, Carlos Llamas

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Matthew Maurer <mmaurer@google.com>

commit f6d8fea9e3953151a4adb4f603503dc3dc9c69da upstream.

In 6c37bebd8c926, we switched to looping over the list and dropping each
individual node, ostensibly without the lock held in the loop body.

If the kernel were using Rust Edition 2024, the comment would be
accurate, and the lock would not be held across the drop. However, the
kernel is currently using 2021, so tail expression lifetime extension
results in the lock being held across the drop. Explicitly binding the
expression result to a variable makes the lockguard no longer part of a
tail expression, causing the lock to be dropped before entering the loop
body.

This was detected via `CONFIG_PROVE_LOCKING` identifying an invalid wait
context at the drop site.

Reported-by: David Stevens <stevensd@google.com>
Signed-off-by: Matthew Maurer <mmaurer@google.com>
Cc: stable <stable@kernel.org>
Fixes: 6c37bebd8c92 ("rust_binder: avoid mem::take on delivered_deaths")
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://patch.msgid.link/20260403-lockhold-v1-1-c332b56cd8ae@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder/process.rs |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/android/binder/process.rs
+++ b/drivers/android/binder/process.rs
@@ -1366,7 +1366,12 @@ impl Process {
         // Clear delivered_deaths list.
         //
         // Scope ensures that MutexGuard is dropped while executing the body.
-        while let Some(delivered_death) = { self.inner.lock().delivered_deaths.pop_front() } {
+        while let Some(delivered_death) = {
+            // Explicitly bind to avoid tail expression lifetime extension of the lockguard
+            // Can be removed when the kernel moves to edition 2024
+            let maybe_death = self.inner.lock().delivered_deaths.pop_front();
+            maybe_death
+        } {
             drop(delivered_death);
         }
 
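Review bot: the `let maybe_death = ...; maybe_death` shape is exactly what clippy's `let_and_return` lint looks for; if the kernel's clippy run warns on it, an `#[allow(clippy::let_and_return)]` carrying the same edition-2024 explanation keeps the build clean without reintroducing the extended guard lifetime. Nit: the two new comment lines lack trailing periods, unlike the comments around them.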




* [PATCH 6.12 128/307] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 127/307] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 129/307] usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, stable,
	Badhri Jagan Sridharan

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8fbc349e8383125dd2d8de1c1e926279d398ab17 upstream.

Properly validate the count passed from a device when calling
svdm_consume_identity() or svdm_consume_identity_sop_prime() as the
device-controlled value could index off of the static arrays, which
could leak data.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://patch.msgid.link/2026051350-plated-salute-0efe@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1639,6 +1639,9 @@ static void svdm_consume_identity(struct
 	u32 vdo = p[VDO_INDEX_IDH];
 	u32 product = p[VDO_INDEX_PRODUCT];
 
+	if (cnt <= VDO_INDEX_PRODUCT)
+		return;
+
 	memset(&port->mode_data, 0, sizeof(port->mode_data));
 
 	port->partner_ident.id_header = vdo;
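Review bot: the loads `u32 vdo = p[VDO_INDEX_IDH];` and `u32 product = p[VDO_INDEX_PRODUCT];` at the top of the function execute before the new `cnt <= VDO_INDEX_PRODUCT` check, so the check gates the use of the values, not the read. That is fine if p always points at a full-size payload array, but if p can ever be shorter than VDO_INDEX_PRODUCT + 1 objects the read itself is still out of bounds; moving the check above those initialisers (or initialising after it) makes the guard hold regardless of the caller.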
@@ -1659,6 +1662,9 @@ static void svdm_consume_identity_sop_pr
 	u32 product = p[VDO_INDEX_PRODUCT];
 	int svdm_version;
 
+	if (cnt <= VDO_INDEX_CABLE_1)
+		return;
+
 	/*
 	 * Attempt to consume identity only if cable currently is not set
 	 */
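Review bot: same ordering point as in svdm_consume_identity(): `u32 product = p[VDO_INDEX_PRODUCT];` is evaluated before the `cnt <= VDO_INDEX_CABLE_1` check, so place the check ahead of the declarations that index p[] if the payload buffer is not guaranteed to be full size. The threshold here also differs from the one in svdm_consume_identity(); a short comment saying which object the SOP' path needs would save the next reader from wondering why.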
@@ -1682,7 +1688,7 @@ static void svdm_consume_identity_sop_pr
 	switch (port->negotiated_rev_prime) {
 	case PD_REV30:
 		port->cable_desc.pd_revision = 0x0300;
-		if (port->cable_desc.active)
+		if (port->cable_desc.active && cnt > VDO_INDEX_CABLE_2)
 			port->cable_ident.vdo[1] = p[VDO_INDEX_CABLE_2];
 		break;
 	case PD_REV20:
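Review bot: the added `cnt > VDO_INDEX_CABLE_2` guard covers the PD_REV30 branch only; the PD_REV20 branch that begins at the end of this hunk is not shown, so confirm it does not index p[] beyond what the earlier `cnt <= VDO_INDEX_CABLE_1` check guarantees.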




* [PATCH 6.18 139/315] rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 138/315] rust_binder: Avoid holding lock when dropping delivered_death Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 140/315] USB: cdc-acm: Fix bit overlap and move quirk definitions to header Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alice Ryhl, Carlos Llamas

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alice Ryhl <aliceryhl@google.com>

commit 4c19719eb8b8df08c5bec7c499f73ddaea6f09fc upstream.

When an outdated transaction is removed from `oneway_todo` due to
`TF_UPDATE_TXN`, its `Allocation` is dropped. The current implementation
of `Allocation::drop` calls `pending_oneway_finished()`, assuming the
transaction was executed. This leads to premature execution of the next
queued one-way transaction.

Fix this by taking the `oneway_node` from the `Allocation` of the
outdated transaction before it is dropped. This prevents
`Allocation::drop` from signaling completion.

We do not call `take_oneway_node()` from `Transaction::cancel` because
it's actually correct to call `pending_oneway_finished()` on cancel if
the transaction did not come from `oneway_todo`. This ensures that if
`BINDER_THREAD_EXIT` is invoked and cancels a oneway transaction, then
the next transaction is taken from `oneway_todo`.

This bug does not lead to any issues in the kernel, but may lead to
Binder delivering transactions to userspace earlier than userspace
expected to receive them.

Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Assisted-by: Antigravity:gemini
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Acked-by: Carlos Llamas <cmllamas@google.com>
Link: https://patch.msgid.link/20260414-tf-update-txn-fix-v1-1-d2b83303acc9@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder/allocation.rs  |    8 ++++++++
 drivers/android/binder/transaction.rs |   11 ++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

--- a/drivers/android/binder/allocation.rs
+++ b/drivers/android/binder/allocation.rs
@@ -160,6 +160,14 @@ impl Allocation {
         self.get_or_init_info().target_node = Some(target_node);
     }
 
+    pub(crate) fn take_oneway_node(&mut self) -> Option<DArc<Node>> {
+        if let Some(info) = self.allocation_info.as_mut() {
+            info.oneway_node.take()
+        } else {
+            None
+        }
+    }
+
     /// Reserve enough space to push at least `num_fds` fds.
     pub(crate) fn info_add_fd_reserve(&mut self, num_fds: usize) -> Result {
         self.get_or_init_info()
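Review bot: take_oneway_node() is the only pub(crate) method in this region without a `///` doc comment (compare `/// Reserve enough space to push at least `num_fds` fds.` just below); add one saying it detaches the oneway node so that `Allocation::drop` does not call `pending_oneway_finished()`, since that side effect is the whole reason the method exists. The body could also be the one-liner `self.allocation_info.as_mut().and_then(|info| info.oneway_node.take())`.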
--- a/drivers/android/binder/transaction.rs
+++ b/drivers/android/binder/transaction.rs
@@ -239,7 +239,8 @@ impl Transaction {
     /// Not used for replies.
     pub(crate) fn submit(self: DLArc<Self>) -> BinderResult {
         // Defined before `process_inner` so that the destructor runs after releasing the lock.
-        let mut _t_outdated;
+        let _t_outdated;
+        let _oneway_node;
 
         let oneway = self.flags & TF_ONE_WAY != 0;
         let process = self.to.clone();
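Review bot: the comment `// Defined before process_inner so that the destructor runs after releasing the lock.` now applies to `_oneway_node` as much as to `_t_outdated`, since dropping the `DArc<Node>` after the lock is released is the point of hoisting it, so extend it to name both. Being declared second, `_oneway_node` is also dropped before `_t_outdated`; if that order matters it deserves a comment, and if it does not, saying so avoids the question.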
@@ -255,6 +256,14 @@ impl Transaction {
                         if let Some(t_outdated) =
                             target_node.take_outdated_transaction(&self, &mut process_inner)
                         {
+                            let mut alloc_guard = t_outdated.allocation.lock();
+                            if let Some(alloc) = (*alloc_guard).as_mut() {
+                                // Take the oneway node to prevent `Allocation::drop` from calling
+                                // `pending_oneway_finished()`, which would be incorrect as this
+                                // transaction is not being submitted.
+                                _oneway_node = alloc.take_oneway_node();
+                            }
+                            drop(alloc_guard);
                             // Save the transaction to be dropped after locks are released.
                             _t_outdated = t_outdated;
                         }




* [PATCH 6.12 129/307] usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 128/307] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 130/307] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Badhri Jagan Sridharan,
	Heikki Krogerus, stable

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3389c149c68c3fea61910ad5d34f7bf3bff44e32 upstream.

svdm_consume_modes() checks pmdata->altmodes against the array size once
before the loop over the count, but forgot to check the bound at every
point in the loop.

In the well-behaved SVDM discovery flow this is harmless because each of
at most SVID_DISCOVERY_MAX SVIDs contributes at most MODE_DISCOVERY_MAX
modes, exactly filling altmode_desc[ALTMODE_DISCOVERY_MAX].  But the
CMDT_RSP_ACK handler in tcpm_pd_svdm() does not correlate an incoming
ACK with any request the port actually sent.  Once port->partner is set,
an unsolicited Discover Modes ACK is consumed unconditionally.  A broken
or malicious port partner can therefore drive altmodes to
ALTMODE_DISCOVERY_MAX - 1 via the normal flow, and then send one extra
Discover Modes ACK with seven VDOs.  Because the pre-loop check passes,
the loop could then write up to five entries past altmode_desc[].  For
mode_data_prime the next field in struct tcpm_port is the
partner_altmode[] pointer array, which then receives partner-chosen
SVID/VDO bytes.

Move the bound check inside the loop so the array can never be indexed
past ALTMODE_DISCOVERY_MAX regardless of how many VDOs the partner
supplies or how the function was reached.

Assisted-by: gkh_clanker_t1000
Cc: Badhri Jagan Sridharan <badhri@google.com>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026051351-reshuffle-skillful-90af@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1776,23 +1776,19 @@ static void svdm_consume_modes(struct tc
 	switch (rx_sop_type) {
 	case TCPC_TX_SOP_PRIME:
 		pmdata = &port->mode_data_prime;
-		if (pmdata->altmodes >= ARRAY_SIZE(port->plug_prime_altmode)) {
-			/* Already logged in svdm_consume_svids() */
-			return;
-		}
 		break;
 	case TCPC_TX_SOP:
 		pmdata = &port->mode_data;
-		if (pmdata->altmodes >= ARRAY_SIZE(port->partner_altmode)) {
-			/* Already logged in svdm_consume_svids() */
-			return;
-		}
 		break;
 	default:
 		return;
 	}
 
 	for (i = 1; i < cnt; i++) {
+		if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
+			/* Already logged in svdm_consume_svids() */
+			return;
+		}
 		paltmode = &pmdata->altmode_desc[pmdata->altmodes];
 		memset(paltmode, 0, sizeof(*paltmode));
 
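Review bot: the comment `/* Already logged in svdm_consume_svids() */` travelled with the check but is no longer accurate in the case this patch is about: an unsolicited Discover Modes ACK can hit the in-loop bound without svdm_consume_svids() ever having logged anything, so either log here (tcpm_log_force() as elsewhere in this file) or reword the comment. Separately, the removed checks used ARRAY_SIZE(port->plug_prime_altmode) and ARRAY_SIZE(port->partner_altmode) while the new one uses ALTMODE_DISCOVERY_MAX; altmode_desc[] is what is indexed so that is the right bound, but a BUILD_BUG_ON tying the two sizes together would keep them from drifting apart.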



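An added example, not tcpm.c, that serves both this patch and the preceding "validate VDO count in Discover Identity ACK handlers" one: a model of the two consumers with a device-controlled count. The VDO index values, the struct layout and ALTMODE_MAX (scaled down from the driver's ALTMODE_DISCOVERY_MAX so the scenario fits in a few entries) are assumptions; the 7-object ACK is constructed, not captured from a port partner. The identity function checks cnt before any p[] access, and the modes function contrasts the single pre-loop check with the per-iteration one.

```c
#include <stdint.h>
#include <string.h>

#define PD_MAX_PAYLOAD		7	/* a PD message carries at most 7 data objects */
/* Assumed index values; the real ones live in the driver's headers. */
#define VDO_INDEX_IDH		1
#define VDO_INDEX_PRODUCT	3
#define VDO_INDEX_CABLE_1	4
#define VDO_INDEX_CABLE_2	5
#define ALTMODE_MAX		8	/* scaled-down stand-in for ALTMODE_DISCOVERY_MAX */

struct altmode_desc { uint16_t svid; uint32_t vdo; };

struct mode_data {
	struct altmode_desc altmode_desc[ALTMODE_MAX];
	int altmodes;	/* entries consumed so far, persists across ACKs */
};

struct ident {
	uint32_t id_header, product, cable_vdo[2];
};

/*
 * Discover Identity ACK. The count check runs before any p[] access, so
 * the guard holds even if p is shorter than a full payload; in the hunk of
 * the identity patch the two loads sit above the check. Returns 0, or -1
 * when the ACK is too short to contain the objects that would be read.
 */
static int consume_identity(struct ident *id, const uint32_t *p, int cnt)
{
	memset(id, 0, sizeof(*id));
	if (cnt <= VDO_INDEX_PRODUCT)
		return -1;
	id->id_header = p[VDO_INDEX_IDH];
	id->product = p[VDO_INDEX_PRODUCT];
	if (cnt > VDO_INDEX_CABLE_1)
		id->cable_vdo[0] = p[VDO_INDEX_CABLE_1];
	if (cnt > VDO_INDEX_CABLE_2)
		id->cable_vdo[1] = p[VDO_INDEX_CABLE_2];
	return 0;
}

/*
 * Discover Modes ACK. per_iteration == 0 reproduces the old single pre-loop
 * check, per_iteration == 1 the fix. The model never writes past the array:
 * every entry the old code would have stored out of bounds is counted in
 * the return value instead (0 for the fixed version).
 */
static int consume_modes(struct mode_data *md, uint16_t svid,
			 const uint32_t *p, int cnt, int per_iteration)
{
	int i, overrun = 0;

	if (!per_iteration && md->altmodes >= ALTMODE_MAX)
		return 0;

	for (i = 1; i < cnt; i++) {
		if (md->altmodes >= ALTMODE_MAX) {
			if (per_iteration)
				return overrun;	/* bound checked per entry */
			overrun++;		/* old code: altmode_desc[altmodes] written here */
			md->altmodes++;
			continue;
		}
		md->altmode_desc[md->altmodes].svid = svid;
		md->altmode_desc[md->altmodes].vdo = p[i];
		md->altmodes++;
	}
	return overrun;
}

/* Constructed ACK payload (header object + 6 VDOs), not from a real partner. */
static const uint32_t ack7[PD_MAX_PAYLOAD] = { 0xff01a04a, 1, 2, 3, 4, 5, 6 };

/*
 * The scenario from the commit message: altmodes already at ALTMODE_MAX - 1
 * from the normal flow, then one unsolicited 7-object Discover Modes ACK.
 * Returns how many entries would land past the array.
 */
static int unsolicited_ack_overrun(int per_iteration)
{
	struct mode_data md;

	memset(&md, 0, sizeof(md));
	md.altmodes = ALTMODE_MAX - 1;
	return consume_modes(&md, 0xff01, ack7, PD_MAX_PAYLOAD, per_iteration);
}

/* Identity path helper: -1 if rejected, else cable_vdo[0] * 10 + cable_vdo[1]. */
static int identity_result(int cnt)
{
	struct ident id;

	if (consume_identity(&id, ack7, cnt))
		return -1;
	return (int)id.cable_vdo[0] * 10 + (int)id.cable_vdo[1];
}
```

With the pre-loop check the 7-object ACK lands five entries past the array, exactly the figure in the commit message; with the per-iteration check it stops at the bound. The general rule both fixes apply is that a bound must be checked against the index that is actually used, at the point it is used, whenever the count comes from the other side of the cable.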

* [PATCH 6.18 140/315] USB: cdc-acm: Fix bit overlap and move quirk definitions to header
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 139/315] rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 141/315] KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wentao Guan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Guan <guanwentao@uniontech.com>

commit 5eb070769ea5e18405535609d1d3f6886f3755bd upstream.

The VENDOR_CLASS_DATA_IFACE and ALWAYS_POLL_CTRL quirk flags added in
commit f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10
INGENIC touchscreen") were placed inside the acm_ctrl_msg() function
rather than in the header with the other quirk flags.  Then, their
values (BIT(9) and BIT(10)) collided with NO_UNION_12 which is already
BIT(9).

Move the definitions to drivers/usb/class/cdc-acm.h where they belong
and shift them to BIT(10) and BIT(11) to avoid the overlap.

Fixes: f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen")
Cc: stable <stable@kernel.org>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://patch.msgid.link/20260522091357.1301196-1-guanwentao@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-acm.c |    2 --
 drivers/usb/class/cdc-acm.h |    2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -114,8 +114,6 @@ static int acm_ctrl_msg(struct acm *acm,
 	int retval;
 
 	retval = usb_autopm_get_interface(acm->control);
-#define VENDOR_CLASS_DATA_IFACE		BIT(9)  /* data interface uses vendor-specific class */
-#define ALWAYS_POLL_CTRL		BIT(10) /* keep ctrl URB active even without an open TTY */
 	if (retval)
 		return retval;
 
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -115,3 +115,5 @@ struct acm {
 #define DISABLE_ECHO			BIT(7)
 #define MISSING_CAP_BRK			BIT(8)
 #define NO_UNION_12			BIT(9)
+#define VENDOR_CLASS_DATA_IFACE		BIT(10)  /* data interface uses vendor-specific class */
+#define ALWAYS_POLL_CTRL		BIT(11) /* keep ctrl URB active even without an open TTY */
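Review bot: moving the two flags to BIT(10) and BIT(11) changes their numeric values, so any place that stored a quirk mask numerically rather than through these macros (a device-table entry, debug output, an out-of-tree user) silently changes meaning; a sentence in the changelog saying the id table and acm_probe() were checked for literal uses of the old values would settle that. Nit: `BIT(10)  /*` has two spaces before the comment while `BIT(11) /*` has one.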



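An added example, not cdc-acm code: the check a reviewer would want for a table of bit flags, run over the five quirk values visible in the hunk above. Only those five are included, so the "before" table is a constructed reproduction of the collision the commit message describes, not the driver's full quirk list; the struct and function names are my own.

```c
#include <stddef.h>

#define BIT(n)		(1UL << (n))
#define ARRAY_SIZE(a)	(sizeof(a) / sizeof((a)[0]))

struct flag_def {
	const char *name;
	unsigned long value;
};

/*
 * Check that every flag is exactly one bit and that no two flags share a
 * bit. Returns -1 when the table is clean, otherwise the index of the first
 * offending entry; when that entry overlaps an earlier one, *partner
 * receives the earlier index (it stays -1 if the entry is simply not a
 * single bit).
 */
static int find_flag_defect(const struct flag_def *t, size_t n, int *partner)
{
	unsigned long seen = 0;
	size_t i, j;

	if (partner)
		*partner = -1;
	for (i = 0; i < n; i++) {
		unsigned long v = t[i].value;

		if (v == 0 || (v & (v - 1)))
			return (int)i;		/* zero or more than one bit set */
		if (seen & v) {
			for (j = 0; j < i; j++) {
				if (t[j].value & v) {
					if (partner)
						*partner = (int)j;
					break;
				}
			}
			return (int)i;
		}
		seen |= v;
	}
	return -1;
}

/* The quirk values visible in the hunk, before and after the move. */
static const struct flag_def quirks_before[] = {
	{ "DISABLE_ECHO",            BIT(7) },
	{ "MISSING_CAP_BRK",         BIT(8) },
	{ "NO_UNION_12",             BIT(9) },
	{ "VENDOR_CLASS_DATA_IFACE", BIT(9) },	/* collided with NO_UNION_12 */
	{ "ALWAYS_POLL_CTRL",        BIT(10) },
};

static const struct flag_def quirks_after[] = {
	{ "DISABLE_ECHO",            BIT(7) },
	{ "MISSING_CAP_BRK",         BIT(8) },
	{ "NO_UNION_12",             BIT(9) },
	{ "VENDOR_CLASS_DATA_IFACE", BIT(10) },
	{ "ALWAYS_POLL_CTRL",        BIT(11) },
};

static int before_defect(int *partner)
{
	return find_flag_defect(quirks_before, ARRAY_SIZE(quirks_before), partner);
}

static int after_defect(int *partner)
{
	return find_flag_defect(quirks_after, ARRAY_SIZE(quirks_after), partner);
}

static int before_partner(void)
{
	int p;

	before_defect(&p);
	return p;
}
```

In the header itself the same property can be pinned at compile time, for instance with a BUILD_BUG_ON that the OR of all quirk flags equals their sum, so that a collision like this one fails the build instead of surviving until someone reads the bit values.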

* [PATCH 6.12 130/307] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 129/307] usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 131/307] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pooja Katiyar, Johan Hovold, stable,
	Heikki Krogerus

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.

ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
payload VDO from data[], but unlike the equivalent handler in
altmodes/displayport.c it does not check that count covers a VDO beyond
the header.  A header-only Configure VDM (count == 1) would read one u32
past the caller's array.

In the normal UCSI path the caller controls count, so this is hardening
for non-standard delivery paths.  NAK and bail when no configuration VDO
is present, matching the generic DP altmode driver's existing guard.

Assisted-by: gkh_clanker_t1000
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/displayport.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/typec/ucsi/displayport.c
+++ b/drivers/usb/typec/ucsi/displayport.c
@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t
 				dp->header |= VDO_CMDT(CMDT_RSP_ACK);
 			break;
 		case DP_CMD_CONFIGURE:
+			if (count < 2) {
+				dp->header |= VDO_CMDT(CMDT_RSP_NAK);
+				break;
+			}
 			dp->data.conf = *data;
 			if (ucsi_displayport_configure(dp)) {
 				dp->header |= VDO_CMDT(CMDT_RSP_NAK);
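Review bot: the `count < 2` guard matches the generic DP altmode driver, but only the DP_CMD_CONFIGURE case is covered; the tail of the DP_CMD_STATUS_UPDATE case is visible just above and any other case in this switch that dereferences *data needs the same check, so confirm the cases outside the hunk do not read a payload VDO on a header-only VDM.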




* [PATCH 6.18 141/315] KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 140/315] USB: cdc-acm: Fix bit overlap and move quirk definitions to header Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07 17:47   ` Marc Zyngier
  2026-06-07  9:58 ` [PATCH 6.18 142/315] KVM: arm64: PMU: Preserve AArch32 counter low bits Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  316 siblings, 1 reply; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown, Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@kernel.org>

commit 83726330748981372bde86ed5411d7b306612991 upstream.

ZCR_EL2 can be updated by a VHE guest hypervisor either using ZCR_EL2
(which traps) or ZCR_EL1 (which does not trap). KVM handles both in
different way:

- on ZCR_EL2 trap, ZCR_EL2.LEN is immediately capped at the VM's own
  VL limit. This has the potential to break existing SW that relies
  on the full LEN field to be stateful.

- on ZCR_EL1 access, we do absolutely nothing.

On restoring the SVE context for an L2 guest, we directly restore the
guest hypervisor's view of ZCR_EL2 into the physical ZCR_EL2. If the
guest's view of the register was updated using the ZCR_EL2 accessor,
the value has already been sanitised (with the caveat mentioned above).

But if the guest used ZCR_EL1, the raw value is written into the HW,
and the L2 guest can now access VLs that it shouldn't.

Fix all the above by moving the VL capping to the restore points,
ensuring that:

- the HW is always programmed with a capped value, irrespective of
  the accessor being used,

- the ZCR_EL2.LEN field is always completely stateful, irrespective
  of the accessor being used.

Additionally, move ZCR_EL2 to be a sanitised register, ensuring that
only the LEN field is actually stateful. This requires some creative
construction of the RES0 mask, as the sysreg generation script does
not yet generate RAZ/WI fields.

Fixes: b3d29a823099 ("KVM: arm64: nv: Handle ZCR_EL2 traps")
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260529-kvm-arm64-fix-zcr-len-nv-v2-1-86cad51992bd@kernel.org
[maz: rewrote commit message, tidy up access_zcr_el2()]
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/kvm_host.h       |    2 +-
 arch/arm64/kvm/hyp/include/hyp/switch.h |   16 ++++++++++------
 arch/arm64/kvm/nested.c                 |    5 +++++
 arch/arm64/kvm/sys_regs.c               |   11 +++--------
 4 files changed, 19 insertions(+), 15 deletions(-)

--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -496,7 +496,6 @@ enum vcpu_sysreg {
 	ACTLR_EL2,	/* Auxiliary Control Register (EL2) */
 	CPTR_EL2,	/* Architectural Feature Trap Register (EL2) */
 	HACR_EL2,	/* Hypervisor Auxiliary Control Register */
-	ZCR_EL2,	/* SVE Control Register (EL2) */
 	TTBR0_EL2,	/* Translation Table Base Register 0 (EL2) */
 	TTBR1_EL2,	/* Translation Table Base Register 1 (EL2) */
 	TCR_EL2,	/* Translation Control Register (EL2) */
@@ -527,6 +526,7 @@ enum vcpu_sysreg {
 	SCTLR2_EL2,	/* System Control Register 2 (EL2) */
 	MDCR_EL2,	/* Monitor Debug Configuration Register (EL2) */
 	CNTHCTL_EL2,	/* Counter-timer Hypervisor Control register */
+	ZCR_EL2,	/* SVE Control Register (EL2) */
 
 	/* Any VNCR-capable reg goes after this point */
 	MARKER(__VNCR_START__),
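Review bot: the new position of `ZCR_EL2` (after `CNTHCTL_EL2`, just before the `__VNCR_START__` marker) is load-bearing, yet nothing at the enum says so: the nested.c hunk registers RES0/RES1 masks for it, and the `__SANITISED_REG_START__` loop there only sanitises registers that sit in that range, so a later reorder of the enum could silently drop the masking. Suggest a comment on the line, e.g. `ZCR_EL2, /* SVE Control Register (EL2), sanitised: keep past __SANITISED_REG_START__ */`, and a sentence in the changelog stating that the move, not just the mask, is what makes the register sanitised.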
--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
@@ -433,11 +433,13 @@ static inline bool kvm_hyp_handle_mops(s
 
 static inline void __hyp_sve_restore_guest(struct kvm_vcpu *vcpu)
 {
+	u64 zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
+
 	/*
 	 * The vCPU's saved SVE state layout always matches the max VL of the
 	 * vCPU. Start off with the max VL so we can load the SVE state.
 	 */
-	sve_cond_update_zcr_vq(vcpu_sve_max_vq(vcpu) - 1, SYS_ZCR_EL2);
+	sve_cond_update_zcr_vq(zcr_el2, SYS_ZCR_EL2);
 	__sve_restore_state(vcpu_sve_pffr(vcpu),
 			    &vcpu->arch.ctxt.fp_regs.fpsr,
 			    true);
@@ -447,8 +449,10 @@ static inline void __hyp_sve_restore_gue
 	 * nested guest, as the guest hypervisor could select a smaller VL. Slap
 	 * that into hardware before wrapping up.
 	 */
-	if (is_nested_ctxt(vcpu))
-		sve_cond_update_zcr_vq(__vcpu_sys_reg(vcpu, ZCR_EL2), SYS_ZCR_EL2);
+	if (is_nested_ctxt(vcpu)) {
+		zcr_el2 = min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2));
+		sve_cond_update_zcr_vq(zcr_el2, SYS_ZCR_EL2);
+	}
 
 	write_sysreg_el1(__vcpu_sys_reg(vcpu, vcpu_sve_zcr_elx(vcpu)), SYS_ZCR);
 }
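Review bot: `min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2))` compares the whole saved register against a LEN-only value, so it yields the intended cap only because the nested.c hunk makes every bit above LEN RES0 (bits 8:4 included) and the sanitised-register store path applies that mask (the `|= 0` loop after `out:` in nested.c suggests it does). The comment above ('the guest hypervisor could select a smaller VL. Slap that into hardware') still reads as if the saved value were written verbatim; a one-line note above the `min()` saying that the stored ZCR_EL2 is LEN-only and is being capped to the vCPU's max VL would make the invariant visible where it is relied on.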
@@ -472,11 +476,11 @@ static inline void fpsimd_lazy_switch_to
 		return;
 
 	if (vcpu_has_sve(vcpu)) {
+		zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
+
 		/* A guest hypervisor may restrict the effective max VL. */
 		if (is_nested_ctxt(vcpu))
-			zcr_el2 = __vcpu_sys_reg(vcpu, ZCR_EL2);
-		else
-			zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
+			zcr_el2 = min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2));
 
 		write_sysreg_el2(zcr_el2, SYS_ZCR);
 
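Review bot: this is the second copy of the same cap (`vcpu_sve_max_vq(vcpu) - 1`, then `min()` with the saved ZCR_EL2 when `is_nested_ctxt()`), the first being in `__hyp_sve_restore_guest()` in the hunk above. A small helper returning the capped value, e.g. `vcpu_sve_capped_zcr_el2(vcpu)`, would keep the two restore points from drifting apart, which is exactly the class of bug this patch fixes (one accessor capped, the other not).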
--- a/arch/arm64/kvm/nested.c
+++ b/arch/arm64/kvm/nested.c
@@ -1772,6 +1772,11 @@ int kvm_init_nv_sysregs(struct kvm_vcpu
 	/* VNCR_EL2 */
 	set_sysreg_masks(kvm, VNCR_EL2, VNCR_EL2_RES0, VNCR_EL2_RES1);
 
+	/* ZCR_EL2 - bits 8:4 are RAZ/WI so treat them as RES0 */
+	resx.res0 = ZCR_ELx_RES0 | GENMASK_ULL(8, 4);
+	resx.res1 = ZCR_ELx_RES1;
+	set_sysreg_masks(kvm, ZCR_EL2, resx);
+
 out:
 	for (enum vcpu_sysreg sr = __SANITISED_REG_START__; sr < NR_SYS_REGS; sr++)
 		__vcpu_rmw_sys_reg(vcpu, sr, |=, 0);
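Review bot: the new `set_sysreg_masks(kvm, ZCR_EL2, resx)` sits immediately before the `out:` label, so any earlier `goto out` in `kvm_init_nv_sysregs()` returns without ZCR_EL2 masks while the loop after `out:` still runs `__vcpu_rmw_sys_reg(vcpu, sr, |=, 0)` over it; confirm that no such path is reachable for an SVE-capable NV guest, or move the block above the first jump to `out:`. Also, the call two lines up passes `(kvm, VNCR_EL2, VNCR_EL2_RES0, VNCR_EL2_RES1)` while this one passes a `resx` struct; worth a glance that this stable branch's `set_sysreg_masks()` accepts both shapes. The 'bits 8:4 are RAZ/WI so treat them as RES0' comment is the right place to explain the `GENMASK_ULL(8, 4)` OR-in, since the generated `ZCR_ELx_RES0` will not include it.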
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -2749,21 +2749,16 @@ static bool access_zcr_el2(struct kvm_vc
 			   struct sys_reg_params *p,
 			   const struct sys_reg_desc *r)
 {
-	unsigned int vq;
-
 	if (guest_hyp_sve_traps_enabled(vcpu)) {
 		kvm_inject_nested_sve_trap(vcpu);
 		return false;
 	}
 
-	if (!p->is_write) {
+	if (!p->is_write)
 		p->regval = __vcpu_sys_reg(vcpu, ZCR_EL2);
-		return true;
-	}
+	else
+		__vcpu_assign_sys_reg(vcpu, ZCR_EL2, p->regval);
 
-	vq = SYS_FIELD_GET(ZCR_ELx, LEN, p->regval) + 1;
-	vq = min(vq, vcpu_sve_max_vq(vcpu));
-	__vcpu_assign_sys_reg(vcpu, ZCR_EL2, vq - 1);
 	return true;
 }
 
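Review bot: `access_zcr_el2()` now stores `p->regval` verbatim, and a reader of this function alone would conclude that a guest hypervisor can program any LEN it likes. Add a comment on the write branch saying that capping against the vCPU's max VL happens at the two restore points in switch.h and that bit sanitisation is done by the ZCR_EL2 RES0/RES1 masks from nested.c, so the guarantee is discoverable from here rather than only from the changelog. The brace-less `if/else` is fine per coding style since both arms are single statements.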



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 131/307] usb: typec: altmodes/displayport: validate count before reading Status Update VDO
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 130/307] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 132/307] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.

A broken/malicious device can send the incorrect count for a status
update VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.

Fix this up by correctly verifying the count for the update object.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/altmodes/displayport.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -386,6 +386,8 @@ static int dp_altmode_vdm(struct typec_a
 				dp->state = DP_STATE_EXIT_PRIME;
 			break;
 		case DP_CMD_STATUS_UPDATE:
+			if (count < 2)
+				break;
 			dp->data.status = *vdo;
 			ret = dp_altmode_status_update(dp);
 			break;
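Review bot: `count < 2` encodes the layout 'header VDO plus one Status Update VDO' as a bare magic number; a comment on the check, or a named constant for the expected object count, would make it self-documenting. The silent `break` also drops the message with no trace; a `dev_dbg()` noting the short Status Update would make a misbehaving partner visible when debugging, without being noisy in production.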




* [PATCH 6.18 142/315] KVM: arm64: PMU: Preserve AArch32 counter low bits
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 141/315] KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 143/315] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ma, Marc Zyngier

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qiang Ma <maqianga@uniontech.com>

commit 1750ad1388e03fb27068cd1f22c9c8b4590fe936 upstream.

AArch32 writes to PMU event counters cannot update the top 32 bits,
even when PMUv3p5 makes the counters 64-bit. KVM therefore needs to
preserve the existing high half and only update the low half written by
the guest, unless the caller explicitly forces a full reset through
PMCR.P.

The current code masks @val down to the old high half before taking
lower_32_bits(val), which means the low half is always zero. As a
result, AArch32 writes to event counters discard the guest-provided low
32 bits instead of storing them.

Build the new value from the old high 32 bits and the low 32 bits of
the value supplied by the guest.

Fixes: 26d2d0594d70 ("KVM: arm64: PMU: Do not let AArch32 change the counters' top 32 bits")
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://patch.msgid.link/20260526074640.791991-1-maqianga@uniontech.com
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/pmu-emul.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kvm/pmu-emul.c
+++ b/arch/arm64/kvm/pmu-emul.c
@@ -174,8 +174,8 @@ static void kvm_pmu_set_pmc_value(struct
 		 * action is to use PMCR.P, which will reset them to
 		 * 0 (the only use of the 'force' parameter).
 		 */
-		val  = __vcpu_sys_reg(vcpu, reg) & GENMASK(63, 32);
-		val |= lower_32_bits(val);
+		val = (__vcpu_sys_reg(vcpu, reg) & GENMASK(63, 32)) |
+		      lower_32_bits(val);
 	}
 
 	__vcpu_assign_sys_reg(vcpu, reg, val);
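Review bot: the fix is correct; the old first statement overwrote `val` with the masked high half, so the `lower_32_bits(val)` on the next line could only ever contribute zero and the guest's low 32 bits were lost. Since this slipped through the original change, a regression test (an AArch32 event-counter write followed by a read-back of both halves) in the KVM selftests would be worthwhile. The comment block above about PMCR.P and the `force` parameter still describes the intent accurately.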




* [PATCH 6.12 132/307] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 131/307] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 133/307] usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.

wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
struct pd_message with

	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
		regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);

which has two problems:

USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
The byte count latched in RXINFO is the number of bytes the port partner
put on the wire, so a malicious partner that transmits a 31-byte frame
can drive the loop one byte past the destination if the WCOVE BMC
receiver does not enforce the PD object-count limit in hardware. The
existing FIXME flagged this as unverified.

Independently, regmap_read() takes an unsigned int * and stores a full
unsigned int at the destination. Passing the byte pointer msg + i means
each iteration writes four bytes; the high three are zero (val_bits is
8) and are normally overwritten by the next iteration, but the final
iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
already writes three zero bytes past msg, which sits on the IRQ thread's
stack in wcove_typec_irq().

Clamp the loop to sizeof(struct pd_message) and read each register into
a local before storing only its low byte, so the copy can never exceed
the destination regardless of what RXINFO reports.

Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/wcove.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/usb/typec/tcpm/wcove.c
+++ b/drivers/usb/typec/tcpm/wcove.c
@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t
 	return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
 }
 
-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
+static int wcove_read_rx_buffer(struct wcove_typec *wcove,
+				struct pd_message *msg)
 {
-	unsigned int info;
+	unsigned int info, val, len;
+	u8 *buf = (u8 *)msg;
 	int ret;
 	int i;
 
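Review bot: `i` stays `int` while the new bound `len` is `unsigned int`, so the `i < len` comparison in the next hunk is a signed/unsigned compare that `-Wsign-compare` will flag; make `i` `unsigned int` here since it is only used as an index. Changing the parameter from `void *msg` to `struct pd_message *msg` is the right move: it lets `sizeof(*msg)` bound the copy without the caller having to pass a length.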
@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w
 	if (ret)
 		return ret;
 
-	/* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
+	len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
 
-	for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
-		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+	for (i = 0; i < len; i++) {
+		ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
 		if (ret)
 			return ret;
+		buf[i] = val;
 	}
 
 	return regmap_write(wcove->regmap, USBC_RXSTATUS,
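Review bot: clamping to `sizeof(*msg)` fixes the overrun, but the deleted FIXME was tracking a different check that is still missing: nothing verifies that `USBC_RXINFO_RXBYTES(info)` is consistent with the object count in the received header, so a frame shorter than its header claims leaves the tail of the caller's `struct pd_message` (on the IRQ thread's stack, per the changelog) uninitialised for whoever consumes it. Either keep the FIXME or validate the header count against `len`, the way the tcpci_maxim patch in this series does. `buf[i] = val` truncating to the low byte is intended and matches `val_bits == 8`; a short comment saying so saves the next reader a trip to the regmap config.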




* [PATCH 6.18 143/315] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 142/315] KVM: arm64: PMU: Preserve AArch32 counter low bits Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 144/315] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD),
	Sean Christopherson

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit a9e18aa3263f356edae305e29830e5fe63d8597a upstream.

Flush the current TLB when xAVIC *or* x2AVIC is activated, as KVM is
(apparently) responsible for purging TLB entries when transitioning from
xAVIC to x2AVIC.  The APM says a whole lot of nothing about TLB flushing
with respect to (x2)AVIC, but empirical data strongly suggests hardware
also does a whole lot of nothing.

Failure to flush the TLB when enabling x2AVIC can lead to guest accesses
to the APIC base address getting incorrectly redirected to the virtual
APIC page.  The flaw most visibly manifests as failures in KVM-Unit-Test's
verify_disabled_apic_mmio() testcase when x2APIC is enabled (though for
reasons unknown, the test only reliably fails with EFI builds).

Fixes: 0ccf3e7cb95a ("KVM: SVM: Flush the "current" TLB when activating AVIC")
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Cc: Naveen N Rao (AMD) <naveen@kernel.org>
Link: https://patch.msgid.link/20260515171536.1841645-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/avic.c |   35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -187,6 +187,35 @@ static void avic_activate_vmcb(struct vc
 	svm_clr_intercept(svm, INTERCEPT_CR8_WRITE);
 
 	/*
+	 * Flush the TLB when enabling (x2)AVIC and when transitioning between
+	 * xAVIC and x2AVIC, as the CPU may have inserted a TLB entry for the
+	 * "wrong" mapping.
+	 *
+	 * KVM uses a per-VM "scratch" page to back the APIC memslot, because
+	 * KVM also uses per-VM page tables *and* maintains the page table (NPT
+	 * or shadow page) mappings for said memslot even if one or more vCPUs
+	 * have their local APIC hardware-disabled or are in x2APIC mode, i.e.
+	 * even if one or more vCPUs' APIC MMIO BAR is effectively disabled.
+	 *
+	 * If xAVIC is fully enabled, hardware ignores the physical address in
+	 * KVM's page tables, i.e. in the leaf SPTE for the APIC memslot, and
+	 * instead redirects the access to the AVIC backing page, i.e. to the
+	 * vCPU's virtual APIC page.  If xAVIC is not enabled (APIC is either
+	 * hardware-disabled or in x2APIC mode), then guest accesses will use
+	 * the page table mapping verbatim, i.e. will access the per-VM scratch
+	 * page, as normal memory.
+	 *
+	 * In both cases, the CPU is allowed to cache TLB entries for the APIC
+	 * base GPA.  So, KVM needs to flush the TLB when enabling xAVIC, as
+	 * accesses need to be redirected to the virtual APIC page, but the TLB
+	 * may contain entries pointing at the scratch page.  KVM also needs to
+	 * flush the TLB when enabling x2AVIC, as accesses need to go to the
+	 * scratch page, but the TLB may contain entries tagged as xAVIC, i.e.
+	 * entries pointing to the vCPU's virtual APIC page.
+	 */
+	kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, &svm->vcpu);
+
+	/*
 	 * Note: KVM supports hybrid-AVIC mode, where KVM emulates x2APIC MSR
 	 * accesses, while interrupt injection to a running vCPU can be
 	 * achieved using AVIC doorbell.  KVM disables the APIC access page
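Review bot: with the request hoisted above the `if/else`, `KVM_REQ_TLB_FLUSH_CURRENT` is now raised on every call to `avic_activate_vmcb()`, not only on an xAVIC<->x2AVIC transition. The comment's first sentence ('when enabling (x2)AVIC and when transitioning between') matches that, but it is worth saying explicitly that KVM does not track the previous mode and therefore flushes unconditionally, so nobody later 'optimises' the flush back behind a mode comparison and reintroduces the bug. The rest of the explanation (scratch page vs. virtual APIC page, both cacheable in the TLB) is exactly the context the removed two-liner lacked.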
@@ -199,12 +228,6 @@ static void avic_activate_vmcb(struct vc
 		/* Disabling MSR intercept for x2APIC registers */
 		avic_set_x2apic_msr_interception(svm, false);
 	} else {
-		/*
-		 * Flush the TLB, the guest may have inserted a non-APIC
-		 * mapping into the TLB while AVIC was disabled.
-		 */
-		kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, &svm->vcpu);
-
 		/* Enabling MSR intercept for x2APIC registers */
 		avic_set_x2apic_msr_interception(svm, true);
 	}




* [PATCH 6.12 133/307] usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 132/307] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 134/307] usb: typec: ucsi: validate connector number in ucsi_connector_change() Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, André Draszik,
	Badhri Jagan Sridharan, Amit Sunil Dhamne, stable

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aa2f716327be1818e1cb156da8a2844804aaec2f upstream.

A broken/malicious port can transmit a CRC-valid frame whose header
advertises up to seven data objects but whose body carries fewer than
that.  Check for this, and rightfully reject the message, instead of
reading from uninitialized stack memory.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: "André Draszik" <andre.draszik@linaro.org>
Cc: Badhri Jagan Sridharan <badhri@google.com>
Cc: Amit Sunil Dhamne <amitsd@google.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/2026051350-sitter-canopener-9045@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpci_maxim_core.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
@@ -186,6 +186,15 @@ static void process_rx(struct max_tcpci_
 	rx_buf_ptr = rx_buf + TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET;
 	msg.header = cpu_to_le16(*(u16 *)rx_buf_ptr);
 	rx_buf_ptr = rx_buf_ptr + sizeof(msg.header);
+
+	if (count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) +
+		    pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])) {
+		max_tcpci_write16(chip, TCPC_ALERT, TCPC_ALERT_RX_STATUS);
+		dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n",
+			count, pd_header_cnt_le(msg.header));
+		return;
+	}
+
 	for (payload_index = 0; payload_index < pd_header_cnt_le(msg.header); payload_index++,
 	     rx_buf_ptr += sizeof(msg.payload[0]))
 		msg.payload[payload_index] = cpu_to_le32(*(u32 *)rx_buf_ptr);
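Review bot: the expected frame length is spelled out in the check and then recomputed implicitly by the payload loop's `rx_buf_ptr += sizeof(msg.payload[0])`; a local such as `expected = TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) + pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])` would let the check and the `dev_err()` share it and shorten the wrapped condition. If `count` is a signed type, `count < <size_t expression>` promotes `count` to unsigned, which still rejects negative values but hides that fact; an explicit cast or an unsigned `count` makes the intent clear. Acknowledging `TCPC_ALERT_RX_STATUS` before returning is the right order so the rejected frame is consumed rather than left pending.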




* [PATCH 6.18 144/315] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 143/315] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 145/315] KVM: SEV: Ignore Port I/O requests of length 0 Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stan Shaw, Michael Roth,
	Tom Lendacky, Peter Gonda, Jacky Li, Sean Christopherson,
	Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Roth <michael.roth@amd.com>

commit db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7 upstream.

As per the GHCB spec, when using GHCB v2+ require the software scratch area
to reside in the GHCB's shared buffer.  Note, things like Page State Change
(PSC) requests _rely_ on this behavior, as the guest can't provide a length
when making the request, i.e. the size of the guest payload is bounded by
the size of the shared buffer.

Failure to force usage of the GHCB, and a slew of other flaws, lets a
malicious SNP guest corrupt host kernel heap memory, and leak host heap
layout information.

setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2),
where exit_info_2 is guest-controlled. With exit_info_2=24, this yields
a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer
holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only
entries[0] and entries[1] are in-bounds.

snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253)
but NOT against the actual buffer size:

      idx_end = hdr->end_entry;

      if (idx_end >= VMGEXIT_PSC_MAX_COUNT) {   // checks 253, not buffer
          snp_complete_psc(svm, ...);
          return 1;
      }

      for (idx = idx_start; idx <= idx_end; idx++) {
          entry_start = entries[idx];           // OOB when idx >= 2

The guest sets end_entry=10+, causing the host to iterate entries[2+]
which are OOB into adjacent slab objects. For each OOB entry:

  - The host reads 8 bytes (OOB READ / info leak oracle)
  - If the data passes PSC validation, __snp_complete_one_psc() writes
    cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806)
  - If validation fails, the error response reveals whether adjacent
    memory is zero vs non-zero (information disclosure to guest)

The guest controls allocation size (exit_info_2), entry range
(cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly
hit different slab positions.

By exploiting the variety of bugs, a malicious SEV-SNP guest can:
    - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure)
    - OOB write cur_page bits into adjacent objects (heap corruption)
    - Trigger use-after-free conditions across VMGEXITs

E.g. with KASAN enabled, a single insmod of the PoC guest module
produces 73 KASAN reports:

    BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890
    Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199

    BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890
    Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199

    The buggy address belongs to the object at ffff888XXXXXXXXX
     which belongs to the cache kmalloc-cg-32 of size 32
    The buggy address is located N bytes to the right of
     allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX)

  Breakdown:
    62 slab-out-of-bounds (reads + writes past allocation)
     7 slab-use-after-free
     4 use-after-free

All credit to Stan for the wonderful description and reproducer!

Reported-by: Stan Shaw <shawstan96@gmail.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Peter Gonda <pgonda@google.com>
Cc: Jacky Li <jackyli@google.com>
Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Roth <michael.roth@amd.com>
[sean: write changelog]
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3651,6 +3651,10 @@ static int setup_vmgexit_scratch(struct
 		scratch_va = (void *)svm->sev_es.ghcb;
 		scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
 	} else {
+		/* GHCB v2 requires the scratch area to be within the GHCB. */
+		if (to_kvm_sev_info(svm->vcpu.kvm)->ghcb_version >= 2)
+			goto e_scratch;
+
 		/*
 		 * The guest memory must be read into a kernel buffer, so
 		 * limit the size
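Review bot: the early `goto e_scratch` for `ghcb_version >= 2` rejects any scratch pointer outside the GHCB without saying why; a `pr_err()` or tracepoint naming the rejected scratch GPA and the negotiated GHCB version would help operators diagnose a guest that stops working after this backport because it relied on the old out-of-GHCB behaviour. The comment should also point at the GHCB spec requirement the changelog cites, so the restriction is not mistaken for a KVM-local policy choice.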




* [PATCH 6.12 134/307] usb: typec: ucsi: validate connector number in ucsi_connector_change()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 133/307] usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 135/307] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Benson Leung,
	Jameson Thies, Nathan Rebello, Johan Hovold, Pooja Katiyar,
	Hsin-Te Yuan, Abel Vesa, stable, Abel Vesa

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 288a81a8507052bcfbf884d39a463c44c42c5fd9 upstream.

The connector number in a UCSI CCI notification is a 7-bit field
supplied by the PPM.  ucsi_connector_change() uses it to index the
ucsi->connector[] array without checking it against the number of
connectors the PPM reported at init time, so a buggy or malicious PPM
(EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
glink transports) can drive schedule_work() on memory past the end of
the array.

Reject connector numbers that are zero or exceed cap.num_connectors
before dereferencing the array.

Assisted-by: gkh_clanker_t1000
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: Benson Leung <bleung@chromium.org>
Cc: Jameson Thies <jthies@google.com>
Cc: Nathan Rebello <nathan.c.rebello@gmail.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Hsin-Te Yuan <yuanhsinte@chromium.org>
Cc: Abel Vesa <abelvesa@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Benson Leung <bleung@chromium.org>
Link: https://patch.msgid.link/2026051351-truck-steadfast-df48@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1290,13 +1290,22 @@ out_unlock:
  */
 void ucsi_connector_change(struct ucsi *ucsi, u8 num)
 {
-	struct ucsi_connector *con = &ucsi->connector[num - 1];
+	struct ucsi_connector *con;
 
 	if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
 		dev_dbg(ucsi->dev, "Early connector change event\n");
 		return;
 	}
 
+	if (!num || num > ucsi->cap.num_connectors) {
+		dev_warn_ratelimited(ucsi->dev,
+				     "Bogus connector change on %u (max %u)\n",
+				     num, ucsi->cap.num_connectors);
+		return;
+	}
+
+	con = &ucsi->connector[num - 1];
+
 	if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
 		schedule_work(&con->work);
 }
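Review bot: the ordering is right and deserves a comment: `ucsi->cap.num_connectors` is only trustworthy once initialisation has enabled notifications, which is what the `UCSI_ENABLE_NTFY_CONNECTOR_CHANGE` check above guarantees, so the new range check must stay after it. `!num` also closes the previous `connector[num - 1]` underflow for `num == 0`, which the changelog mentions but the old code did not guard. `dev_warn_ratelimited()` is the right level for a value fed by EC or I2C firmware that could spam the log.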




* [PATCH 6.18 145/315] KVM: SEV: Ignore Port I/O requests of length 0
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.18 144/315] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.18 146/315] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Sean Christopherson,
	Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 3988bd2723de407ae90fa7a6f6029b4e60238c58 upstream.

Explicitly ignore Port I/O requests of length '0' (or count '0'), so that
setting up the software scratch area (and other code) doesn't have to
worry about underflowing the length, and to allow for WARNing on trying
to configure the scratch area with len==0.

Fixes: 291bd20d5d88 ("KVM: SVM: Add initial support for a VMGEXIT VMEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4499,6 +4499,11 @@ int sev_handle_vmgexit(struct kvm_vcpu *
 			    control->exit_info_1, control->exit_info_2);
 		ret = -EINVAL;
 		break;
+	case SVM_EXIT_IOIO:
+		if (!((control->exit_info_1 & SVM_IOIO_SIZE_MASK) >> SVM_IOIO_SIZE_SHIFT))
+			return 1;
+
+		fallthrough;
 	default:
 		ret = svm_invoke_exit_handler(vcpu, exit_code);
 	}
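Review bot: `return 1` from inside the `switch` bypasses the `ret`/`break` flow the surrounding cases use (the case just above sets `ret = -EINVAL; break;`), so any code after the switch is skipped for a zero-size IOIO exit; if that code is only error cleanup this is harmless, but `ret = 1; break;` would be the consistent form and survive later additions after the switch. The check also looks only at the size field, so a zero `count` for string I/O is not caught here; the `!bytes` guard in the next hunk covers that, and a one-line comment pointing at it would make the split intentional.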
@@ -4519,6 +4524,9 @@ int sev_es_string_io(struct vcpu_svm *sv
 	if (unlikely(check_mul_overflow(count, size, &bytes)))
 		return -EINVAL;
 
+	if (!bytes)
+		return 1;
+
 	r = setup_vmgexit_scratch(svm, in, bytes);
 	if (r)
 		return r;
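Review bot: placing `if (!bytes) return 1;` after `check_mul_overflow(count, size, &bytes)` means both a zero `count` and a zero `size` land here, which makes this the real guard for `setup_vmgexit_scratch()`; the IOIO case added earlier only short-circuits the non-string path. A comment stating that a zero-length request is ignored rather than treated as an error (the changelog's rationale about not underflowing the length) would keep someone from 'fixing' this to `-EINVAL` later.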




* [PATCH 6.12 135/307] USB: serial: safe_serial: fix memory corruption with small endpoint
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2026-06-07  9:58 ` [PATCH 6.12 134/307] usb: typec: ucsi: validate connector number in ucsi_connector_change() Greg Kroah-Hartman
@ 2026-06-07  9:58 ` Greg Kroah-Hartman
  2026-06-07  9:58 ` [PATCH 6.12 136/307] media: rc: igorplugusb: fix control request setup packet Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.

Make sure that the bulk-out buffer size is at least eight bytes to avoid
user-controlled slab corruption in "safe" mode should a malicious device
report a smaller size.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/safe_serial.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/serial/safe_serial.c
+++ b/drivers/usb/serial/safe_serial.c
@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
 static int safe_startup(struct usb_serial *serial)
 {
 	struct usb_interface_descriptor	*desc;
+	int bulk_out_size;
 
 	if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
 		return -ENODEV;
@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
 	default:
 		return -EINVAL;
 	}
+
+	/*
+	 * The bulk-out buffer needs to be large enough for the two-byte
+	 * trailer in safe mode, but assume anything smaller than eight bytes
+	 * is broken.
+	 */
+	bulk_out_size = serial->port[0]->bulk_out_size;
+	if (bulk_out_size > 0 && bulk_out_size < 8)
+		return -EINVAL;
+
 	return 0;
 }
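Review bot: the `bulk_out_size > 0 &&` guard means a port with no bulk-out endpoint (bulk_out_size == 0) passes this check, but the comment above only says that sizes below eight are broken; extend the comment to state that zero is deliberately tolerated here and left for the write path to reject, so the condition does not read as an off-by-one against the "two-byte trailer" it mentions.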
 




* [PATCH 6.18 146/315] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 2be54670bdc017004c4a4b8bddb6ff02ebe7dbe2 upstream.

When handling a Page State Change (PSC) #VMGEXIT use the size of the PSC
header as the minimum size for the scratch area.  Per the GHCB spec, PSC
requests do NOT provide the length, i.e. using control->exit_info_2 for the
length is completely made up behavior.  The existing code "works", e.g.
even though Linux-as-a-guest always passes '0', because KVM doesn't do
anything with the length when the request is in the GHCB's shared buffer.

Use the header as the min length.  Once the header is retrieved, KVM can
use the specified indices to compute the full size of the request.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4473,7 +4473,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *
 		vcpu->run->system_event.data[0] = control->ghcb_gpa;
 		break;
 	case SVM_VMGEXIT_PSC:
-		ret = setup_vmgexit_scratch(svm, true, control->exit_info_2);
+		ret = setup_vmgexit_scratch(svm, true, sizeof(struct psc_hdr));
 		if (ret)
 			break;
 
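Review bot: with the minimum dropped to sizeof(struct psc_hdr), the scratch area is no longer guaranteed to cover any entries, so every entries[idx] access in the PSC handler now depends on a bounds check against the effective area length that is not part of this hunk; a short comment on this line (or in the commit message) pointing at where that check lives would make the dependency explicit for anyone picking this patch in isolation.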




* [PATCH 6.12 136/307] media: rc: igorplugusb: fix control request setup packet
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+11f0e4f957c7c3bf3d51, Henri A,
	Sean Young, Hans Verkuil

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Henri A <contact@henrialfonso.com>

commit 171022c7d594c133a45f92357a2a91475edabe20 upstream.

Commit eac69475b01f ("media: rc: igorplugusb: heed coherency
rules") changed the control request storage from an embedded struct to
an allocated pointer so it can obey DMA coherency rules.

However, the driver still passes &ir->request to usb_fill_control_urb().
That points the URB setup packet at the pointer field itself rather than
at the allocated struct usb_ctrlrequest.

USB core then interprets pointer bytes as the setup packet. This can
produce an invalid bRequestType and trigger the control direction warning
reported by syzbot:

  usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0

Pass ir->request itself as the setup packet.

Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules")
Reported-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=11f0e4f957c7c3bf3d51
Tested-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Assisted-by: Codex:GPT-5.5
Signed-off-by: Henri A <contact@henrialfonso.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/rc/igorplugusb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_
 	if (!ir->buf_in)
 		goto fail;
 	usb_fill_control_urb(ir->urb, udev,
-		usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request,
+		usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request,
 		ir->buf_in, MAX_PACKET, igorplugusb_callback, ir);
 
 	usb_make_path(udev, ir->phys, sizeof(ir->phys));
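Review bot: the `(uint8_t *)` cast is what let the previous `&ir->request` (a pointer to the pointer field) compile silently, since an explicit cast accepts any pointer type; the cast is required by usb_fill_control_urb()'s setup_packet parameter, so add a one-line comment on the call that ir->request is the separately allocated struct usb_ctrlrequest, so a later refactor cannot reintroduce the address-of without tripping over it.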




* [PATCH 6.18 147/315] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit f185e05dce6f170f83c4ba602e969b1c3c7a22e6 upstream.

Now that all paths in KVM properly validate the length needed for the
scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM
attempts to configure the scratch area with min_len==0 to guard against
future bugs.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-8-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3617,6 +3617,9 @@ static int setup_vmgexit_scratch(struct
 	u64 scratch_gpa_beg, scratch_gpa_end;
 	void *scratch_va;
 
+	if (WARN_ON_ONCE(!min_len))
+		goto e_scratch;
+
 	scratch_gpa_beg = svm->sev_es.sw_scratch;
 	if (!scratch_gpa_beg) {
 		pr_err("vmgexit: scratch gpa not provided\n");
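Review bot: `goto e_scratch` on a zero min_len is fine as long as the e_scratch path (outside this hunk) reports a failure to the guest and returns a non-zero value; please confirm it does not return 0, since a caller treating that as success would proceed with ghcb_sa unset. WARN_ON_ONCE is the right severity here, as the commit message frames this as a KVM bug rather than guest misbehaviour.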




* [PATCH 6.12 137/307] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Dmitry Torokhov

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Fourier <fourier.thomas@gmail.com>

commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.

The input buffer size is pcu->max_in_size, but pcu->max_out_size is
passed to usb_free_coherent().

Change size to match the allocation size.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/misc/ims-pcu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1604,7 +1604,7 @@ static void ims_pcu_buffers_free(struct
 	usb_kill_urb(pcu->urb_in);
 	usb_free_urb(pcu->urb_in);
 
-	usb_free_coherent(pcu->udev, pcu->max_out_size,
+	usb_free_coherent(pcu->udev, pcu->max_in_size,
 			  pcu->urb_in_buf, pcu->read_dma);
 
 	kfree(pcu->urb_out_buf);
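Review bot: the size now matches the allocation, but the alloc and free sizes remain two independently maintained fields (max_in_size for urb_in_buf, max_out_size for urb_out_buf); storing the allocated length next to each buffer, or freeing through one helper that takes the buffer's own recorded size, would stop the pair from drifting apart again.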




* [PATCH 6.18 148/315] KVM: SEV: Compute the correct max length of the in-GHCB scratch area
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 5867d7e202e09f037cefe77f7af4413c7c0fa088 upstream.

When setting the length of the GHCB scratch area, and the area is in the
GHCB shared buffer, set the effective length of the scratch area to the max
possible size given the start of the guest-provided pointer, and the end of
the shared buffer.

The code was "fine" when first introduced, as KVM doesn't consult the
length of the buffer when emulating MMIO, because the passed in @len always
specifies the *max* size required.  But for PSC requests, the incoming @len
is just the minimum length (to process the header), and KVM needs to know
the full size of the scratch area to avoid buffer overflows (spoiler alert).

Opportunistically rename @len => @min_len to better reflect its role.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-7-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3610,7 +3610,7 @@ int pre_sev_run(struct vcpu_svm *svm, in
 }
 
 #define GHCB_SCRATCH_AREA_LIMIT		(16ULL * PAGE_SIZE)
-static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 len)
+static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 min_len)
 {
 	struct vmcb_control_area *control = &svm->vmcb->control;
 	u64 ghcb_scratch_beg, ghcb_scratch_end;
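Review bot: the rename to min_len captures the contract for the in-GHCB case, but the same parameter is also the exact allocation and copy size in the out-of-GHCB branch (kvzalloc()/kvm_read_guest() further down); a short comment above the function describing both meanings, and that callers must pass a non-zero value, would make the asymmetry visible at the declaration rather than only in the body.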
@@ -3626,10 +3626,10 @@ static int setup_vmgexit_scratch(struct
 		goto e_scratch;
 	}
 
-	scratch_gpa_end = scratch_gpa_beg + len;
+	scratch_gpa_end = scratch_gpa_beg + min_len;
 	if (scratch_gpa_end < scratch_gpa_beg) {
 		pr_err("vmgexit: scratch length (%#llx) not valid for scratch address (%#llx)\n",
-		       len, scratch_gpa_beg);
+		       min_len, scratch_gpa_beg);
 		goto e_scratch;
 	}
 
@@ -3653,6 +3653,8 @@ static int setup_vmgexit_scratch(struct
 
 		scratch_va = (void *)svm->sev_es.ghcb;
 		scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
+
+		svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg;
 	} else {
 		/* GHCB v2 requires the scratch area to be within the GHCB. */
 		if (to_kvm_sev_info(svm->vcpu.kvm)->ghcb_version >= 2)
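Review bot: `ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg` makes the effective length the span to the end of the shared buffer rather than min_len, which is the point of the patch; it relies on the earlier range check (outside this hunk) having already confirmed that scratch_gpa_beg lies inside the shared buffer so the subtraction cannot wrap, and a one-line comment here saying so would help a reader who only sees this assignment.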
@@ -3662,16 +3664,16 @@ static int setup_vmgexit_scratch(struct
 		 * The guest memory must be read into a kernel buffer, so
 		 * limit the size
 		 */
-		if (len > GHCB_SCRATCH_AREA_LIMIT) {
+		if (min_len > GHCB_SCRATCH_AREA_LIMIT) {
 			pr_err("vmgexit: scratch area exceeds KVM limits (%#llx requested, %#llx limit)\n",
-			       len, GHCB_SCRATCH_AREA_LIMIT);
+			       min_len, GHCB_SCRATCH_AREA_LIMIT);
 			goto e_scratch;
 		}
-		scratch_va = kvzalloc(len, GFP_KERNEL_ACCOUNT);
+		scratch_va = kvzalloc(min_len, GFP_KERNEL_ACCOUNT);
 		if (!scratch_va)
 			return -ENOMEM;
 
-		if (kvm_read_guest(svm->vcpu.kvm, scratch_gpa_beg, scratch_va, len)) {
+		if (kvm_read_guest(svm->vcpu.kvm, scratch_gpa_beg, scratch_va, min_len)) {
 			/* Unable to copy scratch area from guest */
 			pr_err("vmgexit: kvm_read_guest for scratch area failed\n");
 
@@ -3687,11 +3689,10 @@ static int setup_vmgexit_scratch(struct
 		 */
 		svm->sev_es.ghcb_sa_sync = sync;
 		svm->sev_es.ghcb_sa_free = true;
+		svm->sev_es.ghcb_sa_len = min_len;
 	}
 
 	svm->sev_es.ghcb_sa = scratch_va;
-	svm->sev_es.ghcb_sa_len = len;
-
 	return 0;
 
 e_scratch:
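Review bot: setting ghcb_sa_len = min_len only in the kernel-buffer branch, while the in-GHCB branch sets it to the span to the end of the shared buffer, is correct, but the removed single assignment after the if/else was the one place a reader could see the field is always initialised; a comment noting that both branches now set ghcb_sa_len would guard against a future branch leaving it stale.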




* [PATCH 6.12 138/307] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, hlleng, Benjamin Tissoires

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hlleng <a909204013@gmail.com>

commit 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd upstream.

The SIGMACHIP USB mouse with VID/PID 1c4f:0034 can disconnect and
re-enumerate repeatedly after it has been enumerated if its interrupt
endpoint is not continuously polled.

This was observed with the device reporting itself as "SIGMACHIP Usb
Mouse". Keeping the input event device open avoids the disconnects.

Add HID_QUIRK_ALWAYS_POLL for this device so the HID core keeps polling
it even when there is no userspace input consumer.

Cc: stable@vger.kernel.org
Signed-off-by: hlleng <a909204013@gmail.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-ids.h    |    1 +
 drivers/hid/hid-quirks.c |    1 +
 2 files changed, 2 insertions(+)

--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -1230,6 +1230,7 @@
 
 #define USB_VENDOR_ID_SIGMA_MICRO	0x1c4f
 #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD	0x0002
+#define USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE	0x0034
 #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD2	0x0059
 
 #define USB_VENDOR_ID_SIGMATEL		0x066F
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -186,6 +186,7 @@ static const struct hid_device_id hid_qu
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD), HID_QUIRK_NO_INIT_REPORTS },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE), HID_QUIRK_ALWAYS_POLL },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS1030_TOUCH), HID_QUIRK_NOGET },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS817_TOUCH), HID_QUIRK_NOGET },




* [PATCH 6.18 149/315] KVM: SEV: Check PSC request indices against the actual size of the buffer
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 121d88de56bc5c0ba0ce2f6381af67f948a7e7c1 upstream.

When processing Page State Change (PSC) requests, validate the PSC buffer
against the effective size of the scratch area, which could be less than
the maximum size if the guest provided a pointer that isn't exactly at the
start of the GHCB shared buffer.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-10-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3850,7 +3850,7 @@ static int snp_begin_psc(struct vcpu_svm
 	struct kvm_vcpu *vcpu = &svm->vcpu;
 	struct psc_hdr *hdr = &psc->hdr;
 	struct psc_entry entry_start;
-	u16 idx, idx_start, idx_end;
+	u16 idx, idx_start, idx_end, max_nr_entries;
 	int npages;
 	bool huge;
 	u64 gfn;
@@ -3860,6 +3860,19 @@ static int snp_begin_psc(struct vcpu_svm
 		return 1;
 	}
 
+	/*
+	 * GHCB v2 requires the scratch area to reside within the GHCB itself,
+	 * and PSC requests are only supported for GHCB v2+.  Thus it should be
+	 * impossible to exceed the max PSC entry count (which is derived from
+	 * the size of the shared GHCB buffer).
+	 */
+	max_nr_entries = (sev_es->ghcb_sa_len - sizeof(struct psc_hdr)) /
+			 sizeof(struct psc_entry);
+	if (WARN_ON_ONCE(max_nr_entries > VMGEXIT_PSC_MAX_COUNT)) {
+		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC);
+		return 1;
+	}
+
 next_range:
 	/* There should be no other PSCs in-flight at this point. */
 	if (WARN_ON_ONCE(svm->sev_es.psc_inflight)) {
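Review bot: max_nr_entries is a u16 while the division yields a u64, so the WARN_ON_ONCE compares the value after truncation; a ghcb_sa_len large enough to wrap the u16 (impossible for an in-GHCB area today, as the comment says) would pass the check with a small max_nr_entries. Compare the untruncated expression, or make max_nr_entries a u32, so the WARN fires on the condition the comment describes. The subtraction also assumes ghcb_sa_len >= sizeof(struct psc_hdr), which holds because setup_vmgexit_scratch() was called with exactly that minimum; that is worth a one-line comment too.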
@@ -3875,7 +3888,7 @@ next_range:
 	idx_start = hdr->cur_entry;
 	idx_end = hdr->end_entry;
 
-	if (idx_end >= VMGEXIT_PSC_MAX_COUNT) {
+	if (idx_end >= max_nr_entries) {
 		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR);
 		return 1;
 	}
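Review bot: `idx_end >= max_nr_entries` is the right direction (max_nr_entries is a count, idx_end an index), and with max_nr_entries == 0 every request is rejected as INVALID_HDR; it would be worth noting in the comment above that a scratch pointer placed within the last sizeof(struct psc_entry) bytes of the shared buffer therefore yields an unconditional error rather than a zero-entry success, so nobody later "fixes" that as a regression.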



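The two KVM patches above (148, the effective scratch-area length, and 149, PSC indices checked against that length) describe one bounds computation. What follows is an added example, not kernel code and not part of this review series: a user-space C model of those checks, plus the snapshot-then-validate reading from patch 150. It assumes a 4 KiB GHCB whose shared buffer occupies the last 2032 bytes (offset 0x810 to the end of the page), 8-byte psc_hdr and psc_entry layouts and a 253-entry ceiling; names such as scratch_area_len() and psc_check_sample() are this example's own, and the sample request it validates is constructed inline.

```c
/*
 * Added example, not kernel code: user-space model of the GHCB scratch-area
 * length and PSC index validation from the KVM patches above.
 * Layout assumptions for this example: one 4 KiB GHCB page, shared buffer at
 * offset 0x810 running to the end of the page (2032 bytes), 8-byte psc_hdr
 * and psc_entry, at most 253 entries when the whole buffer is used.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GHCB_PAGE_SIZE   4096u
#define SHARED_BUF_BEG   0x810u            /* assumed offset of the shared buffer */
#define SHARED_BUF_END   GHCB_PAGE_SIZE    /* exclusive end: the page end */
#define PSC_MAX_COUNT    253u              /* (2032 - 8) / 8 */

struct psc_hdr {          /* 8 bytes, no padding */
	uint16_t cur_entry;
	uint16_t end_entry;
	uint32_t reserved;
};

struct psc_entry {        /* 8 bytes; the bitfields are not needed here */
	uint64_t raw;
};

/*
 * Patch 148: the guest supplies only a start offset, so the usable length
 * runs from there to the end of the shared buffer, not just the caller's
 * minimum. Returns 0 for an invalid request (zero min_len as in patch 147,
 * arithmetic wrap, or a range outside the shared buffer).
 */
uint64_t scratch_area_len(uint64_t scratch_off, uint64_t min_len)
{
	uint64_t end;

	if (!min_len)
		return 0;
	if (__builtin_add_overflow(scratch_off, min_len, &end))
		return 0;
	if (scratch_off < SHARED_BUF_BEG || end > SHARED_BUF_END)
		return 0;
	return SHARED_BUF_END - scratch_off;
}

/*
 * Patch 149: entries that fit after the header in sa_len bytes. The ceiling
 * check is done on the untruncated value so a wrapped count cannot slip by.
 * Returns -1 for a length that cannot hold even the header.
 */
int psc_max_entries(uint64_t sa_len)
{
	uint64_t n;

	if (sa_len < sizeof(struct psc_hdr))
		return -1;
	n = (sa_len - sizeof(struct psc_hdr)) / sizeof(struct psc_entry);
	if (n > PSC_MAX_COUNT)
		return -1;
	return (int)n;
}

/*
 * Patch 150: copy the guest-visible header once and validate the copy, so
 * the indices used afterwards cannot change between check and use.
 * Returns 0 and fills *start/*end, or -1 for an invalid header.
 */
int psc_validate_header(const uint8_t *sa, uint64_t sa_len,
			uint16_t *start, uint16_t *end)
{
	struct psc_hdr hdr;
	int max = psc_max_entries(sa_len);

	if (max < 0)
		return -1;
	memcpy(&hdr, sa, sizeof(hdr));        /* single snapshot of guest memory */
	if (hdr.end_entry >= (unsigned int)max) /* INVALID_HDR */
		return -1;
	*start = hdr.cur_entry;
	*end = hdr.end_entry;
	return 0;
}

/* Constructed sample: a zeroed GHCB page with a PSC header at scratch_off. */
int psc_check_sample(uint64_t scratch_off, uint16_t cur, uint16_t end)
{
	uint8_t ghcb[GHCB_PAGE_SIZE] = { 0 };
	struct psc_hdr hdr = { .cur_entry = cur, .end_entry = end, .reserved = 0 };
	uint64_t sa_len;
	uint16_t s, e;

	if (scratch_off > GHCB_PAGE_SIZE - sizeof(hdr))
		return -1;
	memcpy(ghcb + scratch_off, &hdr, sizeof(hdr));
	sa_len = scratch_area_len(scratch_off, sizeof(struct psc_hdr));
	if (!sa_len)
		return -1;
	return psc_validate_header(ghcb + scratch_off, sa_len, &s, &e);
}

int main(void)
{
	/* Pointer at the start of the buffer: all 253 entries fit. */
	printf("start of buffer: len=%llu max=%d\n",
	       (unsigned long long)scratch_area_len(SHARED_BUF_BEG, 8),
	       psc_max_entries(2032));
	/* Pointer 1 KiB in: only 125 fit, so end_entry 200 is rejected even
	 * though it is below the 253 ceiling the old code compared against. */
	printf("1 KiB in: end=200 -> %d, end=124 -> %d\n",
	       psc_check_sample(SHARED_BUF_BEG + 1024, 0, 200),
	       psc_check_sample(SHARED_BUF_BEG + 1024, 0, 124));
	return 0;
}
```

The second printf is the case patch 149 closes: a request whose end index is below the fixed ceiling but beyond what the guest's own scratch pointer leaves room for.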

* [PATCH 6.12 139/307] Bluetooth: btusb: Allow firmware re-download when version matches
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shuai Zhang, Luiz Augusto von Dentz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>

commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.

The Bluetooth host decides whether to download firmware by reading the
controller firmware download completion flag and firmware version
information.

If a USB error occurs during the firmware download process (for example
due to a USB disconnect), the download is aborted immediately. An
incomplete firmware transfer does not cause the controller to set the
download completion flag, but the firmware version information may be
updated at an early stage of the download process.

In this case, after USB reconnection, the host attempts to re-download
the firmware because the download completion flag is not set. However,
since the controller reports the same firmware version as the target
firmware, the download is skipped. This ultimately results in the
firmware not being properly updated on the controller.

This change removes the restriction that skips firmware download when
the versions are equal. It covers scenarios where the USB connection
can be disconnected at any time and ensures that firmware download can
be retriggered after USB reconnection, allowing the Bluetooth firmware
to be correctly and completely updated.

Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
Cc: stable@vger.kernel.org
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/btusb.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3430,7 +3430,13 @@ static int btusb_setup_qca_load_rampatch
 		    "firmware rome 0x%x build 0x%x",
 		    rver_rom, rver_patch, ver_rom, ver_patch);
 
-	if (rver_rom != ver_rom || rver_patch <= ver_patch) {
+	/* Allow rampatch when the patch version equals the firmware version.
+	 * A firmware download may be aborted by a transient USB error (e.g.
+	 * disconnect) after the controller updates version info but before
+	 * completion.
+	 * Allowing equal versions enables re-flashing during recovery.
+	 */
+	if (rver_rom != ver_rom || rver_patch < ver_patch) {
 		bt_dev_err(hdev, "rampatch file version did not match with firmware");
 		err = -EINVAL;
 		goto done;
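Review bot: changing `<=` to `<` means every probe with matching versions re-downloads the rampatch, not only the aborted-download case the new comment describes; if the download completion flag named in the commit message is readable here, gate the re-flash on it (allow equal versions only when the flag is clear) so the common healthy-boot path keeps its early exit. Failing that, the comment should say plainly that equal versions now always proceed, rather than implying it only happens during recovery.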




* [PATCH 6.18 150/315] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Sean Christopherson,
	Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit c8cc238093ca6c99267032f6cfe78f59389f3157 upstream.

Use READ_ONCE() when reading entries/indices from the guest-accessible
Page State Change buffer to defend against TOCTOU bugs.

Don't bother with READ_ONCE()/WRITE_ONCE() for cases where KVM is writing
(and not consuming the result!), as the guest isn't supposed to touch the
buffer while it's being processed.  I.e. using READ_ONCE() is all about
protecting against misbehaving guests.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-11-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3820,9 +3820,9 @@ static void __snp_complete_one_psc(struc
 	 */
 	for (idx = svm->sev_es.psc_idx; svm->sev_es.psc_inflight;
 	     svm->sev_es.psc_inflight--, idx++) {
-		struct psc_entry *entry = &entries[idx];
+		struct psc_entry entry = READ_ONCE(entries[idx]);
 
-		entry->cur_page = entry->pagesize ? 512 : 1;
+		entries[idx].cur_page = entry.pagesize ? 512 : 1;
 	}
 
 	hdr->cur_entry = idx;
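Review bot: `READ_ONCE(entries[idx])` on a whole struct compiles only because struct psc_entry is exactly 8 bytes (READ_ONCE()'s type check admits non-native types whose size equals sizeof(long long)); that is desirable, since growing the struct would then fail the build rather than silently tear, but it deserves a comment so the next person to touch the struct knows why the build broke.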
@@ -3885,8 +3885,8 @@ next_range:
 	 * validation, so take care to only use validated copies of values used
 	 * for things like array indexing.
 	 */
-	idx_start = hdr->cur_entry;
-	idx_end = hdr->end_entry;
+	idx_start = READ_ONCE(hdr->cur_entry);
+	idx_end = READ_ONCE(hdr->end_entry);
 
 	if (idx_end >= max_nr_entries) {
 		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR);
@@ -3895,7 +3895,7 @@ next_range:
 
 	/* Find the start of the next range which needs processing. */
 	for (idx = idx_start; idx <= idx_end; idx++, hdr->cur_entry++) {
-		entry_start = entries[idx];
+		entry_start = READ_ONCE(entries[idx]);
 
 		gfn = entry_start.gfn;
 		huge = entry_start.pagesize;
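Review bot: the loop header still does `hdr->cur_entry++`, a read-modify-write directly on the guest-shared header, while the locals idx_start/idx_end hold the validated copies; that matches the commit message (KVM never consumes what it writes back here), but a comment on the loop would help, since a reader will otherwise see a plain access right next to the new READ_ONCE() ones and assume it was missed.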
@@ -3939,7 +3939,7 @@ next_range:
 	 * KVM_HC_MAP_GPA_RANGE exit.
 	 */
 	while (++idx <= idx_end) {
-		struct psc_entry entry = entries[idx];
+		struct psc_entry entry = READ_ONCE(entries[idx]);
 
 		if (entry.operation != entry_start.operation ||
 		    entry.gfn != entry_start.gfn + npages ||




* [PATCH 6.12 140/307] hpfs: fix a crash if hpfs_map_dnode_bitmap fails
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Farhad Alemi

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mpatocka@redhat.com>

commit 974820a59efde7c1a7e1260bcfe9bb81f833cc9f upstream.

If hpfs_map_dnode_bitmap fails, the code would call hpfs_brelse4 on
uninitialized quad buffer head, causing a crash.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hpfs/alloc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/hpfs/alloc.c
+++ b/fs/hpfs/alloc.c
@@ -372,8 +372,8 @@ int hpfs_check_free_dnodes(struct super_
 				return 0;
 			}
 		}
+		hpfs_brelse4(&qbh);
 	}
-	hpfs_brelse4(&qbh);
 	i = 0;
 	if (hpfs_sb(s)->sb_c_bitmap != -1) {
 		bmp = hpfs_map_bitmap(s, b, &qbh, "chkdn1");
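Review bot: moving hpfs_brelse4(&qbh) inside the loop stops it from running on a qbh that was never mapped, but the `return 0;` at the top of the hunk now exits the loop body before the relocated release; confirm that path either releases qbh before returning or is only reached when the bitmap was not mapped, otherwise the fix trades a crash for a leak of a mapped quad buffer.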




* [PATCH 6.18 151/315] KVM: SEV: Dont explicitly pass PSC buffer to snp_begin_psc()
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit ebe4b2dc9cfbfb2d8f665667c4d08f4c6c9bec05 upstream.

Stop explicitly passing the PSC buffer to snp_begin_psc(): it *must*
be the scratch area.  This will allow fixing a variety of bugs without
further complicating the code.

No functional change intended.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-9-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3789,7 +3789,7 @@ struct psc_buffer {
 	struct psc_entry entries[];
 } __packed;
 
-static int snp_begin_psc(struct vcpu_svm *svm, struct psc_buffer *psc);
+static int snp_begin_psc(struct vcpu_svm *svm);
 
 static void snp_complete_psc(struct vcpu_svm *svm, u64 psc_ret)
 {
@@ -3831,7 +3831,6 @@ static void __snp_complete_one_psc(struc
 static int snp_complete_one_psc(struct kvm_vcpu *vcpu)
 {
 	struct vcpu_svm *svm = to_svm(vcpu);
-	struct psc_buffer *psc = svm->sev_es.ghcb_sa;
 
 	if (vcpu->run->hypercall.ret) {
 		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC);
@@ -3841,11 +3840,13 @@ static int snp_complete_one_psc(struct k
 	__snp_complete_one_psc(svm);
 
 	/* Handle the next range (if any). */
-	return snp_begin_psc(svm, psc);
+	return snp_begin_psc(svm);
 }
 
-static int snp_begin_psc(struct vcpu_svm *svm, struct psc_buffer *psc)
+static int snp_begin_psc(struct vcpu_svm *svm)
 {
+	struct vcpu_sev_es_state *sev_es = &svm->sev_es;
+	struct psc_buffer *psc = sev_es->ghcb_sa;
 	struct psc_entry *entries = psc->entries;
 	struct kvm_vcpu *vcpu = &svm->vcpu;
 	struct psc_hdr *hdr = &psc->hdr;
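Review bot: the new `sev_es` local is used only for ghcb_sa, while the rest of snp_begin_psc() still goes through svm->sev_es (the psc_inflight check visible in the neighbouring patch, for instance); either use the local consistently throughout the function or drop it, since mixing the two spellings invites the question of whether they can ever differ.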
@@ -4494,7 +4495,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *
 		if (ret)
 			break;
 
-		ret = snp_begin_psc(svm, svm->sev_es.ghcb_sa);
+		ret = snp_begin_psc(svm);
 		break;
 	case SVM_VMGEXIT_AP_CREATION:
 		ret = sev_snp_ap_creation(svm);




* [PATCH 6.12 141/307] ipc: limit next_id allocation to the valid ID range
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linpu Yu, Ren Wei, Yuan Tan,
	Yifan Wu, Juefei Pu, Xin Liu, Kees Cook, Stanislav Kinsbursky,
	Davidlohr Bueso, Andrew Morton

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linpu Yu <linpu5433@gmail.com>

commit fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 upstream.

The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next_id.  ipc_idr_alloc() currently forwards that request to
idr_alloc() with an open-ended upper bound.

If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc_mni.  The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.

The bug is in ipc_idr_alloc() in the checkpoint/restore path.

1. ids->next_id is passed to:

       idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)

2. The zero upper bound makes the allocation effectively open-ended.
   Once the valid SysV IPC tail is occupied, idr_alloc() can spill past
   ipc_mni and allocate an entry beyond the valid IPC id range.

3. The new object id is still encoded with the narrower SysV IPC index
   width:

       new->id = (new->seq << ipcmni_seq_shift()) + idx

4. Later removal goes through ipc_rmid(), which uses:

       ipcid_to_idx(ipcp->id)

   That truncates the real IDR index. An object actually stored at a
   high index can then be removed as if it lived at a low in-range
   index.

5. For shared memory, shm_destroy() frees the current object anyway, but
   the real high IDR slot is left behind as a dangling pointer.

6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry
   and dereferences freed memory.

Prevent this by bounding the requested allocation to ipc_mni so the
checkpoint/restore path fails once the valid range is exhausted.

Link: https://lore.kernel.org/cover.1778336914.git.linpu5433@gmail.com
Link: https://lore.kernel.org/2eebe949bfa7d1f6e13b5be6a92c64c850ce9d45.1778336914.git.linpu5433@gmail.com
Fixes: 03f595668017 ("ipc: add sysctl to specify desired next object id")
Signed-off-by: Linpu Yu <linpu5433@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 ipc/util.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/ipc/util.c
+++ b/ipc/util.c
@@ -253,7 +253,7 @@ static inline int ipc_idr_alloc(struct i
 	} else {
 		new->seq = ipcid_to_seqx(next_id);
 		idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id),
-				0, GFP_NOWAIT);
+				ipc_mni, GFP_NOWAIT);
 	}
 	if (idx >= 0)
 		new->id = (new->seq << ipcmni_seq_shift()) + idx;
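Review bot: the new `ipc_mni` upper bound is exclusive in idr_alloc(), so the allocatable range becomes [ipcid_to_idx(next_id), ipc_mni), which is exactly the width `ipcid_to_idx()` decodes on the `new->id` line below; a requested start at or above `ipc_mni` now fails with -ENOSPC instead of silently spilling, which is the behaviour the commit message asks for. One thing to confirm outside the hunk: the non-next_id branch above should already be bounded by `ipc_mni` so the two paths cannot diverge.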



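An added example, not part of the patch or of the kernel's code, that models the index-truncation step the commit message walks through: a toy slot table stands in for the IDR, and the constants are assumed to mirror the default 15-bit SysV index layout (hypothetical values chosen for illustration).

```c
#include <stdio.h>
#include <string.h>

/*
 * Assumed constants (hypothetical, chosen to mirror the default SysV IPC
 * layout the commit message describes): the index occupies the low 15 bits
 * of an id and the sequence number the bits above it.
 */
#define IPC_MNI_SHIFT 15
#define IPC_MNI       (1 << IPC_MNI_SHIFT)   /* valid idx range is [0, IPC_MNI) */
#define IPC_MNI_MASK  (IPC_MNI - 1)

/* Toy stand-in for the IDR: a flat slot table deliberately larger than the
 * valid range, so an open-ended allocation can land above IPC_MNI. */
#define TABLE_SIZE (IPC_MNI * 2)
static void *table[TABLE_SIZE];

static int ipcid_to_idx(int id)        { return id & IPC_MNI_MASK; }
static int ipcid_to_seqx(int id)       { return id >> IPC_MNI_SHIFT; }
static int encode_id(int seq, int idx) { return (seq << IPC_MNI_SHIFT) + idx; }

/* Toy idr_alloc(): first free slot in [start, end); end == 0 means "no upper
 * bound", which is what the pre-fix call passed. Returns -1 when nothing is free. */
static int toy_idr_alloc(void *obj, int start, int end)
{
	int limit = end ? end : TABLE_SIZE;

	for (int i = start; i < limit; i++) {
		if (!table[i]) {
			table[i] = obj;
			return i;
		}
	}
	return -1;
}

/* Toy ipc_rmid(): removal goes through the encoded id, as in the commit
 * message, so the real index is truncated to IPC_MNI_SHIFT bits. */
static void toy_rmid(int id)
{
	table[ipcid_to_idx(id)] = NULL;
}

/*
 * Run the scenario from the commit message: the last valid index is already
 * occupied and checkpoint/restore asks for next_id at that index.
 * Returns the slot of a left-behind (dangling) entry if removal missed it,
 * 0 if the object was removed cleanly, -1 if the allocation was refused.
 */
static int scenario(int end)
{
	static int tail_obj, new_obj;
	int next_id, idx, id;

	memset(table, 0, sizeof(table));
	table[IPC_MNI - 1] = &tail_obj;             /* constructed state: tail is full */
	next_id = encode_id(3, IPC_MNI - 1);        /* seq 3, idx 32767 */

	idx = toy_idr_alloc(&new_obj, ipcid_to_idx(next_id), end);
	if (idx < 0)
		return -1;                          /* ENOSPC: the fixed behaviour */

	id = encode_id(ipcid_to_seqx(next_id), idx);
	toy_rmid(id);                               /* clears the truncated, wrong slot */

	return table[idx] == &new_obj ? idx : 0;    /* object still stored at idx? */
}

int main(void)
{
	printf("open-ended bound  : dangling entry left at slot %d\n", scenario(0));
	printf("bounded to ipc_mni: allocation result %d\n", scenario(IPC_MNI));
	return 0;
}
```

With the open-ended bound the object lands at slot 32768, its id decodes back to index 0, and the real slot is never cleared; with the `ipc_mni` bound the same request is refused.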

* [PATCH 6.18 152/315] Disable -Wattribute-alias for clang-23 and newer
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.

Clang recently added support for -Wattribute-alias [1], which results in
the same warnings that necessitated commit bee20031772a ("disable
-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.

  kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
    325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
        | ^
  include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
    225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
        |                                    ^
  include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
    236 |         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
        |         ^
  include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
    251 |                 __attribute__((alias(__stringify(__se_sys##name))));    \
        |                                ^
  kernel/time/itimer.c:325:1: note: aliasee is declared here
  include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
    225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
        |                                    ^
  include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
    236 |         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
        |         ^
  include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
    255 |         asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__))  \
        |                         ^
  <scratch space>:16:1: note: expanded from here
     16 | __se_sys_alarm
        | ^

Disable the warnings in the same way for clang-23 and newer. Disable the
warning about unknown warning options to avoid breaking the build for
versions of clang-23 that do not have -Wattribute-alias, such as ones
deployed by vendors like Android or CI systems or when bisecting LLVM
between llvmorg-23-init and release/23.x.

Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/include/asm/syscall_wrapper.h |    4 ++++
 include/linux/compat.h                   |    4 ++++
 include/linux/compiler-clang.h           |    6 ++++++
 include/linux/compiler_types.h           |    4 ++++
 include/linux/syscalls.h                 |    4 ++++
 5 files changed, 22 insertions(+)

--- a/arch/riscv/include/asm/syscall_wrapper.h
+++ b/arch/riscv/include/asm/syscall_wrapper.h
@@ -32,6 +32,10 @@ asmlinkage long __riscv_sys_ni_syscall(c
 	__diag_push();									\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",					\
 			"Type aliasing is used to sanitize syscall arguments");		\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",				\
+		      "Avoid breaking versions without -Wattribute-alias");		\
+	__diag_ignore(clang, 23, "-Wattribute-alias",					\
+			"Type aliasing is used to sanitize syscall arguments");		\
 	static long __se_##prefix##name(ulong, ulong, ulong, ulong, ulong, ulong, 	\
 					ulong)						\
 			__attribute__((alias(__stringify(___se_##prefix##name))));	\
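Review bot: the ordering of the two added pragmas is the important part and it is right: `-Wunknown-warning-option` must be ignored before `-Wattribute-alias` is named, otherwise a clang 23 snapshot without that option would error on the pragma itself. Style nit specific to this file: the continuation line `"Avoid breaking versions without -Wattribute-alias"` is indented with tabs plus spaces while the `"Type aliasing ..."` line below it uses tabs only, so the two new pairs do not line up with the existing GCC call.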
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -72,6 +72,10 @@
 	__diag_push();								\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",				\
 		      "Type aliasing is used to sanitize syscall arguments");\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",			\
+		      "Avoid breaking versions without -Wattribute-alias");	\
+	__diag_ignore(clang, 23, "-Wattribute-alias",				\
+		      "Type aliasing is used to sanitize syscall arguments");	\
 	asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))	\
 		__attribute__((alias(__stringify(__se_compat_sys##name))));	\
 	ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO);				\
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -131,6 +131,12 @@
 #define __diag_str(s)		__diag_str1(s)
 #define __diag(s)		_Pragma(__diag_str(clang diagnostic s))
 
+#if CONFIG_CLANG_VERSION >= 230000
+#define __diag_clang_23(s)	__diag(s)
+#else
+#define __diag_clang_23(s)
+#endif
+
 #define __diag_clang_13(s)	__diag(s)
 
 #define __diag_ignore_all(option, comment) \
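Review bot: `__diag_clang_23` follows the `__diag_clang_13` pattern right below it, but it only takes effect if `__diag_clang(version, severity, s)` in this header (outside the hunk) already expands to `__diag_clang_##version(...)`; otherwise `__diag_ignore(clang, 23, ...)` would fall through to the empty stub added to compiler_types.h and silently do nothing on clang, which is worth a quick check. The `CONFIG_CLANG_VERSION >= 230000` test uses the major*10000 encoding, so it also matches the pre-release 23 builds the commit message mentions, which is exactly why the unknown-warning-option guard is needed alongside it.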
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -636,6 +636,10 @@ struct ftrace_likely_data {
 #define __diag_GCC(version, severity, string)
 #endif
 
+#ifndef __diag_clang
+#define __diag_clang(version, severity, string)
+#endif
+
 #define __diag_push()	__diag(push)
 #define __diag_pop()	__diag(pop)
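Review bot: the stub mirrors the `__diag_GCC` fallback directly above it, so compilers other than clang get an empty expansion and the `__diag_push()`/`__diag_pop()` pair defined just below still brackets the (now empty) ignore; no issue, just noting that the two fallbacks should stay next to each other so a future compiler family gets both.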
 
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -247,6 +247,10 @@ static inline int is_syscall_trace_event
 	__diag_push();							\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",			\
 		      "Type aliasing is used to sanitize syscall arguments");\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",		\
+		      "Avoid breaking versions without -Wattribute-alias");\
+	__diag_ignore(clang, 23, "-Wattribute-alias",			\
+		      "Type aliasing is used to sanitize syscall arguments");\
 	asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))	\
 		__attribute__((alias(__stringify(__se_sys##name))));	\
 	ALLOW_ERROR_INJECTION(sys##name, ERRNO);			\
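Review bot: this is the third verbatim copy of the same four `__diag_ignore` lines (arch/riscv syscall_wrapper.h, compat.h, here); a small shared helper macro for the "ignore attribute-alias on GCC>=8 and clang>=23" block would keep the three sites from drifting, as the riscv copy already differs in indentation.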




* [PATCH 6.12 142/307] auxdisplay: line-display: fix OOB read on zero-length message_store()
From: Greg Kroah-Hartman @ 2026-06-07  9:58 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stepan Ionichev, Andy Shevchenko

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stepan Ionichev <sozdayvek@gmail.com>

commit a7511dcd9dd4bc55d123f9b800c8a4ed2662e5c6 upstream.

linedisp_display() unconditionally reads msg[count - 1] before
checking whether count is zero, so a write of zero bytes to the
message sysfs attribute hits msg[-1]:

	write(fd, "", 0);

	-> message_store(..., buf, count=0)
	   -> linedisp_display(linedisp, buf, count=0)
	      -> msg[count - 1] == '\n'  ; OOB read

The kernfs write buffer for that store is a 1-byte allocation
(kernfs_fop_write_iter() does kmalloc(len + 1) with len == 0),
so msg[-1] is a 1-byte read before the slab object. On a
KASAN-enabled kernel this trips an out-of-bounds report and
panics; on stock kernels it silently reads adjacent slab data
and, if that byte happens to be '\n', the following count--
wraps ssize_t 0 to -1 and is then passed to kmemdup_nul().

linedisp_display() is reached from the message_store() sysfs
callback (drivers/auxdisplay/line-display.c message attribute,
mode 0644) and from the in-tree initial-message setup with
count == -1, so the OOB path is only userspace-triggerable via
zero-byte writes; vfs_write() does not short-circuit on
count == 0 and kernfs_fop_write_iter() dispatches the store
callback regardless.

Guard the trailing-newline trim with a count check. The
existing if (!count) block then takes the clear-display path
unchanged.

Affects every auxdisplay driver that registers via
linedisp_register() / linedisp_attach(): ht16k33, max6959,
img-ascii-lcd, seg-led-gpio.

Fixes: 7e76aece6f03 ("auxdisplay: Extract character line display core support")
Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/auxdisplay/line-display.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/auxdisplay/line-display.c
+++ b/drivers/auxdisplay/line-display.c
@@ -90,7 +90,7 @@ static int linedisp_display(struct lined
 		count = strlen(msg);
 
 	/* if the string ends with a newline, trim it */
-	if (msg[count - 1] == '\n')
+	if (count && msg[count - 1] == '\n')
 		count--;
 
 	if (!count) {
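Review bot: the guard is correct and minimal: the short-circuit keeps `msg[count - 1]` from being evaluated for `count == 0`, and the existing `if (!count)` block below then takes the clear-display path. Since the commit message says the function is also entered with `count == -1` (meaning "use strlen"), a comment noting that `count` is guaranteed non-negative once the `strlen()` normalisation above has run would make the reasoning local. A zero-byte write to the sysfs `message` attribute on a KASAN kernel is the natural regression test for this.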




* [PATCH 6.18 153/315] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christofer Jonason, Andy Shevchenko,
	Nuno Sá, Salih Erim, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christofer Jonason <christofer.jonason@guidelinegeo.com>

commit 852534744c2d35626a604f128ff0b8ec12805591 upstream.

xadc_postdisable() unconditionally sets the sequencer to continuous
mode. For dual external multiplexer configurations this is incorrect:
simultaneous sampling mode is required so that ADC-A samples through
the mux on VAUX[0-7] while ADC-B simultaneously samples through the
mux on VAUX[8-15]. In continuous mode only ADC-A is active, so
VAUX[8-15] channels return incorrect data.

Since postdisable is also called from xadc_probe() to set the initial
idle state, the wrong sequencer mode is active from the moment the
driver loads.

The preenable path already uses xadc_get_seq_mode() which returns
SIMULTANEOUS for dual mux. Fix postdisable to do the same.

Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Christofer Jonason <christofer.jonason@guidelinegeo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Salih Erim <salih.erim@amd.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/xilinx-xadc-core.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/xilinx-xadc-core.c
+++ b/drivers/iio/adc/xilinx-xadc-core.c
@@ -817,6 +817,7 @@ static int xadc_postdisable(struct iio_d
 {
 	struct xadc *xadc = iio_priv(indio_dev);
 	unsigned long scan_mask;
+	int seq_mode;
 	int ret;
 	int i;
 
@@ -824,6 +825,12 @@ static int xadc_postdisable(struct iio_d
 	for (i = 0; i < indio_dev->num_channels; i++)
 		scan_mask |= BIT(indio_dev->channels[i].scan_index);
 
+	/*
+	 * Use the correct sequencer mode for the idle state: simultaneous
+	 * mode for dual external mux configurations, continuous otherwise.
+	 */
+	seq_mode = xadc_get_seq_mode(xadc, scan_mask);
+
 	/* Enable all channels and calibration */
 	ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(0), scan_mask & 0xffff);
 	if (ret)
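Review bot: `seq_mode` is computed from the all-channels `scan_mask` here but only applied further down, which is fine; the prototype of `xadc_get_seq_mode()` is not in this diff, so please confirm that a mask covering every channel (as built just above) yields SIMULTANEOUS for the dual-mux configuration and CONTINUOUS otherwise, since the whole fix depends on that lookup returning the same answer it gives preenable.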
@@ -834,11 +841,11 @@ static int xadc_postdisable(struct iio_d
 		return ret;
 
 	ret = xadc_update_adc_reg(xadc, XADC_REG_CONF1, XADC_CONF1_SEQ_MASK,
-		XADC_CONF1_SEQ_CONTINUOUS);
+				  seq_mode);
 	if (ret)
 		return ret;
 
-	return xadc_power_adc_b(xadc, XADC_CONF1_SEQ_CONTINUOUS);
+	return xadc_power_adc_b(xadc, seq_mode);
 }
 
 static int xadc_preenable(struct iio_dev *indio_dev)
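Review bot: both the CONF1 sequencer update and `xadc_power_adc_b()` now receive the same `seq_mode`, so the ADC-B power state follows the sequencer mode; with the old hard-coded CONTINUOUS the commit message notes only ADC-A was active, which is why VAUX[8-15] read wrong. Fine as is.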




* [PATCH 6.12 143/307] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 8c8e620467a7b51562dbcefbd1f09f288d7d710d upstream.

l2cap_chan_close() removes the channel from conn->chan_l, which
must be done under conn->lock.  cleanup_listen() runs under the
parent sk_lock, so acquiring conn->lock would invert the
established conn->lock -> chan->lock -> sk_lock order.

Instead of calling l2cap_chan_close() directly, schedule
l2cap_chan_timeout with delay 0 to close the channel
asynchronously.  The timeout handler already acquires conn->lock
and chan->lock in the correct order.

The timer is only armed when chan->conn is still set: if it is
already NULL, l2cap_conn_del() has already processed this channel
(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),
so there is nothing left to do.  If l2cap_conn_del() races in
after the timer is armed, __clear_chan_timer() inside
l2cap_chan_del() cancels it; if the timer has already fired, the
handler returns harmlessly because chan->conn was cleared.

Fixes: 3df91ea20e74 ("Bluetooth: Revert to mutexes from RCU list")
Cc: <stable@vger.kernel.org> # 0b58004: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_sock.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1468,6 +1468,10 @@ static void l2cap_sock_cleanup_listen(st
 	 * pin it (hold_unless_zero() additionally skips a chan already past
 	 * its last reference).  We then drop the sk lock before taking
 	 * chan->lock, so sk and chan locks are never held together.
+	 *
+	 * Since we cannot call l2cap_chan_close() without conn->lock,
+	 * schedule l2cap_chan_timeout to close the channel; it already
+	 * acquires conn->lock -> chan->lock in the correct order.
 	 */
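Review bot: this comment paragraph repeats, almost word for word, the one added inside the loop in the next hunk ("Since we cannot call l2cap_chan_close() without conn->lock ..."); keeping the explanation once, here in the function-level block where the lock ordering is already described, would avoid the two copies drifting apart.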
 	while ((sk = bt_accept_dequeue(parent, NULL))) {
 		struct l2cap_chan *chan;
@@ -1485,14 +1489,12 @@ static void l2cap_sock_cleanup_listen(st
 		       state_to_string(chan->state));
 
 		l2cap_chan_lock(chan);
-		__clear_chan_timer(chan);
-		l2cap_chan_close(chan, ECONNRESET);
-		/* l2cap_conn_del() may already have killed this socket
-		 * (it sets SOCK_DEAD); skip the duplicate to avoid a
-		 * double sock_put()/l2cap_chan_put().
+		/* Since we cannot call l2cap_chan_close() without
+		 * conn->lock, schedule its timer to trigger the close
+		 * and cleanup of this channel.
 		 */
-		if (!sock_flag(sk, SOCK_DEAD))
-			l2cap_sock_kill(sk);
+		if (chan->conn)
+			__set_chan_timer(chan, 0);
 		l2cap_chan_unlock(chan);
 
 		l2cap_chan_put(chan);
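Review bot: the `if (chan->conn)` test runs under chan->lock only, so l2cap_conn_del() can still clear `conn` right after it; correctness therefore rests on the timer handler re-checking `chan->conn` (as the commit message says it does) and on `__clear_chan_timer()` in l2cap_chan_del() cancelling a pending timer. With `__clear_chan_timer()` and `l2cap_sock_kill()` removed from this path the socket is no longer killed synchronously here, so the chan reference taken by `__set_chan_timer()` has to be released on every exit of l2cap_chan_timeout(), including its `!conn` early return; that is worth verifying in l2cap_core.c since a missed put there turns this change into a refcount leak.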




* [PATCH 6.18 154/315] iio: adc: npcm: fix unbalanced clk_disable_unprepare()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Andy Shevchenko,
	Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 0d42e2c0bd6ceb89e44c6e065f9bdf9b1df3ef0c upstream.

The driver acquired the ADC clock with devm_clk_get() and read its
rate, but never called clk_prepare_enable(). The probe error path and
npcm_adc_remove() both called clk_disable_unprepare() unconditionally,
causing the clk framework's enable/prepare counts to underflow on
probe failure or module unbind.

The issue went unnoticed because NPCM BMC firmware leaves the ADC
clock enabled at boot, so the driver happened to work in practice.

Switch to devm_clk_get_enabled() so the clock is properly enabled
during probe and automatically released by the device-managed
cleanup, and drop the now-redundant clk_disable_unprepare() from
both the probe error path and remove().

While at it, drop the duplicate error message on devm_request_irq()
failure since the IRQ core already logs it.

Fixes: 9bf85fbc9d8f ("iio: adc: add NPCM ADC driver")
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/npcm_adc.c |   25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

--- a/drivers/iio/adc/npcm_adc.c
+++ b/drivers/iio/adc/npcm_adc.c
@@ -231,7 +231,7 @@ static int npcm_adc_probe(struct platfor
 	if (IS_ERR(info->reset))
 		return PTR_ERR(info->reset);
 
-	info->adc_clk = devm_clk_get(&pdev->dev, NULL);
+	info->adc_clk = devm_clk_get_enabled(&pdev->dev, NULL);
 	if (IS_ERR(info->adc_clk)) {
 		dev_warn(&pdev->dev, "ADC clock failed: can't read clk\n");
 		return PTR_ERR(info->adc_clk);
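Review bot: with `devm_clk_get_enabled()` the error now also covers a failed `clk_prepare_enable()`, so the message "ADC clock failed: can't read clk" is misleading; `return dev_err_probe(&pdev->dev, PTR_ERR(info->adc_clk), "failed to get/enable ADC clock\n");` would describe the failure and also keep -EPROBE_DEFER quiet.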
@@ -244,17 +244,13 @@ static int npcm_adc_probe(struct platfor
 	info->adc_sample_hz = clk_get_rate(info->adc_clk) / ((div + 1) * 2);
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq < 0) {
-		ret = irq;
-		goto err_disable_clk;
-	}
+	if (irq < 0)
+		return irq;
 
 	ret = devm_request_irq(&pdev->dev, irq, npcm_adc_isr, 0,
 			       "NPCM_ADC", indio_dev);
-	if (ret < 0) {
-		dev_err(dev, "failed requesting interrupt\n");
-		goto err_disable_clk;
-	}
+	if (ret < 0)
+		return ret;
 
 	reg_con = ioread32(info->regs + NPCM_ADCCON);
 	info->vref = devm_regulator_get_optional(&pdev->dev, "vref");
@@ -262,7 +258,7 @@ static int npcm_adc_probe(struct platfor
 		ret = regulator_enable(info->vref);
 		if (ret) {
 			dev_err(&pdev->dev, "Can't enable ADC reference voltage\n");
-			goto err_disable_clk;
+			return ret;
 		}
 
 		iowrite32(reg_con & ~NPCM_ADCCON_REFSEL,
@@ -272,10 +268,8 @@ static int npcm_adc_probe(struct platfor
 		 * Any error which is not ENODEV indicates the regulator
 		 * has been specified and so is a failure case.
 		 */
-		if (PTR_ERR(info->vref) != -ENODEV) {
-			ret = PTR_ERR(info->vref);
-			goto err_disable_clk;
-		}
+		if (PTR_ERR(info->vref) != -ENODEV)
+			return PTR_ERR(info->vref);
 
 		/* Use internal reference */
 		iowrite32(reg_con | NPCM_ADCCON_REFSEL,
@@ -314,8 +308,6 @@ err_iio_register:
 	iowrite32(reg_con & ~NPCM_ADCCON_ADC_EN, info->regs + NPCM_ADCCON);
 	if (!IS_ERR(info->vref))
 		regulator_disable(info->vref);
-err_disable_clk:
-	clk_disable_unprepare(info->adc_clk);
 
 	return ret;
 }
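Review bot: with the `err_disable_clk` label removed, `err_iio_register:` now ends with a blank line before `return ret;`, which is harmless. Any `goto err_disable_clk` left elsewhere in the function would fail to compile, so the label removal is self-checking; the hunks above account for all four former jump sites.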
@@ -332,7 +324,6 @@ static void npcm_adc_remove(struct platf
 	iowrite32(regtemp & ~NPCM_ADCCON_ADC_EN, info->regs + NPCM_ADCCON);
 	if (!IS_ERR(info->vref))
 		regulator_disable(info->vref);
-	clk_disable_unprepare(info->adc_clk);
 }
 
 static struct platform_driver npcm_adc_driver = {




* [PATCH 6.12 144/307] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Siwei Zhang <oss@fourdim.xyz>

commit 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 upstream.

__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold()
before scheduling the delayed work.  The normal path in
l2cap_chan_timeout() drops this reference with l2cap_chan_put() at the
end, but the early return when chan->conn is NULL skips the put,
leaking the reference.

Add the missing l2cap_chan_put() before the early return.

Fixes: adf0398cee86 ("Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/l2cap_core.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -411,8 +411,10 @@ static void l2cap_chan_timeout(struct wo
 
 	BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
 
-	if (!conn)
+	if (!conn) {
+		l2cap_chan_put(chan);
 		return;
+	}
 
 	mutex_lock(&conn->lock);
 	/* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
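Review bot: correct: the reference taken by `__set_chan_timer()` is now dropped on the `!conn` path too, and nothing touches `chan` after the put, which matters because it may be the last reference. The comment a few lines down already explains the hold/put pairing; moving it above the `if (!conn)` check would cover both exits in one place.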




* [PATCH 6.18 155/315] iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kim Seer Paller, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kim Seer Paller <kimseer.paller@analog.com>

commit ebd250c2581ec46c64c73fdfa918c9a7f757505e upstream.

The AD3531/AD3531R has different output operating modes from the
AD3530/AD3530R. According to the AD3531/AD3531R datasheet, the
powerdown modes are:
  01: 500 Ohm output impedance
  10: 3.85 kOhm output impedance
  11: 16 kOhm output impedance

The driver currently uses the AD3530R modes (1k, 7.7k, 32k) for all
variants, which is incorrect for AD3531/AD3531R.

Add AD3531R-specific powerdown mode strings and assign them to the
AD3531/AD3531R chip variants.

Fixes: 93583174a3df ("iio: dac: ad3530r: Add driver for AD3530R and AD3531R")
Signed-off-by: Kim Seer Paller <kimseer.paller@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad3530r.c |   54 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 14 deletions(-)

--- a/drivers/iio/dac/ad3530r.c
+++ b/drivers/iio/dac/ad3530r.c
@@ -108,6 +108,12 @@ static const char * const ad3530r_powerd
 	"32kohm_to_gnd",
 };
 
+static const char * const ad3531r_powerdown_modes[] = {
+	"500ohm_to_gnd",
+	"3.85kohm_to_gnd",
+	"16kohm_to_gnd",
+};
+
 static int ad3530r_get_powerdown_mode(struct iio_dev *indio_dev,
 				      const struct iio_chan_spec *chan)
 {
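Review bot: the new strings follow the existing `<value>ohm_to_gnd` form; `"3.85kohm_to_gnd"` is the first entry in this driver with a decimal point, which is fine for a sysfs enum, but whatever ABI documentation the driver carries (not in this diff) should list the same three values so userspace sees a documented set.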
@@ -136,6 +142,13 @@ static const struct iio_enum ad3530r_pow
 	.set = ad3530r_set_powerdown_mode,
 };
 
+static const struct iio_enum ad3531r_powerdown_mode_enum = {
+	.items = ad3531r_powerdown_modes,
+	.num_items = ARRAY_SIZE(ad3531r_powerdown_modes),
+	.get = ad3530r_get_powerdown_mode,
+	.set = ad3530r_set_powerdown_mode,
+};
+
 static ssize_t ad3530r_get_dac_powerdown(struct iio_dev *indio_dev,
 					 uintptr_t private,
 					 const struct iio_chan_spec *chan,
@@ -279,7 +292,20 @@ static const struct iio_chan_spec_ext_in
 	{ }
 };
 
-#define AD3530R_CHAN(_chan)					\
+static const struct iio_chan_spec_ext_info ad3531r_ext_info[] = {
+	{
+		.name = "powerdown",
+		.shared = IIO_SEPARATE,
+		.read = ad3530r_get_dac_powerdown,
+		.write = ad3530r_set_dac_powerdown,
+	},
+	IIO_ENUM("powerdown_mode", IIO_SEPARATE, &ad3531r_powerdown_mode_enum),
+	IIO_ENUM_AVAILABLE("powerdown_mode", IIO_SHARED_BY_TYPE,
+			   &ad3531r_powerdown_mode_enum),
+	{ }
+};
+
+#define AD3530R_CHAN(_chan, _ext_info)				\
 {								\
 	.type = IIO_VOLTAGE,					\
 	.indexed = 1,						\
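Review bot: `ad3531r_ext_info` duplicates `ad3530r_ext_info` except for the enum pointer; a small macro taking the `iio_enum` would keep the two tables in sync. The `AD3530R_CHAN` macro keeps its AD3530R_ prefix while now serving both parts, which is acceptable, but the added `_ext_info` parameter makes every channel line in the next hunk carry the same argument eight or four times; a per-part wrapper macro would read better.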
@@ -287,25 +313,25 @@ static const struct iio_chan_spec_ext_in
 	.output = 1,						\
 	.info_mask_separate = BIT(IIO_CHAN_INFO_RAW) |		\
 			      BIT(IIO_CHAN_INFO_SCALE),		\
-	.ext_info = ad3530r_ext_info,				\
+	.ext_info = _ext_info,					\
 }
 
 static const struct iio_chan_spec ad3530r_channels[] = {
-	AD3530R_CHAN(0),
-	AD3530R_CHAN(1),
-	AD3530R_CHAN(2),
-	AD3530R_CHAN(3),
-	AD3530R_CHAN(4),
-	AD3530R_CHAN(5),
-	AD3530R_CHAN(6),
-	AD3530R_CHAN(7),
+	AD3530R_CHAN(0, ad3530r_ext_info),
+	AD3530R_CHAN(1, ad3530r_ext_info),
+	AD3530R_CHAN(2, ad3530r_ext_info),
+	AD3530R_CHAN(3, ad3530r_ext_info),
+	AD3530R_CHAN(4, ad3530r_ext_info),
+	AD3530R_CHAN(5, ad3530r_ext_info),
+	AD3530R_CHAN(6, ad3530r_ext_info),
+	AD3530R_CHAN(7, ad3530r_ext_info),
 };
 
 static const struct iio_chan_spec ad3531r_channels[] = {
-	AD3530R_CHAN(0),
-	AD3530R_CHAN(1),
-	AD3530R_CHAN(2),
-	AD3530R_CHAN(3),
+	AD3530R_CHAN(0, ad3531r_ext_info),
+	AD3530R_CHAN(1, ad3531r_ext_info),
+	AD3530R_CHAN(2, ad3531r_ext_info),
+	AD3530R_CHAN(3, ad3531r_ext_info),
 };
 
 static const struct ad3530r_chip_info ad3530_chip = {




* [PATCH 6.12 145/307] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream.

hidp_input_report() reads keyboard and mouse payload data from an skb
without first verifying that skb->len contains enough data.

hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
to hidp_input_report(). If a paired device sends a truncated packet,
the handler reads beyond the valid skb data, resulting in an
out-of-bounds read of skb data. The OOB bytes may be interpreted as
phantom key presses or spurious mouse movement.

Replace the open-coded length tracking and pointer arithmetic with
skb_pull_data() calls. skb_pull_data() returns NULL if the requested
bytes are not present, eliminating the need for a manual size variable
and the separate skb->len guard.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hidp/core.c |   23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid
 {
 	struct input_dev *dev = session->input;
 	unsigned char *keys = session->keys;
-	unsigned char *udata = skb->data + 1;
-	signed char *sdata = skb->data + 1;
-	int i, size = skb->len - 1;
+	unsigned char *udata;
+	signed char *sdata;
+	u8 *hdr;
+	int i;
+
+	hdr = skb_pull_data(skb, 1);
+	if (!hdr)
+		return;
 
-	switch (skb->data[0]) {
+	switch (*hdr) {
 	case 0x01:	/* Keyboard report */
+		udata = skb_pull_data(skb, 8);
+		if (!udata)
+			break;
+
 		for (i = 0; i < 8; i++)
 			input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
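Review bot: the byte pulled into `hdr` is the HID report ID that the switch keys on (0x01 keyboard, 0x02 mouse), not a HIDP header, since the commit message says hidp_recv_intr_frame() already pulled that one; naming it `report_id` would avoid the confusion. Also, a truncated report now leaves silently on both early exits (`return` after the 1-byte pull, `break` after the 8-byte pull); a BT_DBG() carrying skb->len at those points would make a device that sends short reports visible in traces without changing behaviour.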
 
@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid
 		break;
 
 	case 0x02:	/* Mouse report */
+		sdata = skb_pull_data(skb, 3);
+		if (!sdata)
+			break;
+
 		input_report_key(dev, BTN_LEFT,   sdata[0] & 0x01);
 		input_report_key(dev, BTN_RIGHT,  sdata[0] & 0x02);
 		input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid
 		input_report_rel(dev, REL_X, sdata[1]);
 		input_report_rel(dev, REL_Y, sdata[2]);
 
-		if (size > 3)
+		if (skb->len > 0)
 			input_report_rel(dev, REL_WHEEL, sdata[3]);
 		break;
 	}
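Review bot: `sdata[3]` in the wheel branch indexes one byte past the 3 bytes that were pulled; it stays in bounds only because skb_pull_data() returns the old skb->data and the byte that `skb->len > 0` guarantees sits directly behind it in the linear area. Reading it as `skb->data[0]` (or pulling a fourth byte when one is available) would state that dependency in the code instead of leaving it implicit, and the `skb->len > 0` test is otherwise equivalent to the old `size > 3`.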



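The length handling the HIDP patch above introduces, as an added example that is not part of the original mail or of the kernel tree: a user-space model in C with a stand-in `struct skb`, `skb_pull_data()` and a `struct report` that records what the kernel would hand to input_report_key()/input_report_rel(); the sample packet bytes are constructed here.

```c
/* Added example (not kernel code): user-space model of the skb_pull_data()
 * length checks from the HIDP patch. struct skb, skb_pull_data() and struct
 * report are simplified stand-ins; the layouts (1-byte report ID, 8-byte
 * keyboard report, 3-byte mouse report plus optional wheel) follow the patch. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct skb {
	const uint8_t *data;	/* start of the not-yet-consumed payload */
	size_t len;		/* bytes remaining from data */
};

/* Stand-in for the kernel's skb_pull_data(): hand back the next n bytes and
 * advance, or return NULL (consuming nothing) when fewer than n remain. */
static const uint8_t *skb_pull_data(struct skb *skb, size_t n)
{
	const uint8_t *p = skb->data;
	if (skb->len < n)
		return NULL;
	skb->data += n;
	skb->len -= n;
	return p;
}

/* What the kernel would pass to input_report_key()/input_report_rel(). */
struct report {
	int kind;		/* 0 = dropped as truncated, 1 = keyboard, 2 = mouse */
	uint8_t modifiers;	/* keyboard byte 0 (modifier bitmap) */
	uint8_t keys[6];	/* keyboard bytes 2..7 (key usages) */
	int buttons;		/* mouse byte 0 & 0x7 (left/right/middle) */
	int rel_x, rel_y;	/* mouse bytes 1 and 2, signed */
	int has_wheel, wheel;	/* mouse byte 3 when the packet carries it */
};

/* The patched control flow: pull the report ID, then a fixed-size block per
 * report type; a short packet fails the pull and the report is dropped. */
static struct report hidp_input_report(struct skb *skb)
{
	struct report r = { 0 };
	const uint8_t *hdr = skb_pull_data(skb, 1);
	if (!hdr)
		return r;
	switch (*hdr) {
	case 0x01: {	/* Keyboard report */
		const uint8_t *udata = skb_pull_data(skb, 8);
		if (!udata)
			break;
		r.kind = 1;
		r.modifiers = udata[0];
		memcpy(r.keys, udata + 2, sizeof(r.keys));
		break;
	}
	case 0x02: {	/* Mouse report */
		const int8_t *sdata = (const int8_t *)skb_pull_data(skb, 3);
		if (!sdata)
			break;
		r.kind = 2;
		r.buttons = sdata[0] & 0x7;
		r.rel_x = sdata[1];
		r.rel_y = sdata[2];
		/* Same test as the patch: a remaining byte is the wheel. sdata[3]
		 * is one past the pulled block and valid only because skb->len > 0. */
		if (skb->len > 0) {
			r.has_wheel = 1;
			r.wheel = sdata[3];
		}
		break;
	}
	}
	return r;
}

/* Decode one packet that already had its HIDP header removed by the caller. */
static struct report decode(const uint8_t *pkt, size_t n)
{
	struct skb skb = { pkt, n };
	return hidp_input_report(&skb);
}

/* Constructed sample packets: a full keyboard report, the same report cut
 * short (the case that used to read past the skb), and two mouse reports. */
static const uint8_t pkt_kbd[] = { 0x01, 0x02, 0x00, 0x04, 0x05, 0x06, 0x00, 0x00, 0x00 };
static const uint8_t pkt_kbd_short[] = { 0x01, 0x02, 0x00, 0x04 };
static const uint8_t pkt_mouse[] = { 0x02, 0x01, 0x10, 0xF0 };
static const uint8_t pkt_mouse_wheel[] = { 0x02, 0x05, 0xFE, 0x03, 0xFF };

int main(void)
{
	struct report r = decode(pkt_kbd_short, sizeof(pkt_kbd_short));
	printf("truncated keyboard report: kind=%d (0 means dropped)\n", r.kind);
	r = decode(pkt_mouse_wheel, sizeof(pkt_mouse_wheel));
	printf("mouse: buttons=%d x=%d y=%d wheel=%d\n", r.buttons, r.rel_x, r.rel_y, r.wheel);
	return 0;
}
```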

* [PATCH 6.18 156/315] iio: dac: max5821: fix return value check in powerdown sync
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Salah Triki, Andy Shevchenko, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit d0a228d903425e653f18a4341e60c0538afb6d41 upstream.

The function max5821_sync_powerdown_mode() returned the result of
i2c_master_send() directly. If a partial transfer occurred, it would
be incorrectly treated as a success by the caller.

While the caller currently handles the positive return value of 2 as
success, this patch refactors the function to return 0 on full success
and -EIO on short writes. This ensures robust error handling for
incomplete transfers and improves code maintainability by using
sizeof(outbuf).

Fixes: 472988972737 ("iio: add support of the max5821")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/max5821.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/iio/dac/max5821.c
+++ b/drivers/iio/dac/max5821.c
@@ -90,6 +90,7 @@ static int max5821_sync_powerdown_mode(s
 				       const struct iio_chan_spec *chan)
 {
 	u8 outbuf[2];
+	int ret;
 
 	outbuf[0] = MAX5821_EXTENDED_COMMAND_MODE;
 
@@ -103,7 +104,13 @@ static int max5821_sync_powerdown_mode(s
 	else
 		outbuf[1] |= MAX5821_EXTENDED_POWER_UP;
 
-	return i2c_master_send(data->client, outbuf, 2);
+	ret = i2c_master_send(data->client, outbuf, sizeof(outbuf));
+	if (ret < 0)
+		return ret;
+	if (ret != sizeof(outbuf))
+		return -EIO;
+
+	return 0;
 }
 
 static ssize_t max5821_write_dac_powerdown(struct iio_dev *indio_dev,
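Review bot: the return contract changes from the byte count to 0/-errno, so the caller in max5821_write_dac_powerdown() (the context line just above) and any other user of max5821_sync_powerdown_mode() must be checked for a comparison against 2 or sizeof(outbuf), which would now report success as failure; the commit message says the caller accepts the positive 2, and this hunk does not show that call site being updated. The `ret < 0` followed by `ret != sizeof(outbuf)` split is the right shape for a short-write check.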




* [PATCH 6.12 146/307] Bluetooth: ISO: fix UAF in iso_recv_frame
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 47f23a259517abbdb8032c057a1e8a6bf3734878 upstream.

iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock
before using sk, with no reference held. A concurrent iso_sock_kill()
can free sk in that window, causing use-after-free on sk->sk_state and
sock_queue_rcv_skb().

Fix by replacing the bare pointer read with iso_sock_hold(conn), which
calls sock_hold() while the spinlock is held, atomically elevating the
refcount before the lock drops. Add a drop_put label so sock_put() is
called on all exit paths where the hold succeeded.

Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/iso.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -553,7 +553,7 @@ static void iso_recv_frame(struct iso_co
 	struct sock *sk;
 
 	iso_conn_lock(conn);
-	sk = conn->sk;
+	sk = iso_sock_hold(conn);
 	iso_conn_unlock(conn);
 
 	if (!sk)
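Review bot: the `if (!sk)` test after the unlock now depends on iso_sock_hold() returning NULL when conn->sk is NULL and otherwise returning the socket it took a reference on; a one-line comment at this call stating that contract would help, because a helper that returns a held pointer and one that returns the bare field look identical here.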
@@ -562,11 +562,15 @@ static void iso_recv_frame(struct iso_co
 	BT_DBG("sk %p len %d", sk, skb->len);
 
 	if (sk->sk_state != BT_CONNECTED)
-		goto drop;
+		goto drop_put;
 
-	if (!sock_queue_rcv_skb(sk, skb))
+	if (!sock_queue_rcv_skb(sk, skb)) {
+		sock_put(sk);
 		return;
+	}
 
+drop_put:
+	sock_put(sk);
 drop:
 	kfree_skb(skb);
 }
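Review bot: the fall-through from `drop_put:` into `drop:` is intentional, since `drop` remains for the `!sk` path above, which never took a reference; a short comment between the two labels would stop a later cleanup from folding them. With the success path releasing the reference before `return`, every exit that obtained a socket from iso_sock_hold() now balances it.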




* [PATCH 6.18 157/315] iio: dac: ad5686: fix ref bit initialization for single-channel parts
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
	Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit ecae2ae606d493cf11457946436335bd0e726663 upstream.

The reference bit position was ignored when writing the register in the
probe() function (!!val was used). When that bit is 1, the internal voltage
reference is disabled so that an external one can be used. For
multi-channel devices, bit 0 of the Internal Reference Setup command
behaves the same way, so AD5686_REF_BIT_MSK is created. The issue has existed
since support for single-channel devices was first introduced.

Fixes: be1b24d24541 ("iio:dac:ad5686: Add AD5691R/AD5692R/AD5693/AD5693R support")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    6 +++---
 drivers/iio/dac/ad5686.h |    1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -509,7 +509,7 @@ int ad5686_probe(struct device *dev,
 		break;
 	case AD5686_REGMAP:
 		cmd = AD5686_CMD_INTERNAL_REFER_SETUP;
-		ref_bit_msk = 0;
+		ref_bit_msk = AD5686_REF_BIT_MSK;
 		break;
 	case AD5693_REGMAP:
 		cmd = AD5686_CMD_CONTROL_REG;
@@ -520,9 +520,9 @@ int ad5686_probe(struct device *dev,
 		return -EINVAL;
 	}
 
-	val = (has_external_vref | ref_bit_msk);
+	val = has_external_vref ? ref_bit_msk : 0;
 
-	ret = st->write(st, cmd, 0, !!val);
+	ret = st->write(st, cmd, 0, val);
 	if (ret)
 		return ret;
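Review bot: the old `!!val` collapsed every mask to bit 0, so only the AD5686_REGMAP case (whose mask is now BIT(0)) happened to write the right bit, and the BIT(12) masks of the single-channel parts were both misplaced and forced to 1 regardless of has_external_vref. With `val = has_external_vref ? ref_bit_msk : 0` the full mask reaches st->write() for the first time; please confirm the `val` parameter of st->write and the per-regmap write helpers are at least 16 bits wide so BIT(12) is not truncated.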
 
--- a/drivers/iio/dac/ad5686.h
+++ b/drivers/iio/dac/ad5686.h
@@ -46,6 +46,7 @@
 
 #define AD5310_REF_BIT_MSK			BIT(8)
 #define AD5683_REF_BIT_MSK			BIT(12)
+#define AD5686_REF_BIT_MSK			BIT(0)
 #define AD5693_REF_BIT_MSK			BIT(12)
 
 /**




* [PATCH 6.12 147/307] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
	Luiz Augusto von Dentz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Muhammad Bilal <meatuni001@gmail.com>

commit 4b5f8e608749b7e8fa386c6e4301cf9272595859 upstream.

iso_sock_close() calls iso_sock_clear_timer() before acquiring
lock_sock(sk).

iso_sock_clear_timer() reads iso_pi(sk)->conn twice without the
socket lock held:

    if (!iso_pi(sk)->conn)
        return;
    cancel_delayed_work(&iso_pi(sk)->conn->timeout_work);

Concurrently, iso_conn_del() executes under lock_sock(sk) and calls
iso_chan_del(), which sets iso_pi(sk)->conn to NULL and may result in
the final reference to the connection being dropped:

    CPU0                         CPU1
    ----                         ----
    iso_sock_clear_timer()
      if (conn != NULL) ...      lock_sock(sk)
                                   iso_chan_del()
                                   iso_pi(sk)->conn = NULL
      cancel_delayed_work(conn)  /* NULL deref or UAF */

iso_pi(sk)->conn is not stable across the unlock window, causing a
NULL pointer dereference or use-after-free.

Serialize iso_sock_clear_timer() with the socket lock by moving it
inside lock_sock()/release_sock(), matching the pattern used in
iso_conn_del() and all other call sites.

Fixes: ccf74f2390d60a2f9a75ef496d2564abb478f46a ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/iso.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -835,8 +835,8 @@ static void __iso_sock_close(struct sock
 /* Must be called on unlocked socket. */
 static void iso_sock_close(struct sock *sk)
 {
-	iso_sock_clear_timer(sk);
 	lock_sock(sk);
+	iso_sock_clear_timer(sk);
 	__iso_sock_close(sk);
 	release_sock(sk);
 	iso_sock_kill(sk);
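Review bot: the reorder matches the other call sites the commit message names, but nothing in the function now says why iso_sock_clear_timer() has to sit inside the lock_sock()/release_sock() pair; a one-line comment above the call (iso_pi(sk)->conn may be cleared by iso_chan_del() under the socket lock) would keep a later cleanup from hoisting it back out. The "Must be called on unlocked socket." comment on the function stays accurate.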




* [PATCH 6.18 158/315] iio: dac: ad5686: fix input raw value check
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
	Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit d01220ee5e43c65a206df827b39bf5cf5f7b9dce upstream.

Fix range check for input raw value, which is off by one, i.e., for a
10-bit DAC the max valid value is 1023, but 1 << 10 equals 1024, which
passes the previous check, allowing an out-of-range write. The issue
exists since the ad5686 driver was first introduced.

Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -154,7 +154,7 @@ static int ad5686_write_raw(struct iio_d
 
 	switch (mask) {
 	case IIO_CHAN_INFO_RAW:
-		if (val > (1 << chan->scan_type.realbits) || val < 0)
+		if (val >= (1 << chan->scan_type.realbits) || val < 0)
 			return -EINVAL;
 
 		mutex_lock(&st->lock);
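Review bot: the off-by-one is fixed correctly. A small readability point: `val < 0 || val >= BIT(chan->scan_type.realbits)` would put the sign check first and use the BIT() style the driver's header already uses for its masks; no behaviour change is intended by that.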




* [PATCH 6.12 148/307] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Doruk Tan Ozturk,
	Luiz Augusto von Dentz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Doruk Tan Ozturk <doruk@0sec.ai>

commit bfea6091e0fffb270c20e74384b660910277eb6c upstream.

hci_le_create_cis_sync() dereferences conn->conn_timeout after releasing
both rcu_read_lock() and hci_dev_lock(hdev).  The conn pointer was
obtained from an RCU-protected iteration over hdev->conn_hash.list and
is not valid once these locks are dropped.  A concurrent disconnect can
free the hci_conn between the unlock and the dereference, causing a
use-after-free read.

The cancellation mechanism in hci_conn_del() cannot prevent this because
hci_le_create_cis_pending() queues hci_create_cis_sync with data=NULL:

    hci_cmd_sync_queue(hdev, hci_create_cis_sync, NULL, NULL);

While hci_conn_del() dequeues with data=conn:

    hci_cmd_sync_dequeue(hdev, NULL, conn, NULL);

Since NULL != conn, the lookup in _hci_cmd_sync_lookup_entry() never
matches, and the pending work item is not cancelled.

Fix this by saving conn->conn_timeout into a local variable while the
locks are still held, so the stale conn pointer is never dereferenced
after unlock.

This is the same class of bug as the one fixed by commit 035c25007c9e
("Bluetooth: hci_sync: Fix UAF on le_read_features_complete") which
addressed the identical pattern in a different function.

This vulnerability was identified using 0sec.ai, an open-source
automated security auditing platform (https://github.com/0sec-labs).

Fixes: c09b80be6ffc ("Bluetooth: hci_conn: Fix not waiting for HCI_EVT_LE_CIS_ESTABLISHED")
Cc: stable@vger.kernel.org
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_sync.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6626,6 +6626,7 @@ int hci_le_create_cis_sync(struct hci_de
 	DEFINE_FLEX(struct hci_cp_le_create_cis, cmd, cis, num_cis, 0x1f);
 	size_t aux_num_cis = 0;
 	struct hci_conn *conn;
+	u16 timeout = 0;
 	u8 cig = BT_ISO_QOS_CIG_UNSET;
 
 	/* The spec allows only one pending LE Create CIS command at a time. If
@@ -6696,6 +6697,7 @@ int hci_le_create_cis_sync(struct hci_de
 		set_bit(HCI_CONN_CREATE_CIS, &conn->flags);
 		cis->acl_handle = cpu_to_le16(conn->parent->handle);
 		cis->cis_handle = cpu_to_le16(conn->handle);
+		timeout = conn->conn_timeout;
 		aux_num_cis++;
 
 		if (aux_num_cis >= cmd->num_cis)
@@ -6715,7 +6717,7 @@ done:
 	return __hci_cmd_sync_status_sk(hdev, HCI_OP_LE_CREATE_CIS,
 					struct_size(cmd, cis, cmd->num_cis),
 					cmd, HCI_EVT_LE_CIS_ESTABLISHED,
-					conn->conn_timeout, NULL);
+					timeout, NULL);
 }
 
 int hci_le_remove_cig_sync(struct hci_dev *hdev, u8 handle)




* [PATCH 6.18 159/315] iio: dac: ad5686: acquire lock when doing powerdown control
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rodrigo Alencar, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit 5237c3175cae5ab05f18878cec3301a04403859e upstream.

Protect access to the pwr_down_mode and pwr_down_mask fields with the existing
mutex lock. Each channel exposes its own attributes for controlling
powerdown modes and powerdown state. This fixes potential race conditions,
as the write functions perform non-atomic read-modify-write
operations on those pwr_down_* fields. This issue has existed since the ad5686
driver was first introduced.

Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -30,6 +30,8 @@ static int ad5686_get_powerdown_mode(str
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	return ((st->pwr_down_mode >> (chan->channel * 2)) & 0x3) - 1;
 }
 
@@ -39,6 +41,8 @@ static int ad5686_set_powerdown_mode(str
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	st->pwr_down_mode &= ~(0x3 << (chan->channel * 2));
 	st->pwr_down_mode |= ((mode + 1) << (chan->channel * 2));
 
@@ -57,6 +61,8 @@ static ssize_t ad5686_read_dac_powerdown
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask &
 				       (0x3 << (chan->channel * 2))));
 }
@@ -77,6 +83,8 @@ static ssize_t ad5686_write_dac_powerdow
 	if (ret)
 		return ret;
 
+	guard(mutex)(&st->lock);
+
 	if (readin)
 		st->pwr_down_mask |= (0x3 << (chan->channel * 2));
 	else
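Review bot: taking the guard after the parse (the `if (ret) return ret;` above) and holding it across the mask update and the st->write() that follows matches ad5686_write_raw(), which also holds st->lock around its st->write() (visible in patch 158/315), so no double-lock is introduced. The two readers, ad5686_get_powerdown_mode() and ad5686_read_dac_powerdown(), now lock to read one word; that is fine for a consistent snapshot, but a comment noting that the lock exists for the writers' read-modify-write, not for the word itself, would explain the cost.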




* [PATCH 6.12 149/307] Input: xpad - fix out-of-bounds access for Share button
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 6cdc46b38cf146ce81d4831b6472dbf7731849a2 upstream.

xpadone_process_packet() receives len directly from urb->actual_length
and uses it to index the share-button byte at data[len - 18] or
data[len - 26]. Since both len and data[0] are under the device's
control, a broken controller can send a GIP_CMD_INPUT packet with
actual_length < 18 (e.g. 5 bytes) and reach this code path, causing
accesses beyond the actual array.

Fix this by calculating the offset and checking bounds against the
packet length.

Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: 4ef46367073b ("Input: xpad - fix Share button on Xbox One controllers")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/joystick/xpad.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1081,10 +1081,10 @@ static void xpadone_process_packet(struc
 		input_report_key(dev, BTN_START,  data[4] & BIT(2));
 		input_report_key(dev, BTN_SELECT, data[4] & BIT(3));
 		if (xpad->mapping & MAP_SHARE_BUTTON) {
-			if (xpad->mapping & MAP_SHARE_OFFSET)
-				input_report_key(dev, KEY_RECORD, data[len - 26] & BIT(0));
-			else
-				input_report_key(dev, KEY_RECORD, data[len - 18] & BIT(0));
+			u32 offset = (xpad->mapping & MAP_SHARE_OFFSET) ? 26 : 18;
+
+			if (len >= offset)
+				input_report_key(dev, KEY_RECORD, data[len - offset] & BIT(0));
 		}
 
 		/* buttons A,B,X,Y */
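Review bot: `len >= offset` keeps `data[len - offset]` inside the buffer, but at the boundary (len == offset) it reads data[0], which the commit message identifies as the device-controlled packet type byte rather than a Share-button byte. If the shortest legitimate GIP_CMD_INPUT report that carries the Share bit is longer than `offset`, a `>` or an explicit minimum length would keep a short packet from toggling KEY_RECORD off a header byte; if data[0] is acceptable there, a comment saying so would help the next reader.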




* [PATCH 6.12 150/307] parport: Fix race between port and client registration
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ben Hutchings,
	Sudip Mukherjee

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <benh@debian.org>

commit ef15ccbb3e8640a723c42ad90eaf81d66ae02017 upstream.

The parport subsystem registers port devices before they are fully
initialised, resulting in a race condition where client drivers such
as lp can attach to ports that are not completely initialised or even
being torn down.

When the port and client drivers are built as modules and loaded
around the same time during boot, this occasionally results in a
crash.  I was able to make this happen reliably in a VM with a
PC-style parallel port by patching parport_pc to fail probing:

> --- a/drivers/parport/parport_pc.c
> +++ b/drivers/parport/parport_pc.c
> @@ -2069,7 +2069,7 @@ static struct parport *__parport_pc_probe_port(unsigned long int base,
>  	if (!p)
>  		goto out3;
>
> -	base_res = request_region(base, 3, p->name);
> +	base_res = NULL;
>  	if (!base_res)
>  		goto out4;
>

and then running:

    while true; do
        modprobe lp & modprobe parport_pc
        wait
        rmmod lp parport_pc
    done

for a few seconds.

In the long term I think port registration should be changed to put
the call to device_add() inside parport_announce_port(), but since the
latter currently cannot fail this will require changing all port
drivers.

For now, add a flag to indicate whether a port has been "announced"
and only try to attach client drivers to ports when the flag is set.

Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem")
Closes: https://bugs.debian.org/1130365
Closes: https://lore.kernel.org/all/6ba903ad-9897-42bb-8c2d-337385cc3746@molgen.mpg.de/
Cc: stable <stable@kernel.org>
Signed-off-by: Ben Hutchings <benh@debian.org>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Link: https://patch.msgid.link/afo6uBv68GDevbMD@decadent.org.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parport/share.c |   11 +++++++++--
 include/linux/parport.h |    1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/parport/share.c
+++ b/drivers/parport/share.c
@@ -214,10 +214,14 @@ static void get_lowlevel_driver(void)
 static int port_check(struct device *dev, void *dev_drv)
 {
 	struct parport_driver *drv = dev_drv;
+	struct parport *port;
 
 	/* only send ports, do not send other devices connected to bus */
-	if (is_parport(dev))
-		drv->match_port(to_parport_dev(dev));
+	if (is_parport(dev)) {
+		port = to_parport_dev(dev);
+		if (test_bit(PARPORT_ANNOUNCED, &port->devflags))
+			drv->match_port(port);
+	}
 	return 0;
 }
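Review bot: test_bit() here only closes the race if the bus_for_each_dev() walk that calls port_check() runs under the same registration_lock that the set_bit()/clear_bit() sites hold in the announce and remove hunks below; if driver registration iterates without that lock, a port can still be announced or removed between the test and drv->match_port(), and the flag narrows the window rather than closing it. A comment on PARPORT_ANNOUNCED stating which lock protects it would make that explicit.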
 
@@ -532,6 +536,7 @@ void parport_announce_port(struct parpor
 		if (slave)
 			attach_driver_chain(slave);
 	}
+	set_bit(PARPORT_ANNOUNCED, &port->devflags);
 	mutex_unlock(&registration_lock);
 }
 EXPORT_SYMBOL(parport_announce_port);
@@ -561,6 +566,8 @@ void parport_remove_port(struct parport
 
 	mutex_lock(&registration_lock);
 
+	clear_bit(PARPORT_ANNOUNCED, &port->devflags);
+
 	/* Spread the word. */
 	detach_driver_chain(port);
 
--- a/include/linux/parport.h
+++ b/include/linux/parport.h
@@ -240,6 +240,7 @@ struct parport {
 
 	unsigned long devflags;
 #define PARPORT_DEVPROC_REGISTERED	0
+#define PARPORT_ANNOUNCED		1
 	struct pardevice *proc_device;	/* Currently register proc device */
 
 	struct list_head full_list;




* [PATCH 6.18 160/315] iio: dac: ad5686: fix powerdown control on dual-channel devices
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rodrigo Alencar, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit 8aeaf25a85263a7a43357e16ad78ab969f6f8aeb upstream.

Fix powerdown control by using a proper bit shift for the powerdown mask
values. During initialization, powerdown bits are initialized so that
unused bits are set to 1 and the correct bit shift is used. Dual-channel
devices use one-hot encoding in the address and that reflects on the
position of the powerdown bits, which are not channel-index based
for that case. Quad-channel devices also use one-hot encoding for the
channel address but the result of log2(address) coincides with the channel
index value. The mask 0x3U is used rather than 0x3, because the shift can reach
a value of 30 (last channel of a 16-channel device), which would mess with
the sign bit. The issue was introduced when first adding support for
dual-channel devices, which overlooked powerdown control differences.

Fixes: 7dc8faeab3e3 ("iio: dac: ad5686: add support for AD5338R")
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |   40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -25,26 +25,37 @@ static const char * const ad5686_powerdo
 	"three_state"
 };
 
+static inline unsigned int ad5686_pd_mask_shift(const struct iio_chan_spec *chan)
+{
+	if (chan->channel == chan->address)
+		return chan->channel * 2;
+
+	/* one-hot encoding is used in dual/quad channel devices */
+	return __ffs(chan->address) * 2;
+}
+
 static int ad5686_get_powerdown_mode(struct iio_dev *indio_dev,
 				     const struct iio_chan_spec *chan)
 {
+	unsigned int shift = ad5686_pd_mask_shift(chan);
 	struct ad5686_state *st = iio_priv(indio_dev);
 
 	guard(mutex)(&st->lock);
 
-	return ((st->pwr_down_mode >> (chan->channel * 2)) & 0x3) - 1;
+	return ((st->pwr_down_mode >> shift) & 0x3U) - 1;
 }
 
 static int ad5686_set_powerdown_mode(struct iio_dev *indio_dev,
 				     const struct iio_chan_spec *chan,
 				     unsigned int mode)
 {
+	unsigned int shift = ad5686_pd_mask_shift(chan);
 	struct ad5686_state *st = iio_priv(indio_dev);
 
 	guard(mutex)(&st->lock);
 
-	st->pwr_down_mode &= ~(0x3 << (chan->channel * 2));
-	st->pwr_down_mode |= ((mode + 1) << (chan->channel * 2));
+	st->pwr_down_mode &= ~(0x3U << shift);
+	st->pwr_down_mode |= (mode + 1) << shift;
 
 	return 0;
 }
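Review bot: ad5686_pd_mask_shift() should document its two assumptions, because neither is checked: the one-hot branch relies on chan->address being non-zero (__ffs(0) is undefined), and the `chan->channel == chan->address` test is what distinguishes index-addressed parts from one-hot ones. A short comment above the helper stating both, plus why the callers use `0x3U` (the shift reaches 30 on 16-channel parts, so a signed mask would touch the sign bit), keeps a later cleanup from folding it back into `chan->channel * 2`; a WARN_ON_ONCE(!chan->address) in the one-hot branch would also catch a malformed channel table at probe.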
@@ -59,12 +70,12 @@ static const struct iio_enum ad5686_powe
 static ssize_t ad5686_read_dac_powerdown(struct iio_dev *indio_dev,
 		uintptr_t private, const struct iio_chan_spec *chan, char *buf)
 {
+	unsigned int shift = ad5686_pd_mask_shift(chan);
 	struct ad5686_state *st = iio_priv(indio_dev);
 
 	guard(mutex)(&st->lock);
 
-	return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask &
-				       (0x3 << (chan->channel * 2))));
+	return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask & (0x3U << shift)));
 }
 
 static ssize_t ad5686_write_dac_powerdown(struct iio_dev *indio_dev,
@@ -86,9 +97,9 @@ static ssize_t ad5686_write_dac_powerdow
 	guard(mutex)(&st->lock);
 
 	if (readin)
-		st->pwr_down_mask |= (0x3 << (chan->channel * 2));
+		st->pwr_down_mask |= 0x3U << ad5686_pd_mask_shift(chan);
 	else
-		st->pwr_down_mask &= ~(0x3 << (chan->channel * 2));
+		st->pwr_down_mask &= ~(0x3U << ad5686_pd_mask_shift(chan));
 
 	switch (st->chip_info->regmap_type) {
 	case AD5310_REGMAP:
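Review bot: ad5686_write_dac_powerdown() calls ad5686_pd_mask_shift(chan) inline in both branches (`st->pwr_down_mask |= 0x3U << ad5686_pd_mask_shift(chan);`), while the other three functions touched by this patch hoist the result into a local `shift` at the top. Using the same local here keeps the four call sites uniform and lets the mask be computed once, e.g. `u32 bits = 0x3U << shift;` followed by `|= bits` / `&= ~bits`.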
@@ -468,7 +479,7 @@ int ad5686_probe(struct device *dev,
 {
 	struct ad5686_state *st;
 	struct iio_dev *indio_dev;
-	unsigned int val, ref_bit_msk;
+	unsigned int val, ref_bit_msk, shift;
 	bool has_external_vref;
 	u8 cmd;
 	int ret, i;
@@ -492,9 +503,18 @@ int ad5686_probe(struct device *dev,
 	has_external_vref = ret != -ENODEV;
 	st->vref_mv = has_external_vref ? ret / 1000 : st->chip_info->int_vref_mv;
 
+	/* Initialize masks to all ones provided the max shift (last channel) */
+	shift = ad5686_pd_mask_shift(&st->chip_info->channels[st->chip_info->num_channels - 1]);
+	st->pwr_down_mask = GENMASK(shift + 1, 0);
+	st->pwr_down_mode = GENMASK(shift + 1, 0);
+
 	/* Set all the power down mode for all channels to 1K pulldown */
-	for (i = 0; i < st->chip_info->num_channels; i++)
-		st->pwr_down_mode |= (0x01 << (i * 2));
+	for (i = 0; i < st->chip_info->num_channels; i++) {
+		shift = ad5686_pd_mask_shift(&st->chip_info->channels[i]);
+		st->pwr_down_mask &= ~(0x3U << shift); /* powered up state */
+		st->pwr_down_mode &= ~(0x3U << shift);
+		st->pwr_down_mode |= 0x01U << shift;
+	}
 
 	indio_dev->name = name;
 	indio_dev->info = &ad5686_info;
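Review bot: the GENMASK(shift + 1, 0) initialisation followed by the per-channel clear leaves every bit pair that belongs to no channel set to 1 in both pwr_down_mask and pwr_down_mode (which happens whenever the one-hot addresses are not contiguous), and it assumes the last entry of chip_info->channels[] carries the largest shift. Both may be intended, but the comment "Initialize masks to all ones provided the max shift (last channel)" should say why unused positions are left as ones (matching the device's reset value?) and that the channel table must be ordered by address; otherwise a reader sees the loop clear each channel and expects the masks to end up zero.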



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 161/315] iio: adc: mt6359: fix unchecked return value in mt6358_read_imp
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 160/315] iio: dac: ad5686: fix powerdown control on dual-channel devices Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 162/315] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Salah Triki, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit f9bbd943c34a9ad60e593a4b99ce2394e4e2381b upstream.

In mt6358_read_imp(), the variable val_v is passed to regmap_read()
but the return value is not checked. If the read fails, val_v remains
uninitialized and its random stack content is subsequently reported
as a measurement result.

Initialize val_v to zero to ensure a predictable value is reported
in case of bus failure and to prevent potential stack data leakage.
This also satisfies static analyzers that might otherwise flag the
variable as used uninitialized.

Fixes: 3587914bf61d ("iio: adc: Add support for MediaTek MT6357/8/9 Auxiliary ADC")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/mt6359-auxadc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/adc/mt6359-auxadc.c
+++ b/drivers/iio/adc/mt6359-auxadc.c
@@ -497,6 +497,7 @@ static int mt6358_read_imp(struct mt6359
 		return ret;
 
 	/* Read the params before stopping */
+	val_v = 0;
 	regmap_read(regmap, reg_adc0 + (cinfo->imp_adc_num << 1), &val_v);
 
 	mt6358_stop_imp_conv(adc_dev);
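Review bot: zero-initialising val_v makes the reported value deterministic, but the return value of regmap_read() on the next line is still dropped, so a failed bus access is now reported as a 0 impedance reading instead of an error. Prefer `ret = regmap_read(regmap, reg_adc0 + (cinfo->imp_adc_num << 1), &val_v);`, then call mt6358_stop_imp_conv(adc_dev) and return ret on failure so the caller sees the I/O error rather than a plausible measurement; the `return ret;` at the top of this hunk shows the pattern already used for the other accesses in this function.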




* [PATCH 6.12 151/307] USB: cdc-acm: Fix bit overlap and move quirk definitions to header
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 150/307] parport: Fix race between port and client registration Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 152/307] KVM: arm64: PMU: Preserve AArch32 counter low bits Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wentao Guan

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Guan <guanwentao@uniontech.com>

commit 5eb070769ea5e18405535609d1d3f6886f3755bd upstream.

The VENDOR_CLASS_DATA_IFACE and ALWAYS_POLL_CTRL quirk flags added in
commit f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10
INGENIC touchscreen") were placed inside the acm_ctrl_msg() function
rather than in the header with the other quirk flags.  Then, their
values (BIT(9) and BIT(10)) collided with NO_UNION_12 which is already
BIT(9).

Move the definitions to drivers/usb/class/cdc-acm.h where they belong
and shift them to BIT(10) and BIT(11) to avoid the overlap.

Fixes: f58752ebcb35 ("USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen")
Cc: stable <stable@kernel.org>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://patch.msgid.link/20260522091357.1301196-1-guanwentao@uniontech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-acm.c |    2 --
 drivers/usb/class/cdc-acm.h |    2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -114,8 +114,6 @@ static int acm_ctrl_msg(struct acm *acm,
 	int retval;
 
 	retval = usb_autopm_get_interface(acm->control);
-#define VENDOR_CLASS_DATA_IFACE		BIT(9)  /* data interface uses vendor-specific class */
-#define ALWAYS_POLL_CTRL		BIT(10) /* keep ctrl URB active even without an open TTY */
 	if (retval)
 		return retval;
 
--- a/drivers/usb/class/cdc-acm.h
+++ b/drivers/usb/class/cdc-acm.h
@@ -115,3 +115,5 @@ struct acm {
 #define DISABLE_ECHO			BIT(7)
 #define MISSING_CAP_BRK			BIT(8)
 #define NO_UNION_12			BIT(9)
+#define VENDOR_CLASS_DATA_IFACE		BIT(10)  /* data interface uses vendor-specific class */
+#define ALWAYS_POLL_CTRL		BIT(11) /* keep ctrl URB active even without an open TTY */
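Review bot: the trailing comments on the two new lines are not aligned with each other (two spaces after BIT(10), one after BIT(11)); matching one column avoids checkpatch noise. Since the move also changes the numeric values, the header comment or commit log should state that the quirk-table entries in cdc-acm.c pick up the new values automatically by using the symbolic names, which the diffstat (only the two removed lines in cdc-acm.c) bears out.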




* [PATCH 6.18 162/315] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 161/315] iio: adc: mt6359: fix unchecked return value in mt6358_read_imp Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 163/315] iio: adc: ad4695: Fix call ordering in offload buffer postenable Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Salah Triki, Joshua Crofts,
	Maxwell Doose, Nuno Sá, Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit 422b5bbf333f75fb486855ad0eedc23cf21f3277 upstream.

The driver proceeds to the reception phase even if the preceding
transmission fails.

This uses a goto error label for an early bail out and ensures the mutex is
properly unlocked in case of failure.

Fixes: ffd8a6e7a778 ("iio: adc: Add viperboard adc driver")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/viperboard_adc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/viperboard_adc.c
+++ b/drivers/iio/adc/viperboard_adc.c
@@ -70,8 +70,10 @@ static int vprbrd_iio_read_raw(struct ii
 			VPRBRD_USB_TYPE_OUT, 0x0000, 0x0000, admsg,
 			sizeof(struct vprbrd_adc_msg), VPRBRD_USB_TIMEOUT_MS);
 		if (ret != sizeof(struct vprbrd_adc_msg)) {
-			dev_err(&iio_dev->dev, "usb send error on adc read\n");
+			mutex_unlock(&vb->lock);
 			error = -EREMOTEIO;
+			dev_err(&iio_dev->dev, "usb send error on adc read\n");
+			goto error;
 		}
 
 		ret = usb_control_msg(vb->usb_dev,
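Review bot: the new error path unlocks vb->lock inline and then jumps to `error`, but the `error:` label is outside this hunk, so it is not visible whether that label also calls mutex_unlock() (a double unlock) or whether later statements expect the lock to still be held. Please include the label in the context or, if it already unlocks, drop the inline `mutex_unlock(&vb->lock);`. Also, placing `error = -EREMOTEIO;` between the unlock and dev_err() reads oddly; keeping the log call first, as it was, makes the sequence easier to follow.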




* [PATCH 6.12 152/307] KVM: arm64: PMU: Preserve AArch32 counter low bits
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 151/307] USB: cdc-acm: Fix bit overlap and move quirk definitions to header Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 153/307] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ma, Marc Zyngier

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qiang Ma <maqianga@uniontech.com>

commit 1750ad1388e03fb27068cd1f22c9c8b4590fe936 upstream.

AArch32 writes to PMU event counters cannot update the top 32 bits,
even when PMUv3p5 makes the counters 64-bit. KVM therefore needs to
preserve the existing high half and only update the low half written by
the guest, unless the caller explicitly forces a full reset through
PMCR.P.

The current code masks @val down to the old high half before taking
lower_32_bits(val), which means the low half is always zero. As a
result, AArch32 writes to event counters discard the guest-provided low
32 bits instead of storing them.

Build the new value from the old high 32 bits and the low 32 bits of
the value supplied by the guest.

Fixes: 26d2d0594d70 ("KVM: arm64: PMU: Do not let AArch32 change the counters' top 32 bits")
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://patch.msgid.link/20260526074640.791991-1-maqianga@uniontech.com
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kvm/pmu-emul.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm64/kvm/pmu-emul.c
+++ b/arch/arm64/kvm/pmu-emul.c
@@ -163,8 +163,8 @@ static void kvm_pmu_set_pmc_value(struct
 		 * action is to use PMCR.P, which will reset them to
 		 * 0 (the only use of the 'force' parameter).
 		 */
-		val  = __vcpu_sys_reg(vcpu, reg) & GENMASK(63, 32);
-		val |= lower_32_bits(val);
+		val = (__vcpu_sys_reg(vcpu, reg) & GENMASK(63, 32)) |
+		      lower_32_bits(val);
 	}
 
 	__vcpu_sys_reg(vcpu, reg) = val;
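Review bot: the old two-statement form overwrote @val with the register's high half and then applied lower_32_bits() to that already-masked value, which is why the low word was always zero; the combined expression fixes this, but the same slip is easy to reintroduce. Reading the guest's low word into a named temporary first, e.g. `u32 lo = lower_32_bits(val);` followed by `val = (__vcpu_sys_reg(vcpu, reg) & GENMASK(63, 32)) | lo;`, makes the data flow explicit and matches the comment above about preserving the top 32 bits.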




* [PATCH 6.18 163/315] iio: adc: ad4695: Fix call ordering in offload buffer postenable
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 162/315] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 164/315] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nuno Sá, David Lechner,
	Radu Sabau, Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Radu Sabau <radu.sabau@analog.com>

commit 1a772719318c11e146f6fbe621fffd230a6f456a upstream.

ad4695_enter_advanced_sequencer_mode() was called after
spi_offload_trigger_enable(). That is wrong because
ad4695_enter_advanced_sequencer_mode() issues regular SPI transfers to
put the ADC into advanced sequencer mode, and not all SPI offload capable
controllers support regular SPI transfers while offloading is enabled.

Fix this by calling ad4695_enter_advanced_sequencer_mode() before
spi_offload_trigger_enable(), so the ADC is fully configured before the
first CNV pulse can occur. This is consistent with the same constraint
that already applies to the BUSY_GP_EN write above it.

Update the error unwind labels accordingly: add err_exit_conversion_mode
so that a failure of spi_offload_trigger_enable() correctly exits
conversion mode before clearing BUSY_GP_EN.

Fixes: f09f140e3ea8 ("iio: adc: ad4695: Add support for SPI offload")
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Radu Sabau <radu.sabau@analog.com>
Cc: Stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/ad4695.c | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/drivers/iio/adc/ad4695.c b/drivers/iio/adc/ad4695.c
index cda419638d9a..53642de7330d 100644
--- a/drivers/iio/adc/ad4695.c
+++ b/drivers/iio/adc/ad4695.c
@@ -876,14 +876,14 @@ static int ad4695_offload_buffer_postenable(struct iio_dev *indio_dev)
 	if (ret)
 		goto err_unoptimize_message;
 
-	ret = spi_offload_trigger_enable(st->offload, st->offload_trigger,
-					 &config);
+	ret = ad4695_enter_advanced_sequencer_mode(st, num_slots);
 	if (ret)
 		goto err_disable_busy_output;
 
-	ret = ad4695_enter_advanced_sequencer_mode(st, num_slots);
+	ret = spi_offload_trigger_enable(st->offload, st->offload_trigger,
+					 &config);
 	if (ret)
-		goto err_offload_trigger_disable;
+		goto err_exit_conversion_mode;
 
 	mutex_lock(&st->cnv_pwm_lock);
 	pwm_get_state(st->cnv_pwm, &state);
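Review bot: after the reorder, a failure of spi_offload_trigger_enable() correctly unwinds through err_exit_conversion_mode, but a failure of ad4695_enter_advanced_sequencer_mode() still goes to err_disable_busy_output, which is only right if that helper leaves the device out of conversion mode on every error return. A one-line comment on that `goto err_disable_busy_output;` (or in the helper) stating this guarantee would save the next reader from tracing it.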
@@ -895,23 +895,16 @@ static int ad4695_offload_buffer_postenable(struct iio_dev *indio_dev)
 	ret = pwm_apply_might_sleep(st->cnv_pwm, &state);
 	mutex_unlock(&st->cnv_pwm_lock);
 	if (ret)
-		goto err_offload_exit_conversion_mode;
+		goto err_offload_trigger_disable;
 
 	return 0;
 
-err_offload_exit_conversion_mode:
-	/*
-	 * We have to unwind in a different order to avoid triggering offload.
-	 * ad4695_exit_conversion_mode() triggers a conversion, so it has to be
-	 * done after spi_offload_trigger_disable().
-	 */
-	spi_offload_trigger_disable(st->offload, st->offload_trigger);
-	ad4695_exit_conversion_mode(st);
-	goto err_disable_busy_output;
-
 err_offload_trigger_disable:
 	spi_offload_trigger_disable(st->offload, st->offload_trigger);
 
+err_exit_conversion_mode:
+	ad4695_exit_conversion_mode(st);
+
 err_disable_busy_output:
 	regmap_clear_bits(st->regmap, AD4695_REG_GP_MODE,
 			  AD4695_REG_GP_MODE_BUSY_GP_EN);
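Review bot: the removed block carried the explanation that ad4695_exit_conversion_mode() itself triggers a conversion and therefore must run only after spi_offload_trigger_disable(); the new fall-through from err_offload_trigger_disable into err_exit_conversion_mode preserves that ordering but loses the rationale. Keep a short comment at the err_exit_conversion_mode label (e.g. "must follow trigger disable: exiting conversion mode issues a conversion") so a later cleanup does not reorder the labels.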
-- 
2.54.0





* [PATCH 6.12 153/307] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 152/307] KVM: arm64: PMU: Preserve AArch32 counter low bits Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 154/307] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Naveen N Rao (AMD),
	Sean Christopherson

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit a9e18aa3263f356edae305e29830e5fe63d8597a upstream.

Flush the current TLB when xAVIC *or* x2AVIC is activated, as KVM is
(apparently) responsible for purging TLB entries when transitioning from
xAVIC to x2AVIC.  The APM says a whole lot of nothing about TLB flushing
with respect to (x2)AVIC, but empirical data strongly suggests hardware
also does a whole lot of nothing.

Failure to flush the TLB when enabling x2AVIC can lead to guest accesses
to the APIC base address getting incorrectly redirected to the virtual
APIC page.  The flaw most visibly manifests as failures in KVM-Unit-Test's
verify_disabled_apic_mmio() testcase when x2APIC is enabled (though for
reasons unknown, the test only reliably fails with EFI builds).

Fixes: 0ccf3e7cb95a ("KVM: SVM: Flush the "current" TLB when activating AVIC")
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Cc: Naveen N Rao (AMD) <naveen@kernel.org>
Link: https://patch.msgid.link/20260515171536.1841645-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/avic.c |   35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -111,6 +111,35 @@ static void avic_activate_vmcb(struct vc
 	svm_clr_intercept(svm, INTERCEPT_CR8_WRITE);
 
 	/*
+	 * Flush the TLB when enabling (x2)AVIC and when transitioning between
+	 * xAVIC and x2AVIC, as the CPU may have inserted a TLB entry for the
+	 * "wrong" mapping.
+	 *
+	 * KVM uses a per-VM "scratch" page to back the APIC memslot, because
+	 * KVM also uses per-VM page tables *and* maintains the page table (NPT
+	 * or shadow page) mappings for said memslot even if one or more vCPUs
+	 * have their local APIC hardware-disabled or are in x2APIC mode, i.e.
+	 * even if one or more vCPUs' APIC MMIO BAR is effectively disabled.
+	 *
+	 * If xAVIC is fully enabled, hardware ignores the physical address in
+	 * KVM's page tables, i.e. in the leaf SPTE for the APIC memslot, and
+	 * instead redirects the access to the AVIC backing page, i.e. to the
+	 * vCPU's virtual APIC page.  If xAVIC is not enabled (APIC is either
+	 * hardware-disabled or in x2APIC mode), then guest accesses will use
+	 * the page table mapping verbatim, i.e. will access the per-VM scratch
+	 * page, as normal memory.
+	 *
+	 * In both cases, the CPU is allowed to cache TLB entries for the APIC
+	 * base GPA.  So, KVM needs to flush the TLB when enabling xAVIC, as
+	 * accesses need to be redirected to the virtual APIC page, but the TLB
+	 * may contain entries pointing at the scratch page.  KVM also needs to
+	 * flush the TLB when enabling x2AVIC, as accesses need to go to the
+	 * scratch page, but the TLB may contain entries tagged as xAVIC, i.e.
+	 * entries pointing to the vCPU's virtual APIC page.
+	 */
+	kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, &svm->vcpu);
+
+	/*
 	 * Note: KVM supports hybrid-AVIC mode, where KVM emulates x2APIC MSR
 	 * accesses, while interrupt injection to a running vCPU can be
 	 * achieved using AVIC doorbell.  KVM disables the APIC access page
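Review bot: kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, ...) now runs on every avic_activate_vmcb() call regardless of mode, which covers disabled->xAVIC, disabled->x2AVIC and xAVIC<->x2AVIC as the comment says. The comment also explains that TLB entries tagged as xAVIC may point at the vCPU's virtual APIC page; the symmetric transition out of xAVIC to a hardware-disabled APIC goes through the deactivate path, which this hunk does not touch, so please state in the comment whether that path needs the same flush or why it does not.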
@@ -123,12 +152,6 @@ static void avic_activate_vmcb(struct vc
 		/* Disabling MSR intercept for x2APIC registers */
 		svm_set_x2apic_msr_interception(svm, false);
 	} else {
-		/*
-		 * Flush the TLB, the guest may have inserted a non-APIC
-		 * mapping into the TLB while AVIC was disabled.
-		 */
-		kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, &svm->vcpu);
-
 		/* Enabling MSR intercept for x2APIC registers */
 		svm_set_x2apic_msr_interception(svm, true);
 	}




* [PATCH 6.12 154/307] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 153/307] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 155/307] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stan Shaw, Michael Roth,
	Tom Lendacky, Peter Gonda, Jacky Li, Sean Christopherson,
	Paolo Bonzini

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Roth <michael.roth@amd.com>

commit db3f2195d29344a3cf1e9dd9ab7f21ced7308cf7 upstream.

As per the GHCB spec, when using GHCB v2+ require the software scratch area
to reside in the GHCB's shared buffer.  Note, things like Page State Change
(PSC) requests _rely_ on this behavior, as the guest can't provide a length
when making the request, i.e. the size of the guest payload is bounded by
the size of the shared buffer.

Failure to force usage of the GHCB, and a slew of other flaws, lets a
malicious SNP guest corrupt host kernel heap memory, and leak host heap
layout information.

setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2),
where exit_info_2 is guest-controlled. With exit_info_2=24, this yields
a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer
holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only
entries[0] and entries[1] are in-bounds.

snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253)
but NOT against the actual buffer size:

      idx_end = hdr->end_entry;

      if (idx_end >= VMGEXIT_PSC_MAX_COUNT) {   // checks 253, not buffer
          snp_complete_psc(svm, ...);
          return 1;
      }

      for (idx = idx_start; idx <= idx_end; idx++) {
          entry_start = entries[idx];           // OOB when idx >= 2

The guest sets end_entry=10+, causing the host to iterate entries[2+]
which are OOB into adjacent slab objects. For each OOB entry:

  - The host reads 8 bytes (OOB READ / info leak oracle)
  - If the data passes PSC validation, __snp_complete_one_psc() writes
    cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806)
  - If validation fails, the error response reveals whether adjacent
    memory is zero vs non-zero (information disclosure to guest)

The guest controls allocation size (exit_info_2), entry range
(cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly
hit different slab positions.

By exploiting the variety of bugs, a malicious SEV-SNP guest can:
    - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure)
    - OOB write cur_page bits into adjacent objects (heap corruption)
    - Trigger use-after-free conditions across VMGEXITs

E.g. with KASAN enabled, a single insmod of the PoC guest module
produces 73 KASAN reports:

    BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890
    Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199

    BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890
    Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199

    The buggy address belongs to the object at ffff888XXXXXXXXX
     which belongs to the cache kmalloc-cg-32 of size 32
    The buggy address is located N bytes to the right of
     allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX)

  Breakdown:
    62 slab-out-of-bounds (reads + writes past allocation)
     7 slab-use-after-free
     4 use-after-free

All credit to Stan for the wonderful description and reproducer!

Reported-by: Stan Shaw <shawstan96@gmail.com>
Cc: Michael Roth <michael.roth@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Peter Gonda <pgonda@google.com>
Cc: Jacky Li <jackyli@google.com>
Fixes: 4af663c2f64a ("KVM: SEV: Allow per-guest configuration of GHCB protocol version")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Roth <michael.roth@amd.com>
[sean: write changelog]
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3543,6 +3543,10 @@ static int setup_vmgexit_scratch(struct
 		scratch_va = (void *)svm->sev_es.ghcb;
 		scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
 	} else {
+		/* GHCB v2 requires the scratch area to be within the GHCB. */
+		if (to_kvm_sev_info(svm->vcpu.kvm)->ghcb_version >= 2)
+			goto e_scratch;
+
 		/*
 		 * The guest memory must be read into a kernel buffer, so
 		 * limit the size
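Review bot: the `ghcb_version >= 2` check sits only in the else branch (scratch area outside the GHCB), which is the right place, but `goto e_scratch` jumps to a label outside the hunk, so the error surfaced to the guest is not visible. Since a v2 guest that violates the spec is now rejected instead of served, the comment should name the GHCB error response e_scratch produces, and a pr_debug or tracepoint carrying the offending scratch GPA would make a misbehaving guest diagnosable rather than silently failing.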




* [PATCH 6.18 164/315] iio: gyro: itg3200: fix i2c read into the wrong stack location
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 163/315] iio: adc: ad4695: Fix call ordering in offload buffer postenable Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 165/315] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Andy Shevchenko,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae upstream.

itg3200_read_all_channels() takes `__be16 *buf' as a parameter and
fills the i2c_msg destination as `(char *)&buf'. Since `buf' is the
parameter (a pointer), `&buf' is the address of the local pointer
slot on the stack of itg3200_read_all_channels(), not the address
of the caller's scan buffer. The (char *) cast hides the type
mismatch.

i2c_transfer() therefore writes ITG3200_SCAN_ELEMENTS * sizeof(s16)
= 8 bytes into the parameter's stack slot, which is discarded when
the function returns. The caller's scan buffer in
itg3200_trigger_handler() is never written to, so
iio_push_to_buffers_with_timestamp() pushes uninitialised stack
contents to userspace via /dev/iio:deviceX every scan -- both a
functional bug (no actual gyroscope or temperature data is
delivered through the triggered buffer) and an information leak.

The non-buffered read_raw() path is unaffected: it goes through
itg3200_read_reg_s16() which uses `&out' on a local s16 value,
where that is correct.

Drop the spurious `&' so the i2c read writes into the caller's
buffer.

Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/itg3200_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/gyro/itg3200_buffer.c
+++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -34,7 +34,7 @@ static int itg3200_read_all_channels(str
 			.addr = i2c->addr,
 			.flags = i2c->flags | I2C_M_RD,
 			.len = ITG3200_SCAN_ELEMENTS * sizeof(s16),
-			.buf = (char *)&buf,
+			.buf = (char *)buf,
 		},
 	};
 
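Review bot: dropping the `&` is the fix, but the `.len = ITG3200_SCAN_ELEMENTS * sizeof(s16)` line just above still sizes the transfer with a type other than the `__be16 *buf` it fills; `sizeof(*buf)` ties the length to the buffer's actual element type. The cast is still required because i2c_msg.buf is `__u8 *`, but `(u8 *)buf` is the spelling used elsewhere in the subsystem and avoids suggesting a string.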




* [PATCH 6.12 155/307] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 154/307] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 156/307] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 2be54670bdc017004c4a4b8bddb6ff02ebe7dbe2 upstream.

When handling a Page State Change (PSC) #VMGEXIT use the size of the PSC
header as the minimum size for the scratch area.  Per the GHCB spec, PSC
requests do NOT provide the length, i.e. using control->exit_info_2 for the
length is completely made up behavior.  The existing code "works", e.g.
even though Linux-as-a-guest always passes '0', because KVM doesn't do
anything with the length when the request is in the GHCB's shared buffer.

Use the header as the min length.  Once the header is retrieved, KVM can
use the specified indices to compute the full size of the request.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-6-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -4393,7 +4393,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *
 		vcpu->run->system_event.data[0] = control->ghcb_gpa;
 		break;
 	case SVM_VMGEXIT_PSC:
-		ret = setup_vmgexit_scratch(svm, true, control->exit_info_2);
+		ret = setup_vmgexit_scratch(svm, true, sizeof(struct psc_hdr));
 		if (ret)
 			break;
 
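Review bot: with the minimum scratch length reduced to sizeof(struct psc_hdr), the PSC handler must derive the real request size from the header's cur_entry/end_entry and bound it by the buffer actually mapped, which this one-line hunk does not show. Please point (in the commit log or a comment at the call site) to where that bound is enforced, since the preceding patch in this series describes the entries[idx] loop as checking only VMGEXIT_PSC_MAX_COUNT; otherwise a reader cannot tell from this change alone that shrinking the minimum is safe.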




* [PATCH 6.18 165/315] iio: gyro: adis16260: fix division by zero in write_raw
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 164/315] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 166/315] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Nuno Sá,
	Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antoniu Miclaus <antoniu.miclaus@analog.com>

commit 761e8b489e6cf166c574034b70637f8a7eadd0ee upstream.

Add a validation check for the sampling frequency value before using it
as a divisor. A user writing zero to the sampling_frequency sysfs
attribute triggers a division by zero in the kernel.

Fixes: 089a41985c6c ("staging: iio: adis16260 digital gyro driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/adis16260.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/iio/gyro/adis16260.c
+++ b/drivers/iio/gyro/adis16260.c
@@ -287,6 +287,9 @@ static int adis16260_write_raw(struct ii
 		addr = adis16260_addresses[chan->scan_index][1];
 		return adis_write_reg_16(adis, addr, val);
 	case IIO_CHAN_INFO_SAMP_FREQ:
+		if (val <= 0)
+			return -EINVAL;
+
 		if (spi_get_device_id(adis->spi)->driver_data)
 			t = 256 / val;
 		else
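Review bot: `if (val <= 0) return -EINVAL;` removes the zero divisor and also rejects negative rates, which is right, but the visible branch `t = 256 / val` still yields t == 0 for any val > 256 and the hunk does not show whether a zero divisor-register value is rejected before it is written to the device; worth confirming an upper bound is enforced further down. IIO's write_raw also receives a fractional part (val2) next to val; if it is ignored on this path, a comment saying only integer frequencies are accepted would help the next reader.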





* [PATCH 6.18 166/315] iio: ssp_sensors: cancel delayed work_refresh on remove
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 165/315] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 167/315] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sanjay Chitroda, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanjay Chitroda <sanjayembeddedse@gmail.com>

commit eedf7602fbd929e97e0c480da501dc7a34beb2a8 upstream.

The work_refresh may still be pending or running when the device is
removed; cancel the delayed work_refresh in the remove path.

Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/common/ssp_sensors/ssp_dev.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/common/ssp_sensors/ssp_dev.c
+++ b/drivers/iio/common/ssp_sensors/ssp_dev.c
@@ -590,6 +590,7 @@ static void ssp_remove(struct spi_device
 	ssp_clean_pending_list(data);
 
 	free_irq(data->spi->irq, data);
+	cancel_delayed_work_sync(&data->work_refresh);
 
 	timer_delete_sync(&data->wdt_timer);
 	cancel_work_sync(&data->work_wdt);
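Review bot: ordering. cancel_delayed_work_sync() sits after free_irq(), so the interrupt can no longer requeue work_refresh, but it runs before timer_delete_sync(&data->wdt_timer) and cancel_work_sync(&data->work_wdt). If the watchdog timer or work_wdt can schedule work_refresh, it could be queued again after this line and still run against freed state; if so, move the cancel below those two calls. If neither requeues it, a short comment saying that would save the next reader the check.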




* [PATCH 6.12 156/307] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 155/307] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 157/307] KVM: SEV: Compute the correct max length of the in-GHCB scratch area Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit f185e05dce6f170f83c4ba602e969b1c3c7a22e6 upstream.

Now that all paths in KVM properly validate the length needed for the
scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM
attempts to configure the scratch area with min_len==0 to guard against
future bugs.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-8-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3509,6 +3509,9 @@ static int setup_vmgexit_scratch(struct
 	u64 scratch_gpa_beg, scratch_gpa_end;
 	void *scratch_va;
 
+	if (WARN_ON_ONCE(!min_len))
+		goto e_scratch;
+
 	scratch_gpa_beg = svm->sev_es.sw_scratch;
 	if (!scratch_gpa_beg) {
 		pr_err("vmgexit: scratch gpa not provided\n");
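Review bot: the new early exit jumps to e_scratch without a pr_err, unlike the `!scratch_gpa_beg` case right below it, and WARN_ON_ONCE reports only the first hit, so later occurrences would fail silently. That is acceptable for a KVM-internal invariant (min_len is chosen by KVM, not by the guest), but a comment above the check saying that every caller now supplies a non-zero min_len would document why a WARN, rather than a guest-visible error message, is the chosen response.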




* [PATCH 6.18 167/315] iio: temperature: tsys01: fix broken PROM checksum validation
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 166/315] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 168/315] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Salah Triki, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 upstream.

The current implementation of tsys01_crc_valid() incorrectly sums the
first word (n_prom[0]) repeatedly instead of iterating over the 8 words
retrieved from the PROM. This leads to a checksum mismatch and probe
failure on hardware.

According to the TSYS01 datasheet, the PROM consists of 8 words. A valid
check must iterate through all 8 words to verify the integrity of the
calibration data. The current driver only checks the first word 8 times.

Note: This fix was identified during a code audit and is based on
datasheet specifications. It has not been tested on real hardware.

Fixes: 43e53407f680 ("Add tsys01 meas-spec driver support")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/temperature/tsys01.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/temperature/tsys01.c
+++ b/drivers/iio/temperature/tsys01.c
@@ -119,7 +119,7 @@ static bool tsys01_crc_valid(u16 *n_prom
 	u8 sum = 0;
 
 	for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++)
-		sum += ((n_prom[0] >> 8) + (n_prom[0] & 0xFF));
+		sum += ((n_prom[cnt] >> 8) + (n_prom[cnt] & 0xFF));
 
 	return (sum == 0);
 }
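Review bot: the fix is the obvious one, but since the commit notes it was not tested on hardware, the arithmetic deserves a comment: `sum` is u8, so each `+=` truncates and the check is a byte-wise sum modulo 256 over all eight words, relying on the PROM's checksum byte to bring the total to zero. Note also that the old loop accepted any PROM whose first word's byte sum is a multiple of 32 (8 * s wraps to 0 mod 256), so besides rejecting valid parts it passed some corrupted images; that is a reasonable argument for taking the change without hardware confirmation.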



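The checksum bug described above, reproduced in userspace as an added example (this is not the driver's code, and the PROM images are constructed, not real TSYS01 calibration data): the pre-fix loop only ever folds word 0 into the sum, so it rejects a correctly checksummed image and accepts one whose remaining seven words are garbage, while the fixed loop does what the datasheet asks for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TSYS01_PROM_WORDS_NB 8

/*
 * Pre-fix loop: every iteration folds the bytes of n_prom[0] into the sum,
 * so words 1..7 never influence the verdict.
 */
static bool tsys01_crc_valid_before(const uint16_t *n_prom)
{
	uint8_t sum = 0;
	int cnt;

	for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++)
		sum += ((n_prom[0] >> 8) + (n_prom[0] & 0xFF));

	return sum == 0;
}

/*
 * Fixed loop: byte-wise sum over all eight words. sum is u8, so each +=
 * is taken modulo 256; a PROM whose checksum byte was chosen by the vendor
 * makes the total wrap to exactly zero.
 */
static bool tsys01_crc_valid_after(const uint16_t *n_prom)
{
	uint8_t sum = 0;
	int cnt;

	for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++)
		sum += ((n_prom[cnt] >> 8) + (n_prom[cnt] & 0xFF));

	return sum == 0;
}

/*
 * Constructed PROM image (not real calibration data): the last word was
 * chosen so the byte-wise sum of all eight words is 0x600, i.e. 0 mod 256.
 */
const uint16_t tsys01_prom_good[TSYS01_PROM_WORDS_NB] = {
	0x1234, 0x5678, 0x9ABC, 0xDEF0, 0x0F0F, 0xA5A5, 0x0102, 0x005D,
};

/*
 * Constructed corrupt image: word 0 has byte sum 0x40 and 8 * 0x40 wraps to
 * 0, so the old loop accepts it even though the other words are garbage.
 */
const uint16_t tsys01_prom_corrupt[TSYS01_PROM_WORDS_NB] = {
	0x2020, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF,
};

int main(void)
{
	printf("good image:    before=%d after=%d\n",
	       tsys01_crc_valid_before(tsys01_prom_good),
	       tsys01_crc_valid_after(tsys01_prom_good));
	printf("corrupt image: before=%d after=%d\n",
	       tsys01_crc_valid_before(tsys01_prom_corrupt),
	       tsys01_crc_valid_after(tsys01_prom_corrupt));
	return 0;
}
```

The good image is rejected by the old loop (8 * 0x46 = 0x230, low byte 0x30) and accepted by the fixed one; the corrupt image shows the reverse, which is why the old check was not merely strict but wrong in both directions.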

* [PATCH 6.12 157/307] KVM: SEV: Compute the correct max length of the in-GHCB scratch area
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 156/307] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 158/307] KVM: SEV: Check PSC request indices against the actual size of the buffer Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 5867d7e202e09f037cefe77f7af4413c7c0fa088 upstream.

When setting the length of the GHCB scratch area, and the area is in the
GHCB shared buffer, set the effective length of the scratch area to the max
possible size given the start of the guest-provided pointer, and the end of
the shared buffer.

The code was "fine" when first introduced, as KVM doesn't consult the
length of the buffer when emulating MMIO, because the passed in @len always
specifies the *max* size required.  But for PSC requests, the incoming @len
is just the minimum length (to process the header), and KVM needs to know
the full size of the scratch area to avoid buffer overflows (spoiler alert).

Opportunistically rename @len => @min_len to better reflect its role.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-7-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3502,7 +3502,7 @@ void pre_sev_run(struct vcpu_svm *svm, i
 }
 
 #define GHCB_SCRATCH_AREA_LIMIT		(16ULL * PAGE_SIZE)
-static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 len)
+static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 min_len)
 {
 	struct vmcb_control_area *control = &svm->vmcb->control;
 	u64 ghcb_scratch_beg, ghcb_scratch_end;
@@ -3518,10 +3518,10 @@ static int setup_vmgexit_scratch(struct
 		goto e_scratch;
 	}
 
-	scratch_gpa_end = scratch_gpa_beg + len;
+	scratch_gpa_end = scratch_gpa_beg + min_len;
 	if (scratch_gpa_end < scratch_gpa_beg) {
 		pr_err("vmgexit: scratch length (%#llx) not valid for scratch address (%#llx)\n",
-		       len, scratch_gpa_beg);
+		       min_len, scratch_gpa_beg);
 		goto e_scratch;
 	}
 
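Review bot: `scratch_gpa_end = scratch_gpa_beg + min_len` keeps the wrap check intact, but after this patch scratch_gpa_end describes only the minimum extent, while the in-GHCB branch later derives the real length from ghcb_scratch_end. The pr_err text still says "scratch length"; renaming it to "minimum scratch length" would keep the log output from being read as the area's actual size.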
@@ -3545,6 +3545,8 @@ static int setup_vmgexit_scratch(struct
 
 		scratch_va = (void *)svm->sev_es.ghcb;
 		scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
+
+		svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg;
 	} else {
 		/* GHCB v2 requires the scratch area to be within the GHCB. */
 		if (to_kvm_sev_info(svm->vcpu.kvm)->ghcb_version >= 2)
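Review bot: `svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg` is an unsigned subtraction that depends on the range check (not shown in this hunk) establishing scratch_gpa_beg <= ghcb_scratch_end; if that check were ever loosened the length would wrap to a huge value and defeat the bounds checking this series adds. A comment next to the assignment naming that precondition would make the dependency explicit.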
@@ -3554,16 +3556,16 @@ static int setup_vmgexit_scratch(struct
 		 * The guest memory must be read into a kernel buffer, so
 		 * limit the size
 		 */
-		if (len > GHCB_SCRATCH_AREA_LIMIT) {
+		if (min_len > GHCB_SCRATCH_AREA_LIMIT) {
 			pr_err("vmgexit: scratch area exceeds KVM limits (%#llx requested, %#llx limit)\n",
-			       len, GHCB_SCRATCH_AREA_LIMIT);
+			       min_len, GHCB_SCRATCH_AREA_LIMIT);
 			goto e_scratch;
 		}
-		scratch_va = kvzalloc(len, GFP_KERNEL_ACCOUNT);
+		scratch_va = kvzalloc(min_len, GFP_KERNEL_ACCOUNT);
 		if (!scratch_va)
 			return -ENOMEM;
 
-		if (kvm_read_guest(svm->vcpu.kvm, scratch_gpa_beg, scratch_va, len)) {
+		if (kvm_read_guest(svm->vcpu.kvm, scratch_gpa_beg, scratch_va, min_len)) {
 			/* Unable to copy scratch area from guest */
 			pr_err("vmgexit: kvm_read_guest for scratch area failed\n");
 
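Review bot: in the out-of-GHCB branch min_len is still the allocation size and the kvm_read_guest() length, so this path provides exactly the minimum and nothing more; combined with `ghcb_sa_len = min_len` in the next hunk, any caller that needs more than its min_len (PSC, per the commit message) must be confined to the in-GHCB path, which the `ghcb_version >= 2` check above this hunk enforces. A one-line comment here saying "only min_len bytes are available via this path" would prevent a future caller from relying on a larger area.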
@@ -3579,11 +3581,10 @@ static int setup_vmgexit_scratch(struct
 		 */
 		svm->sev_es.ghcb_sa_sync = sync;
 		svm->sev_es.ghcb_sa_free = true;
+		svm->sev_es.ghcb_sa_len = min_len;
 	}
 
 	svm->sev_es.ghcb_sa = scratch_va;
-	svm->sev_es.ghcb_sa_len = len;
-
 	return 0;
 
 e_scratch:




* [PATCH 6.18 168/315] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 167/315] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 169/315] iio: light: veml6070: Fix resource leak in probe error path Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Advait Dhamorikar, Andy Shevchenko,
	Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Advait Dhamorikar <advaitd@mechasystems.com>

commit 49f79cd28f1e3333cbe0d616ce59ead0b24bf34e upstream.

The device tree binding for st,lis2mdl does not support
st,drdy-int-pin property. However, when no platform data is provided
and the property is absent, the driver falls back to default_magn_pdata
which hardcodes drdy_int_pin = 2. This causes
`st_sensors_set_drdy_int_pin` to fail with -EINVAL because the LIS2MDL
sensor settings have no INT2 DRDY mask defined.

Fix this by checking the sensor's INT2 DRDY mask availability at
probe time and selecting the appropriate default pin. Sensors that
do not support INT2 DRDY will default to INT1, while all others
retain the existing default of INT2.

Fixes: 38934daf7b5c ("iio: magnetometer: st_magn: Provide default platform data")
Signed-off-by: Advait Dhamorikar <advaitd@mechasystems.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/magnetometer/st_magn_core.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/iio/magnetometer/st_magn_core.c
+++ b/drivers/iio/magnetometer/st_magn_core.c
@@ -506,6 +506,11 @@ static const struct st_sensors_platform_
 	.drdy_int_pin = 2,
 };
 
+/* LIS2MDL only supports DRDY on INT1 */
+static const struct st_sensors_platform_data alt_magn_pdata = {
+	.drdy_int_pin = 1,
+};
+
 static int st_magn_read_raw(struct iio_dev *indio_dev,
 			struct iio_chan_spec const *ch, int *val,
 							int *val2, long mask)
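Review bot: the comment says "LIS2MDL only supports DRDY on INT1", but the selection logic in the next hunk keys on the absence of an INT2 DRDY mask, not on the LIS2MDL part; describing the struct by the property it covers (sensors without an INT2 DRDY line) keeps the comment accurate when another part without INT2 is added.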
@@ -628,8 +633,12 @@ int st_magn_common_probe(struct iio_dev
 	mdata->current_fullscale = &mdata->sensor_settings->fs.fs_avl[0];
 	mdata->odr = mdata->sensor_settings->odr.odr_avl[0].hz;
 
-	if (!pdata)
-		pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+	if (!pdata) {
+		if (mdata->sensor_settings->drdy_irq.int2.mask)
+			pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+		else
+			pdata = (struct st_sensors_platform_data *)&alt_magn_pdata;
+	}
 
 	err = st_sensors_init_sensor(indio_dev, pdata);
 	if (err < 0)
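Review bot: the cast discarding const on alt_magn_pdata copies the existing pattern for default_magn_pdata and is only safe as long as st_sensors_init_sensor() never writes through pdata. Separately, a sensor with neither an int1 nor an int2 DRDY mask would still be handed pin 1 by the else branch and presumably fail in st_sensors_set_drdy_int_pin() exactly as before; if such a part exists, checking `drdy_irq.int1.mask` as well and falling back to no DRDY pin would be the complete fix.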




* [PATCH 6.12 158/307] KVM: SEV: Check PSC request indices against the actual size of the buffer
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 157/307] KVM: SEV: Compute the correct max length of the in-GHCB scratch area Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 159/307] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit 121d88de56bc5c0ba0ce2f6381af67f948a7e7c1 upstream.

When processing Page State Change (PSC) requests, validate the PSC buffer
against the effective size of the scratch area, which could be less than
the maximum size if the guest provided a pointer that isn't exactly at the
start of the GHCB shared buffer.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-10-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3729,7 +3729,7 @@ static int snp_begin_psc(struct vcpu_svm
 	struct kvm_vcpu *vcpu = &svm->vcpu;
 	struct psc_hdr *hdr = &psc->hdr;
 	struct psc_entry entry_start;
-	u16 idx, idx_start, idx_end;
+	u16 idx, idx_start, idx_end, max_nr_entries;
 	int npages;
 	bool huge;
 	u64 gfn;
@@ -3739,6 +3739,19 @@ static int snp_begin_psc(struct vcpu_svm
 		return 1;
 	}
 
+	/*
+	 * GHCB v2 requires the scratch area to reside within the GHCB itself,
+	 * and PSC requests are only supported for GHCB v2+.  Thus it should be
+	 * impossible to exceed the max PSC entry count (which is derived from
+	 * the size of the shared GHCB buffer).
+	 */
+	max_nr_entries = (sev_es->ghcb_sa_len - sizeof(struct psc_hdr)) /
+			 sizeof(struct psc_entry);
+	if (WARN_ON_ONCE(max_nr_entries > VMGEXIT_PSC_MAX_COUNT)) {
+		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC);
+		return 1;
+	}
+
 next_range:
 	/* There should be no other PSCs in-flight at this point. */
 	if (WARN_ON_ONCE(svm->sev_es.psc_inflight)) {
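Review bot: `sev_es->ghcb_sa_len - sizeof(struct psc_hdr)` is an unsigned subtraction; it cannot wrap only because the PSC path sets up the scratch area with min_len == sizeof(struct psc_hdr) in sev_handle_vmgexit(), a guarantee made elsewhere. A `WARN_ON_ONCE(sev_es->ghcb_sa_len < sizeof(struct psc_hdr))` ahead of the division, or at least a comment naming that precondition, would keep this hunk self-contained. Also, max_nr_entries is u16, so the quotient is truncated before the `> VMGEXIT_PSC_MAX_COUNT` comparison; with ghcb_sa_len bounded by the GHCB page this cannot misbehave, but a wider local (unsigned int) would not depend on that bound.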
@@ -3754,7 +3767,7 @@ next_range:
 	idx_start = hdr->cur_entry;
 	idx_end = hdr->end_entry;
 
-	if (idx_end >= VMGEXIT_PSC_MAX_COUNT) {
+	if (idx_end >= max_nr_entries) {
 		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR);
 		return 1;
 	}
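Review bot: with max_nr_entries == 0 (scratch area exactly one header long) `idx_end >= max_nr_entries` rejects every request, which is the correct outcome. Only idx_end is checked here; idx_start is bounded by the `idx <= idx_end` loop that follows, so no separate test is needed, but a comment saying so would answer the question on every re-read.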



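A userspace model of the validation this patch and the preceding one ("Compute the correct max length of the in-GHCB scratch area") introduce, written as an added example rather than taken from KVM. The sizes are assumptions labelled in the code: a 2032-byte GHCB shared buffer and 8-byte PSC header and entry, which give the 253-entry ceiling I understand VMGEXIT_PSC_MAX_COUNT to be. The point it shows is that a guest pointer placed part-way into the shared buffer shrinks the entry capacity, and an end_entry that the old fixed-maximum check accepted now correctly fails the header check.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed layout (my reading of the GHCB spec, not values from the patch):
 * the shared buffer is 2032 bytes, a PSC header and a PSC entry are 8 bytes
 * each, so at most (2032 - 8) / 8 = 253 entries fit.
 */
#define GHCB_SHARED_BUF_SIZE	2032ULL
#define PSC_HDR_SIZE		8ULL
#define PSC_ENTRY_SIZE		8ULL
#define PSC_MAX_COUNT		253ULL	/* stands in for VMGEXIT_PSC_MAX_COUNT */

enum psc_result {
	PSC_OK = 0,
	PSC_ERROR_GENERIC,		/* VMGEXIT_PSC_ERROR_GENERIC */
	PSC_ERROR_INVALID_HDR,		/* VMGEXIT_PSC_ERROR_INVALID_HDR */
};

/*
 * Effective scratch-area length as the previous patch computes it: from the
 * guest-provided pointer to the end of the shared buffer, not the whole
 * buffer. Returns 0 for a pointer outside the buffer.
 */
static uint64_t ghcb_sa_len(uint64_t offset_in_shared_buf)
{
	if (offset_in_shared_buf >= GHCB_SHARED_BUF_SIZE)
		return 0;
	return GHCB_SHARED_BUF_SIZE - offset_in_shared_buf;
}

/* Entry capacity of a scratch area of sa_len bytes; -1 if no header fits. */
static long psc_max_nr_entries(uint64_t sa_len)
{
	if (sa_len < PSC_HDR_SIZE)
		return -1;
	return (long)((sa_len - PSC_HDR_SIZE) / PSC_ENTRY_SIZE);
}

/*
 * Header validation as patched: the capacity derived from the scratch-area
 * length must not exceed the spec maximum, and end_entry must index inside
 * that capacity rather than inside the fixed maximum.
 */
static enum psc_result psc_validate_hdr(uint64_t sa_len, uint16_t end_entry)
{
	long max_nr_entries = psc_max_nr_entries(sa_len);

	if (max_nr_entries < 0 || max_nr_entries > (long)PSC_MAX_COUNT)
		return PSC_ERROR_GENERIC;
	if (end_entry >= max_nr_entries)
		return PSC_ERROR_INVALID_HDR;
	return PSC_OK;
}

/* Pre-fix behaviour for comparison: only the fixed maximum is checked. */
static enum psc_result psc_validate_hdr_before(uint16_t end_entry)
{
	if (end_entry >= PSC_MAX_COUNT)
		return PSC_ERROR_INVALID_HDR;
	return PSC_OK;
}

int main(void)
{
	/* Guest places the PSC buffer 1024 bytes into the shared buffer. */
	uint64_t len = ghcb_sa_len(1024);

	printf("sa_len=%llu max_nr_entries=%ld\n", (unsigned long long)len,
	       psc_max_nr_entries(len));
	printf("end_entry=200: before=%d after=%d\n",
	       psc_validate_hdr_before(200), psc_validate_hdr(len, 200));
	return 0;
}
```

With the pointer at offset 1024 only 125 entries fit, so end_entry == 200 passed the old check but would have indexed 600 bytes past the end of the GHCB page; the patched check returns the invalid-header error instead.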

* [PATCH 6.18 169/315] iio: light: veml6070: Fix resource leak in probe error path
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 168/315] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 170/315] iio: Fix iio_multiply_value use in iio_read_channel_processed_scale Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Felix Gu, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

commit b66f922f6a4fa92840f662fbcfeb4f8a0f774bcc upstream.

The driver calls i2c_new_dummy_device() to create a dummy device,
then calls i2c_smbus_write_byte(). If i2c_smbus_write_byte() fails and
returns, the cleanup via devm_add_action_or_reset() was never registered,
so the dummy device leaks.

Switch to devm_i2c_new_dummy_device() which registers cleanup atomically
with device creation, eliminating the error-path window.

Fixes: 7501bff87c3e ("iio: light: veml6070: add action for i2c_unregister_device")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/veml6070.c |   14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

--- a/drivers/iio/light/veml6070.c
+++ b/drivers/iio/light/veml6070.c
@@ -245,13 +245,6 @@ static const struct iio_info veml6070_in
 	.write_raw = veml6070_write_raw,
 };
 
-static void veml6070_i2c_unreg(void *p)
-{
-	struct veml6070_data *data = p;
-
-	i2c_unregister_device(data->client2);
-}
-
 static int veml6070_probe(struct i2c_client *client)
 {
 	struct veml6070_data *data;
@@ -281,7 +274,8 @@ static int veml6070_probe(struct i2c_cli
 	if (ret < 0)
 		return ret;
 
-	data->client2 = i2c_new_dummy_device(client->adapter, VEML6070_ADDR_DATA_LSB);
+	data->client2 = devm_i2c_new_dummy_device(&client->dev, client->adapter,
+						  VEML6070_ADDR_DATA_LSB);
 	if (IS_ERR(data->client2))
 		return dev_err_probe(&client->dev, PTR_ERR(data->client2),
 				     "i2c device for second chip address failed\n");
@@ -292,10 +286,6 @@ static int veml6070_probe(struct i2c_cli
 	if (ret < 0)
 		return ret;
 
-	ret = devm_add_action_or_reset(&client->dev, veml6070_i2c_unreg, data);
-	if (ret < 0)
-		return ret;
-
 	return devm_iio_device_register(&client->dev, indio_dev);
 }
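Review bot: dropping the explicit devm_add_action_or_reset() is correct because devm_i2c_new_dummy_device() registers its own release, and devm releases run last-registered-first, so the dummy client is now unregistered after the IIO device registered on the following line is torn down, the same order the removed action produced. The IS_ERR()/dev_err_probe() handling kept in the previous hunk is still the right check, since the devm variant also returns an ERR_PTR on failure.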
 




* [PATCH 6.12 159/307] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 158/307] KVM: SEV: Check PSC request indices against the actual size of the buffer Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 160/307] KVM: SEV: Dont explicitly pass PSC buffer to snp_begin_psc() Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Sean Christopherson,
	Paolo Bonzini

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit c8cc238093ca6c99267032f6cfe78f59389f3157 upstream.

Use READ_ONCE() when reading entries/indices from the guest-accessible
Page State Change buffer to defend against TOCTOU bugs.

Don't bother with READ_ONCE()/WRITE_ONCE() for cases where KVM is writing
(and not consuming the result!), as the guest isn't supposed to touch the
buffer while it's being processed.  I.e. using READ_ONCE() is all about
protecting against misbehaving guests.

Fixes: 9b54e248d264 ("KVM: SEV: Add support to handle Page State Change VMGEXIT")
Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-11-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3699,9 +3699,9 @@ static void __snp_complete_one_psc(struc
 	 */
 	for (idx = svm->sev_es.psc_idx; svm->sev_es.psc_inflight;
 	     svm->sev_es.psc_inflight--, idx++) {
-		struct psc_entry *entry = &entries[idx];
+		struct psc_entry entry = READ_ONCE(entries[idx]);
 
-		entry->cur_page = entry->pagesize ? 512 : 1;
+		entries[idx].cur_page = entry.pagesize ? 512 : 1;
 	}
 
 	hdr->cur_entry = idx;
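Review bot: READ_ONCE() on a whole struct psc_entry builds only because the struct is a native word size; the macro rejects larger types at compile time, so a future field addition would become a build error rather than a silent non-atomic copy. That is the desired failure mode, and a short comment saying the struct must stay word-sized for this to work would explain the otherwise unusual pattern. The write `entries[idx].cur_page = ...` stays a plain store, consistent with the commit message's reasoning that KVM's own writes need no *_ONCE.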
@@ -3764,8 +3764,8 @@ next_range:
 	 * validation, so take care to only use validated copies of values used
 	 * for things like array indexing.
 	 */
-	idx_start = hdr->cur_entry;
-	idx_end = hdr->end_entry;
+	idx_start = READ_ONCE(hdr->cur_entry);
+	idx_end = READ_ONCE(hdr->end_entry);
 
 	if (idx_end >= max_nr_entries) {
 		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_INVALID_HDR);
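Review bot: idx_start and idx_end are now one-time snapshots, but the loop that follows still increments the guest-visible `hdr->cur_entry` in place alongside the local `idx`; since only the local is ever used for indexing, that is fine, and a comment stating that cur_entry is written back purely for the guest's benefit would document why the two counters are kept separate.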
@@ -3774,7 +3774,7 @@ next_range:
 
 	/* Find the start of the next range which needs processing. */
 	for (idx = idx_start; idx <= idx_end; idx++, hdr->cur_entry++) {
-		entry_start = entries[idx];
+		entry_start = READ_ONCE(entries[idx]);
 
 		gfn = entry_start.gfn;
 		huge = entry_start.pagesize;
@@ -3818,7 +3818,7 @@ next_range:
 	 * KVM_HC_MAP_GPA_RANGE exit.
 	 */
 	while (++idx <= idx_end) {
-		struct psc_entry entry = entries[idx];
+		struct psc_entry entry = READ_ONCE(entries[idx]);
 
 		if (entry.operation != entry_start.operation ||
 		    entry.gfn != entry_start.gfn + npages ||




* [PATCH 6.18 170/315] iio: Fix iio_multiply_value use in iio_read_channel_processed_scale
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 169/315] iio: light: veml6070: Fix resource leak in probe error path Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 171/315] iio: chemical: mhz19b: reject oversized serial replies Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Svyatoslav Ryhel, Hans de Goede,
	Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Svyatoslav Ryhel <clamor95@gmail.com>

commit bb21ee31f5753a7972148798fd7dfb841dd33bdb upstream.

The function iio_multiply_value returns IIO_VAL_INT (1) on success or a
negative error number on failure, while iio_read_channel_processed_scale
should return an error code or 0. This creates a situation where the
expected result is treated as an error. Fix this by checking the
iio_multiply_value result separately, instead of passing it as a return
value.

Fixes: 05f958d003c9 ("iio: Improve iio_read_channel_processed_scale() precision")
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/inkern.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index 0df0ab3de270..9ce20cb05a9b 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -738,7 +738,11 @@ int iio_read_channel_processed_scale(struct iio_channel *chan, int *val,
 		if (ret < 0)
 			return ret;
 
-		return iio_multiply_value(val, scale, ret, pval, pval2);
+		ret = iio_multiply_value(val, scale, ret, pval, pval2);
+		if (ret < 0)
+			return ret;
+
+		return 0;
 	} else {
 		ret = iio_channel_read(chan, val, NULL, IIO_CHAN_INFO_RAW);
 		if (ret < 0)
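Review bot: the mapping is right (IIO_VAL_INT == 1 would otherwise be returned as a positive non-zero value that callers treat as failure), and the explicit `return 0` makes the function's contract visible; the RAW branch below should be checked for the same pattern, since it also ends in a read that can return a positive IIO_VAL_* on success. A comment on iio_read_channel_processed_scale() stating "returns 0 on success, negative errno on failure" would prevent the next helper from being returned directly.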
-- 
2.54.0





* [PATCH 6.12 160/307] KVM: SEV: Dont explicitly pass PSC buffer to snp_begin_psc()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 159/307] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 161/307] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Lendacky, Michael Roth,
	Sean Christopherson, Paolo Bonzini

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sean Christopherson <seanjc@google.com>

commit ebe4b2dc9cfbfb2d8f665667c4d08f4c6c9bec05 upstream.

Stop explicitly passing the PSC buffer to snp_begin_psc(): it *must*
be the scratch area.  This will allow fixing a variety of bugs without
further complicating the code.

No functional change intended.

Cc: stable@vger.kernel.org
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Reviewed-by: Michael Roth <michael.roth@amd.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260501202250.2115252-9-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -3675,7 +3675,7 @@ struct psc_buffer {
 	struct psc_entry entries[];
 } __packed;
 
-static int snp_begin_psc(struct vcpu_svm *svm, struct psc_buffer *psc);
+static int snp_begin_psc(struct vcpu_svm *svm);
 
 static void snp_complete_psc(struct vcpu_svm *svm, u64 psc_ret)
 {
@@ -3710,7 +3710,6 @@ static void __snp_complete_one_psc(struc
 static int snp_complete_one_psc(struct kvm_vcpu *vcpu)
 {
 	struct vcpu_svm *svm = to_svm(vcpu);
-	struct psc_buffer *psc = svm->sev_es.ghcb_sa;
 
 	if (vcpu->run->hypercall.ret) {
 		snp_complete_psc(svm, VMGEXIT_PSC_ERROR_GENERIC);
@@ -3720,11 +3719,13 @@ static int snp_complete_one_psc(struct k
 	__snp_complete_one_psc(svm);
 
 	/* Handle the next range (if any). */
-	return snp_begin_psc(svm, psc);
+	return snp_begin_psc(svm);
 }
 
-static int snp_begin_psc(struct vcpu_svm *svm, struct psc_buffer *psc)
+static int snp_begin_psc(struct vcpu_svm *svm)
 {
+	struct vcpu_sev_es_state *sev_es = &svm->sev_es;
+	struct psc_buffer *psc = sev_es->ghcb_sa;
 	struct psc_entry *entries = psc->entries;
 	struct kvm_vcpu *vcpu = &svm->vcpu;
 	struct psc_hdr *hdr = &psc->hdr;
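Review bot: snp_begin_psc() now dereferences sev_es->ghcb_sa unconditionally, so it is valid only after setup_vmgexit_scratch() succeeded for the PSC exit (the caller in the last hunk checks `ret` first) and, on re-entry from snp_complete_one_psc(), only while that scratch area is still mapped. A kerneldoc-style line on the function stating that precondition (the scratch area is the PSC buffer, established by the VMGEXIT handler) would make the contract the commit message relies on explicit.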
@@ -4414,7 +4415,7 @@ int sev_handle_vmgexit(struct kvm_vcpu *
 		if (ret)
 			break;
 
-		ret = snp_begin_psc(svm, svm->sev_es.ghcb_sa);
+		ret = snp_begin_psc(svm);
 		break;
 	case SVM_VMGEXIT_AP_CREATION:
 		ret = sev_snp_ap_creation(svm);




* [PATCH 6.18 171/315] iio: chemical: mhz19b: reject oversized serial replies
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 170/315] iio: Fix iio_multiply_value use in iio_read_channel_processed_scale Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 172/315] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Gyeyoung Baek,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Pengpeng Hou <pengpeng@iscas.ac.cn>

commit 673478bc29cf72010faaf293c1c8c667393335a0 upstream.

mhz19b_receive_buf() appends each serdev chunk into the fixed
MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
checking that the chunk fits in the remaining space. A large callback
can therefore overflow st->buf before the command path validates the
reply.

Reset the reply state before each command and reject oversized serial
replies before copying them into the fixed buffer. When an oversized
reply is detected, wake the waiter and report -EMSGSIZE instead of
overwriting st->buf.

Fixes: 4572a70b3681 ("iio: chemical: Add support for Winsen MHZ19B CO2 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Acked-by: Gyeyoung Baek <gye976@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/chemical/mhz19b.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/drivers/iio/chemical/mhz19b.c
+++ b/drivers/iio/chemical/mhz19b.c
@@ -52,6 +52,8 @@ struct mhz19b_state {
 	struct completion buf_ready;
 
 	u8 buf_idx;
+	bool buf_overflow;
+
 	/*
 	 * Serdev receive buffer.
 	 * When data is received from the MH-Z19B,
@@ -106,6 +108,10 @@ static int mhz19b_serdev_cmd(struct iio_
 	cmd_buf[8] = mhz19b_get_checksum(cmd_buf);
 
 	/* Write buf to uart ctrl synchronously */
+	st->buf_idx = 0;
+	st->buf_overflow = false;
+	reinit_completion(&st->buf_ready);
+
 	ret = serdev_device_write(serdev, cmd_buf, MHZ19B_CMD_SIZE, 0);
 	if (ret < 0)
 		return ret;
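Review bot: the reset of st->buf_idx and st->buf_overflow plus reinit_completion() is correctly placed before serdev_device_write(), so a reply cannot slip in between the reset and the send; what this ordering does not cover is a late reply to a previous command that hit the -ETIMEDOUT path in the next hunk, which would now be accepted as the start of the new reply. If that case matters, consider discarding receive data while no command is outstanding.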
@@ -121,6 +127,9 @@ static int mhz19b_serdev_cmd(struct iio_
 		if (!ret)
 			return -ETIMEDOUT;
 
+		if (st->buf_overflow)
+			return -EMSGSIZE;
+
 		if (st->buf[8] != mhz19b_get_checksum(st->buf)) {
 			dev_err(dev, "checksum err");
 			return -EINVAL;
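Review bot: checking st->buf_overflow before the checksum is the right order, since st->buf holds nothing meaningful after an overflow; the flag is written in the receive callback before complete() and read here only after wait_for_completion_timeout() returned non-zero, so the completion supplies the required ordering and no extra barrier is needed.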
@@ -240,6 +249,14 @@ static size_t mhz19b_receive_buf(struct
 {
 	struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
 	struct mhz19b_state *st = iio_priv(indio_dev);
+	size_t remaining = MHZ19B_CMD_SIZE - st->buf_idx;
+
+	if (len > remaining) {
+		st->buf_idx = 0;
+		st->buf_overflow = true;
+		complete(&st->buf_ready);
+		return len;
+	}
 
 	memcpy(st->buf + st->buf_idx, data, len);
 	st->buf_idx += len;
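Review bot: once the overflow branch resets st->buf_idx to 0, later chunks of the same oversized reply satisfy len <= remaining again and are copied into st->buf; the waiter has already been told -EMSGSIZE and the next command resets the state, so this is harmless, but an early `if (st->buf_overflow) return len;` at the top of the function would make the intent explicit and keep a stale partial reply out of the buffer.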




* [PATCH 6.12 161/307] Disable -Wattribute-alias for clang-23 and newer
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 160/307] KVM: SEV: Dont explicitly pass PSC buffer to snp_begin_psc() Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 162/307] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nathan Chancellor <nathan@kernel.org>

commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.

Clang recently added support for -Wattribute-alias [1], which results in
the same warnings that necessitated commit bee20031772a ("disable
-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.

  kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
    325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
        | ^
  include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
    225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
        |                                    ^
  include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
    236 |         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
        |         ^
  include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
    251 |                 __attribute__((alias(__stringify(__se_sys##name))));    \
        |                                ^
  kernel/time/itimer.c:325:1: note: aliasee is declared here
  include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
    225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
        |                                    ^
  include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
    236 |         __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
        |         ^
  include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
    255 |         asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__))  \
        |                         ^
  <scratch space>:16:1: note: expanded from here
     16 | __se_sys_alarm
        | ^

Disable the warnings in the same way for clang-23 and newer. Disable the
warning about unknown warning options to avoid breaking the build for
versions of clang-23 that do not have -Wattribute-alias, such as ones
deployed by vendors like Android or CI systems or when bisecting LLVM
between llvmorg-23-init and release/23.x.

Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/include/asm/syscall_wrapper.h |    4 ++++
 include/linux/compat.h                   |    4 ++++
 include/linux/compiler-clang.h           |    6 ++++++
 include/linux/compiler_types.h           |    4 ++++
 include/linux/syscalls.h                 |    4 ++++
 5 files changed, 22 insertions(+)

--- a/arch/riscv/include/asm/syscall_wrapper.h
+++ b/arch/riscv/include/asm/syscall_wrapper.h
@@ -32,6 +32,10 @@ asmlinkage long __riscv_sys_ni_syscall(c
 	__diag_push();									\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",					\
 			"Type aliasing is used to sanitize syscall arguments");		\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",				\
+		      "Avoid breaking versions without -Wattribute-alias");		\
+	__diag_ignore(clang, 23, "-Wattribute-alias",					\
+			"Type aliasing is used to sanitize syscall arguments");		\
 	static long __se_##prefix##name(ulong, ulong, ulong, ulong, ulong, ulong, 	\
 					ulong)						\
 			__attribute__((alias(__stringify(___se_##prefix##name))));	\
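Review bot: the order of the two new __diag_ignore() lines matters and is correct here: -Wunknown-warning-option must be ignored before the pragma naming -Wattribute-alias is parsed, otherwise the clang-23 snapshots without that warning described in the commit message would still fail the build. The same four-line block is repeated in compat.h and syscalls.h below; a shared helper macro in compiler_types.h would avoid the triplication, though that is a style preference.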
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -72,6 +72,10 @@
 	__diag_push();								\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",				\
 		      "Type aliasing is used to sanitize syscall arguments");\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",			\
+		      "Avoid breaking versions without -Wattribute-alias");	\
+	__diag_ignore(clang, 23, "-Wattribute-alias",				\
+		      "Type aliasing is used to sanitize syscall arguments");	\
 	asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))	\
 		__attribute__((alias(__stringify(__se_compat_sys##name))));	\
 	ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO);				\
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -133,6 +133,12 @@
 #define __diag_str(s)		__diag_str1(s)
 #define __diag(s)		_Pragma(__diag_str(clang diagnostic s))
 
+#if CONFIG_CLANG_VERSION >= 230000
+#define __diag_clang_23(s)	__diag(s)
+#else
+#define __diag_clang_23(s)
+#endif
+
 #define __diag_clang_13(s)	__diag(s)
 
 #define __diag_ignore_all(option, comment) \
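Review bot: gating __diag_clang_23() on CONFIG_CLANG_VERSION >= 230000 keys on the major version only, so clang 23 builds that predate -Wattribute-alias still get the pragma emitted; that is exactly why the -Wunknown-warning-option ignore in the other hunks is required, and a one-line comment next to this #if stating that dependency would help whoever later considers dropping it.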
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -569,6 +569,10 @@ struct ftrace_likely_data {
 #define __diag_GCC(version, severity, string)
 #endif
 
+#ifndef __diag_clang
+#define __diag_clang(version, severity, string)
+#endif
+
 #define __diag_push()	__diag(push)
 #define __diag_pop()	__diag(pop)
 
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -245,6 +245,10 @@ static inline int is_syscall_trace_event
 	__diag_push();							\
 	__diag_ignore(GCC, 8, "-Wattribute-alias",			\
 		      "Type aliasing is used to sanitize syscall arguments");\
+	__diag_ignore(clang, 23, "-Wunknown-warning-option",		\
+		      "Avoid breaking versions without -Wattribute-alias");\
+	__diag_ignore(clang, 23, "-Wattribute-alias",			\
+		      "Type aliasing is used to sanitize syscall arguments");\
 	asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__))	\
 		__attribute__((alias(__stringify(__se_sys##name))));	\
 	ALLOW_ERROR_INJECTION(sys##name, ERRNO);			\




* [PATCH 6.18 172/315] iio: chemical: scd30: fix division by zero in write_raw
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 171/315] iio: chemical: mhz19b: reject oversized serial replies Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 173/315] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
	Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antoniu Miclaus <antoniu.miclaus@analog.com>

commit 5aba4f94b225617a55fed442a70329b2ee19c0a5 upstream.

Add a zero check for val2 before using it as a divisor when setting the
sampling frequency. A user writing a zero fractional part to the
sampling_frequency sysfs attribute triggers a division by zero in the
kernel.

Fixes: 64b3d8b1b0f5 ("iio: chemical: scd30: add core driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/chemical/scd30_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -256,7 +256,7 @@ static int scd30_write_raw(struct iio_de
 	guard(mutex)(&state->lock);
 	switch (mask) {
 	case IIO_CHAN_INFO_SAMP_FREQ:
-		if (val)
+		if (val || !val2)
 			return -EINVAL;
 
 		val = 1000000000 / val2;
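Review bot: `val || !val2` closes the divide-by-zero, but a negative val2 still passes and makes `val = 1000000000 / val2` negative; unless the code following this hunk rejects negative results, `val || val2 <= 0` would be the tighter check. Returning -EINVAL for a zero fractional part is consistent with the existing rejection of a non-zero integer part, so no change is needed there.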




* [PATCH 6.12 162/307] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 161/307] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 163/307] iio: adc: npcm: fix unbalanced clk_disable_unprepare() Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christofer Jonason, Andy Shevchenko,
	Nuno Sá, Salih Erim, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christofer Jonason <christofer.jonason@guidelinegeo.com>

commit 852534744c2d35626a604f128ff0b8ec12805591 upstream.

xadc_postdisable() unconditionally sets the sequencer to continuous
mode. For dual external multiplexer configurations this is incorrect:
simultaneous sampling mode is required so that ADC-A samples through
the mux on VAUX[0-7] while ADC-B simultaneously samples through the
mux on VAUX[8-15]. In continuous mode only ADC-A is active, so
VAUX[8-15] channels return incorrect data.

Since postdisable is also called from xadc_probe() to set the initial
idle state, the wrong sequencer mode is active from the moment the
driver loads.

The preenable path already uses xadc_get_seq_mode() which returns
SIMULTANEOUS for dual mux. Fix postdisable to do the same.

Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Christofer Jonason <christofer.jonason@guidelinegeo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Salih Erim <salih.erim@amd.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/xilinx-xadc-core.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/iio/adc/xilinx-xadc-core.c
+++ b/drivers/iio/adc/xilinx-xadc-core.c
@@ -817,6 +817,7 @@ static int xadc_postdisable(struct iio_d
 {
 	struct xadc *xadc = iio_priv(indio_dev);
 	unsigned long scan_mask;
+	int seq_mode;
 	int ret;
 	int i;
 
@@ -824,6 +825,12 @@ static int xadc_postdisable(struct iio_d
 	for (i = 0; i < indio_dev->num_channels; i++)
 		scan_mask |= BIT(indio_dev->channels[i].scan_index);
 
+	/*
+	 * Use the correct sequencer mode for the idle state: simultaneous
+	 * mode for dual external mux configurations, continuous otherwise.
+	 */
+	seq_mode = xadc_get_seq_mode(xadc, scan_mask);
+
 	/* Enable all channels and calibration */
 	ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(0), scan_mask & 0xffff);
 	if (ret)
@@ -834,11 +841,11 @@ static int xadc_postdisable(struct iio_d
 		return ret;
 
 	ret = xadc_update_adc_reg(xadc, XADC_REG_CONF1, XADC_CONF1_SEQ_MASK,
-		XADC_CONF1_SEQ_CONTINUOUS);
+				  seq_mode);
 	if (ret)
 		return ret;
 
-	return xadc_power_adc_b(xadc, XADC_CONF1_SEQ_CONTINUOUS);
+	return xadc_power_adc_b(xadc, seq_mode);
 }
 
 static int xadc_preenable(struct iio_dev *indio_dev)
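Review bot: xadc_get_seq_mode() returns an int, and its result is written into CONF1 and passed to xadc_power_adc_b() unchecked; if the helper can return an error code for an unsupported mux configuration (its body is not in this patch), that value would land in the register, so it is worth confirming it only yields valid SEQ mode constants. Deriving seq_mode from the all-channel scan_mask built earlier in the function matches the idle configuration the commit message describes, and using the same value for both consumers keeps them consistent as the previous XADC_CONF1_SEQ_CONTINUOUS did.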




* [PATCH 6.18 173/315] iio: light: cm3323: fix reg_conf not being initialized correctly
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 172/315] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 174/315] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Aldo Conte, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aldo Conte <aldocontelk@gmail.com>

commit 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 upstream.

The code stores the return value of i2c_smbus_write_word_data()
in data->reg_conf; however, this value represents the result
of the write operation and not the value actually written to
the configuration register. This meant that the contents of
data->reg_conf did not truly reflect the contents
of the hardware register.

Instead, save the value of the register before the write
and use this value in the I2C write.

The bug was found by code inspection: i2c_smbus_write_word_data()
returns 0 on success, not the value written to the register.

Tested using i2c-stub on a Raspberry Pi 3B running a custom 6.19.10
kernel. Before loading the driver, the configuration register 0x00
CM3323_CMD_CONF was populated with 0x0030 using
`i2cset -y 11 0x10 0x00 0x0030 w`, encoding an integration time of 320ms
in bits[6:4].

Due to incorrect initialization of data->reg_conf in
cm3323_init(), the print of integration_time returns 0.040000
instead of the expected 0.320000. This happens because the read of the
integration_time depends on cm3323_get_it_bits() that is based on the
value of data->reg_conf, which is erroneously set to 0.

With this fix applied, data->reg_conf correctly saves 0x0030 after init
and the successive integration_time reports 0.320000 as expected.

Fixes: 8b0544263761 ("iio: light: Add support for Capella CM3323 color sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Aldo Conte <aldocontelk@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/cm3323.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/light/cm3323.c
+++ b/drivers/iio/light/cm3323.c
@@ -89,15 +89,14 @@ static int cm3323_init(struct iio_dev *i
 
 	/* enable sensor and set auto force mode */
 	ret &= ~(CM3323_CONF_SD_BIT | CM3323_CONF_AF_BIT);
+	data->reg_conf = ret;
 
-	ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, ret);
+	ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, data->reg_conf);
 	if (ret < 0) {
 		dev_err(&data->client->dev, "Error writing reg_conf\n");
 		return ret;
 	}
 
-	data->reg_conf = ret;
-
 	return 0;
 }
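Review bot: caching data->reg_conf before the write means that when i2c_smbus_write_word_data() fails the cached value no longer matches the hardware register; since the error propagates out of cm3323_init() this is acceptable, but storing the computed configuration in a local and assigning data->reg_conf only after the success check would keep the cache strictly in sync. Reusing `ret` as both the register value and the write status is pre-existing and is what made the original bug easy to miss; a dedicated `u16 conf` local would avoid that in the future.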
 




* [PATCH 6.12 163/307] iio: adc: npcm: fix unbalanced clk_disable_unprepare()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 162/307] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 164/307] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Andy Shevchenko,
	Stable, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 0d42e2c0bd6ceb89e44c6e065f9bdf9b1df3ef0c upstream.

The driver acquired the ADC clock with devm_clk_get() and read its
rate, but never called clk_prepare_enable(). The probe error path and
npcm_adc_remove() both called clk_disable_unprepare() unconditionally,
causing the clk framework's enable/prepare counts to underflow on
probe failure or module unbind.

The issue went unnoticed because NPCM BMC firmware leaves the ADC
clock enabled at boot, so the driver happened to work in practice.

Switch to devm_clk_get_enabled() so the clock is properly enabled
during probe and automatically released by the device-managed
cleanup, and drop the now-redundant clk_disable_unprepare() from
both the probe error path and remove().

While at it, drop the duplicate error message on devm_request_irq()
failure since the IRQ core already logs it.

Fixes: 9bf85fbc9d8f ("iio: adc: add NPCM ADC driver")
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/npcm_adc.c |   25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

--- a/drivers/iio/adc/npcm_adc.c
+++ b/drivers/iio/adc/npcm_adc.c
@@ -231,7 +231,7 @@ static int npcm_adc_probe(struct platfor
 	if (IS_ERR(info->reset))
 		return PTR_ERR(info->reset);
 
-	info->adc_clk = devm_clk_get(&pdev->dev, NULL);
+	info->adc_clk = devm_clk_get_enabled(&pdev->dev, NULL);
 	if (IS_ERR(info->adc_clk)) {
 		dev_warn(&pdev->dev, "ADC clock failed: can't read clk\n");
 		return PTR_ERR(info->adc_clk);
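Review bot: the dev_warn text "ADC clock failed: can't read clk" is now inaccurate, since devm_clk_get_enabled() can also fail while preparing or enabling the clock; update the message, or switch to dev_err_probe(), which also stays quiet on -EPROBE_DEFER.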
@@ -244,17 +244,13 @@ static int npcm_adc_probe(struct platfor
 	info->adc_sample_hz = clk_get_rate(info->adc_clk) / ((div + 1) * 2);
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq < 0) {
-		ret = irq;
-		goto err_disable_clk;
-	}
+	if (irq < 0)
+		return irq;
 
 	ret = devm_request_irq(&pdev->dev, irq, npcm_adc_isr, 0,
 			       "NPCM_ADC", indio_dev);
-	if (ret < 0) {
-		dev_err(dev, "failed requesting interrupt\n");
-		goto err_disable_clk;
-	}
+	if (ret < 0)
+		return ret;
 
 	reg_con = ioread32(info->regs + NPCM_ADCCON);
 	info->vref = devm_regulator_get_optional(&pdev->dev, "vref");
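Review bot: returning directly on platform_get_irq() and devm_request_irq() failure is safe here because everything acquired up to this point is devm-managed; dropping the dev_err() is fine for the reason given in the commit message, but check whether the `dev` variable it used has any remaining user in this function, otherwise this hunk introduces an unused-variable warning.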
@@ -262,7 +258,7 @@ static int npcm_adc_probe(struct platfor
 		ret = regulator_enable(info->vref);
 		if (ret) {
 			dev_err(&pdev->dev, "Can't enable ADC reference voltage\n");
-			goto err_disable_clk;
+			return ret;
 		}
 
 		iowrite32(reg_con & ~NPCM_ADCCON_REFSEL,
@@ -272,10 +268,8 @@ static int npcm_adc_probe(struct platfor
 		 * Any error which is not ENODEV indicates the regulator
 		 * has been specified and so is a failure case.
 		 */
-		if (PTR_ERR(info->vref) != -ENODEV) {
-			ret = PTR_ERR(info->vref);
-			goto err_disable_clk;
-		}
+		if (PTR_ERR(info->vref) != -ENODEV)
+			return PTR_ERR(info->vref);
 
 		/* Use internal reference */
 		iowrite32(reg_con | NPCM_ADCCON_REFSEL,
@@ -314,8 +308,6 @@ err_iio_register:
 	iowrite32(reg_con & ~NPCM_ADCCON_ADC_EN, info->regs + NPCM_ADCCON);
 	if (!IS_ERR(info->vref))
 		regulator_disable(info->vref);
-err_disable_clk:
-	clk_disable_unprepare(info->adc_clk);
 
 	return ret;
 }
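Review bot: with err_disable_clk gone, the remaining regulator_disable() under err_iio_register is still required because regulator_enable() in the earlier hunk is not devm-managed, so the function is now asymmetric: devm for the clock, manual unwinding for the regulator. That is correct as written, but a follow-up moving the regulator to a devm-managed enable helper would let the last goto go away too.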
@@ -332,7 +324,6 @@ static void npcm_adc_remove(struct platf
 	iowrite32(regtemp & ~NPCM_ADCCON_ADC_EN, info->regs + NPCM_ADCCON);
 	if (!IS_ERR(info->vref))
 		regulator_disable(info->vref);
-	clk_disable_unprepare(info->adc_clk);
 }
 
 static struct platform_driver npcm_adc_driver = {




* [PATCH 6.18 174/315] iio: buffer: hw-consumer: fix use-after-free in error path
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 173/315] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 175/315] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, sashiko, Felix Gu, Andy Shevchenko,
	Nuno Sá, Maxwell Doose, Stable, Jonathan Cameron

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

commit 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 upstream.

In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
was using list_for_each_entry() to iterate through buffers while calling
iio_buffer_put() which can free the current buffer if refcount drops to 0.
The list_for_each_entry() loop macro then evaluates buf->head.next to
continue iteration, accessing the freed buffer.

Fix this by using list_for_each_entry_safe().

Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
Reported-by: sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/buffer/industrialio-hw-consumer.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/buffer/industrialio-hw-consumer.c
+++ b/drivers/iio/buffer/industrialio-hw-consumer.c
@@ -82,7 +82,7 @@ static struct hw_consumer_buffer *iio_hw
  */
 struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev)
 {
-	struct hw_consumer_buffer *buf;
+	struct hw_consumer_buffer *buf, *tmp;
 	struct iio_hw_consumer *hwc;
 	struct iio_channel *chan;
 	int ret;
@@ -113,7 +113,7 @@ struct iio_hw_consumer *iio_hw_consumer_
 	return hwc;
 
 err_put_buffers:
-	list_for_each_entry(buf, &hwc->buffers, head)
+	list_for_each_entry_safe(buf, tmp, &hwc->buffers, head)
 		iio_buffer_put(&buf->buffer);
 	iio_channel_release_all(hwc->channels);
 err_free_hwc:
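Review bot: list_for_each_entry_safe() fixes the iterator use-after-free, but the freed buffers stay linked in hwc->buffers as dangling entries until hwc itself is released at err_free_hwc; that is acceptable because nothing walks the list in between, though a list_del() before iio_buffer_put() would keep the cleanup robust if this path is ever reordered.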




* [PATCH 6.12 164/307] iio: dac: max5821: fix return value check in powerdown sync
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 163/307] iio: adc: npcm: fix unbalanced clk_disable_unprepare() Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 165/307] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Salah Triki, Andy Shevchenko, Stable,
	Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit d0a228d903425e653f18a4341e60c0538afb6d41 upstream.

The function max5821_sync_powerdown_mode() returned the result of
i2c_master_send() directly. If a partial transfer occurred, it would
be incorrectly treated as a success by the caller.

While the caller currently handles the positive return value of 2 as
success, this patch refactors the function to return 0 on full success
and -EIO on short writes. This ensures robust error handling for
incomplete transfers and improves code maintainability by using
sizeof(outbuf).

Fixes: 472988972737 ("iio: add support of the max5821")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/max5821.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/iio/dac/max5821.c
+++ b/drivers/iio/dac/max5821.c
@@ -91,6 +91,7 @@ static int max5821_sync_powerdown_mode(s
 				       const struct iio_chan_spec *chan)
 {
 	u8 outbuf[2];
+	int ret;
 
 	outbuf[0] = MAX5821_EXTENDED_COMMAND_MODE;
 
@@ -104,7 +105,13 @@ static int max5821_sync_powerdown_mode(s
 	else
 		outbuf[1] |= MAX5821_EXTENDED_POWER_UP;
 
-	return i2c_master_send(data->client, outbuf, 2);
+	ret = i2c_master_send(data->client, outbuf, sizeof(outbuf));
+	if (ret < 0)
+		return ret;
+	if (ret != sizeof(outbuf))
+		return -EIO;
+
+	return 0;
 }
 
 static ssize_t max5821_write_dac_powerdown(struct iio_dev *indio_dev,
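Review bot: the return contract changes from the i2c_master_send() byte count to 0/-errno, so any caller that compared the result against 2 (the commit message says the caller currently treats a positive 2 as success) must be verified to accept 0; max5821_write_dac_powerdown() follows immediately but its body is outside this hunk. Mapping a short write to -EIO is consistent with how other I2C drivers treat partial transfers.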




* [PATCH 6.18 175/315] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 174/315] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 176/315] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benoît Monin, Paul Cercueil,
	Stable, Jonathan Cameron, James Nuss

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benoît Monin <benoit.monin@bootlin.com>

commit a093999355084bdbfe6e97f1dd232e58a1525f0b upstream.

iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104 bytes,
kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the initial
kref to 1.  It then calls dma_resv_add_fence() which takes a second
reference (kref=2), and stores a raw pointer in block->fence.

On the success path the function returns without calling dma_fence_put()
to release the initial reference, so every buffer enqueue permanently
leaks one kmalloc-128 allocation.

The iio_buffer_cleanup() work item only releases the temporary reference
taken during completion signalling by iio_buffer_signal_dmabuf_done();
the initial reference from dma_fence_init() is never released.

With four iio_rwdev instances at 240kHz and 512 samples per buffer,
this produces ~1875 kmalloc-128 allocations per second matching the
observed slab growth exactly. A test with ftrace confirmed that the
dma_fence_destroy event was never triggered.

Fix by calling dma_fence_put() after dma_resv_add_fence(), transferring
ownership of the fence to the DMA reservation object. The DMA fence then
gets properly discarded after being signalled.

Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface infrastructure")
Originally-by: James Nuss <jamesnuss@nanometrics.ca>
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/industrialio-buffer.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1911,6 +1911,7 @@ static int iio_buffer_enqueue_dmabuf(str
 
 	dma_resv_add_fence(dmabuf->resv, &fence->base,
 			   dma_to_ram ? DMA_RESV_USAGE_WRITE : DMA_RESV_USAGE_READ);
+	dma_fence_put(&fence->base);
 	dma_resv_unlock(dmabuf->resv);
 
 	cookie = dma_fence_begin_signalling();
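Review bot: after dma_fence_put() the reservation object holds the only reference, so later accesses through the raw block->fence pointer mentioned in the commit message depend on the fence staying attached to dmabuf->resv until signalling completes; a one-line comment at the put site saying that ownership is transferred to the resv would document that invariant. Placing the put inside the resv lock, before dma_resv_unlock(), is correct.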




* [PATCH 6.12 165/307] iio: dac: ad5686: fix input raw value check
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 164/307] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 166/307] iio: dac: ad5686: acquire lock when doing powerdown control Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
	Stable, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit d01220ee5e43c65a206df827b39bf5cf5f7b9dce upstream.

Fix range check for input raw value, which is off by one, i.e., for a
10-bit DAC the max valid value is 1023, but 1 << 10 equals 1024, which
passes the previous check, allowing an out-of-range write. The issue
exists since the ad5686 driver was first introduced.

Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -154,7 +154,7 @@ static int ad5686_write_raw(struct iio_d
 
 	switch (mask) {
 	case IIO_CHAN_INFO_RAW:
-		if (val > (1 << chan->scan_type.realbits) || val < 0)
+		if (val >= (1 << chan->scan_type.realbits) || val < 0)
 			return -EINVAL;
 
 		mutex_lock(&st->lock);
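Review bot: `val >= (1 << realbits)` is the correct upper bound; for readability consider `val > GENMASK(chan->scan_type.realbits - 1, 0)` or testing `val < 0` first so the condition reads as a conventional range check. With a 16-bit DAC the shift stays well within int range, so there is no overflow concern.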




* [PATCH 6.18 176/315] USB: serial: omninet: fix memory corruption with small endpoint
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 175/315] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 177/315] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 60df93d30f9bdd27db17c4d80ed80ef718d7226b upstream.

Make sure that the bulk-out buffers are at least as large as the
hardcoded transfer size to avoid user-controlled slab corruption should
a malicious device report a smaller endpoint max packet size than
expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/omninet.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -30,6 +30,10 @@
 /* This one seems to be a re-branded ZyXEL device */
 #define BT_IGNITIONPRO_ID	0x2000
 
+#define OMNINET_HEADERLEN	4
+#define OMNINET_BULKOUTSIZE	64
+#define OMNINET_PAYLOADSIZE	(OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
+
 /* function prototypes */
 static void omninet_process_read_urb(struct urb *urb);
 static int omninet_prepare_write_buffer(struct usb_serial_port *port,
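Review bot: the relocated defines carry no comment saying that OMNINET_BULKOUTSIZE is the transfer size the driver always writes, which is the reason the constant now has to bound the buffer allocation rather than the device-reported endpoint size; a one-line comment above `#define OMNINET_BULKOUTSIZE	64` would tell the next reader why the driver overrides the endpoint size. The move itself is needed so the constant is visible at the driver struct.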
@@ -54,6 +58,7 @@ static struct usb_serial_driver zyxel_om
 	.description =		"ZyXEL - omni.net usb",
 	.id_table =		id_table,
 	.num_bulk_out =		2,
+	.bulk_out_size =	OMNINET_BULKOUTSIZE,
 	.calc_num_ports =	omninet_calc_num_ports,
 	.port_probe =		omninet_port_probe,
 	.port_remove =		omninet_port_remove,
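Review bot: `.bulk_out_size = OMNINET_BULKOUTSIZE,` is the functional fix: it makes the usb-serial core size the bulk-out buffers from the driver constant instead of the wMaxPacketSize a device advertises, so an endpoint claiming fewer than 64 bytes no longer leads to writes past the buffer. The fix therefore relies on the core preferring a non-zero bulk_out_size over the endpoint size; that is the documented behaviour, but it is worth stating in a comment here, since nothing at this struct explains the 64.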
@@ -130,10 +135,6 @@ static void omninet_port_remove(struct u
 	kfree(od);
 }
 
-#define OMNINET_HEADERLEN	4
-#define OMNINET_BULKOUTSIZE	64
-#define OMNINET_PAYLOADSIZE	(OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
-
 static void omninet_process_read_urb(struct urb *urb)
 {
 	struct usb_serial_port *port = urb->context;




* [PATCH 6.12 166/307] iio: dac: ad5686: acquire lock when doing powerdown control
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 165/307] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 167/307] iio: adc: mt6359: fix unchecked return value in mt6358_read_imp Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Rodrigo Alencar, Stable,
	Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

commit 5237c3175cae5ab05f18878cec3301a04403859e upstream.

Protect access of pwr_down_mode and pwr_down_mask fields with existing
mutex lock. Each channel exposes its own attributes for controlling
powerdown modes and powerdown state. This fixes potential race conditions,
as the write functions perform non-atomic read-modify-write
operations to those pwr_down_* fields. This issue exists since the ad5686
driver was first introduced.

Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -30,6 +30,8 @@ static int ad5686_get_powerdown_mode(str
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	return ((st->pwr_down_mode >> (chan->channel * 2)) & 0x3) - 1;
 }
 
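Review bot: `guard(mutex)(&st->lock);` depends on the mutex guard class from <linux/mutex.h> (backed by <linux/cleanup.h>); both exist on the 6.12 branch, so the backport should build, but confirm the file does not also carry any hand-written mutex_lock()/mutex_unlock() pair around these accessors from an earlier version, which would now deadlock or double-unlock.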
@@ -39,6 +41,8 @@ static int ad5686_set_powerdown_mode(str
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	st->pwr_down_mode &= ~(0x3 << (chan->channel * 2));
 	st->pwr_down_mode |= ((mode + 1) << (chan->channel * 2));
 
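Review bot: the guard now covers the clear-then-set sequence on pwr_down_mode, which is the non-atomic read-modify-write the commit message describes; whatever device write follows these lines also runs inside the guarded scope, which is what you want so the register contents match the cached field. No change needed.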
@@ -57,6 +61,8 @@ static ssize_t ad5686_read_dac_powerdown
 {
 	struct ad5686_state *st = iio_priv(indio_dev);
 
+	guard(mutex)(&st->lock);
+
 	return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask &
 				       (0x3 << (chan->channel * 2))));
 }
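Review bot: the guard around this single read of pwr_down_mask mainly keeps the reader consistent with the writer that updates the field under the same lock; it is cheap and harmless here since sysfs_emit() does not sleep in a way that matters, so fine to keep.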
@@ -77,6 +83,8 @@ static ssize_t ad5686_write_dac_powerdow
 	if (ret)
 		return ret;
 
+	guard(mutex)(&st->lock);
+
 	if (readin)
 		st->pwr_down_mask |= (0x3 << (chan->channel * 2));
 	else
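Review bot: taking the guard after the `if (ret) return ret;` parse check keeps the lock out of the error path, and the scope then covers both the mask update and the device write that follows; good. One thing to verify is that no later manual mutex_unlock(&st->lock) remains in this function, which would now unlock twice.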




* [PATCH 6.18 177/315] usb: cdns3: gadget: fix request skipping after clearing halt
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 176/315] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 178/315] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Yongchao Wu

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongchao Wu <yongchao.wu@autochips.com>

commit c8778ff817a7047d6848fefba99dcb27b1bf01fe upstream.

According to the cdns3 datasheet, the EPRST (Endpoint Reset) command
causes the DMA engine to reposition its internal pointer to the next
Transfer Descriptor (TD) if it was already processing one.

This issue is consistently observed during the ADB identification
process on macOS hosts, where the host issues a Clear_Halt. Although
commit 4bf2dd65135a ("usb: cdns3: gadget: toggle cycle bit before reset
endpoint") attempted to avoid DMA advance by toggling the cycle bit,
trace logs show that on certain hosts like macOS, the DMA pointer
(EP_TRADDR) still shifts after EPRST:

  cdns3_ctrl_req: Clear Endpoint Feature(Halt ep1out)
  cdns3_doorbell_epx: ep1out, ep_trbaddr f9c04030  <-- Should be f9c04000
  cdns3_gadget_giveback: ep1out: req: ... length: 16384/16384

As shown above, the DMA pointer jumped to the next TD, causing
the controller to skip the initial TRBs of the request. This leads to
data misalignment and ADB protocol hangs on macOS.

Fix this by manually restoring the EP_TRADDR register to the starting
physical address of the current request after the EPRST operation is
complete.

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Cc: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Yongchao Wu <yongchao.wu@autochips.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260513160012.2547894-1-yongchao.wu@autochips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-gadget.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -2817,9 +2817,19 @@ int __cdns3_gadget_ep_clear_halt(struct
 	priv_ep->flags &= ~(EP_STALLED | EP_STALL_PENDING);
 
 	if (request) {
-		if (trb)
+		if (trb) {
 			*trb = trb_tmp;
 
+			/*
+			 * Per datasheet, EPRST causes DMA to reposition to the next TD.
+			 * Manually reset EP_TRADDR to the current TRB to prevent
+			 * the hardware from skipping the interrupted request.
+			 */
+			writel(EP_TRADDR_TRADDR(priv_ep->trb_pool_dma +
+						priv_req->start_trb * TRB_SIZE),
+						&priv_dev->regs->ep_traddr);
+		}
+
 		cdns3_rearm_transfer(priv_ep, 1);
 	}
 
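Review bot: the write to `&priv_dev->regs->ep_traddr` goes through a per-endpoint register window, so it only lands on the right endpoint if the endpoint selection done earlier in __cdns3_gadget_ep_clear_halt() is still in effect at this point; confirm nothing between that select and this writel() re-selects another endpoint. Also, priv_req is dereferenced here while only `request` and `trb` are checked in the visible lines; confirm priv_req is derived from request so it cannot be NULL when request is non-NULL.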




* [PATCH 6.12 167/307] iio: adc: mt6359: fix unchecked return value in mt6358_read_imp
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 166/307] iio: dac: ad5686: acquire lock when doing powerdown control Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 168/307] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Salah Triki, Stable,
	Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit f9bbd943c34a9ad60e593a4b99ce2394e4e2381b upstream.

In mt6358_read_imp(), the variable val_v is passed to regmap_read()
but the return value is not checked. If the read fails, val_v remains
uninitialized and its random stack content is subsequently reported
as a measurement result.

Initialize val_v to zero to ensure a predictable value is reported
in case of bus failure and to prevent potential stack data leakage.
This also satisfies static analyzers that might otherwise flag the
variable as used uninitialized.

Fixes: 3587914bf61d ("iio: adc: Add support for MediaTek MT6357/8/9 Auxiliary ADC")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/mt6359-auxadc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/adc/mt6359-auxadc.c
+++ b/drivers/iio/adc/mt6359-auxadc.c
@@ -347,6 +347,7 @@ static int mt6358_read_imp(struct mt6359
 		return ret;
 
 	/* Read the params before stopping */
+	val_v = 0;
 	regmap_read(regmap, reg_adc0 + (cinfo->imp_adc_num << 1), &val_v);
 
 	mt6358_stop_imp_conv(adc_dev);
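Review bot: the regmap_read() return value on the line after `val_v = 0;` is still unchecked, so the subject's "fix unchecked return value" is only partly delivered: a bus failure now reports 0 as a measurement instead of stack garbage. Prefer `ret = regmap_read(...); if (ret) { mt6358_stop_imp_conv(adc_dev); return ret; }` so the caller sees the error rather than a plausible-looking zero; the `ret` variable and the stop call are both already at hand in this function.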




* [PATCH 6.18 178/315] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 177/315] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 179/315] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@cixtech.com>

commit e6970cda63fd4b4546aeed9d0e2f53a7c95cd09c upstream.

Move usb2_phy initialization after usb3_phy acquisition.

Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-2-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-plat.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -126,15 +126,15 @@ static int cdns3_plat_probe(struct platf
 		return dev_err_probe(dev, PTR_ERR(cdns->usb2_phy),
 				     "Failed to get cdn3,usb2-phy\n");
 
-	ret = phy_init(cdns->usb2_phy);
-	if (ret)
-		return ret;
-
 	cdns->usb3_phy = devm_phy_optional_get(dev, "cdns3,usb3-phy");
 	if (IS_ERR(cdns->usb3_phy))
 		return dev_err_probe(dev, PTR_ERR(cdns->usb3_phy),
 				     "Failed to get cdn3,usb3-phy\n");
 
+	ret = phy_init(cdns->usb2_phy);
+	if (ret)
+		return ret;
+
 	ret = phy_init(cdns->usb3_phy);
 	if (ret)
 		goto err_phy3_init;
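Review bot: with phy_init(cdns->usb2_phy) moved after the usb3_phy lookup, a failed lookup no longer leaks an initialised usb2 PHY; the remaining question is the `goto err_phy3_init` on usb3 init failure, whose label name suggests it undoes the usb2 init, so confirm it calls phy_exit(cdns->usb2_phy) and nothing more, now that usb2 is the only thing initialised before that point.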




* [PATCH 6.12 168/307] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 167/307] iio: adc: mt6359: fix unchecked return value in mt6358_read_imp Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 169/307] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Salah Triki, Joshua Crofts,
	Maxwell Doose, Nuno Sá, Stable, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit 422b5bbf333f75fb486855ad0eedc23cf21f3277 upstream.

The driver proceeds to the reception phase even if the preceding
transmission fails.

This uses a goto error label for an early bail out and ensures the mutex is
properly unlocked in case of failure.

Fixes: ffd8a6e7a778 ("iio: adc: Add viperboard adc driver")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/adc/viperboard_adc.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/iio/adc/viperboard_adc.c
+++ b/drivers/iio/adc/viperboard_adc.c
@@ -70,8 +70,10 @@ static int vprbrd_iio_read_raw(struct ii
 			VPRBRD_USB_TYPE_OUT, 0x0000, 0x0000, admsg,
 			sizeof(struct vprbrd_adc_msg), VPRBRD_USB_TIMEOUT_MS);
 		if (ret != sizeof(struct vprbrd_adc_msg)) {
-			dev_err(&iio_dev->dev, "usb send error on adc read\n");
+			mutex_unlock(&vb->lock);
 			error = -EREMOTEIO;
+			dev_err(&iio_dev->dev, "usb send error on adc read\n");
+			goto error;
 		}
 
 		ret = usb_control_msg(vb->usb_dev,
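Review bot: unlocking inline with `mutex_unlock(&vb->lock);` and then jumping to `error` means the error label must not unlock again while the success path unlocks later; two unlock sites for one lock is how double-unlocks creep in on the next edit. Cleaner to keep the lock held here and unlock at the label (or switch the function to guard(mutex)) so both paths share a single unlock. Reordering dev_err() after the error assignment is also unrelated churn that makes the hunk harder to read.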




* [PATCH 6.18 179/315] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 178/315] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 180/315] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@cixtech.com>

commit ae6f3b82324e4f39ad8443c9020787e6fc889637 upstream.

Call pm_runtime_allow(dev) conditionally at cdns3_plat_remove.

Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-3-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-plat.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -186,6 +186,9 @@ static void cdns3_plat_remove(struct pla
 	struct device *dev = cdns->dev;
 
 	pm_runtime_get_sync(dev);
+	if (!(cdns->pdata && (cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW)))
+		pm_runtime_allow(dev);
+
 	pm_runtime_disable(dev);
 	pm_runtime_put_noidle(dev);
 	cdns_remove(cdns);
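Review bot: the new condition duplicates the probe-side quirk test that decides whether pm_runtime_forbid() was called, so if either copy is edited alone they will drift apart; a small helper or a comment naming the probe site would keep them in sync. The placement between pm_runtime_get_sync() and pm_runtime_disable() is correct for balancing the forbid.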




* [PATCH 6.12 169/307] iio: gyro: itg3200: fix i2c read into the wrong stack location
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 168/307] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 170/307] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Andy Shevchenko,
	Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

commit 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae upstream.

itg3200_read_all_channels() takes `__be16 *buf' as a parameter and
fills the i2c_msg destination as `(char *)&buf'. Since `buf' is the
parameter (a pointer), `&buf' is the address of the local pointer
slot on the stack of itg3200_read_all_channels(), not the address
of the caller's scan buffer. The (char *) cast hides the type
mismatch.

i2c_transfer() therefore writes ITG3200_SCAN_ELEMENTS * sizeof(s16)
= 8 bytes into the parameter's stack slot, which is discarded when
the function returns. The caller's scan buffer in
itg3200_trigger_handler() is never written to, so
iio_push_to_buffers_with_timestamp() pushes uninitialised stack
contents to userspace via /dev/iio:deviceX every scan -- both a
functional bug (no actual gyroscope or temperature data is
delivered through the triggered buffer) and an information leak.

The non-buffered read_raw() path is unaffected: it goes through
itg3200_read_reg_s16() which uses `&out' on a local s16 value,
where that is correct.

Drop the spurious `&' so the i2c read writes into the caller's
buffer.

Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/itg3200_buffer.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/gyro/itg3200_buffer.c
+++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -34,7 +34,7 @@ static int itg3200_read_all_channels(str
 			.addr = i2c->addr,
 			.flags = i2c->flags | I2C_M_RD,
 			.len = ITG3200_SCAN_ELEMENTS * sizeof(s16),
-			.buf = (char *)&buf,
+			.buf = (char *)buf,
 		},
 	};
 
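Review bot: the fix is right, but the `(char *)` cast is what hid the bug in the first place, and the neighbouring `.len = ITG3200_SCAN_ELEMENTS * sizeof(s16)` is unrelated to the pointee type of `buf`. Using `sizeof(*buf)` for the length and `(u8 *)buf` to match the i2c_msg buf type keeps the length tied to the buffer's real element type and narrows the cast to the one conversion actually needed.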




* [PATCH 6.18 180/315] usb: dwc2: Fix use after free in debug code
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 179/315] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 181/315] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <error27@gmail.com>

commit 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 upstream.

We're not allowed to dereference "urb" after calling
usb_hcd_giveback_urb() so save the urb->status ahead of time.

Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/ag1NwBpqT4IEQcdJ@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc2/hcd.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -4804,6 +4804,7 @@ static int _dwc2_hcd_urb_dequeue(struct
 	struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd);
 	int rc;
 	unsigned long flags;
+	int urb_status;
 
 	dev_dbg(hsotg->dev, "DWC OTG HCD URB Dequeue\n");
 	dwc2_dump_urb_info(hcd, urb, "urb_dequeue");
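Review bot: style only: kernel convention orders local declarations longest line first (reverse christmas tree), so `int urb_status;` would sit beside `int rc;` rather than after `unsigned long flags;`.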
@@ -4828,11 +4829,12 @@ static int _dwc2_hcd_urb_dequeue(struct
 
 	/* Higher layer software sets URB status */
 	spin_unlock(&hsotg->lock);
+	urb_status = urb->status;
 	usb_hcd_giveback_urb(hcd, urb, status);
 	spin_lock(&hsotg->lock);
 
 	dev_dbg(hsotg->dev, "Called usb_hcd_giveback_urb()\n");
-	dev_dbg(hsotg->dev, "  urb->status = %d\n", urb->status);
+	dev_dbg(hsotg->dev, "  urb->status = %d\n", urb_status);
 out:
 	spin_unlock_irqrestore(&hsotg->lock, flags);
 
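Review bot: the value captured at `urb_status = urb->status;` is the status before usb_hcd_giveback_urb() runs, so the debug line now logs the pre-giveback status, whereas the old line (use-after-free aside) printed whatever completion left there. If the intent is to show the status handed to the core, the `status` argument already passed to usb_hcd_giveback_urb() can be printed directly and the extra variable dropped; if the pre-giveback value is what is wanted, the message text "urb->status" is now slightly misleading.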




* [PATCH 6.12 170/307] iio: gyro: adis16260: fix division by zero in write_raw
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 169/307] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 171/307] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Nuno Sá,
	Stable, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antoniu Miclaus <antoniu.miclaus@analog.com>

commit 761e8b489e6cf166c574034b70637f8a7eadd0ee upstream.

Add a validation check for the sampling frequency value before using it
as a divisor. A user writing zero to the sampling_frequency sysfs
attribute triggers a division by zero in the kernel.

Fixes: 089a41985c6c ("staging: iio: adis16260 digital gyro driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/adis16260.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/iio/gyro/adis16260.c
+++ b/drivers/iio/gyro/adis16260.c
@@ -287,6 +287,9 @@ static int adis16260_write_raw(struct ii
 		addr = adis16260_addresses[chan->scan_index][1];
 		return adis_write_reg_16(adis, addr, val);
 	case IIO_CHAN_INFO_SAMP_FREQ:
+		if (val <= 0)
+			return -EINVAL;
+
 		if (spi_get_device_id(adis->spi)->driver_data)
 			t = 256 / val;
 		else
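Review bot: `if (val <= 0)` fixes the division by zero and rejects negatives, but `t = 256 / val;` still yields t == 0 for any val greater than 256; if a zero sample period is not a valid register value for the part, an upper bound on val (or a check on t before it is written) belongs next to this check.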




* [PATCH 6.18 181/315] Input: elan_i2c - validate firmware size before use
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 180/315] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 182/315] i2c: davinci: fix division by zero on missing clock-frequency Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 upstream.

Ensure that the firmware file is large enough to contain the expected
number of pages and the signature (which resides at the end of the
firmware blob) before accessing them to prevent potential out-of-bounds
reads.

Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/mouse/elan_i2c_core.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -645,6 +645,11 @@ static ssize_t elan_sysfs_update_fw(stru
 		return error;
 	}
 
+	if (fw->size < data->fw_signature_address + sizeof(signature)) {
+		dev_err(dev, "firmware file too small\n");
+		return -EBADF;
+	}
+
 	/* Firmware file must match signature data */
 	fw_signature = &fw->data[data->fw_signature_address];
 	if (memcmp(fw_signature, signature, sizeof(signature)) != 0) {
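Review bot: the added bound only covers the signature at fw_signature_address, while the commit message also promises a check that the file holds the expected number of pages; that check is not in this hunk, so either it lives elsewhere or the message overstates the change. Also -EBADF is an unusual errno for a too-small image; -EINVAL is conventional unless the signature-mismatch branch below already returns -EBADF, in which case consistency wins.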




* [PATCH 6.12 171/307] iio: ssp_sensors: cancel delayed work_refresh on remove
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 170/307] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 172/307] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sanjay Chitroda, Stable,
	Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sanjay Chitroda <sanjayembeddedse@gmail.com>

commit eedf7602fbd929e97e0c480da501dc7a34beb2a8 upstream.

The work_refresh may still be pending or running when the device is
removed, so cancel the delayed work_refresh in the remove path.

Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/common/ssp_sensors/ssp_dev.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/common/ssp_sensors/ssp_dev.c
+++ b/drivers/iio/common/ssp_sensors/ssp_dev.c
@@ -590,6 +590,7 @@ static void ssp_remove(struct spi_device
 	ssp_clean_pending_list(data);
 
 	free_irq(data->spi->irq, data);
+	cancel_delayed_work_sync(&data->work_refresh);
 
 	del_timer_sync(&data->wdt_timer);
 	cancel_work_sync(&data->work_wdt);
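Review bot: ordering: the cancel is placed after ssp_clean_pending_list() and free_irq(); if work_refresh can touch the pending list or be rescheduled from the IRQ path, cancel_delayed_work_sync() should run before the list is cleaned so a late run cannot operate on freed entries. Moving the new line up to precede ssp_clean_pending_list() is the safer order.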




* [PATCH 6.18 182/315] i2c: davinci: fix division by zero on missing clock-frequency
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 181/315] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 183/315] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sashiko, Chaitanya Sabnis,
	Bartosz Golaszewski, Andi Shyti

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chaitanya Sabnis <chaitanya.msabnis@gmail.com>

commit 030675aa54cf757769b3db65642433d626b3ed7c upstream.

When the 'clock-frequency' property is missing from the device tree,
the driver falls back to DAVINCI_I2C_DEFAULT_BUS_FREQ. However, this
macro was defined in kHz (100), whereas the device tree property is
expected in Hz.

The probe function divided the fallback value by 1000, causing
integer truncation that resulted in dev->bus_freq = 0. This triggered
a deterministic division-by-zero kernel panic when calculating clock
dividers later in the probe sequence.

Fix this by redefining DAVINCI_I2C_DEFAULT_BUS_FREQ in Hz (100000)
to match the expected device tree property unit, allowing the existing
division logic to work correctly for both cases.

Fixes: b04ce6385979 ("i2c: davinci: kill platform data")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/all/20260514044726.57297C2BCB7@smtp.kernel.org/
Signed-off-by: Chaitanya Sabnis <chaitanya.msabnis@gmail.com>
Cc: <stable@vger.kernel.org> # v6.14+
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260526102240.4949-1-chaitanya.msabnis@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-davinci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-davinci.c
+++ b/drivers/i2c/busses/i2c-davinci.c
@@ -117,7 +117,7 @@
 /* timeout for pm runtime autosuspend */
 #define DAVINCI_I2C_PM_TIMEOUT	1000	/* ms */
 
-#define DAVINCI_I2C_DEFAULT_BUS_FREQ	100
+#define DAVINCI_I2C_DEFAULT_BUS_FREQ	100000
 
 struct davinci_i2c_dev {
 	struct device           *dev;
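Review bot: add a unit comment to the redefined macro, matching the neighbouring `#define DAVINCI_I2C_PM_TIMEOUT	1000	/* ms */`, e.g. `#define DAVINCI_I2C_DEFAULT_BUS_FREQ	100000	/* Hz */`; the kHz/Hz confusion is exactly what this fix addresses, and the comment is the cheapest guard against reintroducing it.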




* [PATCH 6.12 172/307] iio: temperature: tsys01: fix broken PROM checksum validation
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 171/307] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 173/307] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Salah Triki, Stable,
	Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Salah Triki <salah.triki@gmail.com>

commit 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 upstream.

The current implementation of tsys01_crc_valid() incorrectly sums the
first word (n_prom[0]) repeatedly instead of iterating over the 8 words
retrieved from the PROM. This leads to a checksum mismatch and probe
failure on hardware.

According to the TSYS01 datasheet, the PROM consists of 8 words. A valid
check must iterate through all 8 words to verify the integrity of the
calibration data. The current driver only checks the first word 8 times.

Note: This fix was identified during a code audit and is based on
datasheet specifications. It has not been tested on real hardware.

Fixes: 43e53407f680 ("Add tsys01 meas-spec driver support")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/temperature/tsys01.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/temperature/tsys01.c
+++ b/drivers/iio/temperature/tsys01.c
@@ -119,7 +119,7 @@ static bool tsys01_crc_valid(u16 *n_prom
 	u8 sum = 0;
 
 	for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++)
-		sum += ((n_prom[0] >> 8) + (n_prom[0] & 0xFF));
+		sum += ((n_prom[cnt] >> 8) + (n_prom[cnt] & 0xFF));
 
 	return (sum == 0);
 }
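Review bot: Reading `n_prom[cnt]` on the `+` line is the correct fix, but `return (sum == 0);` is also satisfied by an all-zero PROM (every byte contributes 0 to `sum`), so a blank or unresponsive part that reads back zeros passes validation; consider rejecting an all-zero PROM, or at least requiring the word that carries the CRC to be non-zero. Since `sum` is a u8 the byte additions wrap modulo 256, which is exactly what an "add all bytes, expect zero" checksum needs, so no widening is required.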




* [PATCH 6.18 183/315] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexis Lothoré,
	Borislav Petkov (AMD), Peter Zijlstra (Intel), Steven Rostedt,
	stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

commit a17dc12bfed8868e6a86f3b45c16065a70641acb upstream.

With CONFIG_CALL_DEPTH_TRACKING enabled on an x86 retbleed-affected platform
(eg: Skylake), with retbleed=stuff, registering a dynamic ftrace trampoline
crashes on the first call into the traced function:

  BUG: unable to handle page fault for address: ffff88817ae18880
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 4b53067 P4D 4b53067 PUD 0
  Oops: Oops: 0002 [#1] SMP PTI
  CPU: 3 UID: 0 PID: 187 Comm: usleep Not tainted 7.0.10 #243 PREEMPT(full)
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
  Code: 24 78 00 00 00 00 48 89 ea 48 89 54 24 20 48 8b b4 24 b8 00 00 00 48 8b bc 24 b0 00 00 00 48 89 bc 24 80 00 00 00 48 83 ef 05 <65> 48 c1 3d 1f a8 b6 02 05 48 8b 15 f6 00 00 00 4c 89 3c 24 4c 89
  Call Trace:
   <TASK>
   ? find_held_lock
   ? exc_page_fault
   ? lock_release
   ? __x64_sys_clock_nanosleep
   ? lockdep_hardirqs_on_prepare
   ? trace_hardirqs_on
   __x64_sys_clock_nanosleep
   do_syscall_64
   ? exc_page_fault
   ? call_depth_return_thunk
   entry_SYSCALL_64_after_hwframe
  ...
  Kernel panic - not syncing: Fatal exception

This small reproducer allows one to easily trigger the crash:

  # echo 'p __x64_sys_clock_nanosleep' > /sys/kernel/tracing/kprobe_events
  # echo 1 > /sys/kernel/tracing/events/kprobes/p___x64_sys_clock_nanosleep_0/enable
  # usleep 1

Monitoring the crash under GDB points to the exact instruction in charge of
incrementing the call depth:

  sarq $5, %gs:__x86_call_depth(%rip)

This instruction matches the one inserted by the ftrace_regs_caller from
ftrace_64.S. This emitted code was likely working fine until the introduction
of

  59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()"):

it has made the call depth accounting addressing relative to $rip, instead of
being based on an absolute address.

As this code's exact location depends on where the trampoline lives in memory,
the corresponding displacement needs to be adjusted at runtime to actually
correctly find the per-cpu __x86_call_depth value, otherwise the targeted
address is wrong, leading to the page fault seen above.

Fix the %rip-relative displacement of the copied CALL_DEPTH_ACCOUNT
instruction (from ftrace_regs_caller) by calling text_poke_apply_relocation(),
as it is done for example by the x86 BPF JIT compiler through
x86_call_depth_emit_accounting(). This corrects both CALL_DEPTH_ACCOUNT slots,
in ftrace_caller and ftrace_regs_caller.

  [ bp: Massage. ]

Fixes: 59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()")
Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: <stable@kernel.org>
Link: https://patch.msgid.link/20260527-fix_call_depth_in_trampoline-v1-1-1c1abc8ae310@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/ftrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kernel/ftrace.c
+++ b/arch/x86/kernel/ftrace.c
@@ -371,6 +371,13 @@ create_trampoline(struct ftrace_ops *ops
 	}
 
 	/*
+	 * Generated trampoline may contain rIP-relative addressing which
+	 * displacement needs to be fixed.
+	 */
+	text_poke_apply_relocation(trampoline, trampoline, size,
+				   (void *)start_offset, size);
+
+	/*
 	 * The address of the ftrace_ops that is used for this trampoline
 	 * is stored at the end of the trampoline. This will be used to
 	 * load the third parameter for the callback. Basically, that
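Review bot: The new comment "rIP-relative addressing which displacement needs to be fixed" should read "whose displacement". More usefully, the call passes `trampoline` and `size` twice, and the line alone does not tell the reader which arguments name the old location and which the new; a short comment stating that the code was copied from `start_offset` (its original location) to `trampoline` and that the displacements are being re-based for the new address would make the in-place fixup self-explanatory.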




* [PATCH 6.12 173/307] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Advait Dhamorikar, Andy Shevchenko,
	Stable, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Advait Dhamorikar <advaitd@mechasystems.com>

commit 49f79cd28f1e3333cbe0d616ce59ead0b24bf34e upstream.

The device tree binding for st,lis2mdl does not support
st,drdy-int-pin property. However, when no platform data is provided
and the property is absent, the driver falls back to default_magn_pdata
which hardcodes drdy_int_pin = 2. This causes
`st_sensors_set_drdy_int_pin` to fail with -EINVAL because the LIS2MDL
sensor settings have no INT2 DRDY mask defined.

Fix this by checking the sensor's INT2 DRDY mask availability at
probe time and selecting the appropriate default pin. Sensors that
do not support INT2 DRDY will default to INT1, while all others
retain the existing default of INT2.

Fixes: 38934daf7b5c ("iio: magnetometer: st_magn: Provide default platform data")
Signed-off-by: Advait Dhamorikar <advaitd@mechasystems.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/magnetometer/st_magn_core.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/iio/magnetometer/st_magn_core.c
+++ b/drivers/iio/magnetometer/st_magn_core.c
@@ -506,6 +506,11 @@ static const struct st_sensors_platform_
 	.drdy_int_pin = 2,
 };
 
+/* LIS2MDL only supports DRDY on INT1 */
+static const struct st_sensors_platform_data alt_magn_pdata = {
+	.drdy_int_pin = 1,
+};
+
 static int st_magn_read_raw(struct iio_dev *indio_dev,
 			struct iio_chan_spec const *ch, int *val,
 							int *val2, long mask)
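Review bot: The comment `/* LIS2MDL only supports DRDY on INT1 */` is narrower than how `alt_magn_pdata` is used: the probe path in the next hunk selects it for any sensor whose `drdy_irq.int2.mask` is zero, not only LIS2MDL. Reword it to describe the general condition, e.g. "Default for sensors without an INT2 DRDY line (e.g. LIS2MDL)", so the next sensor that lands on this path does not look like a mistake.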
@@ -628,8 +633,12 @@ int st_magn_common_probe(struct iio_dev
 	mdata->current_fullscale = &mdata->sensor_settings->fs.fs_avl[0];
 	mdata->odr = mdata->sensor_settings->odr.odr_avl[0].hz;
 
-	if (!pdata)
-		pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+	if (!pdata) {
+		if (mdata->sensor_settings->drdy_irq.int2.mask)
+			pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+		else
+			pdata = (struct st_sensors_platform_data *)&alt_magn_pdata;
+	}
 
 	err = st_sensors_init_sensor(indio_dev, pdata);
 	if (err < 0)
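Review bot: The two branches under `if (!pdata) {` differ only in which const object is cast, so a single assignment such as `pdata = (struct st_sensors_platform_data *)(mdata->sensor_settings->drdy_irq.int2.mask ? &default_magn_pdata : &alt_magn_pdata);` keeps one cast and states the selection criterion on one line. Note that explicitly supplied platform data requesting INT2 on a sensor without an INT2 mask still fails in `st_sensors_set_drdy_int_pin` with -EINVAL; that is the right outcome for a misconfiguration and is unchanged by this patch.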




* [PATCH 6.18 184/315] wireguard: send: append trailer after expanding head
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason A. Donenfeld, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 upstream.

With how this is currently written, we add the trailer, zero it out, and
then add the header space on. If that header space requires a
reallocation + copy, the zeros in the trailer aren't copied, because the
skb len hasn't actually been expanded yet to cover that. Instead add the
padding at the end of the process rather than at the beginning.

Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireguard/send.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/net/wireguard/send.c
+++ b/drivers/net/wireguard/send.c
@@ -177,16 +177,6 @@ static bool encrypt_packet(struct sk_buf
 	trailer_len = padding_len + noise_encrypted_len(0);
 	plaintext_len = skb->len + padding_len;
 
-	/* Expand data section to have room for padding and auth tag. */
-	num_frags = skb_cow_data(skb, trailer_len, &trailer);
-	if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
-		return false;
-
-	/* Set the padding to zeros, and make sure it and the auth tag are part
-	 * of the skb.
-	 */
-	memset(skb_tail_pointer(trailer), 0, padding_len);
-
 	/* Expand head section to have room for our header and the network
 	 * stack's headers.
 	 */
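Review bot: Removing the `skb_cow_data()` / `memset()` pair from before the head expansion is the right move: as these lines show, the padding was zeroed in the old data area while it was not yet part of `skb->len`, so a reallocating head expansion leaves the zeroed bytes behind and the padding that later gets encrypted is whatever the new allocation holds. Nothing else in this hunk needs to change, but `num_frags` and `trailer` are now assigned later in the function, so confirm nothing between the two locations reads them.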
@@ -198,6 +188,16 @@ static bool encrypt_packet(struct sk_buf
 		     skb_checksum_help(skb)))
 		return false;
 
+	/* Expand data section to have room for padding and auth tag. */
+	num_frags = skb_cow_data(skb, trailer_len, &trailer);
+	if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
+		return false;
+
+	/* Set the padding to zeros, and make sure it and the auth tag are part
+	 * of the skb.
+	 */
+	memset(skb_tail_pointer(trailer), 0, padding_len);
+
 	/* Only after checksumming can we safely add on the padding at the end
 	 * and the header.
 	 */
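Review bot: The pre-existing comment `/* Only after checksumming can we safely add on the padding at the end and the header. */` now sits below the re-inserted padding block instead of above it; move it up to precede the `skb_cow_data()` call so the ordering constraint is stated where it is enforced. The `memset()` of the padding and the `num_frags > ARRAY_SIZE(sg)` guard are moved unchanged, which is all the fix needs.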




* [PATCH 6.12 174/307] iio: light: cm3323: fix reg_conf not being initialized correctly
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Aldo Conte, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aldo Conte <aldocontelk@gmail.com>

commit 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 upstream.

The code stores the return value of i2c_smbus_write_word_data()
in data->reg_conf; however, this value represents the result
of the write operation and not the value actually written to
the configuration register. This meant that the contents of
data->reg_conf did not truly reflect the contents
of the hardware register.

Instead, save the value of the register before the write
and use this value in the I2C write.

The bug was found by code inspection: i2c_smbus_write_word_data()
returns 0 on success, not the value written to the register.

Tested using i2c-stub on a Raspberry Pi 3B running a custom 6.19.10
kernel. Before loading the driver, the configuration register 0x00
CM3323_CMD_CONF was populated with 0x0030 using
`i2cset -y 11 0x10 0x00 0x0030 w`, encoding an integration time of 320ms
in bits[6:4].

Due to incorrect initialization of data->reg_conf in
cm3323_init(), the print of integration_time returns 0.040000
instead of the expected 0.320000. This happens because the read of the
integration_time depends on cm3323_get_it_bits() that is based on the
value of data->reg_conf, which is erroneously set to 0.

With this fix applied, data->reg_conf correctly saves 0x0030 after init
and the successive integration_time reports 0.320000 as expected.

Fixes: 8b0544263761 ("iio: light: Add support for Capella CM3323 color sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Aldo Conte <aldocontelk@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/cm3323.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/light/cm3323.c
+++ b/drivers/iio/light/cm3323.c
@@ -89,15 +89,14 @@ static int cm3323_init(struct iio_dev *i
 
 	/* enable sensor and set auto force mode */
 	ret &= ~(CM3323_CONF_SD_BIT | CM3323_CONF_AF_BIT);
+	data->reg_conf = ret;
 
-	ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, ret);
+	ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, data->reg_conf);
 	if (ret < 0) {
 		dev_err(&data->client->dev, "Error writing reg_conf\n");
 		return ret;
 	}
 
-	data->reg_conf = ret;
-
 	return 0;
 }
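Review bot: `data->reg_conf = ret;` is now assigned before the write, so if `i2c_smbus_write_word_data()` fails the cached copy claims a configuration the device never accepted. The function returns the error in that case, so nothing consumes the stale value today, but keeping the intended value in a local (e.g. `u16 conf`) and assigning `data->reg_conf` only after the write succeeds keeps the cache faithful to the hardware by construction rather than by the caller's error handling.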
 




* [PATCH 6.18 185/315] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyq21@lenovo.com>

commit f72eed9b84fb771019a955908132410a9ba9ea3f upstream.

When bpf_msg_push_data() inserts data in the middle of a scatterlist
entry, it splits the original entry into a left fragment and a right
fragment.

The right fragment offset is page-local, but the code advances it with
`start`, which is the message-global insertion point. For inserts into a
non-first SG entry, this over-advances the offset and leaves the split
layout inconsistent.

Advance the right fragment offset by the fragment-local delta,
`start - offset`, which matches the length removed from the front of the
original entry.

Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/filter.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2859,7 +2859,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
 
 		psge->length = start - offset;
 		rsge.length -= psge->length;
-		rsge.offset += start;
+		rsge.offset += start - offset;
 
 		sk_msg_iter_var_next(i);
 		sg_unmark_end(psge);
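Review bot: `psge->length = start - offset;`, `rsge.length -= psge->length;` and the corrected `rsge.offset += start - offset;` all use the same fragment-local delta; a local `u32 delta = start - offset;` used in all three lines would make it visible at a glance that the bytes removed from the front of the right fragment equal the bytes kept in the left one. A one-line comment noting that `offset` is the message-global start of the entry being split (so `start - offset` is page-local) would also record why the previous `+= start` was wrong.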




* [PATCH 6.12 175/307] iio: buffer: hw-consumer: fix use-after-free in error path
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, sashiko, Felix Gu, Andy Shevchenko,
	Nuno Sá, Maxwell Doose, Stable, Jonathan Cameron

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Gu <ustc.gu@gmail.com>

commit 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 upstream.

In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
was using list_for_each_entry() to iterate through buffers while calling
iio_buffer_put() which can free the current buffer if refcount drops to 0.
The list_for_each_entry() loop macro then evaluates buf->head.next to
continue iteration, accessing the freed buffer.

Fix this by using list_for_each_entry_safe().

Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
Reported-by: sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/buffer/industrialio-hw-consumer.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/buffer/industrialio-hw-consumer.c
+++ b/drivers/iio/buffer/industrialio-hw-consumer.c
@@ -82,7 +82,7 @@ static struct hw_consumer_buffer *iio_hw
  */
 struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev)
 {
-	struct hw_consumer_buffer *buf;
+	struct hw_consumer_buffer *buf, *tmp;
 	struct iio_hw_consumer *hwc;
 	struct iio_channel *chan;
 	int ret;
@@ -113,7 +113,7 @@ struct iio_hw_consumer *iio_hw_consumer_
 	return hwc;
 
 err_put_buffers:
-	list_for_each_entry(buf, &hwc->buffers, head)
+	list_for_each_entry_safe(buf, tmp, &hwc->buffers, head)
 		iio_buffer_put(&buf->buffer);
 	iio_channel_release_all(hwc->channels);
 err_free_hwc:
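Review bot: `list_for_each_entry_safe()` stops the freed `buf` from being dereferenced for the next pointer, which fixes the use-after-free, but the freed entry stays linked in `hwc->buffers` until the list head goes away with `hwc`. That is fine only as long as nothing walks the list between this loop and `err_free_hwc:`; a `list_del(&buf->head)` before `iio_buffer_put()` would keep the list consistent at every step and make that assumption unnecessary.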




* [PATCH 6.18 186/315] macsec: fix replay protection at XPN lower-PN wrap
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit e68842b3356471ba56c882209f324613dac47f64 upstream.

In macsec_post_decrypt(), when pn is U32_MAX, pn + 1 overflows u32 to 0
and the first branch never fires. If next_pn_halves.lower is also in the
upper half, pn_same_half(pn, lower) is true and the XPN else-if does not
fire either, leaving next_pn_halves unchanged. An attacker that captures
the legitimate frame carrying pn == 0xFFFFFFFF on an XPN association
can then replay it indefinitely, since lowest_pn never rises above
the captured pn and macsec_decrypt() reconstructs the same IV.

Extend the XPN else-if to also fire when pn + 1 wraps to 0, so receipt
of pn == U32_MAX advances next_pn_halves to (upper + 1, 0).

Fixes: a21ecf0e0338 ("macsec: Support XPN frame handling - IEEE 802.1AEbw")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78813FD49E58F253B989F197AF012@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macsec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -804,7 +804,8 @@ static bool macsec_post_decrypt(struct s
 		if (pn + 1 > rx_sa->next_pn_halves.lower) {
 			rx_sa->next_pn_halves.lower = pn + 1;
 		} else if (secy->xpn &&
-			   !pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
+			   (pn + 1 == 0 ||
+			    !pn_same_half(pn, rx_sa->next_pn_halves.lower))) {
 			rx_sa->next_pn_halves.upper++;
 			rx_sa->next_pn_halves.lower = pn + 1;
 		}
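Review bot: `pn + 1 == 0` on the new `+` line relies on u32 wraparound, which is correct but easy to misread; `pn == U32_MAX` states the condition the commit message describes and does not depend on the reader knowing the width of `pn`. The resulting update is consistent: for `pn == U32_MAX` the else-if now does `upper++` and sets `lower = pn + 1`, i.e. 0, so the lowest accepted PN moves past the captured frame and a replay with the same IV is rejected.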




* [PATCH 6.12 176/307] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benoît Monin, Paul Cercueil,
	Stable, Jonathan Cameron, James Nuss

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benoît Monin <benoit.monin@bootlin.com>

commit a093999355084bdbfe6e97f1dd232e58a1525f0b upstream.

iio_buffer_enqueue_dmabuf() allocates a struct iio_dma_fence (104 bytes,
kmalloc-128) via kmalloc_obj()+dma_fence_init(), which sets the initial
kref to 1.  It then calls dma_resv_add_fence() which takes a second
reference (kref=2), and stores a raw pointer in block->fence.

On the success path the function returns without calling dma_fence_put()
to release the initial reference, so every buffer enqueue permanently
leaks one kmalloc-128 allocation.

The iio_buffer_cleanup() work item only releases the temporary reference
taken during completion signalling by iio_buffer_signal_dmabuf_done();
the initial reference from dma_fence_init() is never released.

With four iio_rwdev instances at 240kHz and 512 samples per buffer,
this produces ~1875 kmalloc-128 allocations per second matching the
observed slab growth exactly. A test with ftrace confirmed that the
dma_fence_destroy event was never triggered.

Fix by calling dma_fence_put() after dma_resv_add_fence(), transferring
ownership of the fence to the DMA reservation object. The DMA fence then
gets properly discarded after being signalled.

Fixes: 3e26d9f08fbe0 ("iio: core: Add new DMABUF interface infrastructure")
Originally-by: James Nuss <jamesnuss@nanometrics.ca>
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/industrialio-buffer.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1911,6 +1911,7 @@ static int iio_buffer_enqueue_dmabuf(str
 
 	dma_resv_add_fence(dmabuf->resv, &fence->base,
 			   dma_to_ram ? DMA_RESV_USAGE_WRITE : DMA_RESV_USAGE_READ);
+	dma_fence_put(&fence->base);
 	dma_resv_unlock(dmabuf->resv);
 
 	cookie = dma_fence_begin_signalling();
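Review bot: `dma_fence_put(&fence->base);` after `dma_resv_add_fence()` correctly drops the initial reference from `dma_fence_init()`, so the reservation object now holds the only long-lived reference. The commit message says `block->fence` keeps a raw pointer to the same fence; confirm that every later use of `block->fence` (completion signalling, the cleanup work item) either takes its own `dma_fence_get()` or runs while the resv still references the fence, otherwise the leak fix becomes a use-after-free once the resv releases it.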




* [PATCH 6.18 187/315] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
	Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Justin Iurman <justin.iurman@gmail.com>

commit d47548a36639095939f4747d4c43f2271366f565 upstream.

ipv6_hop_jumbo() calls pskb_trim_rcsum(), which can change skb pointers.
Let's recompute nh pointer to make sure any change won't mess things up.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260522112013.12342-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -184,6 +184,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
 				case IPV6_TLV_JUMBO:
 					if (!ipv6_hop_jumbo(skb, off))
 						return false;
+
+					nh = skb_network_header(skb);
 					break;
 				case IPV6_TLV_CALIPSO:
 					if (!ipv6_hop_calipso(skb, off))
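Review bot: `nh = skb_network_header(skb);` covers only the IPV6_TLV_JUMBO case, yet any other handler in this switch that may trim or reallocate the skb has the same hazard (the thread index on this page lists a sibling patch doing the same refresh after the HAO option). A short comment on the new line, e.g. "ipv6_hop_jumbo() may have trimmed the skb, refresh nh", would document why the refresh is needed and make the remaining cases easier to spot in review.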




* [PATCH 6.12 177/307] USB: serial: omninet: fix memory corruption with small endpoint
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 60df93d30f9bdd27db17c4d80ed80ef718d7226b upstream.

Make sure that the bulk-out buffers are at least as large as the
hardcoded transfer size to avoid user-controlled slab corruption should
a malicious device report a smaller endpoint max packet size than
expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/omninet.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -30,6 +30,10 @@
 /* This one seems to be a re-branded ZyXEL device */
 #define BT_IGNITIONPRO_ID	0x2000
 
+#define OMNINET_HEADERLEN	4
+#define OMNINET_BULKOUTSIZE	64
+#define OMNINET_PAYLOADSIZE	(OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
+
 /* function prototypes */
 static void omninet_process_read_urb(struct urb *urb);
 static int omninet_prepare_write_buffer(struct usb_serial_port *port,
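Review bot: Moving `OMNINET_HEADERLEN`, `OMNINET_BULKOUTSIZE` and `OMNINET_PAYLOADSIZE` to the top of the file is needed only because the driver struct below now references `OMNINET_BULKOUTSIZE` before the old definition point; the values themselves are unchanged. Fine as is, though splitting the move into its own preparatory patch would have left the functional change as a single reviewable line.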
@@ -54,6 +58,7 @@ static struct usb_serial_driver zyxel_om
 	.description =		"ZyXEL - omni.net usb",
 	.id_table =		id_table,
 	.num_bulk_out =		2,
+	.bulk_out_size =	OMNINET_BULKOUTSIZE,
 	.calc_num_ports =	omninet_calc_num_ports,
 	.port_probe =		omninet_port_probe,
 	.port_remove =		omninet_port_remove,
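Review bot: `.bulk_out_size = OMNINET_BULKOUTSIZE,` is the actual fix: the serial core then allocates 64-byte bulk-out buffers regardless of the wMaxPacketSize the device reports, so a device advertising a smaller endpoint can no longer make the driver's fixed-size writes overrun the buffer. Worth double-checking that no remaining code path in the driver sizes a transfer from the endpoint's max packet size instead of `OMNINET_BULKOUTSIZE`, since that would reintroduce the mismatch.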
@@ -130,10 +135,6 @@ static void omninet_port_remove(struct u
 	kfree(od);
 }
 
-#define OMNINET_HEADERLEN	4
-#define OMNINET_BULKOUTSIZE	64
-#define OMNINET_PAYLOADSIZE	(OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
-
 static void omninet_process_read_urb(struct urb *urb)
 {
 	struct usb_serial_port *port = urb->context;




* [PATCH 6.18 188/315] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 upstream.

Fix error handling in q6asm_dai_compr_set_params() and q6asm_dai_prepare()
for both CMD_CLOSE and q6asm_unmap_memory_regions().

In both functions, we are doing q6asm_audio_client_free in failure
cases, which means if prepare or set_params fail, we can never recover.
Now open and close are done in respective dai_open/close functions.

Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |   24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -235,9 +235,19 @@ static int q6asm_dai_prepare(struct snd_
 	/* rate and channels are sent to audio driver */
 	if (prtd->state == Q6ASM_STREAM_RUNNING) {
 		/* clear the previous setup if any  */
-		q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
-		q6asm_unmap_memory_regions(substream->stream,
-					   prtd->audio_client);
+		ret = q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+		if (ret < 0) {
+			dev_err(dev, "Failed to close q6asm stream %d\n", prtd->stream_id);
+			return ret;
+		}
+
+		ret = q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
+		if (ret < 0) {
+			dev_err(dev, "Failed to unmap memory regions for q6asm stream %d\n",
+				prtd->stream_id);
+			return ret;
+		}
+
 		q6routing_stream_close(soc_prtd->dai_link->id,
 					 substream->stream);
 		prtd->state = Q6ASM_STREAM_STOPPED;
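Review bot: the two new early returns leave prtd->state at Q6ASM_STREAM_RUNNING and skip q6routing_stream_close(), so a failed q6asm_unmap_memory_regions() returns with the DSP stream already closed by CMD_CLOSE while the driver still believes it is running; the next prepare() will then issue CMD_CLOSE again on a closed stream. Either set `prtd->state = Q6ASM_STREAM_STOPPED;` once CMD_CLOSE has succeeded (before the unmap), or add a comment explaining why re-issuing the close is harmless. Also, `dev` is used by the new dev_err() calls but is not declared in this hunk; make sure it is in scope in q6asm_dai_prepare().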
@@ -305,8 +315,6 @@ routing_err:
 	q6asm_cmd(prtd->audio_client, prtd->stream_id,  CMD_CLOSE);
 open_err:
 	q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
-	q6asm_audio_client_free(prtd->audio_client);
-	prtd->audio_client = NULL;
 
 	return ret;
 }
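Review bot: with q6asm_audio_client_free() gone from this path, the cleanup still discards the return values of q6asm_cmd(..., CMD_CLOSE) and q6asm_unmap_memory_regions(), unlike the new handling in the prepare() hunk above; since the client now survives for a retry, a dev_err() on failure here would help diagnose why a later prepare() fails. Minor: there is a stray double space in `q6asm_cmd(prtd->audio_client, prtd->stream_id,  CMD_CLOSE);` that could be cleaned up while touching these lines.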
@@ -903,7 +911,7 @@ static int q6asm_dai_compr_set_params(st
 			      prtd->session_id, dir);
 	if (ret) {
 		dev_err(dev, "Stream reg failed ret:%d\n", ret);
-		goto q6_err;
+		goto routing_err;
 	}
 
 	ret = __q6asm_dai_compr_set_codec_params(component, stream,
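Review bot: switching this failure to `goto routing_err` means a stream-registration failure no longer runs the q6routing_stream_close() that `q6_err` now performs; that is only correct if routing is opened after this call. The hunk does not show where q6routing_stream_open() sits relative to the registration, so please confirm the ordering, otherwise a routing entry leaks on this path.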
@@ -929,11 +937,11 @@ static int q6asm_dai_compr_set_params(st
 	return 0;
 
 q6_err:
+	q6routing_stream_close(rtd->dai_link->id, dir);
+routing_err:
 	q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
 
 open_err:
-	q6asm_audio_client_free(prtd->audio_client);
-	prtd->audio_client = NULL;
 	return ret;
 }
 
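Review bot: the new `q6_err` path closes routing with `rtd->dai_link->id` and `dir`, while the equivalent teardown in q6asm_dai_prepare() uses `soc_prtd->dai_link->id` and `substream->stream`; please verify these resolve to the same id/direction pair that q6routing_stream_open() registered in set_params, since a mismatch leaves the routing entry open. Minor: `open_err:` now labels a bare `return ret;`, which is valid C but reads oddly; a short comment that the audio client is intentionally left for dai_close() to free (as the commit message says) would make the intent clear.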




* [PATCH 6.12 178/307] usb: cdns3: gadget: fix request skipping after clearing halt
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Yongchao Wu

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yongchao Wu <yongchao.wu@autochips.com>

commit c8778ff817a7047d6848fefba99dcb27b1bf01fe upstream.

According to the cdns3 datasheet, the EPRST (Endpoint Reset) command
causes the DMA engine to reposition its internal pointer to the next
Transfer Descriptor (TD) if it was already processing one.

This issue is consistently observed during the ADB identification
process on macOS hosts, where the host issues a Clear_Halt. Although
commit 4bf2dd65135a ("usb: cdns3: gadget: toggle cycle bit before reset
endpoint") attempted to avoid DMA advance by toggling the cycle bit,
trace logs show that on certain hosts like macOS, the DMA pointer
(EP_TRADDR) still shifts after EPRST:

  cdns3_ctrl_req: Clear Endpoint Feature(Halt ep1out)
  cdns3_doorbell_epx: ep1out, ep_trbaddr f9c04030  <-- Should be f9c04000
  cdns3_gadget_giveback: ep1out: req: ... length: 16384/16384

As shown above, the DMA pointer jumped to the next TD, causing
the controller to skip the initial TRBs of the request. This leads to
data misalignment and ADB protocol hangs on macOS.

Fix this by manually restoring the EP_TRADDR register to the starting
physical address of the current request after the EPRST operation is
complete.

Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Cc: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Yongchao Wu <yongchao.wu@autochips.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260513160012.2547894-1-yongchao.wu@autochips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-gadget.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -2817,9 +2817,19 @@ int __cdns3_gadget_ep_clear_halt(struct
 	priv_ep->flags &= ~(EP_STALLED | EP_STALL_PENDING);
 
 	if (request) {
-		if (trb)
+		if (trb) {
 			*trb = trb_tmp;
 
+			/*
+			 * Per datasheet, EPRST causes DMA to reposition to the next TD.
+			 * Manually reset EP_TRADDR to the current TRB to prevent
+			 * the hardware from skipping the interrupted request.
+			 */
+			writel(EP_TRADDR_TRADDR(priv_ep->trb_pool_dma +
+						priv_req->start_trb * TRB_SIZE),
+						&priv_dev->regs->ep_traddr);
+		}
+
 		cdns3_rearm_transfer(priv_ep, 1);
 	}
 
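Review bot: the EP_TRADDR restore is nested under `if (trb)`, so a request with no cached TRB (`trb == NULL`) still goes through cdns3_rearm_transfer() without the pointer being restored; per the commit message EPRST moves the DMA pointer regardless, so either explain in the comment why the trb-less case cannot hit the skip or move the writel() out of the inner `if`. Also, the hunk does not show which endpoint's register window is selected when `ep_traddr` is written; confirm the endpoint selection done for the EPRST earlier in __cdns3_gadget_ep_clear_halt() is still in effect at this point.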




* [PATCH 6.12 179/307] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@cixtech.com>

commit e6970cda63fd4b4546aeed9d0e2f53a7c95cd09c upstream.

Move usb2_phy initialization after usb3_phy acquisition.

Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-2-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-plat.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -126,15 +126,15 @@ static int cdns3_plat_probe(struct platf
 		return dev_err_probe(dev, PTR_ERR(cdns->usb2_phy),
 				     "Failed to get cdn3,usb2-phy\n");
 
-	ret = phy_init(cdns->usb2_phy);
-	if (ret)
-		return ret;
-
 	cdns->usb3_phy = devm_phy_optional_get(dev, "cdns3,usb3-phy");
 	if (IS_ERR(cdns->usb3_phy))
 		return dev_err_probe(dev, PTR_ERR(cdns->usb3_phy),
 				     "Failed to get cdn3,usb3-phy\n");
 
+	ret = phy_init(cdns->usb2_phy);
+	if (ret)
+		return ret;
+
 	ret = phy_init(cdns->usb3_phy);
 	if (ret)
 		goto err_phy3_init;
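Review bot: nit in the surrounding context, the error strings read `"Failed to get cdn3,usb2-phy\n"` and `"Failed to get cdn3,usb3-phy\n"` while the property actually fetched is `"cdns3,usb3-phy"`; worth correcting in a follow-up so the probe message matches the DT property name. The reorder itself is the right fix: the early `return dev_err_probe(...)` on a usb3_phy lookup failure now runs before phy_init(cdns->usb2_phy), so nothing is left initialized, and the existing `goto err_phy3_init` still covers a phy_init(usb3_phy) failure.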




* [PATCH 6.18 189/315] ipv6: exthdrs: refresh nh after handling HAO option
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
	Luxing Yin, Zhengchuan Liang, Ren Wei, Justin Iurman,
	Ido Schimmel, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

commit f7b52afe3592eae66e160586b45a3f2242972c63 upstream.

ip6_parse_tlv() caches skb_network_header(skb) in nh while walking
IPv6 TLVs.

ipv6_dest_hao() may call pskb_expand_head() for a cloned skb, which can
move the skb head and invalidate the cached network header pointer.
Refresh nh after ipv6_dest_hao() returns so any trailing padding or TLVs
are parsed from the current skb head.

This matches the existing pattern used in ip6_parse_tlv() after helpers
that can modify skb header storage.

Fixes: a831f5bbc89a ("[IPV6] MIP6: Add inbound interface of home address option.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/7aba1debc2196189172499e5769802b026f8caf8.1779247873.git.zcliangcn@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -203,6 +203,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
 				case IPV6_TLV_HAO:
 					if (!ipv6_dest_hao(skb, off))
 						return false;
+
+					nh = skb_network_header(skb);
 					break;
 #endif
 				default:
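Review bot: refreshing `nh` right after ipv6_dest_hao() is necessary because the helper can reallocate the skb head, but any other pointer in ip6_parse_tlv() computed from the old `nh` before this case (for example a cached end-of-options pointer, if the loop keeps one) would be equally stale; please check that the loop only derives addresses as `nh + off` after this point. A brief comment on the new line, such as `/* ipv6_dest_hao() may have reallocated the skb head */`, would make the reason visible at the call site.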




* [PATCH 6.18 190/315] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Xiao Liang,
	Maoyi Xie, Paolo Abeni

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 8b484efd5cb4eeef9021a661e198edc5349dacf6 upstream.

After patch 1/2 in this series, vti6_update() unlinks and relinks
the tunnel through t->net. vti6_siocdevprivate() still uses
dev_net(dev) for the collision lookup. For a tunnel moved through
IFLA_NET_NS_FD, dev_net(dev) is the new netns, not t->net.

SIOCCHGTUNNEL on a migrated tunnel then runs:

  net = dev_net(dev)                    /* migrated netns */
  t   = vti6_locate(net, &p1, false)    /* misses target in t->net */
  ...
  t   = netdev_priv(dev)
  vti6_update(t, &p1, false)            /* mutates t->net's hash */

A caller in the migrated netns picks params that match a tunnel
in the creation netns. The lookup in dev_net(dev) finds nothing.
vti6_update() prepends the migrated tunnel at the head of the
creation netns hash bucket for those params. Later lookups in
the creation netns resolve to the migrated device. xfrm receive
delivers the matched packets through a device the caller controls.

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.

Switch the SIOCCHGTUNNEL path on a non-fallback device to use
t->net for the lookup. The lookup now matches the netns
vti6_update() operates on.

Also add ns_capable(self->net->user_ns, CAP_NET_ADMIN) before
the lookup. The check at the top of the case is against
dev_net(dev)->user_ns, which after migration is the attacker's
netns. A caller there can pick params absent from self->net,
the lookup returns NULL, t becomes self, and vti6_update()
inserts the device into the creation netns hash. The new check
requires CAP_NET_ADMIN in the creation netns user_ns too.

SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device keep
dev_net(dev), which equals init_net there.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Suggested-by: Xiao Liang <shaw.leon@gmail.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/20260521130555.3421684-3-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -834,17 +834,24 @@ vti6_siocdevprivate(struct net_device *d
 		if (p.proto != IPPROTO_IPV6  && p.proto != 0)
 			break;
 		vti6_parm_from_user(&p1, &p);
-		t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
 		if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) {
+			struct ip6_tnl *self = netdev_priv(dev);
+
+			err = -EPERM;
+			if (!ns_capable(self->net->user_ns, CAP_NET_ADMIN))
+				break;
+			t = vti6_locate(self->net, &p1, false);
 			if (t) {
 				if (t->dev != dev) {
 					err = -EEXIST;
 					break;
 				}
 			} else
-				t = netdev_priv(dev);
+				t = self;
 
 			err = vti6_update(t, &p1, false);
+		} else {
+			t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
 		}
 		if (t) {
 			err = 0;
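Review bot: in the SIOCCHGTUNNEL branch the result of `err = vti6_update(t, &p1, false);` is discarded by the unchanged `if (t) { err = 0; ...` that follows, because `t` is always non-NULL there (either the located tunnel or `self`). That is pre-existing, but since this patch now relies on vti6_update() operating on the right namespace it is worth either propagating its return value or noting that it cannot fail. The new ns_capable(self->net->user_ns, CAP_NET_ADMIN) check is correctly placed before the lookup, so a caller in the migrated netns cannot even probe for parameter collisions in the creation netns.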




* [PATCH 6.12 180/307] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Chen <peter.chen@cixtech.com>

commit ae6f3b82324e4f39ad8443c9020787e6fc889637 upstream.

Call pm_runtime_allow(dev) conditionally at cdns3_plat_remove.

Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-3-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-plat.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -188,6 +188,9 @@ static void cdns3_plat_remove(struct pla
 	struct device *dev = cdns->dev;
 
 	pm_runtime_get_sync(dev);
+	if (!(cdns->pdata && (cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW)))
+		pm_runtime_allow(dev);
+
 	pm_runtime_disable(dev);
 	pm_runtime_put_noidle(dev);
 	cdns_remove(cdns);
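Review bot: the condition `!(cdns->pdata && (cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW))` must be the exact negation of the test under which probe called pm_runtime_forbid(); that probe-side test is not in this hunk, so please confirm they match, otherwise the usage counter stays unbalanced in one direction. Readability nit: `if (!cdns->pdata || !(cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW))` states the same condition more directly.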




* [PATCH 6.18 191/315] ipv6: validate extension header length before copying to cmsg
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qi Tang, Willem de Bruijn,
	Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qi Tang <tpluszz77@gmail.com>

commit dd433671fef381fdaf7b530c631e6b782d66e224 upstream.

ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
The length was validated only at parse time (ipv6_parse_hopopts(),
etc.).  An nftables payload-write expression can rewrite hdrlen after
parsing and before the skb reaches recvmsg; the write itself is
in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
bytes from an 8-byte header.  nftables is reachable from an
unprivileged user namespace, so this is an unprivileged
slab-out-of-bounds read:

  BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540
   put_cmsg+0x3ac/0x540
   udpv6_recvmsg+0xca0/0x1250
   sock_recvmsg+0xdf/0x190
   ____sys_recvmsg+0x1b1/0x620

Add ipv6_get_exthdr_len() which validates that at least two bytes
are accessible before reading the hdrlen field, then checks the
computed length against skb_tail_pointer(skb), returning 0 on
failure.  Extension headers are kept in the linear skb area by
pskb_may_pull() during input, so skb_tail_pointer() is the correct
bound.

Use ipv6_get_exthdr_len() at all non-AH call sites: the five
standalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)
and the three standard cases in the extension-header walk loop
(DSTOPTS, ROUTING, default).  AH retains an inline bounds check
because its length formula differs ((ptr[1]+2)<<2).

The walk loop also gets a pre-read bounds check at the top to
validate ptr before any case accesses ptr[0] or ptr[1].

When the walk loop detects a corrupted header, return from the
function instead of continuing to process later socket options.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260523143245.2281415-1-tpluszz77@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/datagram.c |   54 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 8 deletions(-)

--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -617,6 +617,18 @@ void ip6_datagram_recv_common_ctl(struct
 	}
 }
 
+static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
+{
+	u16 len;
+
+	if (ptr + 2 > skb_tail_pointer(skb))
+		return 0;
+
+	len = (ptr[1] + 1) << 3;
+
+	return (len <= skb_tail_pointer(skb) - ptr) ? len : 0;
+}
+
 void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
 				    struct sk_buff *skb)
 {
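Review bot: ipv6_get_exthdr_len() returns 0 both when hdrlen cannot be read and when the declared length runs past the tail, which is unambiguous only because a valid extension header is never shorter than 8 bytes (`(0 + 1) << 3`); a one-line comment stating that 0 is the error sentinel for that reason would help future readers. Also, `ptr + 2 > skb_tail_pointer(skb)` is the usual kernel idiom but it assumes `ptr` already lies inside the linear area; the commit message justifies that via pskb_may_pull(), and the comment could say so.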
@@ -643,7 +655,10 @@ void ip6_datagram_recv_specific_ctl(stru
 	/* HbH is allowed only once */
 	if (np->rxopt.bits.hopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
 		u8 *ptr = nh + sizeof(struct ipv6hdr);
-		put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, len, ptr);
 	}
 
 	if (opt->lastopt &&
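Review bot: when ipv6_get_exthdr_len() returns 0 here the cmsg is silently omitted rather than the recvmsg() failing; given that IP6SKB_HOPBYHOP was set at parse time, a zero length means the header was altered after parsing, so a comment explaining the deliberate "drop the cmsg, keep the datagram" policy would be useful at this first call site.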
@@ -664,26 +679,37 @@ void ip6_datagram_recv_specific_ctl(stru
 			unsigned int len;
 			u8 *ptr = nh + off;
 
+			if (ptr + 2 > skb_tail_pointer(skb))
+				return;
+
 			switch (nexthdr) {
 			case IPPROTO_DSTOPTS:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				if (np->rxopt.bits.dstopts)
 					put_cmsg(msg, SOL_IPV6, IPV6_DSTOPTS, len, ptr);
 				break;
 			case IPPROTO_ROUTING:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				if (np->rxopt.bits.srcrt)
 					put_cmsg(msg, SOL_IPV6, IPV6_RTHDR, len, ptr);
 				break;
 			case IPPROTO_AH:
 				nexthdr = ptr[0];
 				len = (ptr[1] + 2) << 2;
+				if (ptr + len > skb_tail_pointer(skb))
+					return;
 				break;
 			default:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				break;
 			}
 
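Review bot: the new `return` statements abort the whole function, so options handled after the walk loop (including the IPV6_2292* blocks and rxorigdstaddr below) are skipped for a datagram with a corrupted extension header, as the commit message states; a short comment at the first return site would make that visible in the code. The top-of-loop `ptr + 2` check is what makes this safe: every case reads `ptr[0]` and `ptr[1]` before the length is validated, and it is also what makes the AH case's inline `ptr + len` check sufficient on its own.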
@@ -705,19 +731,31 @@ void ip6_datagram_recv_specific_ctl(stru
 	}
 	if (np->rxopt.bits.ohopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
 		u8 *ptr = nh + sizeof(struct ipv6hdr);
-		put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.odstopts && opt->dst0) {
 		u8 *ptr = nh + opt->dst0;
-		put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.osrcrt && opt->srcrt) {
 		struct ipv6_rt_hdr *rthdr = (struct ipv6_rt_hdr *)(nh + opt->srcrt);
-		put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, (rthdr->hdrlen+1) << 3, rthdr);
+		u16 len = ipv6_get_exthdr_len(skb, (u8 *)rthdr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, len, rthdr);
 	}
 	if (np->rxopt.bits.odstopts && opt->dst1) {
 		u8 *ptr = nh + opt->dst1;
-		put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.rxorigdstaddr) {
 		struct sockaddr_in6 sin6;
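Review bot: the IPV6_2292RTHDR block now passes `(u8 *)rthdr` to ipv6_get_exthdr_len(), which reads `ptr[1]`; that is rthdr->hdrlen only because struct ipv6_rt_hdr places nexthdr at byte 0 and hdrlen at byte 1. That is the wire layout and will not change, but the previous line computed `(rthdr->hdrlen+1) << 3` explicitly; a short comment that the generic helper reads the same field would keep the dependency visible.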




* [PATCH 6.12 181/307] usb: dwc2: Fix use after free in debug code
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <error27@gmail.com>

commit 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 upstream.

We're not allowed to dereference "urb" after calling
usb_hcd_giveback_urb() so save the urb->status ahead of time.

Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/ag1NwBpqT4IEQcdJ@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc2/hcd.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -4804,6 +4804,7 @@ static int _dwc2_hcd_urb_dequeue(struct
 	struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd);
 	int rc;
 	unsigned long flags;
+	int urb_status;
 
 	dev_dbg(hsotg->dev, "DWC OTG HCD URB Dequeue\n");
 	dwc2_dump_urb_info(hcd, urb, "urb_dequeue");
@@ -4828,11 +4829,12 @@ static int _dwc2_hcd_urb_dequeue(struct
 
 	/* Higher layer software sets URB status */
 	spin_unlock(&hsotg->lock);
+	urb_status = urb->status;
 	usb_hcd_giveback_urb(hcd, urb, status);
 	spin_lock(&hsotg->lock);
 
 	dev_dbg(hsotg->dev, "Called usb_hcd_giveback_urb()\n");
-	dev_dbg(hsotg->dev, "  urb->status = %d\n", urb->status);
+	dev_dbg(hsotg->dev, "  urb->status = %d\n", urb_status);
 out:
 	spin_unlock_irqrestore(&hsotg->lock, flags);
 
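Review bot: `urb_status = urb->status;` is read after `spin_unlock(&hsotg->lock)` but before usb_hcd_giveback_urb(), which is still safe because ownership of the URB only passes at giveback; moving the read above the unlock would make that ownership boundary more obvious. Note that the value captured is whatever the upper layer stored in urb->status at unlink time, not the `status` argument passed to giveback, which matches what the existing debug line intends to print.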




* [PATCH 6.18 192/315] xfrm: input: hold netns during deferred transport reinjection
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
	Luxing Yin, Zhengchuan Liang, Ren Wei, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

commit c16f74dc1d75d0e2e7670076d5375deda110ebeb upstream.

Transport-mode reinjection stores a struct net pointer in skb->cb and
uses it later from xfrm_trans_reinject(). That pointer must stay valid
until the deferred callback runs.

Take a netns reference when queueing deferred reinjection work and drop
it after the callback completes. Use maybe_get_net() so the queueing
path does not revive a namespace that is already being torn down.

This keeps the existing workqueue design and fixes the netns lifetime
handling in one place for all users of xfrm_trans_queue_net().

Fixes: 7b3801927e52 ("xfrm: introduce xfrm_trans_queue_net")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_input.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -794,9 +794,12 @@ static void xfrm_trans_reinject(struct w
 	spin_unlock_bh(&trans->queue_lock);
 
 	local_bh_disable();
-	while ((skb = __skb_dequeue(&queue)))
-		XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
-					       NULL, skb);
+	while ((skb = __skb_dequeue(&queue))) {
+		struct net *net = XFRM_TRANS_SKB_CB(skb)->net;
+
+		XFRM_TRANS_SKB_CB(skb)->finish(net, NULL, skb);
+		put_net(net);
+	}
 	local_bh_enable();
 }
 
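Review bot: the local `net` copy is necessary rather than cosmetic: finish() consumes the skb, so XFRM_TRANS_SKB_CB(skb)->net cannot be read afterwards to drop the reference. A comment on the `put_net(net)` line saying so would stop a future cleanup from folding the lookup back into the finish() call.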
@@ -805,6 +808,7 @@ int xfrm_trans_queue_net(struct net *net
 				       struct sk_buff *))
 {
 	struct xfrm_trans_tasklet *trans;
+	struct net *hold_net;
 
 	trans = this_cpu_ptr(&xfrm_trans_tasklet);
 
@@ -813,8 +817,12 @@ int xfrm_trans_queue_net(struct net *net
 
 	BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
 
+	hold_net = maybe_get_net(net);
+	if (!hold_net)
+		return -ENODEV;
+
 	XFRM_TRANS_SKB_CB(skb)->finish = finish;
-	XFRM_TRANS_SKB_CB(skb)->net = net;
+	XFRM_TRANS_SKB_CB(skb)->net = hold_net;
 	spin_lock_bh(&trans->queue_lock);
 	__skb_queue_tail(&trans->queue, skb);
 	spin_unlock_bh(&trans->queue_lock);




* [PATCH 6.12 182/307] Input: elan_i2c - validate firmware size before use
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 upstream.

Ensure that the firmware file is large enough to contain the expected
number of pages and the signature (which resides at the end of the
firmware blob) before accessing them to prevent potential out-of-bounds
reads.

Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/mouse/elan_i2c_core.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -645,6 +645,11 @@ static ssize_t elan_sysfs_update_fw(stru
 		return error;
 	}
 
+	if (fw->size < data->fw_signature_address + sizeof(signature)) {
+		dev_err(dev, "firmware file too small\n");
+		return -EBADF;
+	}
+
 	/* Firmware file must match signature data */
 	fw_signature = &fw->data[data->fw_signature_address];
 	if (memcmp(fw_signature, signature, sizeof(signature)) != 0) {
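Review bot: `-EBADF` (bad file descriptor) is an unusual code for a malformed firmware image; -EINVAL is the more common choice for a blob that fails size validation. The single check also covers the page data only implicitly, because the signature sits at the end of the blob (per the commit message); a comment saying so would explain why no separate page-count check follows. Finally, make sure `data->fw_signature_address + sizeof(signature)` cannot wrap for the integer type of fw_signature_address.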




* [PATCH 6.18 193/315] l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, James Chapman,
	Simon Horman, Jakub Kicinski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 05f95729ca844704d15e49ce14868af4b403b32b upstream.

A reader in l2tp_session_get_by_ifname() can return a pointer to a
session whose refcount has reached zero. The getter takes its
reference with plain refcount_inc(), but every other session getter
in the same file (l2tp_v2_session_get, l2tp_v3_session_get, and the
corresponding _get_next variants) uses refcount_inc_not_zero()
because the IDR/RCU lookup can race with refcount_dec_and_test() ->
l2tp_session_free() -> kfree_rcu(). The ifname getter is the only
outlier; the inconsistency was raised on-list after 979c017803c4
("l2tp: use list_del_rcu in l2tp_session_unhash").

A reader inside rcu_read_lock_bh() that matches session->ifname can
be preempted between the strcmp() and the refcount_inc(). If the
last reference drops on another CPU in that window, the reader's
refcount_inc() runs on a counter that has reached zero. refcount_t
catches the addition-on-zero, prints "refcount_t: addition on 0;
use-after-free", saturates the counter, and returns the saturated
pointer to the caller. Session memory is held live by the in-flight
RCU read section, but the kfree_rcu() callback queued from
l2tp_session_free() will free it once the grace period closes; a
caller that dereferences the returned session past that point hits
a slab-use-after-free. On PREEMPT_RT local_bh_disable() is a per-CPU
sleeping lock and the preemption window is real; on stock PREEMPT
kernels local_bh_disable() is a preempt_count increment that closes
the cross-CPU race in practice (see below).

Use refcount_inc_not_zero() and continue the list walk on failure,
matching the other session getters in the file. The ifname getter
is the only session getter in net/l2tp/ that still uses the bare
refcount_inc() pattern; this change restores file-internal
consistency. The success path is unchanged.

Fixes: abe7a1a7d0b6 ("l2tp: improve tunnel/session refcount helpers")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: James Chapman <jchapman@katalix.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260523023423.2568972-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/l2tp/l2tp_core.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -441,12 +441,13 @@ struct l2tp_session *l2tp_session_get_by
 	idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
 		if (tunnel) {
 			list_for_each_entry_rcu(session, &tunnel->session_list, list) {
-				if (!strcmp(session->ifname, ifname)) {
-					refcount_inc(&session->ref_count);
-					rcu_read_unlock_bh();
+				if (strcmp(session->ifname, ifname))
+					continue;
+				if (!refcount_inc_not_zero(&session->ref_count))
+					continue;
+				rcu_read_unlock_bh();
 
-					return session;
-				}
+				return session;
 			}
 		}
 	}
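Review bot: `continue` on a failed refcount_inc_not_zero() is the right outcome: a session whose count has already hit zero is on its way through kfree_rcu() and must not be handed out, and the walk proceeds in case a later entry matches. Note that rcu_read_unlock_bh() has moved out of the `if` block but is still only reached on the success path, because both guards `continue` past it; the fall-through path after the loop (not shown) must still unlock as before. The two guards could be folded into one condition, but the split form matches the other getters the commit message cites.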




* [PATCH 6.12 183/307] wireguard: send: append trailer after expanding head
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jason A. Donenfeld, Jakub Kicinski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jason A. Donenfeld <Jason@zx2c4.com>

commit f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 upstream.

With how this is currently written, we add the trailer, zero it out, and
then add the header space on. If that header space requires a
reallocation + copy, the zeros in the trailer aren't copied, because the
skb len hasn't actually been yet expanded to cover that. Instead add the
padding at the end of the process rather than at the beginning.

Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireguard/send.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/net/wireguard/send.c
+++ b/drivers/net/wireguard/send.c
@@ -177,16 +177,6 @@ static bool encrypt_packet(struct sk_buf
 	trailer_len = padding_len + noise_encrypted_len(0);
 	plaintext_len = skb->len + padding_len;
 
-	/* Expand data section to have room for padding and auth tag. */
-	num_frags = skb_cow_data(skb, trailer_len, &trailer);
-	if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
-		return false;
-
-	/* Set the padding to zeros, and make sure it and the auth tag are part
-	 * of the skb.
-	 */
-	memset(skb_tail_pointer(trailer), 0, padding_len);
-
 	/* Expand head section to have room for our header and the network
 	 * stack's headers.
 	 */
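Review bot: this hunk only deletes, so `trailer` and `num_frags` are left uninitialised until skb_cow_data() is re-issued later in the function, and nothing between this point and that call may touch them. The visible context (the head expansion and skb_checksum_help()) does not, which is what makes the reorder safe; anyone later adding code to this window needs to keep that in mind.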
@@ -198,6 +188,16 @@ static bool encrypt_packet(struct sk_buf
 		     skb_checksum_help(skb)))
 		return false;
 
+	/* Expand data section to have room for padding and auth tag. */
+	num_frags = skb_cow_data(skb, trailer_len, &trailer);
+	if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
+		return false;
+
+	/* Set the padding to zeros, and make sure it and the auth tag are part
+	 * of the skb.
+	 */
+	memset(skb_tail_pointer(trailer), 0, padding_len);
+
 	/* Only after checksumming can we safely add on the padding at the end
 	 * and the header.
 	 */
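Review bot: the comment that follows the reinserted block, "Only after checksumming can we safely add on the padding at the end and the header", is now literally true for the padding memset, which runs after skb_checksum_help(). The memset still writes into tailroom beyond skb->len (the bytes are only accounted for when the trailer is pushed afterwards), so correctness depends on skb_cow_data() having reserved `trailer_len` bytes on `trailer`; the unchanged `num_frags > ARRAY_SIZE(sg)` guard still bounds the scatterlist fill that follows.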




* [PATCH 6.18 194/315] ip6: vti: Use ip6_tnl.net in vti6_changelink().
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Eric Dumazet,
	Kuniyuki Iwashima, Paolo Abeni

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

commit 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe upstream.

ip netns add ns1
ip netns add ns2
ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7
ip -n ns1 link set vti6_test netns ns2
ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9
ip netns del ns2
ip netns del ns1
[  132.495484] ------------[ cut here ]------------
[  132.497609] kernel BUG at net/core/dev.c:12376!

Commit 61220ab34948 ("vti6: Enable namespace changing") dropped
NETIF_F_NETNS_LOCAL from vti6 devices. A vti6 tunnel can then
move through IFLA_NET_NS_FD. After the move dev_net(dev) points
at the new netns while t->net stays at the creation netns.

vti6_changelink() and vti6_update() still use dev_net(dev) and
dev_net(t->dev). They unlink from one per netns hash and relink
into another. The creation netns is left with a stale entry.
cleanup_net() of that netns later walks freed memory.

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Reported-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260521130555.3421684-2-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -722,10 +722,11 @@ vti6_tnl_change(struct ip6_tnl *t, const
 static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p,
 		       bool keep_mtu)
 {
-	struct net *net = dev_net(t->dev);
-	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+	struct net *net = t->net;
+	struct vti6_net *ip6n;
 	int err;
 
+	ip6n = net_generic(net, vti6_net_id);
 	vti6_tnl_unlink(ip6n, t);
 	synchronize_net();
 	err = vti6_tnl_change(t, p, keep_mtu);
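Review bot: `t->net` is the namespace whose vti6 hash the tunnel was linked into at creation, so `net_generic(t->net, ...)` is the only lookup that lets vti6_tnl_unlink() find the entry once dev_net(dev) has been changed through IFLA_NET_NS_FD; dev_net(t->dev) was wrong exactly when it mattered. The relink performed further down in this function (not visible) must use the same `ip6n`, otherwise the stale entry just moves from one hash to another.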
@@ -1038,11 +1039,12 @@ static int vti6_changelink(struct net_de
 			   struct nlattr *data[],
 			   struct netlink_ext_ack *extack)
 {
-	struct ip6_tnl *t;
+	struct ip6_tnl *t = netdev_priv(dev);
+	struct net *net = t->net;
 	struct __ip6_tnl_parm p;
-	struct net *net = dev_net(dev);
-	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+	struct vti6_net *ip6n;
 
+	ip6n = net_generic(net, vti6_net_id);
 	if (dev == ip6n->fb_tnl_dev)
 		return -EINVAL;
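Review bot: the `dev == ip6n->fb_tnl_dev` check now compares against the fallback device of the creation namespace rather than the current one, which is the intended semantics since the fallback device belongs to the namespace the tunnel was created in. netdev_priv() is plain pointer arithmetic, so hoisting `t = netdev_priv(dev)` into the initialiser ahead of that check has no side effect. Any other dev_net() user in ip6_vti.c that feeds a per-netns hash lookup deserves the same audit.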
 




* [PATCH 6.12 184/307] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
	Xin Liu, Yuqi Xu, Ren Wei, Jakub Kicinski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Yuqi Xu <xuyq21@lenovo.com>

commit f72eed9b84fb771019a955908132410a9ba9ea3f upstream.

When bpf_msg_push_data() inserts data in the middle of a scatterlist
entry, it splits the original entry into a left fragment and a right
fragment.

The right fragment offset is page-local, but the code advances it with
`start`, which is the message-global insertion point. For inserts into a
non-first SG entry, this over-advances the offset and leaves the split
layout inconsistent.

Advance the right fragment offset by the fragment-local delta,
`start - offset`, which matches the length removed from the front of the
original entry.

Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/filter.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2867,7 +2867,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
 
 		psge->length = start - offset;
 		rsge.length -= psge->length;
-		rsge.offset += start;
+		rsge.offset += start - offset;
 
 		sk_msg_iter_var_next(i);
 		sg_unmark_end(psge);
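Review bot: `psge->length = start - offset` two lines above is the same quantity, so `rsge.offset += psge->length` would state the invariant (the right fragment begins where the left one ends) without repeating the subtraction; as written a reader has to re-derive that `start - offset` is fragment-local. The unsigned subtraction is safe because this branch is only entered for the entry that contains `start`, i.e. with `start >= offset`, which the existing `psge->length` assignment already relies on.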



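A worked model of the split arithmetic above, added here as an example and not part of the patch or of net/core/filter.c: scatterlist entries are reduced to (page, offset, length) triples, a message is a short array of them, and push_data() performs the same left/right split the BPF helper does, with a flag selecting between the old `rsge.offset += start` and the fixed `rsge.offset += start - offset`. Page contents, entry layouts and every helper name below are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 64
#define MAX_SGE 8

/* Stand-in for one scatterlist entry (constructed for this example). */
struct sge {
	const uint8_t *page;
	uint32_t offset;   /* page-local */
	uint32_t length;
};

struct msg {
	struct sge sg[MAX_SGE];
	int n;
};

/*
 * Split the entry containing message-global byte `start` into a left and
 * a right fragment and put `ins` between them. `fixed` selects how the
 * right fragment's page-local offset is advanced. Returns false if
 * `start` lies outside the message or the array is full.
 */
static bool push_data(struct msg *m, uint32_t start, const uint8_t *ins,
		      uint32_t ins_len, bool fixed)
{
	uint32_t offset = 0;   /* message-global offset of entry i */
	int i;

	for (i = 0; i < m->n; i++) {
		if (start < offset + m->sg[i].length)
			break;
		offset += m->sg[i].length;
	}
	if (i == m->n || m->n + 2 > MAX_SGE)
		return false;

	struct sge psge = m->sg[i];             /* left fragment */
	struct sge rsge = m->sg[i];             /* right fragment */
	struct sge nsge = { ins, 0, ins_len };  /* inserted data */

	psge.length = start - offset;
	rsge.length -= psge.length;
	/* Bug: `start` is message-global, rsge.offset is page-local. */
	rsge.offset += fixed ? start - offset : start;

	memmove(&m->sg[i + 3], &m->sg[i + 1], (m->n - i - 1) * sizeof(struct sge));
	m->sg[i] = psge;
	m->sg[i + 1] = nsge;
	m->sg[i + 2] = rsge;
	m->n += 2;
	return true;
}

/* Linearise the message; -1 if any entry reaches past its page. */
static int msg_copy(const struct msg *m, uint8_t *out, size_t out_len)
{
	size_t pos = 0;

	for (int i = 0; i < m->n; i++) {
		const struct sge *s = &m->sg[i];

		if ((uint64_t)s->offset + s->length > PAGE_SZ || pos + s->length > out_len)
			return -1;
		memcpy(out + pos, s->page + s->offset, s->length);
		pos += s->length;
	}
	return (int)pos;
}

/*
 * Two entries: page0[0..first_len) and page1[16..36). Push 4 bytes at
 * global offset first_len + 5, i.e. 5 bytes into entry 1. Returns 1 if
 * the bytes come out in the right order, 0 if the mapping is corrupted,
 * -1 if the split points past the page.
 */
static int check_push(bool fixed, uint32_t first_len)
{
	static uint8_t page0[PAGE_SZ], page1[PAGE_SZ], ins[PAGE_SZ];
	uint8_t got[3 * PAGE_SZ], want[3 * PAGE_SZ];
	struct msg m = { .n = 2 };
	int want_len = (int)first_len + 24, got_len;

	if (first_len > PAGE_SZ)
		return -1;
	for (int i = 0; i < PAGE_SZ; i++) {
		page0[i] = (uint8_t)('a' + i % 26);
		page1[i] = (uint8_t)('A' + i % 26);
		ins[i] = (uint8_t)('0' + i % 10);
	}
	m.sg[0] = (struct sge){ page0, 0, first_len };
	m.sg[1] = (struct sge){ page1, 16, 20 };

	if (!push_data(&m, first_len + 5, ins, 4, fixed))
		return -1;
	got_len = msg_copy(&m, got, sizeof(got));
	if (got_len < 0)
		return -1;

	memcpy(want, page0, first_len);
	memcpy(want + first_len, page1 + 16, 5);
	memcpy(want + first_len + 5, ins, 4);
	memcpy(want + first_len + 9, page1 + 21, 15);
	return got_len == want_len && memcmp(got, want, want_len) == 0;
}

int main(void)
{
	printf("fixed: %d %d  buggy: %d %d\n", check_push(true, 10),
	       check_push(true, 50), check_push(false, 10), check_push(false, 50));
	return 0;
}
```

The insertion lands in the second entry, so the global point `start` exceeds the page-local offset by the length of the first entry; that difference is what the old code added on top of the page-local offset. With a short first entry the wrong offset stays inside the page and only corrupts the byte mapping (result 0); with a longer one it points past the page (result -1), which is where the kernel version starts reading memory that does not belong to the message.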

* [PATCH 6.18 195/315] net: skbuff: fix missing zerocopy reference in pskb_carve helpers
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Willem de Bruijn,
	Paolo Abeni

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Minh Nguyen <minhnguyen.080505@gmail.com>

commit 98d0912e9f841e5529a5b89a972805f34cb1c69d upstream.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.

KASAN reports use-after-free on a freed ubuf_info_msgzc:

  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810
  Read of size 8 at addr ffff88801574d3e8 by task poc/220

  Call Trace:
   skb_release_data+0x77b/0x810
   kfree_skb_list_reason+0x13e/0x610
   skb_release_data+0x4cd/0x810
   sk_skb_reason_drop+0xf3/0x340
   skb_queue_purge_reason+0x282/0x440
   rds_tcp_inc_free+0x1e/0x30
   rds_recvmsg+0x354/0x1780
   __sys_recvmsg+0xdf/0x180

  Allocated by task 219:
   msg_zerocopy_realloc+0x157/0x7b0
   tcp_sendmsg_locked+0x2892/0x3ba0

  Freed by task 219:
   ip_recv_error+0x74a/0xb10
   tcp_recvmsg+0x475/0x530

The skb consuming the late access still referenced the same uarg via
shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without
a refcount bump. This has been verified to be reliably exploitable: a
working proof-of-concept achieves full root privilege escalation from
an unprivileged local user on a default kernel configuration.

The fix follows the pattern of pskb_expand_head() which has the same
memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()
is placed after skb_orphan_frags() succeeds, so the orphan error path
needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is
placed after all failure points and just before skb_release_data(), so
no error path needs cleanup at all -- matching pskb_expand_head() more
closely and avoiding the need for a balancing net_zcopy_put().

Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260526041240.329462-1-minhnguyen.080505@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/skbuff.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6787,6 +6787,8 @@ static int pskb_carve_inside_header(stru
 			skb_kfree_head(data, size);
 			return -ENOMEM;
 		}
+		if (skb_zcopy(skb))
+			net_zcopy_get(skb_zcopy(skb));
 		for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
 			skb_frag_ref(skb, i);
 		if (skb_has_frag_list(skb))
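Review bot: taking the reference after skb_orphan_frags() succeeds rather than before it is what makes this correct: when orphaning copies the frags it also clears the zerocopy state on the skb, so a net_zcopy_get() issued earlier would leak a reference on every orphaned skb. At this point `skb_zcopy(skb)` is either NULL or a uarg that the new shared info will genuinely share, and the matching put comes from skb_zcopy_clear() when that shared info is released.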
@@ -6935,6 +6937,8 @@ static int pskb_carve_inside_nonlinear(s
 		skb_kfree_head(data, size);
 		return -ENOMEM;
 	}
+	if (skb_zcopy(skb))
+		net_zcopy_get(skb_zcopy(skb));
 	skb_release_data(skb, SKB_CONSUMED);
 
 	skb->head = data;
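Review bot: the ordering is the important part and it is right: net_zcopy_get() must run before skb_release_data(skb, SKB_CONSUMED), because that call can drop the old shinfo's reference via skb_zcopy_clear(), and `data` already carries the memcpy'd destructor_arg. A put before the get would leave the uarg with one reference fewer than holders, which is exactly the imbalance the commit message describes. Placing it after every error return also avoids a balancing put in the failure paths.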



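The accounting rule the commit message relies on, as an added example rather than code from the patch or from net/core/skbuff.c: every skb_shared_info that carries a non-NULL destructor_arg owes one reference on the ubuf_info, and a memcpy() of the shared info silently creates a new holder. The structures, helper names and the carve() routine below are stand-ins constructed for this example; they mirror the order of operations in the second hunk (copy, optionally get, then release the old data).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for ubuf_info, skb_shared_info and sk_buff (constructed). */
struct ubuf {
	int refcnt;
	bool freed;            /* set when the last reference is put */
	int puts_after_free;   /* the bug symptom: a put on freed memory */
};

struct shinfo {
	struct ubuf *destructor_arg;
	char frag_desc[32];    /* other state that memcpy() carries along */
};

struct skb {
	struct shinfo *shinfo;
};

static void net_zcopy_get(struct ubuf *u)
{
	u->refcnt++;
}

static void net_zcopy_put(struct ubuf *u)
{
	if (u->freed) {
		u->puts_after_free++;   /* KASAN slab-use-after-free in the kernel */
		return;
	}
	if (--u->refcnt == 0)
		u->freed = true;
}

/* skb_release_data(): the shared info being dropped gives up its reference. */
static void skb_release_data(struct skb *skb)
{
	if (skb->shinfo->destructor_arg)
		net_zcopy_put(skb->shinfo->destructor_arg);
	free(skb->shinfo);
	skb->shinfo = NULL;
}

/*
 * pskb_carve_inside_nonlinear() in miniature: copy the shared info into
 * a fresh buffer, then release the old data. With `fixed`, the copy takes
 * the reference it is about to hold before the old holder drops its own.
 */
static void carve(struct skb *skb, bool fixed)
{
	struct shinfo *n = malloc(sizeof(*n));

	memcpy(n, skb->shinfo, sizeof(*n));   /* copies destructor_arg too */
	if (fixed && n->destructor_arg)
		net_zcopy_get(n->destructor_arg);
	skb_release_data(skb);
	skb->shinfo = n;
}

static void kfree_skb(struct skb *skb)
{
	skb_release_data(skb);
}

/*
 * One MSG_ZEROCOPY skb (refcnt 1), carved once, then freed. Returns how
 * many puts landed on an already freed ubuf: 0 when the accounting is
 * balanced, 1 for the unfixed copy.
 */
static int carve_then_free(bool fixed)
{
	struct ubuf u = { .refcnt = 1 };
	struct skb skb = { .shinfo = calloc(1, sizeof(struct shinfo)) };

	skb.shinfo->destructor_arg = &u;
	carve(&skb, fixed);
	kfree_skb(&skb);
	return u.puts_after_free;
}

/* With the fix the ubuf is released exactly when the last holder goes. */
static bool freed_exactly_once_fixed(void)
{
	struct ubuf u = { .refcnt = 1 };
	struct skb skb = { .shinfo = calloc(1, sizeof(struct shinfo)) };

	skb.shinfo->destructor_arg = &u;
	carve(&skb, true);
	if (u.freed)            /* the carve alone must not release it */
		return false;
	kfree_skb(&skb);
	return u.freed && u.refcnt == 0 && u.puts_after_free == 0;
}

int main(void)
{
	printf("puts after free: unfixed=%d fixed=%d\n",
	       carve_then_free(false), carve_then_free(true));
	return 0;
}
```

The same check generalises to any struct copy of a refcounted pointer: after the copy, count the holders and count the references; if they differ, one of the copies will either leak or put on freed memory.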

* [PATCH 6.12 185/307] macsec: fix replay protection at XPN lower-PN wrap
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
	Jakub Kicinski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junrui Luo <moonafterrain@outlook.com>

commit e68842b3356471ba56c882209f324613dac47f64 upstream.

In macsec_post_decrypt(), when pn is U32_MAX, pn + 1 overflows u32 to 0
and the first branch never fires. If next_pn_halves.lower is also in the
upper half, pn_same_half(pn, lower) is true and the XPN else-if does not
fire either, leaving next_pn_halves unchanged. An attacker that captures
the legitimate frame carrying pn == 0xFFFFFFFF on an XPN association
can then replay it indefinitely, since lowest_pn never rises above
the captured pn and macsec_decrypt() reconstructs the same IV.

Extend the XPN else-if to also fire when pn + 1 wraps to 0, so receipt
of pn == U32_MAX advances next_pn_halves to (upper + 1, 0).

Fixes: a21ecf0e0338 ("macsec: Support XPN frame handling - IEEE 802.1AEbw")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78813FD49E58F253B989F197AF012@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/macsec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -803,7 +803,8 @@ static bool macsec_post_decrypt(struct s
 		if (pn + 1 > rx_sa->next_pn_halves.lower) {
 			rx_sa->next_pn_halves.lower = pn + 1;
 		} else if (secy->xpn &&
-			   !pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
+			   (pn + 1 == 0 ||
+			    !pn_same_half(pn, rx_sa->next_pn_halves.lower))) {
 			rx_sa->next_pn_halves.upper++;
 			rx_sa->next_pn_halves.lower = pn + 1;
 		}
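Review bot: `pn + 1 == 0` only means "pn is the last value of the lower half" because `pn` is a u32; `pn == U32_MAX` states that directly and would not silently change meaning if the variable were ever widened. Functionally the new term is right: with pn == 0xFFFFFFFF the first branch can never fire (pn + 1 wraps to 0), and when next_pn_halves.lower is also in the top half the old pn_same_half() test stays true, so without the added term the state never advanced to (upper + 1, 0).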



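The wrap case in numbers, as an added example that is not the driver's code: a model of next_pn_halves and of the update in macsec_post_decrypt(), run once with the old condition and once with the patched one for a frame carrying pn == 0xFFFFFFFF. The recovered_pn() rule used to show why the replay is rejected after the fix (lower half taken from the frame, upper half bumped only when the frame sits below next_pn in the other half) is this example's assumption about the IV reconstruction, not a copy of macsec_decrypt(); secy->xpn is taken as set throughout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of rx_sa->next_pn_halves: the 64-bit XPN packet number as two
 * u32 halves (constructed for this example). */
struct pn_halves {
	uint32_t upper;
	uint32_t lower;
};

#define U32_MAX_PN 0xFFFFFFFFu

/* Same predicate as the driver: both values have the same top bit. */
static bool pn_same_half(uint32_t a, uint32_t b)
{
	return !((a >> 31) ^ (b >> 31));
}

static uint64_t pn_full64(struct pn_halves h)
{
	return ((uint64_t)h.upper << 32) | h.lower;
}

/*
 * Receiver-side 64-bit PN the IV would be built from for a frame with
 * lower-half packet number `pn`. Assumption of this example: the upper
 * half is bumped only when the frame is below next_pn and in the other
 * half (the wire wrapped before our state did).
 */
static uint64_t recovered_pn(struct pn_halves next, uint32_t pn)
{
	struct pn_halves r = next;

	r.lower = pn;
	if (pn < next.lower && !pn_same_half(pn, next.lower))
		r.upper++;
	return pn_full64(r);
}

/* The next_pn_halves update from macsec_post_decrypt(); `fixed` adds the
 * patched term that fires when pn + 1 wraps to 0. */
static void update_next_pn(struct pn_halves *next, uint32_t pn, bool fixed)
{
	if (pn + 1 > next->lower) {
		next->lower = pn + 1;
	} else if ((fixed && pn + 1 == 0) || !pn_same_half(pn, next->lower)) {
		next->upper++;
		next->lower = pn + 1;
	}
}

/*
 * Deliver the last frame before the wrap, then replay it. Returns true if
 * the replay would be accepted, i.e. the receiver derives the same 64-bit
 * PN (hence the same IV) for both copies.
 */
static bool replay_accepted(bool fixed)
{
	/* State just before the wrap: lower already in the top half of the
	 * u32 space, so pn_same_half(pn, lower) holds for pn == U32_MAX. */
	struct pn_halves next = { .upper = 7, .lower = 0xFFFFFFF0u };
	uint32_t pn = U32_MAX_PN;
	uint64_t first, replay;

	first = recovered_pn(next, pn);     /* legitimate frame */
	update_next_pn(&next, pn, fixed);
	replay = recovered_pn(next, pn);    /* same frame again */

	printf("%s: next=(%u,0x%08x) first=0x%016llx replay=0x%016llx\n",
	       fixed ? "fixed  " : "unfixed", (unsigned)next.upper,
	       (unsigned)next.lower, (unsigned long long)first,
	       (unsigned long long)replay);
	return first == replay;
}

/* With the fix, receipt of pn == U32_MAX moves the state to (upper + 1, 0),
 * as the commit message states. */
static bool fixed_state_after_wrap_ok(void)
{
	struct pn_halves next = { .upper = 7, .lower = 0xFFFFFFF0u };

	update_next_pn(&next, U32_MAX_PN, true);
	return next.upper == 8 && next.lower == 0;
}

int main(void)
{
	printf("replay accepted: unfixed=%d fixed=%d\n",
	       replay_accepted(false), replay_accepted(true));
	return 0;
}
```

Without the fix the state stays at (7, 0xFFFFFFF0), so the replayed frame recovers the same PN (7, 0xFFFFFFFF) as the original and decrypts; with it the state is (8, 0), the replay recovers (8, 0xFFFFFFFF) and the authentication tag no longer matches.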

* [PATCH 6.18 196/315] spi: spi-mem: avoid mutating op template in spi_mem_supports_op()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tianyu Xu, Santhosh Kumar K,
	Miquel Raynal, Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Santhosh Kumar K <s-k6@ti.com>

commit 79378db6a86c7014cce40b65252e6c18f5b8bcc2 upstream.

spi_mem_supports_op() accepts a const struct spi_mem_op pointer but
casts away const internally to call spi_mem_adjust_op_freq(). This
mutates the caller's op template, which causes stale max_freq values
when callers reuse persistent templates - subsequent calls won't
re-apply the device frequency cap since spi_mem_adjust_op_freq()
skips non-zero values.

Fix by operating on a stack-local copy instead.

Fixes: a4f8e70d75dd ("spi: spi-mem: add spi_mem_adjust_op_freq() in spi_mem_supports_op()")
Cc: Tianyu Xu <xtydtc@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260527173736.2243004-1-s-k6@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-mem.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/spi/spi-mem.c
+++ b/drivers/spi/spi-mem.c
@@ -276,13 +276,20 @@ static bool spi_mem_internal_supports_op
  */
 bool spi_mem_supports_op(struct spi_mem *mem, const struct spi_mem_op *op)
 {
-	/* Make sure the operation frequency is correct before going futher */
-	spi_mem_adjust_op_freq(mem, (struct spi_mem_op *)op);
+	struct spi_mem_op eval_op = *op;
 
-	if (spi_mem_check_op(op))
+	/*
+	 * Work on a local copy; this is a pure capability check and must
+	 * not modify the caller's op. Stored templates with max_freq == 0
+	 * must remain unset so their frequency is always re-capped to the
+	 * current device maximum at execution time.
+	 */
+	spi_mem_adjust_op_freq(mem, &eval_op);
+
+	if (spi_mem_check_op(&eval_op))
 		return false;
 
-	return spi_mem_internal_supports_op(mem, op);
+	return spi_mem_internal_supports_op(mem, &eval_op);
 }
 EXPORT_SYMBOL_GPL(spi_mem_supports_op);
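Review bot: the stack copy is the right fix for a const-correctness bug, and `struct spi_mem_op` is small enough that copying it is cheap. The copy is shallow, so `eval_op` still points at the caller's data buffers; that is fine for a capability check that only reads widths and frequencies, but the new comment could say so explicitly to stop a future reader from "fixing" it with a deep copy. The old comment's "futher" typo goes away with the rewrite.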
 




* [PATCH 6.12 186/307] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
	Jakub Kicinski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Justin Iurman <justin.iurman@gmail.com>

commit d47548a36639095939f4747d4c43f2271366f565 upstream.

ipv6_hop_jumbo() calls pskb_trim_rcsum(), which can change skb pointers.
Let's recompute the nh pointer to make sure any change won't mess things up.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260522112013.12342-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -184,6 +184,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
 				case IPV6_TLV_JUMBO:
 					if (!ipv6_hop_jumbo(skb, off))
 						return false;
+
+					nh = skb_network_header(skb);
 					break;
 				case IPV6_TLV_CALIPSO:
 					if (!ipv6_hop_calipso(skb, off))
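Review bot: refreshing `nh` is needed because pskb_trim_rcsum() inside ipv6_hop_jumbo() may relocate the skb data; `off` stays valid because it is an offset from the network header, not a pointer. The same hazard applies to any other handler in this switch that can change skb->head: the next patch in this series does the same for the HAO option, and ipv6_hop_calipso() in the case directly below should be checked for the same property.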




* [PATCH 6.18 197/315] HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ping Cheng, Lee Jones,
	Benjamin Tissoires

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

commit c0a8899e02ddebd51e2589835182c239c2e224ae upstream.

wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE
usage is always located in the first field (field[0]) of the feature report.
However, a device can specify HID_DG_INPUTMODE in a different field.

If HID_DG_INPUTMODE is in a field other than the first one and the first
field has a report_count smaller than the usage_index of HID_DG_INPUTMODE,
this leads to an out-of-bounds write to r->field[0]->value.

Fix this by storing the field index of HID_DG_INPUTMODE in 'struct
hid_data' during feature mapping.  In wacom_hid_set_device_mode(), use
this stored field index to access the correct field and add bounds
checks to ensure both the field index and the value index are within
valid ranges before writing.

Cc: stable@vger.kernel.org
Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling")
Tested-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_sys.c |   13 ++++++++++---
 drivers/hid/wacom_wac.h |    1 +
 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -356,6 +356,7 @@ static void wacom_feature_mapping(struct
 
 		hid_data->inputmode = field->report->id;
 		hid_data->inputmode_index = usage->usage_index;
+		hid_data->inputmode_field_index = field->index;
 		break;
 
 	case HID_UP_DIGITIZER:
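Review bot: `field->index` is an `unsigned` in `struct hid_field` while the new `inputmode_field_index` is `__s16`, so this assignment narrows; a feature report cannot realistically carry more than 32767 fields, but a comment or a `WARN_ON_ONCE(field->index > S16_MAX)` would document why the truncation is acceptable. The existing `inputmode_index` line has the same property, so this is at least consistent.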
@@ -571,9 +572,14 @@ static int wacom_hid_set_device_mode(str
 
 	re = &(hdev->report_enum[HID_FEATURE_REPORT]);
 	r = re->report_id_hash[hid_data->inputmode];
-	if (r) {
-		r->field[0]->value[hid_data->inputmode_index] = 2;
-		hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+	if (r && hid_data->inputmode_field_index >= 0 &&
+	    hid_data->inputmode_field_index < r->maxfield) {
+		struct hid_field *field = r->field[hid_data->inputmode_field_index];
+
+		if (field && hid_data->inputmode_index < field->report_count) {
+			field->value[hid_data->inputmode_index] = 2;
+			hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+		}
 	}
 	return 0;
 }
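Review bot: the two bounds checks close the write: `inputmode_field_index < r->maxfield` bounds the field lookup and `inputmode_index < field->report_count` bounds the value write, which is the pair the commit message asks for. Because `inputmode_index` is `__s16` and `report_count` is `unsigned`, the comparison is performed as unsigned, so a negative index also fails the check instead of indexing backwards; that is safe by integer promotion rather than by design and deserves a comment. The `field &&` NULL test is purely defensive, since every `field[]` slot below `maxfield` is populated when the field is registered.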
@@ -2846,6 +2852,7 @@ static int wacom_probe(struct hid_device
 		return -ENODEV;
 
 	wacom_wac->hid_data.inputmode = -1;
+	wacom_wac->hid_data.inputmode_field_index = -1;
 	wacom_wac->mode_report = -1;
 
 	if (hid_is_usb(hdev)) {
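Review bot: initialising `inputmode_field_index` to -1 next to `inputmode = -1` is what makes the `>= 0` test in wacom_hid_set_device_mode() meaningful for descriptors that never map HID_DG_INPUTMODE. `inputmode_index` is still not initialised here; that is only harmless because wacom_feature_mapping() always sets it together with `inputmode_field_index`, which is worth a one-line comment.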
--- a/drivers/hid/wacom_wac.h
+++ b/drivers/hid/wacom_wac.h
@@ -295,6 +295,7 @@ struct wacom_shared {
 struct hid_data {
 	__s16 inputmode;	/* InputMode HID feature, -1 if non-existent */
 	__s16 inputmode_index;	/* InputMode HID feature index in the report */
+	__s16 inputmode_field_index; /* InputMode HID feature field index in the report */
 	bool sense_state;
 	bool inrange_state;
 	bool eraser;
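Review bot: the new member's comment says "field index in the report", which is accurate, but the member is `__s16` precisely to allow the -1 sentinel; stating that in the comment the way the neighbouring `inputmode` line does ("-1 if non-existent") would keep the three lines consistent and explain the signed type.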




* [PATCH 6.12 187/307] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 upstream.

Fix error handling in q6asm_dai_compr_set_params() and q6asm_dai_prepare()
for both CMD_CLOSE and q6asm_unmap_memory_regions().

In both functions, we do q6asm_audio_client_free() in failure cases,
which means that if prepare or set_params fails, we can never recover.
Now open and close are done in the respective dai_open/close functions.

Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |   24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -234,9 +234,19 @@ static int q6asm_dai_prepare(struct snd_
 	/* rate and channels are sent to audio driver */
 	if (prtd->state == Q6ASM_STREAM_RUNNING) {
 		/* clear the previous setup if any  */
-		q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
-		q6asm_unmap_memory_regions(substream->stream,
-					   prtd->audio_client);
+		ret = q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+		if (ret < 0) {
+			dev_err(dev, "Failed to close q6asm stream %d\n", prtd->stream_id);
+			return ret;
+		}
+
+		ret = q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
+		if (ret < 0) {
+			dev_err(dev, "Failed to unmap memory regions for q6asm stream %d\n",
+				prtd->stream_id);
+			return ret;
+		}
+
 		q6routing_stream_close(soc_prtd->dai_link->id,
 					 substream->stream);
 		prtd->state = Q6ASM_STREAM_STOPPED;
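Review bot: returning early when q6asm_unmap_memory_regions() fails leaves `prtd->state` at Q6ASM_STREAM_RUNNING even though CMD_CLOSE has already succeeded, so the next prepare() call sends CMD_CLOSE again to a stream that is no longer open. Either move the state change (and the routing close) ahead of the unmap, or treat an unmap failure as non-fatal for the state transition. The hunk also assumes a `dev` variable is in scope in q6asm_dai_prepare(); it is not visible in this context.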
@@ -304,8 +314,6 @@ routing_err:
 	q6asm_cmd(prtd->audio_client, prtd->stream_id,  CMD_CLOSE);
 open_err:
 	q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
-	q6asm_audio_client_free(prtd->audio_client);
-	prtd->audio_client = NULL;
 
 	return ret;
 }
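Review bot: dropping q6asm_audio_client_free() from the error path matches the commit message (the client is now owned by dai open/close), but `open_err:` still unmaps memory regions after CMD_CLOSE; the close path that now owns the client must not unmap a second time for a stream that failed in prepare(), otherwise the double unmap just moves to the close side.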
@@ -902,7 +910,7 @@ static int q6asm_dai_compr_set_params(st
 			      prtd->session_id, dir);
 	if (ret) {
 		dev_err(dev, "Stream reg failed ret:%d\n", ret);
-		goto q6_err;
+		goto routing_err;
 	}
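Review bot: redirecting the stream-registration failure from `q6_err` to `routing_err` preserves its previous unwind (CMD_CLOSE only), which is required because `q6_err` gains a q6routing_stream_close() in the next hunk and routing has not been opened at this point. The label name is now misleading, since `routing_err` is the target for "routing not yet open"; a name such as `stream_err` would read better.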
 
 	ret = __q6asm_dai_compr_set_codec_params(component, stream,
@@ -928,11 +936,11 @@ static int q6asm_dai_compr_set_params(st
 	return 0;
 
 q6_err:
+	q6routing_stream_close(rtd->dai_link->id, dir);
+routing_err:
 	q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
 
 open_err:
-	q6asm_audio_client_free(prtd->audio_client);
-	prtd->audio_client = NULL;
 	return ret;
 }
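Review bot: `open_err:` is now an empty label that only returns; the jumps to it could be plain `return ret;` statements, and leaving it in invites a future cleanup step to land under the wrong label. Otherwise the unwind order (routing close, then CMD_CLOSE) mirrors the setup order, and removing q6asm_audio_client_free() here is consistent with the ownership change described in the commit message.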
 




* [PATCH 6.18 198/315] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, Thomas Gleixner,
	Andrew Morton, Miguel Ojeda, linux-kbuild, Arnd Bergmann,
	Joerg Roedel

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 4c9ad387aa2d6785299722e54224d34764edaeb3 upstream.

gcc-16 has gained some more advanced inter-procedural optimization
techniques that enable it to inline the dummy_tlb_add_page() and
dummy_tlb_flush() function pointers into a specialized version of
__arm_v7s_unmap:

WARNING: modpost: vmlinux: section mismatch in reference: __arm_v7s_unmap+0x2cc (section: .text) -> dummy_tlb_add_page (section: .init.text)
ERROR: modpost: Section mismatches detected.

From what I can tell, the transformation is correct, as this is only
called when __arm_v7s_unmap() is called from arm_v7s_do_selftests(),
which is also __init. Since __arm_v7s_unmap() however is not __init,
gcc cannot inline the inner function calls directly.

In debug_objects_selftest(), the same thing happens. Both the
caller and the leaf function are __init, but the IPA pulls
it into a non-init one:

WARNING: modpost: vmlinux: section mismatch in reference: lookup_object_or_alloc+0x7c (section: .text.lookup_object_or_alloc) -> is_static_object (section: .init.text)

Marking the affected functions as not "__init" would reliably avoid this
issue but is not a good solution because it removes an otherwise correct
annotation. I tried marking the functions as 'noinline', but that ended
up not covering all the affected configurations.

With some more experimenting, I found that marking these functions as
__attribute__((noipa)) is both logical and reliable.

In order to keep the syntax readable, add a custom macro for this in
include/linux/compiler_attributes.h next to other related macros and
use it to annotate both files.

Link: https://lore.kernel.org/all/abRB6g-48ZX6Yl2r@willie-the-truck/
Cc: Will Deacon <will@kernel.org>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: linux-kbuild@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/io-pgtable-arm-v7s.c  |   18 ++++++++++++------
 include/linux/compiler_attributes.h |   11 +++++++++++
 lib/debugobjects.c                  |    2 +-
 3 files changed, 24 insertions(+), 7 deletions(-)

--- a/drivers/iommu/io-pgtable-arm-v7s.c
+++ b/drivers/iommu/io-pgtable-arm-v7s.c
@@ -777,21 +777,27 @@ struct io_pgtable_init_fns io_pgtable_ar
 
 static struct io_pgtable_cfg *cfg_cookie __initdata;
 
-static void __init dummy_tlb_flush_all(void *cookie)
+/*
+ * __noipa prevents gcc from turning indirect iommu_flush_ops calls
+ * into direct calls from a specialized __arm_v7s_unmap() that triggers
+ * a build time section mismatch assertion.
+ */
+static __noipa void __init dummy_tlb_flush_all(void *cookie)
 {
 	WARN_ON(cookie != cfg_cookie);
 }
 
-static void __init dummy_tlb_flush(unsigned long iova, size_t size,
-				   size_t granule, void *cookie)
+static __noipa void __init dummy_tlb_flush(unsigned long iova, size_t size,
+					   size_t granule, void *cookie)
 {
 	WARN_ON(cookie != cfg_cookie);
 	WARN_ON(!(size & cfg_cookie->pgsize_bitmap));
 }
 
-static void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
-				      unsigned long iova, size_t granule,
-				      void *cookie)
+static __noipa void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
+					      unsigned long iova,
+					      size_t granule,
+					      void *cookie)
 {
 	dummy_tlb_flush(iova, granule, granule, cookie);
 }
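Review bot: the comment above dummy_tlb_flush_all() explains why __noipa is needed but not that it is gcc-only; the compiler_attributes.h change in this same patch defines __noipa as empty when __has_attribute(noipa) is false, so on such a compiler an equivalent IPA specialisation would silently bring the modpost section mismatch back. A short sentence in the comment (or in the macro's own comment) noting that the annotation is a no-op without the attribute would help. It is also worth saying in the comment that all three dummy_tlb_* helpers are annotated, not only dummy_tlb_add_page() which appears in the quoted warning, because any of them can be reached through the iommu_flush_ops pointers from __arm_v7s_unmap().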
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -397,6 +397,17 @@
 #endif
 
 /*
+ * Optional: not supported by clang
+ *
+ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-noipa
+ */
+#if __has_attribute(noipa)
+# define __noipa __attribute__((noipa))
+#else
+# define __noipa
+#endif
+
+/*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute
  */
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -1212,7 +1212,7 @@ struct self_test {
 
 static __initconst const struct debug_obj_descr descr_type_test;
 
-static bool __init is_static_object(void *addr)
+static __noipa bool __init is_static_object(void *addr)
 {
 	struct self_test *obj = addr;
 




* [PATCH 6.12 188/307] ipv6: exthdrs: refresh nh after handling HAO option
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 187/307] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 189/307] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
	Luxing Yin, Zhengchuan Liang, Ren Wei, Justin Iurman,
	Ido Schimmel, Jakub Kicinski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

commit f7b52afe3592eae66e160586b45a3f2242972c63 upstream.

ip6_parse_tlv() caches skb_network_header(skb) in nh while walking
IPv6 TLVs.

ipv6_dest_hao() may call pskb_expand_head() for a cloned skb, which can
move the skb head and invalidate the cached network header pointer.
Refresh nh after ipv6_dest_hao() returns so any trailing padding or TLVs
are parsed from the current skb head.

This matches the existing pattern used in ip6_parse_tlv() after helpers
that can modify skb header storage.

Fixes: a831f5bbc89a ("[IPV6] MIP6: Add inbound interface of home address option.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/7aba1debc2196189172499e5769802b026f8caf8.1779247873.git.zcliangcn@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -203,6 +203,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
 				case IPV6_TLV_HAO:
 					if (!ipv6_dest_hao(skb, off))
 						return false;
+
+					nh = skb_network_header(skb);
 					break;
 #endif
 				default:
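Review bot: the refresh `nh = skb_network_header(skb);` after ipv6_dest_hao() returns has no comment explaining why it is needed; since the reason (ipv6_dest_hao() may call pskb_expand_head() on a cloned skb and move the head, invalidating the cached pointer) lives only in the commit message, a one-line comment above the refresh would stop a future cleanup from hoisting the lookup back out of the loop. It is also worth confirming that no other pointer derived from the old nh is still live after this point in the HAO case; from the visible lines only the offset `off` is passed to ipv6_dest_hao(), and an offset stays valid across the reallocation.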




* [PATCH 6.18 199/315] nfc: hci: fix out-of-bounds read in HCP header parsing
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 198/315] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 200/315] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Simon Horman, Ashutosh Desai,
	David Heidelberg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ashutosh Desai <ashutoshdesai993@gmail.com>

commit f040e590c035bfd9553fe79ee9585caf1b14d67b upstream.

Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
packet->header from skb->data at function entry without first checking
that the buffer holds at least one byte. A malicious NFC peer can send
a 0-byte HCP frame that passes through the SHDLC layer and reaches
these functions, causing an out-of-bounds heap read of packet->header.
The same 0-byte frame, if queued as a non-final fragment, also causes
the reassembly loop to underflow msg_len to UINT_MAX, triggering
skb_over_panic() when the reassembled skb is written.

Fix this by adding a pskb_may_pull() check at the entry of each
function before packet->header is first accessed. The existing
pskb_may_pull() checks before the reassembled hcp_skb is cast to
struct hcp_packet remain in place to guard the 2-byte HCP message
header.

Fixes: 8b8d2e08bf0d ("NFC: HCI support")
Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/nfc/hci/core.c |   10 ++++++++++
 net/nfc/nci/hci.c  |   10 ++++++++++
 2 files changed, 20 insertions(+)

--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct
 	struct sk_buff *frag_skb;
 	int msg_len;
 
+	if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)skb->data;
 	if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&hdev->rx_hcp_frags, skb);
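Review bot: the new pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN) check sits before the first `packet->header` read, which closes the out-of-bounds read, and because it also runs before `skb_queue_tail(&hdev->rx_hcp_frags, skb)` every queued fragment is now guaranteed to carry at least the packet header byte, which is what keeps the reassembly length from underflowing as the commit message describes. A short comment saying the check protects the fragment accounting as well would make that second effect visible at the point of the code. kfree_skb() rather than consume_skb() is the right call here, since the frame is being rejected.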
@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)hcp_skb->data;
 	type = HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NFC_HCI_HCP_RESPONSE) {
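Review bot: the commit message says the pskb_may_pull() checks before the reassembled hcp_skb is cast to struct hcp_packet "remain in place", yet here the pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN) guard is an added (+) block, so the description and this backport disagree. If the check was absent in 6.18 and is being introduced by the backport, the stable changelog should say so (a note that the upstream commit differs, or that the guard was missing in this tree), so that the discrepancy is not later mistaken for a mis-merge.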
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -439,6 +439,11 @@ void nci_hci_data_received_cb(void *cont
 		return;
 	}
 
+	if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)skb->data;
 	if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
@@ -482,6 +487,11 @@ void nci_hci_data_received_cb(void *cont
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)hcp_skb->data;
 	type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NCI_HCI_HCP_RESPONSE) {
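Review bot: same discrepancy as in net/nfc/hci/core.c: the pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN) guard before the cast to struct nci_hcp_packet is added here as new lines, although the commit message describes the reassembled-skb checks as pre-existing. A line in the stable changelog explaining why this backport carries the extra hunk would avoid confusion for anyone comparing it against the upstream commit.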




* [PATCH 6.12 189/307] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 188/307] ipv6: exthdrs: refresh nh after handling HAO option Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 190/307] ipv6: validate extension header length before copying to cmsg Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Xiao Liang,
	Maoyi Xie, Paolo Abeni

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 8b484efd5cb4eeef9021a661e198edc5349dacf6 upstream.

After patch 1/2 in this series, vti6_update() unlinks and relinks
the tunnel through t->net. vti6_siocdevprivate() still uses
dev_net(dev) for the collision lookup. For a tunnel moved through
IFLA_NET_NS_FD, dev_net(dev) is the new netns, not t->net.

SIOCCHGTUNNEL on a migrated tunnel then runs:

  net = dev_net(dev)                    /* migrated netns */
  t   = vti6_locate(net, &p1, false)    /* misses target in t->net */
  ...
  t   = netdev_priv(dev)
  vti6_update(t, &p1, false)            /* mutates t->net's hash */

A caller in the migrated netns picks params that match a tunnel
in the creation netns. The lookup in dev_net(dev) finds nothing.
vti6_update() prepends the migrated tunnel at the head of the
creation netns hash bucket for those params. Later lookups in
the creation netns resolve to the migrated device. xfrm receive
delivers the matched packets through a device the caller controls.

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.

Switch the SIOCCHGTUNNEL path on a non fallback device to use
t->net for the lookup. The lookup now matches the netns
vti6_update() operates on.

Also add ns_capable(self->net->user_ns, CAP_NET_ADMIN) before
the lookup. The check at the top of the case is against
dev_net(dev)->user_ns, which after migration is the attacker's
netns. A caller there can pick params absent from self->net,
the lookup returns NULL, t becomes self, and vti6_update()
inserts the device into the creation netns hash. The new check
requires CAP_NET_ADMIN in the creation netns user_ns too.

SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device keep
dev_net(dev), which equals init_net there.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Suggested-by: Xiao Liang <shaw.leon@gmail.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/20260521130555.3421684-3-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -834,17 +834,24 @@ vti6_siocdevprivate(struct net_device *d
 		if (p.proto != IPPROTO_IPV6  && p.proto != 0)
 			break;
 		vti6_parm_from_user(&p1, &p);
-		t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
 		if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) {
+			struct ip6_tnl *self = netdev_priv(dev);
+
+			err = -EPERM;
+			if (!ns_capable(self->net->user_ns, CAP_NET_ADMIN))
+				break;
+			t = vti6_locate(self->net, &p1, false);
 			if (t) {
 				if (t->dev != dev) {
 					err = -EEXIST;
 					break;
 				}
 			} else
-				t = netdev_priv(dev);
+				t = self;
 
 			err = vti6_update(t, &p1, false);
+		} else {
+			t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
 		}
 		if (t) {
 			err = 0;
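Review bot: the second CAP_NET_ADMIN check, `ns_capable(self->net->user_ns, CAP_NET_ADMIN)`, has no comment, and a reader seeing a capability check repeated on the same ioctl will likely assume it is redundant; the reason (the device may have been moved to another netns with IFLA_NET_NS_FD while vti6_update() still links it into the hash table of its creation netns self->net, so the caller needs rights in that user_ns too) is only in the commit message and belongs in a short comment above the check. Also note that `err = -EPERM` is overwritten by `err = -EEXIST` or by vti6_update()'s return value on the other paths, so -EPERM only escapes through the break right after the check, which matches the intent.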




* [PATCH 6.18 200/315] xfrm: route MIGRATE notifications to callers netns
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 199/315] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 201/315] xfrm: ipcomp: Free destination pages on acomp errors Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 upstream.

xfrm_send_migrate() in net/xfrm/xfrm_user.c and pfkey_send_migrate()
in net/key/af_key.c both hardcode &init_net for the multicast that
announces a successful XFRM_MSG_MIGRATE / SADB_X_MIGRATE.

XFRM_MSG_MIGRATE arrives on a per-netns NETLINK_XFRM socket, and the
rest of the xfrm/af_key netlink path was made netns-aware in 2008.
The other 14 multicast paths in xfrm_user.c route their event using
xs_net(x), xp_net(xp) or sock_net(skb->sk); only the migrate path
was missed.

Two consequences of the init_net hardcoding:

  1. The notification (selector, old/new endpoint addresses, and the
     km_address) is delivered to listeners on init_net's
     XFRMNLGRP_MIGRATE / pfkey BROADCAST_ALL groups rather than on
     the issuing netns. An IKE daemon running in init_net therefore
     receives migration notifications originating from any other
     netns on the host.

  2. An IKE daemon running inside a non-init netns and subscribed
     to its own XFRMNLGRP_MIGRATE / pfkey groups never receives the
     notification of its own migration. IKEv2 MOBIKE / address-update
     handling inside a netns is silently broken.

Thread struct net through km_migrate() and the xfrm_mgr.migrate
function pointer, drop the &init_net override in xfrm_send_migrate()
and pfkey_send_migrate(), and pass the caller's net (already in
scope in xfrm_migrate() via sock_net(skb->sk)) all the way down.
struct xfrm_mgr is in-tree only and not exported as a stable API,
so the function-pointer signature change is internal.

pfkey_broadcast() is already netns-aware via net_generic(net,
pfkey_net_id) since the pernet conversion. The five other
pfkey_broadcast() callers in af_key.c already pass xs_net(x),
sock_net(sk) or a per-netns net, so this only removes the
&init_net outlier.

Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/xfrm.h     |    3 ++-
 net/key/af_key.c       |    6 +++---
 net/xfrm/xfrm_policy.c |    2 +-
 net/xfrm/xfrm_state.c  |    4 ++--
 net/xfrm/xfrm_user.c   |    5 ++---
 5 files changed, 10 insertions(+), 10 deletions(-)

--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -715,6 +715,7 @@ struct xfrm_mgr {
 					   const struct xfrm_migrate *m,
 					   int num_bundles,
 					   const struct xfrm_kmaddress *k,
+					   struct net *net,
 					   const struct xfrm_encap_tmpl *encap);
 	bool			(*is_alive)(const struct km_event *c);
 };
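Review bot: the new `struct net *net` parameter of the xfrm_mgr.migrate callback is undocumented; since it is the issuing netns used for notification delivery (the point of this change) and the callback is implemented in two places updated by this patch (xfrm_send_migrate() in xfrm_user.c and pfkey_send_migrate() in af_key.c), a one-line comment on the field saying that `net` is the netns the migrate request was issued in would make the contract clear to future implementers.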
@@ -1891,7 +1892,7 @@ int xfrm_sk_policy_insert(struct sock *s
 #ifdef CONFIG_XFRM_MIGRATE
 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 	       const struct xfrm_migrate *m, int num_bundles,
-	       const struct xfrm_kmaddress *k,
+	       const struct xfrm_kmaddress *k, struct net *net,
 	       const struct xfrm_encap_tmpl *encap);
 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
 						u32 if_id);
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3564,7 +3564,7 @@ static int set_ipsecrequest(struct sk_bu
 #ifdef CONFIG_NET_KEY_MIGRATE
 static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			      const struct xfrm_migrate *m, int num_bundles,
-			      const struct xfrm_kmaddress *k,
+			      const struct xfrm_kmaddress *k, struct net *net,
 			      const struct xfrm_encap_tmpl *encap)
 {
 	int i;
@@ -3669,7 +3669,7 @@ static int pfkey_send_migrate(const stru
 	}
 
 	/* broadcast migrate message to sockets */
-	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
+	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, net);
 
 	return 0;
 
@@ -3680,7 +3680,7 @@ err:
 #else
 static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			      const struct xfrm_migrate *m, int num_bundles,
-			      const struct xfrm_kmaddress *k,
+			      const struct xfrm_kmaddress *k, struct net *net,
 			      const struct xfrm_encap_tmpl *encap)
 {
 	return -ENOPROTOOPT;
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4704,7 +4704,7 @@ int xfrm_migrate(const struct xfrm_selec
 	}
 
 	/* Stage 5 - announce */
-	km_migrate(sel, dir, type, m, num_migrate, k, encap);
+	km_migrate(sel, dir, type, m, num_migrate, k, net, encap);
 
 	xfrm_pol_put(pol);
 
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2836,7 +2836,7 @@ EXPORT_SYMBOL(km_policy_expired);
 #ifdef CONFIG_XFRM_MIGRATE
 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 	       const struct xfrm_migrate *m, int num_migrate,
-	       const struct xfrm_kmaddress *k,
+	       const struct xfrm_kmaddress *k, struct net *net,
 	       const struct xfrm_encap_tmpl *encap)
 {
 	int err = -EINVAL;
@@ -2847,7 +2847,7 @@ int km_migrate(const struct xfrm_selecto
 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
 		if (km->migrate) {
 			ret = km->migrate(sel, dir, type, m, num_migrate, k,
-					  encap);
+					  net, encap);
 			if (!ret)
 				err = ret;
 		}
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3262,10 +3262,9 @@ out_cancel:
 
 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			     const struct xfrm_migrate *m, int num_migrate,
-			     const struct xfrm_kmaddress *k,
+			     const struct xfrm_kmaddress *k, struct net *net,
 			     const struct xfrm_encap_tmpl *encap)
 {
-	struct net *net = &init_net;
 	struct sk_buff *skb;
 	int err;
 
@@ -3283,7 +3282,7 @@ static int xfrm_send_migrate(const struc
 #else
 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			     const struct xfrm_migrate *m, int num_migrate,
-			     const struct xfrm_kmaddress *k,
+			     const struct xfrm_kmaddress *k, struct net *net,
 			     const struct xfrm_encap_tmpl *encap)
 {
 	return -ENOPROTOOPT;




* [PATCH 6.12 190/307] ipv6: validate extension header length before copying to cmsg
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 189/307] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate() Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 191/307] xfrm: input: hold netns during deferred transport reinjection Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qi Tang, Willem de Bruijn,
	Jakub Kicinski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qi Tang <tpluszz77@gmail.com>

commit dd433671fef381fdaf7b530c631e6b782d66e224 upstream.

ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
The length was validated only at parse time (ipv6_parse_hopopts(),
etc.).  An nftables payload-write expression can rewrite hdrlen after
parsing and before the skb reaches recvmsg; the write itself is
in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
bytes from an 8-byte header.  nftables is reachable from an
unprivileged user namespace, so this is an unprivileged
slab-out-of-bounds read:

  BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540
   put_cmsg+0x3ac/0x540
   udpv6_recvmsg+0xca0/0x1250
   sock_recvmsg+0xdf/0x190
   ____sys_recvmsg+0x1b1/0x620

Add ipv6_get_exthdr_len() which validates that at least two bytes
are accessible before reading the hdrlen field, then checks the
computed length against skb_tail_pointer(skb), returning 0 on
failure.  Extension headers are kept in the linear skb area by
pskb_may_pull() during input, so skb_tail_pointer() is the correct
bound.

Use ipv6_get_exthdr_len() at all non-AH call sites: the five
standalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)
and the three standard cases in the extension-header walk loop
(DSTOPTS, ROUTING, default).  AH retains an inline bounds check
because its length formula differs ((ptr[1]+2)<<2).

The walk loop also gets a pre-read bounds check at the top to
validate ptr before any case accesses ptr[0] or ptr[1].

When the walk loop detects a corrupted header, return from the
function instead of continuing to process later socket options.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260523143245.2281415-1-tpluszz77@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/datagram.c |   54 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 8 deletions(-)

--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -617,6 +617,18 @@ void ip6_datagram_recv_common_ctl(struct
 	}
 }
 
+static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
+{
+	u16 len;
+
+	if (ptr + 2 > skb_tail_pointer(skb))
+		return 0;
+
+	len = (ptr[1] + 1) << 3;
+
+	return (len <= skb_tail_pointer(skb) - ptr) ? len : 0;
+}
+
 void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
 				    struct sk_buff *skb)
 {
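Review bot: ipv6_get_exthdr_len() returns 0 both for a truncated two-byte prefix and for a hdrlen that overruns the tail, and every caller treats 0 as "drop"; that works because a valid extension header is never shorter than 8 bytes, but the helper has no comment saying so. A short comment stating the return contract, and that it is only valid for the generic (hdrlen+1)*8 layout (AH uses (hdrlen+2)*4, which is why the AH case keeps an inline check), would prevent someone reusing it for AH.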
@@ -643,7 +655,10 @@ void ip6_datagram_recv_specific_ctl(stru
 	/* HbH is allowed only once */
 	if (np->rxopt.bits.hopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
 		u8 *ptr = nh + sizeof(struct ipv6hdr);
-		put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, len, ptr);
 	}
 
 	if (opt->lastopt &&
@@ -664,26 +679,37 @@ void ip6_datagram_recv_specific_ctl(stru
 			unsigned int len;
 			u8 *ptr = nh + off;
 
+			if (ptr + 2 > skb_tail_pointer(skb))
+				return;
+
 			switch (nexthdr) {
 			case IPPROTO_DSTOPTS:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				if (np->rxopt.bits.dstopts)
 					put_cmsg(msg, SOL_IPV6, IPV6_DSTOPTS, len, ptr);
 				break;
 			case IPPROTO_ROUTING:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				if (np->rxopt.bits.srcrt)
 					put_cmsg(msg, SOL_IPV6, IPV6_RTHDR, len, ptr);
 				break;
 			case IPPROTO_AH:
 				nexthdr = ptr[0];
 				len = (ptr[1] + 2) << 2;
+				if (ptr + len > skb_tail_pointer(skb))
+					return;
 				break;
 			default:
 				nexthdr = ptr[0];
-				len = (ptr[1] + 1) << 3;
+				len = ipv6_get_exthdr_len(skb, ptr);
+				if (!len)
+					return;
 				break;
 			}
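Review bot: the top-of-loop `ptr + 2 > skb_tail_pointer(skb)` check is what makes `nexthdr = ptr[0]` safe in all four cases, while ipv6_get_exthdr_len() repeats the same check internally for three of them; the duplication is harmless, but a comment noting it is intentional (the AH case and the ptr[0] read need it before the helper runs) would stop a later cleanup from removing one copy. The silent `return` on a corrupted header also means cmsgs already placed in msg are delivered while later socket options are skipped, which matches the commit message but is worth a one-line comment so it is not read as a missing error path.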
 
@@ -705,19 +731,31 @@ void ip6_datagram_recv_specific_ctl(stru
 	}
 	if (np->rxopt.bits.ohopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
 		u8 *ptr = nh + sizeof(struct ipv6hdr);
-		put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.odstopts && opt->dst0) {
 		u8 *ptr = nh + opt->dst0;
-		put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.osrcrt && opt->srcrt) {
 		struct ipv6_rt_hdr *rthdr = (struct ipv6_rt_hdr *)(nh + opt->srcrt);
-		put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, (rthdr->hdrlen+1) << 3, rthdr);
+		u16 len = ipv6_get_exthdr_len(skb, (u8 *)rthdr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, len, rthdr);
 	}
 	if (np->rxopt.bits.odstopts && opt->dst1) {
 		u8 *ptr = nh + opt->dst1;
-		put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+		u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+		if (len)
+			put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
 	}
 	if (np->rxopt.bits.rxorigdstaddr) {
 		struct sockaddr_in6 sin6;



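A userspace model of the check this patch introduces, added here as an example and not taken from the kernel tree: it reimplements the ipv6_get_exthdr_len() logic over a constructed byte buffer (standing in for the linear skb area, with `tail` playing the role of skb_tail_pointer(skb)) and compares it with the pre-fix `(ptr[1]+1)<<3` computation for a valid header, for a hdrlen byte rewritten to 254 after parsing, and for a truncated header; the AH variant of the bound is included because the patch keeps it inline. The same "check the bytes are there before reading the header" principle is what the NFC HCP patch (199/315, earlier in this thread) applies with pskb_may_pull(). The names exthdr_len_checked(), exthdr_len_unchecked(), ah_len_checked(), run_case() and the sample packets are this example's own, not kernel identifiers.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN 40	/* fixed IPv6 header */
#define EXT_BUF_LEN  8	/* one minimal (hdrlen = 0) extension header */

struct case_result {
	unsigned int unchecked;	/* length the pre-fix code would hand to put_cmsg() */
	uint16_t checked;	/* length after validation, 0 means reject */
};

/*
 * Example model of ipv6_get_exthdr_len() (not kernel code). ptr points at a
 * generic IPv6 extension header (next header, hdrlen, options...), tail at
 * one past the last byte actually held in the linear buffer.
 */
static uint16_t exthdr_len_checked(const uint8_t *ptr, const uint8_t *tail)
{
	uint16_t len;

	/* Both the next-header byte and the hdrlen byte must be readable. */
	if (ptr + 2 > tail)
		return 0;

	/* Generic extension headers are (hdrlen + 1) * 8 octets long. */
	len = (uint16_t)((ptr[1] + 1) << 3);

	/*
	 * The whole header must lie before tail. 0 is an unambiguous
	 * "invalid" sentinel because a valid header is never shorter than 8.
	 */
	return (len <= tail - ptr) ? len : 0;
}

/* AH uses a different length formula, which is why the patch keeps an
 * inline bound there instead of reusing the generic helper. */
static unsigned int ah_len_checked(const uint8_t *ptr, const uint8_t *tail)
{
	unsigned int len;

	if (ptr + 2 > tail)
		return 0;
	len = (ptr[1] + 2) << 2;
	return (ptr + len > tail) ? 0 : len;
}

/* Pre-fix behaviour: trust the on-wire hdrlen byte unconditionally. */
static unsigned int exthdr_len_unchecked(const uint8_t *ptr)
{
	return (ptr[1] + 1) << 3;
}

/* Constructed AH header prefix: nexthdr UDP, payload length 4,
 * so the header is (4 + 2) * 4 = 24 bytes. */
static const uint8_t sample_ah[24] = { 17, 4 };

/*
 * Build one constructed packet (IPv6 header + an 8-byte Hop-by-Hop header
 * carrying a PadN option), overwrite the hdrlen byte as a post-parse
 * payload write could, optionally pretend only `ext_bytes_present` bytes
 * of the extension header are really in the buffer, and return what the
 * old and the new length computations yield.
 */
static struct case_result run_case(uint8_t hdrlen_byte, size_t ext_bytes_present)
{
	uint8_t buf[IPV6_HDR_LEN + EXT_BUF_LEN];
	const uint8_t *ptr = buf + IPV6_HDR_LEN;
	const uint8_t *tail = buf + IPV6_HDR_LEN + ext_bytes_present;
	struct case_result r;

	memset(buf, 0, sizeof(buf));
	buf[6] = 0;				/* IPv6 nexthdr: Hop-by-Hop (0) */
	buf[IPV6_HDR_LEN + 0] = 17;		/* ext nexthdr: UDP */
	buf[IPV6_HDR_LEN + 1] = hdrlen_byte;	/* hdrlen, 8-octet units minus 1 */
	buf[IPV6_HDR_LEN + 2] = 1;		/* PadN option type */
	buf[IPV6_HDR_LEN + 3] = 4;		/* PadN data length */

	r.unchecked = exthdr_len_unchecked(ptr);
	r.checked = exthdr_len_checked(ptr, tail);
	return r;
}

int main(void)
{
	struct case_result ok = run_case(0, EXT_BUF_LEN);	/* valid: 8 / 8 */
	struct case_result big = run_case(254, EXT_BUF_LEN);	/* rewritten: 2040 / 0 */
	struct case_result cut = run_case(0, 1);		/* truncated: 8 / 0 */

	assert(ok.checked == 8 && big.checked == 0 && cut.checked == 0);
	assert(big.unchecked == 2040);
	return 0;
}
```

The rewritten case is the one from the commit message: the pre-fix computation yields 2040 bytes from an 8-byte header, the validated helper yields 0 and the caller skips the cmsg. The truncated case shows the first check, the two-byte prefix, doing its job independently of the length formula.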

* [PATCH 6.18 201/315] xfrm: ipcomp: Free destination pages on acomp errors
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 200/315] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 202/315] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
	Juefei Pu, Xin Liu, Yilin Zhu, Herbert Xu, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 7dbac7680eb629b3b4dc7e98c34f943b8814c0c8 upstream.

Move the out_free_req label up by a couple of lines so that the
allocated dst SG list gets freed on error as well as success.

Fixes: eb2953d26971 ("xfrm: ipcomp: Use crypto_acomp interface")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reported-by: Yilin Zhu <zylzyl2333@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_ipcomp.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -51,11 +51,15 @@ static int ipcomp_post_acomp(struct sk_b
 	struct scatterlist *dsg;
 	int len, dlen;
 
-	if (unlikely(err))
-		goto out_free_req;
+	if (unlikely(!req))
+		return err;
 
 	extra = acomp_request_extra(req);
 	dsg = extra->sg;
+
+	if (unlikely(err))
+		goto out_free_req;
+
 	dlen = req->dlen;
 
 	pskb_trim_unique(skb, 0);
@@ -84,10 +88,10 @@ static int ipcomp_post_acomp(struct sk_b
 		skb_shinfo(skb)->nr_frags++;
 	} while ((dlen -= len));
 
-	for (; dsg; dsg = sg_next(dsg))
+out_free_req:
+	for (; dsg && sg_page(dsg); dsg = sg_next(dsg))
 		__free_page(sg_page(dsg));
 
-out_free_req:
 	acomp_request_free(req);
 	return err;
 }
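Review bot: the `dsg && sg_page(dsg)` stop condition on the freeing loop assumes that entries of the dst SG list which never received a page have a NULL page pointer, i.e. that the list is zero-initialised before pages are attached; that invariant is not visible in this hunk, so a comment at the out_free_req label stating it would help, and if any allocation path can leave a stale page pointer behind, the loop would double-free. The new `if (unlikely(!req)) return err;` early exit is also unexplained; a comment on when req can be NULL here (no request was ever allocated, so there is nothing to free) would make the two distinct error shapes explicit.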




* [PATCH 6.12 191/307] xfrm: input: hold netns during deferred transport reinjection
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 190/307] ipv6: validate extension header length before copying to cmsg Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 192/307] l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
	Luxing Yin, Zhengchuan Liang, Ren Wei, Steffen Klassert

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhengchuan Liang <zcliangcn@gmail.com>

commit c16f74dc1d75d0e2e7670076d5375deda110ebeb upstream.

Transport-mode reinjection stores a struct net pointer in skb->cb and
uses it later from xfrm_trans_reinject(). That pointer must stay valid
until the deferred callback runs.

Take a netns reference when queueing deferred reinjection work and drop
it after the callback completes. Use maybe_get_net() so the queueing
path does not revive a namespace that is already being torn down.

This keeps the existing workqueue design and fixes the netns lifetime
handling in one place for all users of xfrm_trans_queue_net().

Fixes: 7b3801927e52 ("xfrm: introduce xfrm_trans_queue_net")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_input.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -769,9 +769,12 @@ static void xfrm_trans_reinject(struct w
 	spin_unlock_bh(&trans->queue_lock);
 
 	local_bh_disable();
-	while ((skb = __skb_dequeue(&queue)))
-		XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
-					       NULL, skb);
+	while ((skb = __skb_dequeue(&queue))) {
+		struct net *net = XFRM_TRANS_SKB_CB(skb)->net;
+
+		XFRM_TRANS_SKB_CB(skb)->finish(net, NULL, skb);
+		put_net(net);
+	}
 	local_bh_enable();
 }
 
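Review bot: put_net(net) after finish() is correct only because net is copied into a local first; finish() consumes the skb, so reading XFRM_TRANS_SKB_CB(skb)->net after the call would touch cb memory that is no longer ours. A one-line comment above the local (e.g. `/* finish() consumes skb; cb is not readable afterwards */`) would stop a future cleanup from folding the two statements back together.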
@@ -780,6 +783,7 @@ int xfrm_trans_queue_net(struct net *net
 				       struct sk_buff *))
 {
 	struct xfrm_trans_tasklet *trans;
+	struct net *hold_net;
 
 	trans = this_cpu_ptr(&xfrm_trans_tasklet);
 
@@ -788,8 +792,12 @@ int xfrm_trans_queue_net(struct net *net
 
 	BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
 
+	hold_net = maybe_get_net(net);
+	if (!hold_net)
+		return -ENODEV;
+
 	XFRM_TRANS_SKB_CB(skb)->finish = finish;
-	XFRM_TRANS_SKB_CB(skb)->net = net;
+	XFRM_TRANS_SKB_CB(skb)->net = hold_net;
 	spin_lock_bh(&trans->queue_lock);
 	__skb_queue_tail(&trans->queue, skb);
 	spin_unlock_bh(&trans->queue_lock);
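Review bot: the new `return -ENODEV` on maybe_get_net() failure leaves the skb unfreed, so every caller of xfrm_trans_queue_net() must already treat a negative return as "drop the skb"; that should hold for any earlier error return in this function, but the commit message would benefit from saying so explicitly. Taking the hold before XFRM_TRANS_SKB_CB(skb)->net is written is the right order: it lets the reinject side assume every queued skb carries a held reference, which is what makes the unconditional put_net() there safe.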


* [PATCH 6.18 202/315] xfrm: ah: use skb_to_full_sk in async output callbacks
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 79d8be262377f7112cfa3088dfc4142d5a2533f3 upstream.

When AH output is offloaded to an asynchronous crypto provider
(hardware accelerators such as AMD CCP, or a forced-async software
shim used for testing), the digest completion fires
ah_output_done() / ah6_output_done() on a workqueue.  The egress
skb at that point may have been originated by a TCP listener
sending a SYN-ACK, which sets skb->sk to a request_sock via
skb_set_owner_edemux(); it may also have been originated by an
inet_timewait_sock retransmit.  Neither is a full struct sock, and
passing the raw skb->sk to xfrm_output_resume() then forwards a
non-full socket through the rest of the xfrm output chain.

xfrm_output_resume() and its downstream consumers expect a full
sk where they dereference at all.  The natural egress path
through ah_output_done() does not crash today because the
consumers that read past sock_common are either gated by
sk_fullsock() or short-circuit on flags that are clear on a fresh
request_sock; an exhaustive walk of the 50 most plausible
consumers under sch_fq, dev_queue_xmit, netfilter, tc-egress and
cgroup-egress BPF found no current unguarded deref.  The bug is
still a real type confusion that future consumer changes could
turn into a memory-corruption primitive.

This is the same bug class fixed for ESP in commit 1620c88887b1
("xfrm: Fix the usage of skb->sk").  Apply the analogous fix to
AH: convert skb->sk to a full socket pointer (or NULL) via
skb_to_full_sk() before handing it to xfrm_output_resume().

The same async AH callbacks were touched recently for an
independent ESN-related ICV layout bug in commit ec54093e6a8f
("xfrm: ah: account for ESN high bits in async callbacks"); the
sk type-confusion addressed here is orthogonal.  This patch is
part of an ongoing audit of the AH callback paths; an ah_output
ihl-validation hardening series is also currently under review on
netdev.

Reproduced under UML + KASAN + lockdep with a forced-async
hmac(sha1) shim that registers at priority 9999 and wraps the
sync in-tree hmac-sha1-lib.  With the shim loaded, ah_output_done
runs on every SYN-ACK egress through a transport-mode AH SA and
skb->sk arrives as a request_sock (TCP_NEW_SYN_RECV); after this
patch, xfrm_output_resume() receives the listener (the result of
sk_to_full_sk()) and consumer derefs land on full-sock fields as
intended.

Fixes: 9ab1265d5231 ("xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |    2 +-
 net/ipv6/ah6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -143,7 +143,7 @@ static void ah_output_done(void *data, i
 	}
 
 	kfree(AH_SKB_CB(skb)->tmp);
-	xfrm_output_resume(skb->sk, skb, err);
+	xfrm_output_resume(skb_to_full_sk(skb), skb, err);
 }
 
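Review bot: skb_to_full_sk() yields the listener for a request_sock and NULL for a timewait sock, so xfrm_output_resume() must cope with a NULL sk on this path; the commit message's "full socket pointer (or NULL)" matches that, but it is worth confirming against the ESP change it cites (1620c88887b1) that the NULL case is handled the same way. The synchronous ah_output(), whose signature appears as context below, should be checked for the same raw skb->sk hand-off so the sync and async paths do not diverge.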
 static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -337,7 +337,7 @@ static void ah6_output_done(void *data,
 	ah6_restore_hdrs(top_iph, iph_ext, extlen);
 
 	kfree(AH_SKB_CB(skb)->tmp);
-	xfrm_output_resume(skb->sk, skb, err);
+	xfrm_output_resume(skb_to_full_sk(skb), skb, err);
 }
 
 static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)


* [PATCH 6.12 192/307] l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, James Chapman,
	Simon Horman, Jakub Kicinski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 05f95729ca844704d15e49ce14868af4b403b32b upstream.

A reader in l2tp_session_get_by_ifname() can return a pointer to a
session whose refcount has reached zero. The getter takes its
reference with plain refcount_inc(), but every other session getter
in the same file (l2tp_v2_session_get, l2tp_v3_session_get, and the
corresponding _get_next variants) uses refcount_inc_not_zero()
because the IDR/RCU lookup can race with refcount_dec_and_test() ->
l2tp_session_free() -> kfree_rcu(). The ifname getter is the only
outlier; the inconsistency was raised on-list after 979c017803c4
("l2tp: use list_del_rcu in l2tp_session_unhash").

A reader inside rcu_read_lock_bh() that matches session->ifname can
be preempted between the strcmp() and the refcount_inc(). If the
last reference drops on another CPU in that window, the reader's
refcount_inc() runs on a counter that has reached zero. refcount_t
catches the addition-on-zero, prints "refcount_t: addition on 0;
use-after-free", saturates the counter, and returns the saturated
pointer to the caller. Session memory is held live by the in-flight
RCU read section, but the kfree_rcu() callback queued from
l2tp_session_free() will free it once the grace period closes; a
caller that dereferences the returned session past that point hits
a slab-use-after-free. On PREEMPT_RT local_bh_disable() is a per-CPU
sleeping lock and the preemption window is real; on stock PREEMPT
kernels local_bh_disable() is a preempt_count increment that closes
the cross-CPU race in practice (see below).

Use refcount_inc_not_zero() and continue the list walk on failure,
matching the other session getters in the file. The ifname getter
is the only session getter in net/l2tp/ that still uses the bare
refcount_inc() pattern; this change restores file-internal
consistency. The success path is unchanged.

Fixes: abe7a1a7d0b6 ("l2tp: improve tunnel/session refcount helpers")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: James Chapman <jchapman@katalix.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260523023423.2568972-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/l2tp/l2tp_core.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -441,12 +441,13 @@ struct l2tp_session *l2tp_session_get_by
 	idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
 		if (tunnel) {
 			list_for_each_entry_rcu(session, &tunnel->session_list, list) {
-				if (!strcmp(session->ifname, ifname)) {
-					refcount_inc(&session->ref_count);
-					rcu_read_unlock_bh();
+				if (strcmp(session->ifname, ifname))
+					continue;
+				if (!refcount_inc_not_zero(&session->ref_count))
+					continue;
+				rcu_read_unlock_bh();
 
-					return session;
-				}
+				return session;
 			}
 		}
 	}
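Review bot: both new `continue` statements apply to the inner list_for_each_entry_rcu() walk, which is the right scope: a session whose refcount_inc_not_zero() fails is still valid memory until the RCU grace period ends, so skipping it and continuing the walk is safe, and the outer idr loop keeps scanning the remaining tunnels. The match path is behaviour-preserving (same rcu_read_unlock_bh() then `return session`), as the commit message states; the `!strcmp(...)` to `strcmp(...)` inversion is just the early-continue rewrite.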


* [PATCH 6.18 203/315] ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geoffrey D. Bennett <g@b4.vu>

commit db37cf47b67e38ade40de5cd74a4d4d772ff1416 upstream.

Firmware 2417 for the Scarlett 4th Gen 2i2 moved the direct monitor
gain parameter by 4 bytes, from offset 0x2a0 to 0x2a4, breaking the
"Direct Monitor X Mix Y" controls.

Special-case the offset in the get/set config helpers when the
running firmware is 2417 or later.

Fixes: 4e809a299677 ("ALSA: scarlett2: Add support for Solo, 2i2, and 4i4 Gen 4")
Cc: <stable@vger.kernel.org>
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Link: https://patch.msgid.link/ahIWTueUlWA5xiV+@m.b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer_scarlett2.c |   33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -2504,6 +2504,27 @@ static int scarlett2_has_config_item(
 	return !!private->config_set->items[config_item_num].offset;
 }
 
+/* Return the configuration item's offset, applying any per-firmware
+ * overrides.
+ *
+ * Firmware 2417 for the 2i2 Gen 4 moved DIRECT_MONITOR_GAIN by 4
+ * bytes. Apply that shift here so that the rest of the driver can
+ * keep using the single config set. This override can be removed
+ * once the multi-config-set framework lands.
+ */
+static int scarlett2_config_item_offset(
+	struct scarlett2_data *private, int config_item_num)
+{
+	int offset = private->config_set->items[config_item_num].offset;
+
+	if (config_item_num == SCARLETT2_CONFIG_DIRECT_MONITOR_GAIN &&
+	    private->info == &s2i2_gen4_info &&
+	    private->firmware_version >= 2417)
+		offset = 0x2a4;
+
+	return offset;
+}
+
 /* Send a USB message to get configuration parameters; result placed in *buf */
 static int scarlett2_usb_get_config(
 	struct usb_mixer_interface *mixer,
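Review bot: 0x2a4 and 2417 are bare magic numbers inside scarlett2_config_item_offset(); giving them names (an offset constant for the relocated DIRECT_MONITOR_GAIN item and a firmware-version threshold) would make the override self-describing and easier to delete when the multi-config-set framework the comment mentions lands. The `private->info == &s2i2_gen4_info` pointer comparison also ties the helper to one specific info struct; a per-model flag would survive future table reshuffles.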
@@ -2513,6 +2534,7 @@ static int scarlett2_usb_get_config(
 	const struct scarlett2_config *config_item =
 		&private->config_set->items[config_item_num];
 	int size, err, i;
+	int item_offset;
 	u8 *buf_8;
 	u8 value;
 
@@ -2522,13 +2544,15 @@ static int scarlett2_usb_get_config(
 	if (!config_item->offset)
 		return -EFAULT;
 
+	item_offset = scarlett2_config_item_offset(private, config_item_num);
+
 	/* Writes to the parameter buffer are always 1 byte */
 	size = config_item->size ? config_item->size : 8;
 
 	/* For byte-sized parameters, retrieve directly into buf */
 	if (size >= 8) {
 		size = size / 8 * count;
-		err = scarlett2_usb_get(mixer, config_item->offset, buf, size);
+		err = scarlett2_usb_get(mixer, item_offset, buf, size);
 		if (err < 0)
 			return err;
 		if (config_item->size == 16) {
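Review bot: the existence check `if (!config_item->offset)` still reads the table offset while the actual read now uses item_offset; that is correct because the override only relocates an item that already has a table entry, but a short comment at the item_offset assignment would make the two-offset design clear. With item_offset in hand, config_item->offset should not be used for any scarlett2_usb_get() call below this point in scarlett2_usb_get_config(); both reads visible in the patch are switched, which is what one would expect.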
@@ -2546,7 +2570,7 @@ static int scarlett2_usb_get_config(
 	}
 
 	/* For bit-sized parameters, retrieve into value */
-	err = scarlett2_usb_get(mixer, config_item->offset, &value, 1);
+	err = scarlett2_usb_get(mixer, item_offset, &value, 1);
 	if (err < 0)
 		return err;
 
@@ -2696,7 +2720,8 @@ static int scarlett2_usb_set_config(
 	 */
 	if (config_item->size >= 8) {
 		size = config_item->size / 8;
-		offset = config_item->offset + index * size;
+		offset = scarlett2_config_item_offset(private, config_item_num) +
+			 index * size;
 
 	/* If updating a bit, retrieve the old value, set/clear the
 	 * bit as needed, and update value
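Review bot: scarlett2_usb_set_config() calls scarlett2_config_item_offset() separately in each branch, whereas scarlett2_usb_get_config() computes item_offset once up front; hoisting a single `item_offset = scarlett2_config_item_offset(private, config_item_num);` before the `if (config_item->size >= 8)` split would keep the two functions symmetric and avoid a third call site if another branch is ever added.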
@@ -2705,7 +2730,7 @@ static int scarlett2_usb_set_config(
 		u8 tmp;
 
 		size = 1;
-		offset = config_item->offset;
+		offset = scarlett2_config_item_offset(private, config_item_num);
 
 		err = scarlett2_usb_get(mixer, offset, &tmp, 1);
 		if (err < 0)


* [PATCH 6.12 193/307] ip6: vti: Use ip6_tnl.net in vti6_changelink().
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Eric Dumazet,
	Kuniyuki Iwashima, Paolo Abeni

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kuniyuki Iwashima <kuniyu@google.com>

commit 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe upstream.

ip netns add ns1
ip netns add ns2
ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7
ip -n ns1 link set vti6_test netns ns2
ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9
ip netns del ns2
ip netns del ns1
[  132.495484] ------------[ cut here ]------------
[  132.497609] kernel BUG at net/core/dev.c:12376!

Commit 61220ab34948 ("vti6: Enable namespace changing") dropped
NETIF_F_NETNS_LOCAL from vti6 devices. A vti6 tunnel can then
move through IFLA_NET_NS_FD. After the move dev_net(dev) points
at the new netns while t->net stays at the creation netns.

vti6_changelink() and vti6_update() still use dev_net(dev) and
dev_net(t->dev). They unlink from one per netns hash and relink
into another. The creation netns is left with a stale entry.
cleanup_net() of that netns later walks freed memory.

Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.

Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Reported-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260521130555.3421684-2-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_vti.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -722,10 +722,11 @@ vti6_tnl_change(struct ip6_tnl *t, const
 static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p,
 		       bool keep_mtu)
 {
-	struct net *net = dev_net(t->dev);
-	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+	struct net *net = t->net;
+	struct vti6_net *ip6n;
 	int err;
 
+	ip6n = net_generic(net, vti6_net_id);
 	vti6_tnl_unlink(ip6n, t);
 	synchronize_net();
 	err = vti6_tnl_change(t, p, keep_mtu);
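Review bot: splitting `struct vti6_net *ip6n;` from its assignment adds a line for no gain here; `struct vti6_net *ip6n = net_generic(t->net, vti6_net_id);` keeps the declaration initialised as before. More importantly, the commit message should state plainly why t->net rather than dev_net(t->dev) is the right hash to unlink from: per the description, t->net is the namespace the tunnel was registered in, so it is the only netns whose vti6_net hash can still contain the entry after a move.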
@@ -1036,11 +1037,12 @@ static int vti6_changelink(struct net_de
 			   struct nlattr *data[],
 			   struct netlink_ext_ack *extack)
 {
-	struct ip6_tnl *t;
+	struct ip6_tnl *t = netdev_priv(dev);
+	struct net *net = t->net;
 	struct __ip6_tnl_parm p;
-	struct net *net = dev_net(dev);
-	struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+	struct vti6_net *ip6n;
 
+	ip6n = net_generic(net, vti6_net_id);
 	if (dev == ip6n->fb_tnl_dev)
 		return -EINVAL;
 
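Review bot: `if (dev == ip6n->fb_tnl_dev)` now compares against the creation namespace's fallback device (ip6n is derived from t->net) rather than the current dev_net(dev); that is equivalent only if the fallback device itself can never be moved across namespaces, and that assumption deserves a sentence in the commit message. With `t` now initialised at its declaration via netdev_priv(dev), any later `t = netdev_priv(dev)` assignment remaining in vti6_changelink() outside this hunk is redundant and should be dropped.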


* [PATCH 6.18 204/315] ALSA: firewire-motu: Protect register DSP event queue positions
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel,
	Takashi Sakamoto, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

commit 98fb1c1bb11e29eb609b7200a25e136e05aa4498 upstream.

The register DSP event queue is updated under parser->lock, but
snd_motu_register_dsp_message_parser_count_event() reads pull_pos and
push_pos without the lock.
snd_motu_register_dsp_message_parser_copy_event() also reads both queue
positions before taking the lock.

Protect these accesses with parser->lock as well. This keeps the hwdep
poll/read path consistent with the producer side and with the cached
meter/parameter accessors.

Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260521-alsa-firewire-motu-event-locking-v1-1-708e1c2b5e56@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/firewire/motu/motu-register-dsp-message-parser.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/sound/firewire/motu/motu-register-dsp-message-parser.c
+++ b/sound/firewire/motu/motu-register-dsp-message-parser.c
@@ -386,6 +386,8 @@ unsigned int snd_motu_register_dsp_messa
 {
 	struct msg_parser *parser = motu->message_parser;
 
+	guard(spinlock_irqsave)(&parser->lock);
+
 	if (parser->pull_pos > parser->push_pos)
 		return EVENT_QUEUE_SIZE - parser->pull_pos + parser->push_pos;
 	else
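Review bot: taking parser->lock for the whole body of snd_motu_register_dsp_message_parser_count_event() is correct for reading pull_pos and push_pos as a consistent pair, but the returned count is a snapshot that can be stale the moment the guard releases; that is fine for poll(), and callers must not treat it as a guarantee that the same number of events will still be there for subsequent copy_event() calls, which do their own emptiness check under the lock.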
@@ -395,13 +397,14 @@ unsigned int snd_motu_register_dsp_messa
 bool snd_motu_register_dsp_message_parser_copy_event(struct snd_motu *motu, u32 *event)
 {
 	struct msg_parser *parser = motu->message_parser;
-	unsigned int pos = parser->pull_pos;
-
-	if (pos == parser->push_pos)
-		return false;
+	unsigned int pos;
 
 	guard(spinlock_irqsave)(&parser->lock);
 
+	if (parser->pull_pos == parser->push_pos)
+		return false;
+
+	pos = parser->pull_pos;
 	*event = parser->event_queue[pos];
 
 	++pos;


* [PATCH 6.12 194/307] net: skbuff: fix missing zerocopy reference in pskb_carve helpers
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Willem de Bruijn,
	Paolo Abeni

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Minh Nguyen <minhnguyen.080505@gmail.com>

commit 98d0912e9f841e5529a5b89a972805f34cb1c69d upstream.

pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.

KASAN reports use-after-free on a freed ubuf_info_msgzc:

  BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810
  Read of size 8 at addr ffff88801574d3e8 by task poc/220

  Call Trace:
   skb_release_data+0x77b/0x810
   kfree_skb_list_reason+0x13e/0x610
   skb_release_data+0x4cd/0x810
   sk_skb_reason_drop+0xf3/0x340
   skb_queue_purge_reason+0x282/0x440
   rds_tcp_inc_free+0x1e/0x30
   rds_recvmsg+0x354/0x1780
   __sys_recvmsg+0xdf/0x180

  Allocated by task 219:
   msg_zerocopy_realloc+0x157/0x7b0
   tcp_sendmsg_locked+0x2892/0x3ba0

  Freed by task 219:
   ip_recv_error+0x74a/0xb10
   tcp_recvmsg+0x475/0x530

The skb consuming the late access still referenced the same uarg via
shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without
a refcount bump. This has been verified to be reliably exploitable: a
working proof-of-concept achieves full root privilege escalation from
an unprivileged local user on a default kernel configuration.

The fix follows the pattern of pskb_expand_head() which has the same
memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()
is placed after skb_orphan_frags() succeeds, so the orphan error path
needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is
placed after all failure points and just before skb_release_data(), so
no error path needs cleanup at all -- matching pskb_expand_head() more
closely and avoiding the need for a balancing net_zcopy_put().

Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260526041240.329462-1-minhnguyen.080505@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/skbuff.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6704,6 +6704,8 @@ static int pskb_carve_inside_header(stru
 			skb_kfree_head(data, size);
 			return -ENOMEM;
 		}
+		if (skb_zcopy(skb))
+			net_zcopy_get(skb_zcopy(skb));
 		for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
 			skb_frag_ref(skb, i);
 		if (skb_has_frag_list(skb))
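Review bot: placing `net_zcopy_get(skb_zcopy(skb))` after the `return -ENOMEM` error path above it keeps that path free of a balancing put, as the commit message says. The double skb_zcopy(skb) call could be collapsed into a local `struct ubuf_info *uarg = skb_zcopy(skb);`, which also makes it obvious that the reference is being taken on behalf of the shinfo copy made earlier in this function.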
@@ -6853,6 +6855,8 @@ static int pskb_carve_inside_nonlinear(s
 		skb_kfree_head(data, size);
 		return -ENOMEM;
 	}
+	if (skb_zcopy(skb))
+		net_zcopy_get(skb_zcopy(skb));
 	skb_release_data(skb, SKB_CONSUMED);
 
 	skb->head = data;
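Review bot: the ordering here is load-bearing: the reference must be taken before skb_release_data(skb, SKB_CONSUMED), because releasing the old data runs the old shinfo's zerocopy teardown and, without the extra count, would drop uarg->refcnt while the new shinfo still carries destructor_arg. A comment on the `if (skb_zcopy(skb))` line saying "must precede skb_release_data()" would protect this ordering from being moved during later refactors.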


* [PATCH 6.18 205/315] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hamza Mahfooz, Florian Westphal

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>

commit bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a upstream.

An unintended behavior in the TCP conntrack state machine allows a
connection to be forced into the CLOSE state using an RST packet with an
invalid sequence number.

Specifically, after a SYN packet is observed, an RST with an invalid SEQ
can transition the conntrack entry to TCP_CONNTRACK_CLOSE, regardless of
whether the RST corresponds to the expected reply direction. The relevant
code path assumes the RST is a response to an outgoing SYN, but does not
validate packet direction or ensure that a matching SYN was actually sent
in the opposite direction.

As a result, a crafted packet sequence consisting of a SYN followed by an
invalid-sequence RST can prematurely terminate an active NAT entry. This
makes connection teardown easier than intended.

So, tighten the state transition logic to ensure that RST-triggered
CLOSE transitions only occur when the RST is a valid response to a
previously observed SYN in the correct direction.

Cc: stable@vger.kernel.org
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1221,7 +1221,8 @@ int nf_conntrack_tcp_packet(struct nf_co
 			new_state = old_state;
 		}
 		if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
-			 && ct->proto.tcp.last_index == TCP_SYN_SET)
+			 && ct->proto.tcp.last_index == TCP_SYN_SET
+			 && ct->proto.tcp.last_dir != dir)
 			|| (!test_bit(IPS_ASSURED_BIT, &ct->status)
 			    && ct->proto.tcp.last_index == TCP_ACK_SET))
 		    && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
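Review bot: the added `ct->proto.tcp.last_dir != dir` condition is only as good as the bookkeeping of last_dir: it must be recorded on every path that sets last_index to TCP_SYN_SET, otherwise a stale direction from an earlier packet could still admit a mis-directed RST or reject a legitimate one. The commit message should name where last_dir is maintained so reviewers can verify the pairing, and a conntrack selftest sending SYN followed by an out-of-window RST in each direction would be the right regression guard for a change in this state machine.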


* [PATCH 6.12 195/307] HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ping Cheng, Lee Jones,
	Benjamin Tissoires

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lee Jones <lee@kernel.org>

commit c0a8899e02ddebd51e2589835182c239c2e224ae upstream.

wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE
usage is always located in the first field (field[0]) of the feature report.
However, a device can specify HID_DG_INPUTMODE in a different field.

If HID_DG_INPUTMODE is in a field other than the first one and the first
field has a report_count smaller than the usage_index of HID_DG_INPUTMODE,
this leads to an out-of-bounds write to r->field[0]->value.

Fix this by storing the field index of HID_DG_INPUTMODE in 'struct
hid_data' during feature mapping.  In wacom_hid_set_device_mode(), use
this stored field index to access the correct field and add bounds
checks to ensure both the field index and the value index are within
valid ranges before writing.

Cc: stable@vger.kernel.org
Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling")
Tested-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_sys.c |   13 ++++++++++---
 drivers/hid/wacom_wac.h |    1 +
 2 files changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -341,6 +341,7 @@ static void wacom_feature_mapping(struct
 
 		hid_data->inputmode = field->report->id;
 		hid_data->inputmode_index = usage->usage_index;
+		hid_data->inputmode_field_index = field->index;
 		break;
 
 	case HID_UP_DIGITIZER:
@@ -556,9 +557,14 @@ static int wacom_hid_set_device_mode(str
 
 	re = &(hdev->report_enum[HID_FEATURE_REPORT]);
 	r = re->report_id_hash[hid_data->inputmode];
-	if (r) {
-		r->field[0]->value[hid_data->inputmode_index] = 2;
-		hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+	if (r && hid_data->inputmode_field_index >= 0 &&
+	    hid_data->inputmode_field_index < r->maxfield) {
+		struct hid_field *field = r->field[hid_data->inputmode_field_index];
+
+		if (field && hid_data->inputmode_index < field->report_count) {
+			field->value[hid_data->inputmode_index] = 2;
+			hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+		}
 	}
 	return 0;
 }
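Review bot: when the new bounds checks fail, wacom_hid_set_device_mode() skips the SET_REPORT silently and still returns 0, so a device with an unexpected InputMode field layout stays in the wrong mode with no diagnostic; a hid_warn() (or at least hid_dbg()) in that case would make the situation visible. The `>= 0` test before `< r->maxfield` is required because inputmode_field_index is __s16 while maxfield is unsigned; keep that order if the condition is ever reshuffled.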
@@ -2819,6 +2825,7 @@ static int wacom_probe(struct hid_device
 		return error;
 
 	wacom_wac->hid_data.inputmode = -1;
+	wacom_wac->hid_data.inputmode_field_index = -1;
 	wacom_wac->mode_report = -1;
 
 	if (hid_is_usb(hdev)) {
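Review bot: initialising inputmode_field_index to -1 next to inputmode in wacom_probe() is right, but the sentinel only works if every place that resets hid_data.inputmode to -1 also resets the field index; any other `inputmode = -1` site outside this hunk should get the matching `inputmode_field_index = -1`, otherwise a stale index from a previous descriptor parse could pass the bounds checks for the wrong field.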
--- a/drivers/hid/wacom_wac.h
+++ b/drivers/hid/wacom_wac.h
@@ -298,6 +298,7 @@ struct wacom_shared {
 struct hid_data {
 	__s16 inputmode;	/* InputMode HID feature, -1 if non-existent */
 	__s16 inputmode_index;	/* InputMode HID feature index in the report */
+	__s16 inputmode_field_index; /* InputMode HID feature field index in the report */
 	bool sense_state;
 	bool inrange_state;
 	bool invert_state;


* [PATCH 6.18 206/315] ASoC: qcom: q6asm-dai: close stream only when running
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 048c540ee76ded666bda74f9dae1ca3254e0633c upstream.

q6asm_dai_close() and q6asm_dai_compr_free() currently issue CMD_CLOSE
whenever prtd->state is non-zero.

After prepare() closes an existing stream, the state is updated to
Q6ASM_STREAM_STOPPED. Since this state is also non-zero, the close and
free paths can send CMD_CLOSE again for a stream that has already been
closed.

Restrict CMD_CLOSE to the Q6ASM_STREAM_RUNNING state so the command is
sent only when the ASM stream is still active.

Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -447,12 +447,12 @@ static int q6asm_dai_close(struct snd_so
 	struct q6asm_dai_rtd *prtd = runtime->private_data;
 
 	if (prtd->audio_client) {
-		if (prtd->state)
+		if (prtd->state == Q6ASM_STREAM_RUNNING) {
 			q6asm_cmd(prtd->audio_client, prtd->stream_id,
 				  CMD_CLOSE);
-
-		q6asm_unmap_memory_regions(substream->stream,
+			q6asm_unmap_memory_regions(substream->stream,
 					   prtd->audio_client);
+		}
 		q6asm_audio_client_free(prtd->audio_client);
 		prtd->audio_client = NULL;
 	}
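Review bot: q6asm_unmap_memory_regions() is now skipped unless the stream is in Q6ASM_STREAM_RUNNING, whereas before it ran whenever audio_client was non-NULL; the commit message only justifies gating CMD_CLOSE. If the regions are mapped in prepare() and the stream is later left in Q6ASM_STREAM_STOPPED without prepare() having unmapped them, this leaks the mapping, so either the message should state that the stopped state implies the regions are already unmapped, or the unmap should stay unconditional.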
@@ -669,7 +669,7 @@ static int q6asm_dai_compr_free(struct s
 	struct snd_soc_pcm_runtime *rtd = stream->private_data;
 
 	if (prtd->audio_client) {
-		if (prtd->state) {
+		if (prtd->state == Q6ASM_STREAM_RUNNING) {
 			q6asm_cmd(prtd->audio_client, prtd->stream_id,
 				  CMD_CLOSE);
 			if (prtd->next_track_stream_id) {
@@ -677,11 +677,11 @@ static int q6asm_dai_compr_free(struct s
 					  prtd->next_track_stream_id,
 					  CMD_CLOSE);
 			}
-		}
 
-		snd_dma_free_pages(&prtd->dma_buffer);
-		q6asm_unmap_memory_regions(stream->direction,
+			q6asm_unmap_memory_regions(stream->direction,
 					   prtd->audio_client);
+		}
+		snd_dma_free_pages(&prtd->dma_buffer);
 		q6asm_audio_client_free(prtd->audio_client);
 		prtd->audio_client = NULL;
 	}
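Review bot: moving snd_dma_free_pages() out of the state check is right, since the DMA buffer exists independently of the ASM stream state, but the same concern as in q6asm_dai_close() applies here: q6asm_unmap_memory_regions() is now only reached in the Q6ASM_STREAM_RUNNING case, so the message should spell out why a stream in the stopped state has no mapped regions left to release.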




* [PATCH 6.12 196/307] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, Thomas Gleixner,
	Andrew Morton, Miguel Ojeda, linux-kbuild, Arnd Bergmann,
	Joerg Roedel

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 4c9ad387aa2d6785299722e54224d34764edaeb3 upstream.

gcc-16 has gained some more advanced inter-procedural optimization
techniques that enable it to inline the dummy_tlb_add_page() and
dummy_tlb_flush() function pointers into a specialized version of
__arm_v7s_unmap:

WARNING: modpost: vmlinux: section mismatch in reference: __arm_v7s_unmap+0x2cc (section: .text) -> dummy_tlb_add_page (section: .init.text)
ERROR: modpost: Section mismatches detected.

From what I can tell, the transformation is correct, as this is only
called when __arm_v7s_unmap() is called from arm_v7s_do_selftests(),
which is also __init. Since __arm_v7s_unmap() however is not __init,
gcc cannot inline the inner function calls directly.

In debug_objects_selftest(), the same thing happens. Both the
caller and the leaf function are __init, but the IPA pulls
it into a non-init one:

WARNING: modpost: vmlinux: section mismatch in reference: lookup_object_or_alloc+0x7c (section: .text.lookup_object_or_alloc) -> is_static_object (section: .init.text)

Marking the affected functions as not "__init" would reliably avoid this
issue but is not a good solution because it removes an otherwise correct
annotation. I tried marking the functions as 'noinline', but that ended
up not covering all the affected configurations.

With some more experimenting, I found that marking these functions as
__attribute__((noipa)) is both logical and reliable.

In order to keep the syntax readable, add a custom macro for this in
include/linux/compiler_attributes.h next to other related macros and
use it to annotate both files.

Link: https://lore.kernel.org/all/abRB6g-48ZX6Yl2r@willie-the-truck/
Cc: Will Deacon <will@kernel.org>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: linux-kbuild@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iommu/io-pgtable-arm-v7s.c  |   18 ++++++++++++------
 include/linux/compiler_attributes.h |   11 +++++++++++
 lib/debugobjects.c                  |    2 +-
 3 files changed, 24 insertions(+), 7 deletions(-)

--- a/drivers/iommu/io-pgtable-arm-v7s.c
+++ b/drivers/iommu/io-pgtable-arm-v7s.c
@@ -894,21 +894,27 @@ struct io_pgtable_init_fns io_pgtable_ar
 
 static struct io_pgtable_cfg *cfg_cookie __initdata;
 
-static void __init dummy_tlb_flush_all(void *cookie)
+/*
+ * __noipa prevents gcc from turning indirect iommu_flush_ops calls
+ * into direct calls from a specialized __arm_v7s_unmap() that triggers
+ * a build time section mismatch assertion.
+ */
+static __noipa void __init dummy_tlb_flush_all(void *cookie)
 {
 	WARN_ON(cookie != cfg_cookie);
 }
 
-static void __init dummy_tlb_flush(unsigned long iova, size_t size,
-				   size_t granule, void *cookie)
+static __noipa void __init dummy_tlb_flush(unsigned long iova, size_t size,
+					   size_t granule, void *cookie)
 {
 	WARN_ON(cookie != cfg_cookie);
 	WARN_ON(!(size & cfg_cookie->pgsize_bitmap));
 }
 
-static void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
-				      unsigned long iova, size_t granule,
-				      void *cookie)
+static __noipa void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
+					      unsigned long iova,
+					      size_t granule,
+					      void *cookie)
 {
 	dummy_tlb_flush(iova, granule, granule, cookie);
 }
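Review bot: the new comment reads as if __noipa guarantees the fix, but the compiler_attributes.h hunk defines __noipa as empty on compilers without the attribute (clang), so say that the specialisation is a gcc behaviour and that clang builds are not affected; the message should also explain why dummy_tlb_flush_all() gets the annotation when only dummy_tlb_add_page() and dummy_tlb_flush() appear in the quoted modpost warning.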
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -397,6 +397,17 @@
 #endif
 
 /*
+ * Optional: not supported by clang
+ *
+ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-noipa
+ */
+#if __has_attribute(noipa)
+# define __noipa __attribute__((noipa))
+#else
+# define __noipa
+#endif
+
+/*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute
  */
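Review bot: the empty fallback means a compiler lacking `noipa` silently loses the protection; that is acceptable here because the message identifies this as a gcc-16 IPA transformation, but the comment should say so (e.g. "expands to nothing on other compilers; do not rely on it for correctness") so nobody later uses __noipa where the attribute is semantically required.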
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -1075,7 +1075,7 @@ struct self_test {
 
 static __initconst const struct debug_obj_descr descr_type_test;
 
-static bool __init is_static_object(void *addr)
+static __noipa bool __init is_static_object(void *addr)
 {
 	struct self_test *obj = addr;
 




* [PATCH 6.18 207/315] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit cee3e63e7106c3c81b2053371fdf14240bfba2fc upstream.

The q6asm-dai stream state is used by prepare() to decide whether an
existing stream setup needs to be closed before opening/configuring a new
one. Updating the state from trigger or asynchronous DSP callbacks can make
that state stale or incorrect relative to the actual setup lifetime.

In particular, setting Q6ASM_STREAM_STOPPED on STOP or EOS completion can
make prepare() believe there is no active setup to close, which can result
in opening/configuring the same stream more than once.

Keep stream state updates tied to prepare(), where the stream is actually
closed and reopened, and stop changing it from trigger and EOS callbacks.

Fixes: bfbb12dfa144 ("ASoC: qcom: q6asm-dai: perform correct state check before closing")
Cc: Stable@vger.kernel.org
Closes: https://lore.kernel.org/all/afS7rTHdc9TyIeLx@rdacayan/
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -187,7 +187,6 @@ static void event_handler(uint32_t opcod
 				   prtd->pcm_count, 0, 0, 0);
 		break;
 	case ASM_CLIENT_EVENT_CMD_EOS_DONE:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		break;
 	case ASM_CLIENT_EVENT_DATA_WRITE_DONE: {
 		prtd->pcm_irq_pos += prtd->pcm_count;
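Review bot: ASM_CLIENT_EVENT_CMD_EOS_DONE now consists of a bare `break;`, which reads like a forgotten case; add a comment such as `/* stream state is owned by prepare(), nothing to do here */` so the empty case is not "fixed" again later by re-adding the state assignment.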
@@ -334,7 +333,6 @@ static int q6asm_dai_trigger(struct snd_
 				       0, 0, 0);
 		break;
 	case SNDRV_PCM_TRIGGER_STOP:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
 				       CMD_EOS);
 		break;
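Review bot: with the assignment gone, SNDRV_PCM_TRIGGER_STOP sends CMD_EOS while prtd->state stays Q6ASM_STREAM_RUNNING, so the close path (which in this series only issues CMD_CLOSE for running streams) still tears the stream down; that interaction is the point of the change and deserves a sentence in the message or a comment here, since a reader of this hunk alone sees STOP no longer recorded anywhere.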
@@ -545,8 +543,6 @@ static void compress_event_handler(uint3
 			snd_compr_drain_notify(prtd->cstream);
 			prtd->notify_on_drain = false;
 
-		} else {
-			prtd->state = Q6ASM_STREAM_STOPPED;
 		}
 		spin_unlock_irqrestore(&prtd->lock, flags);
 		break;
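Review bot: removing the `else` branch leaves a blank context line immediately before the closing brace of the `if`; drop it so the block does not look truncated.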
@@ -1009,7 +1005,6 @@ static int q6asm_dai_compr_trigger(struc
 				       0, 0, 0);
 		break;
 	case SNDRV_PCM_TRIGGER_STOP:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
 				       CMD_EOS);
 		break;




* [PATCH 6.12 197/307] nfc: hci: fix out-of-bounds read in HCP header parsing
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Simon Horman, Ashutosh Desai,
	David Heidelberg

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ashutosh Desai <ashutoshdesai993@gmail.com>

commit f040e590c035bfd9553fe79ee9585caf1b14d67b upstream.

Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
packet->header from skb->data at function entry without first checking
that the buffer holds at least one byte. A malicious NFC peer can send
a 0-byte HCP frame that passes through the SHDLC layer and reaches
these functions, causing an out-of-bounds heap read of packet->header.
The same 0-byte frame, if queued as a non-final fragment, also causes
the reassembly loop to underflow msg_len to UINT_MAX, triggering
skb_over_panic() when the reassembled skb is written.

Fix this by adding a pskb_may_pull() check at the entry of each
function before packet->header is first accessed. The existing
pskb_may_pull() checks before the reassembled hcp_skb is cast to
struct hcp_packet remain in place to guard the 2-byte HCP message
header.

Fixes: 8b8d2e08bf0d ("NFC: HCI support")
Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/nfc/hci/core.c |   10 ++++++++++
 net/nfc/nci/hci.c  |   10 ++++++++++
 2 files changed, 20 insertions(+)

--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct
 	struct sk_buff *frag_skb;
 	int msg_len;
 
+	if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)skb->data;
 	if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&hdev->rx_hcp_frags, skb);
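Review bot: this pull is also what closes the msg_len underflow described in the message, because every skb queued on rx_hcp_frags now carries at least the one-byte packet header; a short comment above the check saying it guards both the header read and the reassembly arithmetic would tie the two together. A rate-limited debug message on the reject path would additionally make malformed frames from a peer observable in the log.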
@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct hcp_packet *)hcp_skb->data;
 	type = HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NFC_HCI_HCP_RESPONSE) {
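Review bot: the commit message says the pskb_may_pull() checks before the hcp_skb cast "remain in place", yet in this backport they are added as `+` lines (here and in the net/nfc/nci/hci.c hunk below); the stable version should carry a note that these reassembled-header checks were folded in because the 6.12 tree lacks them, and name the upstream commit they come from, so the diffstat (10 insertions per file) matches the description.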
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -439,6 +439,11 @@ void nci_hci_data_received_cb(void *cont
 		return;
 	}
 
+	if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {
+		kfree_skb(skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)skb->data;
 	if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {
 		skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
@@ -482,6 +487,11 @@ void nci_hci_data_received_cb(void *cont
 	 * unblock waiting cmd context. Otherwise, enqueue to dispatch
 	 * in separate context where handler can also execute command.
 	 */
+	if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {
+		kfree_skb(hcp_skb);
+		return;
+	}
+
 	packet = (struct nci_hcp_packet *)hcp_skb->data;
 	type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
 	if (type == NCI_HCI_HCP_RESPONSE) {




* [PATCH 6.18 208/315] xfrm: esp: restore combined single-frag length gate
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lin Ma, Chenyuan Mi, Jingguo Tan,
	Sabrina Dubroca, Steffen Klassert

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jingguo Tan <tanjingguo@huawei.com>

commit dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 upstream.

The ESP out-of-place fast path appends the trailer in esp_output_head()
before esp_output_tail() allocates the destination page frag. The
head-side gate currently checks skb->data_len and tailen separately, but
the tail code allocates a single destination frag from the combined
post-trailer skb->data_len.

Reject the page-frag fast path when the combined aligned length exceeds a
page. Otherwise skb_page_frag_refill() may fall back to a single page while
the destination sg still spans the combined skb->data_len.

Restore this combined-length page gate for both IPv4 and IPv6.

Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
Cc: stable@vger.kernel.org
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/esp4.c |    4 ++--
 net/ipv6/esp6.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -419,8 +419,8 @@ int esp_output_head(struct xfrm_state *x
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+	    PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {
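Review bot: the new condition fits on one line (`if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) > PAGE_SIZE)`), so the wrap before PAGE_SIZE is unnecessary; more importantly, a one-line comment that the sum must match the single frag allocated in esp_output_tail() would record why the two separate checks were insufficient, which is easy to lose on the next refactor. The same applies to the esp6.c hunk.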
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -448,8 +448,8 @@ int esp6_output_head(struct xfrm_state *
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+	    PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {




* [PATCH 6.12 198/307] xfrm: route MIGRATE notifications to callers netns
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Steffen Klassert

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maoyi Xie <maoyixie.tju@gmail.com>

commit 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 upstream.

xfrm_send_migrate() in net/xfrm/xfrm_user.c and pfkey_send_migrate()
in net/key/af_key.c both hardcode &init_net for the multicast that
announces a successful XFRM_MSG_MIGRATE / SADB_X_MIGRATE.

XFRM_MSG_MIGRATE arrives on a per-netns NETLINK_XFRM socket, and the
rest of the xfrm/af_key netlink path was made netns-aware in 2008.
The other 14 multicast paths in xfrm_user.c route their event using
xs_net(x), xp_net(xp) or sock_net(skb->sk); only the migrate path
was missed.

Two consequences of the init_net hardcoding:

  1. The notification (selector, old/new endpoint addresses, and the
     km_address) is delivered to listeners on init_net's
     XFRMNLGRP_MIGRATE / pfkey BROADCAST_ALL groups rather than on
     the issuing netns. An IKE daemon running in init_net therefore
     receives migration notifications originating from any other
     netns on the host.

  2. An IKE daemon running inside a non-init netns and subscribed
     to its own XFRMNLGRP_MIGRATE / pfkey groups never receives the
     notification of its own migration. IKEv2 MOBIKE / address-update
     handling inside a netns is silently broken.

Thread struct net through km_migrate() and the xfrm_mgr.migrate
function pointer, drop the &init_net override in xfrm_send_migrate()
and pfkey_send_migrate(), and pass the caller's net (already in
scope in xfrm_migrate() via sock_net(skb->sk)) all the way down.
struct xfrm_mgr is in-tree only and not exported as a stable API,
so the function-pointer signature change is internal.

pfkey_broadcast() is already netns-aware via net_generic(net,
pfkey_net_id) since the pernet conversion. The five other
pfkey_broadcast() callers in af_key.c already pass xs_net(x),
sock_net(sk) or a per-netns net, so this only removes the
&init_net outlier.

Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/xfrm.h     |    3 ++-
 net/key/af_key.c       |    6 +++---
 net/xfrm/xfrm_policy.c |    2 +-
 net/xfrm/xfrm_state.c  |    4 ++--
 net/xfrm/xfrm_user.c   |    5 ++---
 5 files changed, 10 insertions(+), 10 deletions(-)

--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -650,6 +650,7 @@ struct xfrm_mgr {
 					   const struct xfrm_migrate *m,
 					   int num_bundles,
 					   const struct xfrm_kmaddress *k,
+					   struct net *net,
 					   const struct xfrm_encap_tmpl *encap);
 	bool			(*is_alive)(const struct km_event *c);
 };
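Review bot: `struct net *net` is inserted between `k` and `encap` rather than as the first parameter, which is where most netns-aware kernel APIs put it; since every caller and implementer changes in this patch anyway, leading with `net` would read more naturally, though the chosen placement is at least consistent across km_migrate(), pfkey_send_migrate() and xfrm_send_migrate().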
@@ -1818,7 +1819,7 @@ int xfrm_sk_policy_insert(struct sock *s
 #ifdef CONFIG_XFRM_MIGRATE
 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 	       const struct xfrm_migrate *m, int num_bundles,
-	       const struct xfrm_kmaddress *k,
+	       const struct xfrm_kmaddress *k, struct net *net,
 	       const struct xfrm_encap_tmpl *encap);
 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
 						u32 if_id);
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3564,7 +3564,7 @@ static int set_ipsecrequest(struct sk_bu
 #ifdef CONFIG_NET_KEY_MIGRATE
 static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			      const struct xfrm_migrate *m, int num_bundles,
-			      const struct xfrm_kmaddress *k,
+			      const struct xfrm_kmaddress *k, struct net *net,
 			      const struct xfrm_encap_tmpl *encap)
 {
 	int i;
@@ -3669,7 +3669,7 @@ static int pfkey_send_migrate(const stru
 	}
 
 	/* broadcast migrate message to sockets */
-	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
+	pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, net);
 
 	return 0;
 
@@ -3680,7 +3680,7 @@ err:
 #else
 static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			      const struct xfrm_migrate *m, int num_bundles,
-			      const struct xfrm_kmaddress *k,
+			      const struct xfrm_kmaddress *k, struct net *net,
 			      const struct xfrm_encap_tmpl *encap)
 {
 	return -ENOPROTOOPT;
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4690,7 +4690,7 @@ int xfrm_migrate(const struct xfrm_selec
 	}
 
 	/* Stage 5 - announce */
-	km_migrate(sel, dir, type, m, num_migrate, k, encap);
+	km_migrate(sel, dir, type, m, num_migrate, k, net, encap);
 
 	xfrm_pol_put(pol);
 
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2745,7 +2745,7 @@ EXPORT_SYMBOL(km_policy_expired);
 #ifdef CONFIG_XFRM_MIGRATE
 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 	       const struct xfrm_migrate *m, int num_migrate,
-	       const struct xfrm_kmaddress *k,
+	       const struct xfrm_kmaddress *k, struct net *net,
 	       const struct xfrm_encap_tmpl *encap)
 {
 	int err = -EINVAL;
@@ -2756,7 +2756,7 @@ int km_migrate(const struct xfrm_selecto
 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
 		if (km->migrate) {
 			ret = km->migrate(sel, dir, type, m, num_migrate, k,
-					  encap);
+					  net, encap);
 			if (!ret)
 				err = ret;
 		}
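Review bot: every implementer of xfrm_mgr.migrate must now accept the extra argument; the patch updates the two in-tree providers (af_key and xfrm_user), and since this is a 6.12 backport it is worth confirming no other migrate provider exists in that tree. The `net` passed down from xfrm_migrate() is sock_net(skb->sk) and therefore never NULL, which pfkey_broadcast() relies on; a kerneldoc note on km_migrate() stating that requirement would help future callers.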
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -3183,10 +3183,9 @@ out_cancel:
 
 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			     const struct xfrm_migrate *m, int num_migrate,
-			     const struct xfrm_kmaddress *k,
+			     const struct xfrm_kmaddress *k, struct net *net,
 			     const struct xfrm_encap_tmpl *encap)
 {
-	struct net *net = &init_net;
 	struct sk_buff *skb;
 	int err;
 
@@ -3204,7 +3203,7 @@ static int xfrm_send_migrate(const struc
 #else
 static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 			     const struct xfrm_migrate *m, int num_migrate,
-			     const struct xfrm_kmaddress *k,
+			     const struct xfrm_kmaddress *k, struct net *net,
 			     const struct xfrm_encap_tmpl *encap)
 {
 	return -ENOPROTOOPT;




* [PATCH 6.18 209/315] ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Takashi Iwai

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Heng <zhangheng@kylinos.cn>

commit 20587302f8d700f26ee2c8a60ffb0a69ae0edf16 upstream.

Add quirk for ALC294 codec on ASUS ROG Strix G615LP
(SSID 1043:1214) using ALC287_FIXUP_TXNW2781_I2C_ASUS to
fix speaker output.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=221173
Cc: <stable@vger.kernel.org>
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260526013611.1954949-1-zhangheng@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/hda/codecs/realtek/alc269.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -7053,6 +7053,7 @@ static const struct hda_quirk alc269_fix
 	SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
 	HDA_CODEC_QUIRK(0x1043, 0x1204, "ASUS Strix G16 G615JMR", ALC287_FIXUP_TXNW2781_I2C_ASUS),
 	SND_PCI_QUIRK(0x1043, 0x1204, "ASUS Strix G615JHR_JMR_JPR", ALC287_FIXUP_TAS2781_I2C),
+	HDA_CODEC_QUIRK(0x1043, 0x1214, "ASUS ROG Strix G615LP", ALC287_FIXUP_TXNW2781_I2C_ASUS),
 	SND_PCI_QUIRK(0x1043, 0x1214, "ASUS Strix G615LH_LM_LP", ALC287_FIXUP_TAS2781_I2C),
 	SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x1271, "ASUS X430UN", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
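Review bot: the HDA_CODEC_QUIRK entry for 0x1214 is placed directly before the SND_PCI_QUIRK line with the same ID, matching the existing 0x1204 pair, which keeps the table consistent; since both entries share 0x1214 but select different fixups (ALC287_FIXUP_TXNW2781_I2C_ASUS vs ALC287_FIXUP_TAS2781_I2C), the message should say which match is expected to win on this machine so future triage does not have to rediscover it.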




* [PATCH 6.12 199/307] xfrm: ah: use skb_to_full_sk in async output callbacks
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 79d8be262377f7112cfa3088dfc4142d5a2533f3 upstream.

When AH output is offloaded to an asynchronous crypto provider
(hardware accelerators such as AMD CCP, or a forced-async software
shim used for testing), the digest completion fires
ah_output_done() / ah6_output_done() on a workqueue.  The egress
skb at that point may have been originated by a TCP listener
sending a SYN-ACK, which sets skb->sk to a request_sock via
skb_set_owner_edemux(); it may also have been originated by an
inet_timewait_sock retransmit.  Neither is a full struct sock, and
passing the raw skb->sk to xfrm_output_resume() then forwards a
non-full socket through the rest of the xfrm output chain.

xfrm_output_resume() and its downstream consumers expect a full
sk where they dereference at all.  The natural egress path
through ah_output_done() does not crash today because the
consumers that read past sock_common are either gated by
sk_fullsock() or short-circuit on flags that are clear on a fresh
request_sock; an exhaustive walk of the 50 most plausible
consumers under sch_fq, dev_queue_xmit, netfilter, tc-egress and
cgroup-egress BPF found no current unguarded deref.  The bug is
still a real type confusion that future consumer changes could
turn into a memory-corruption primitive.

This is the same bug class fixed for ESP in commit 1620c88887b1
("xfrm: Fix the usage of skb->sk").  Apply the analogous fix to
AH: convert skb->sk to a full socket pointer (or NULL) via
skb_to_full_sk() before handing it to xfrm_output_resume().

The same async AH callbacks were touched recently for an
independent ESN-related ICV layout bug in commit ec54093e6a8f
("xfrm: ah: account for ESN high bits in async callbacks"); the
sk type-confusion addressed here is orthogonal.  This patch is
part of an ongoing audit of the AH callback paths; an ah_output
ihl-validation hardening series is also currently under review on
netdev.

Reproduced under UML + KASAN + lockdep with a forced-async
hmac(sha1) shim that registers at priority 9999 and wraps the
sync in-tree hmac-sha1-lib.  With the shim loaded, ah_output_done
runs on every SYN-ACK egress through a transport-mode AH SA and
skb->sk arrives as a request_sock (TCP_NEW_SYN_RECV); after this
patch, xfrm_output_resume() receives the listener (the result of
sk_to_full_sk()) and consumer derefs land on full-sock fields as
intended.

Fixes: 9ab1265d5231 ("xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ah4.c |    2 +-
 net/ipv6/ah6.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -143,7 +143,7 @@ static void ah_output_done(void *data, i
 	}
 
 	kfree(AH_SKB_CB(skb)->tmp);
-	xfrm_output_resume(skb->sk, skb, err);
+	xfrm_output_resume(skb_to_full_sk(skb), skb, err);
 }
 
 static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
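Review bot: skb_to_full_sk() returns NULL when the skb carries no socket and the listener for a request_sock, so xfrm_output_resume() must already tolerate a NULL sk; the message implies it does, but a one-line comment here citing the ESP precedent (1620c88887b1) would make that contract explicit. The ah6.c hunk is the exact mirror and needs the same comment.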
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -337,7 +337,7 @@ static void ah6_output_done(void *data,
 	ah6_restore_hdrs(top_iph, iph_ext, extlen);
 
 	kfree(AH_SKB_CB(skb)->tmp);
-	xfrm_output_resume(skb->sk, skb, err);
+	xfrm_output_resume(skb_to_full_sk(skb), skb, err);
 }
 
 static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)




* [PATCH 6.18 210/315] Input: xpad - add "Nova 2 Lite" from GameSir
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 209/315] ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 211/315] Input: xpad - add support for ASUS ROG RAIKIRI II Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Qbeliw Tanaka, Dmitry Torokhov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qbeliw Tanaka <q.tanaka@gmx.com>

commit 1f6ac0f8441c48c4cc250141e1da8486c13512ba upstream.

Add support for the gamepad "Nova 2 Lite" from GameSir, compatible with
the Xbox 360 gamepad.

Signed-off-by: Qbeliw Tanaka <q.tanaka@gmx.com>
Link: https://patch.msgid.link/20260429.162040.930225048583399359.q.tanaka@gmx.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/joystick/xpad.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -425,6 +425,7 @@ static const struct xpad_device {
 	{ 0x3285, 0x0662, "Nacon Revolution5 Pro", 0, XTYPE_XBOX360 },
 	{ 0x3285, 0x0663, "Nacon Evol-X", 0, XTYPE_XBOXONE },
 	{ 0x3537, 0x1004, "GameSir T4 Kaleid", 0, XTYPE_XBOX360 },
+	{ 0x3537, 0x100f, "GameSir Nova 2 Lite", 0, XTYPE_XBOX360 },
 	{ 0x3537, 0x1010, "GameSir G7 SE", 0, XTYPE_XBOXONE },
 	{ 0x3651, 0x1000, "CRKD SG", 0, XTYPE_XBOX360 },
 	{ 0x366c, 0x0005, "ByoWave Proteus Controller", MAP_SHARE_BUTTON, XTYPE_XBOXONE, FLAG_DELAY_INIT },
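Review bot: only the xpad_device entry is added; the device can only bind if vendor 0x3537 also has a matching XPAD_XBOX360_VENDOR() line in xpad_table. The existing GameSir T4 Kaleid entry (0x3537, XTYPE_XBOX360) suggests it is already there, but the diff does not show it, so confirm before merging. PID ordering (0x1004, 0x100f, 0x1010) is kept sorted, which is good.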




* [PATCH 6.12 200/307] ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 199/307] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 201/307] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geoffrey D. Bennett <g@b4.vu>

commit db37cf47b67e38ade40de5cd74a4d4d772ff1416 upstream.

Firmware 2417 for the Scarlett 4th Gen 2i2 moved the direct monitor
gain parameter by 4 bytes, from offset 0x2a0 to 0x2a4, breaking the
"Direct Monitor X Mix Y" controls.

Special-case the offset in the get/set config helpers when the
running firmware is 2417 or later.

Fixes: 4e809a299677 ("ALSA: scarlett2: Add support for Solo, 2i2, and 4i4 Gen 4")
Cc: <stable@vger.kernel.org>
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Link: https://patch.msgid.link/ahIWTueUlWA5xiV+@m.b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer_scarlett2.c |   33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -2467,6 +2467,27 @@ static int scarlett2_has_config_item(
 	return !!private->config_set->items[config_item_num].offset;
 }
 
+/* Return the configuration item's offset, applying any per-firmware
+ * overrides.
+ *
+ * Firmware 2417 for the 2i2 Gen 4 moved DIRECT_MONITOR_GAIN by 4
+ * bytes. Apply that shift here so that the rest of the driver can
+ * keep using the single config set. This override can be removed
+ * once the multi-config-set framework lands.
+ */
+static int scarlett2_config_item_offset(
+	struct scarlett2_data *private, int config_item_num)
+{
+	int offset = private->config_set->items[config_item_num].offset;
+
+	if (config_item_num == SCARLETT2_CONFIG_DIRECT_MONITOR_GAIN &&
+	    private->info == &s2i2_gen4_info &&
+	    private->firmware_version >= 2417)
+		offset = 0x2a4;
+
+	return offset;
+}
+
 /* Send a USB message to get configuration parameters; result placed in *buf */
 static int scarlett2_usb_get_config(
 	struct usb_mixer_interface *mixer,
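Review bot: the override hard-codes 0x2a4 while the commit message describes a 4-byte shift from the table's 0x2a0; either `offset += 4` or a named constant with a comment naming the 0x2a0 base would keep the override and the table from drifting if the table entry is ever edited. Also note `private->info == &s2i2_gen4_info` is a pointer-identity test against one info struct, so any future 2i2 Gen 4 variant with its own info struct silently misses the override; a short comment saying this is deliberate would help.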
@@ -2476,6 +2497,7 @@ static int scarlett2_usb_get_config(
 	const struct scarlett2_config *config_item =
 		&private->config_set->items[config_item_num];
 	int size, err, i;
+	int item_offset;
 	u8 *buf_8;
 	u8 value;
 
@@ -2485,13 +2507,15 @@ static int scarlett2_usb_get_config(
 	if (!config_item->offset)
 		return -EFAULT;
 
+	item_offset = scarlett2_config_item_offset(private, config_item_num);
+
 	/* Writes to the parameter buffer are always 1 byte */
 	size = config_item->size ? config_item->size : 8;
 
 	/* For byte-sized parameters, retrieve directly into buf */
 	if (size >= 8) {
 		size = size / 8 * count;
-		err = scarlett2_usb_get(mixer, config_item->offset, buf, size);
+		err = scarlett2_usb_get(mixer, item_offset, buf, size);
 		if (err < 0)
 			return err;
 		if (config_item->size == 16) {
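Review bot: the `if (!config_item->offset) return -EFAULT;` presence check still tests the table offset before the override is applied, which is the right order: the override cannot make an absent item look present. The byte-sized path then reads `size / 8 * count` bytes starting at item_offset, so the whole run of elements shifts together, consistent with the `+ index * size` form in the set path below.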
@@ -2509,7 +2533,7 @@ static int scarlett2_usb_get_config(
 	}
 
 	/* For bit-sized parameters, retrieve into value */
-	err = scarlett2_usb_get(mixer, config_item->offset, &value, 1);
+	err = scarlett2_usb_get(mixer, item_offset, &value, 1);
 	if (err < 0)
 		return err;
 
@@ -2659,7 +2683,8 @@ static int scarlett2_usb_set_config(
 	 */
 	if (config_item->size >= 8) {
 		size = config_item->size / 8;
-		offset = config_item->offset + index * size;
+		offset = scarlett2_config_item_offset(private, config_item_num) +
+			 index * size;
 
 	/* If updating a bit, retrieve the old value, set/clear the
 	 * bit as needed, and update value
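Review bot: scarlett2_config_item_offset() is called here and again in the bit-sized branch below; computing it once into an `item_offset` local at the top of scarlett2_usb_set_config(), as the get path now does, would mean a future override only needs touching in one place per function.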
@@ -2668,7 +2693,7 @@ static int scarlett2_usb_set_config(
 		u8 tmp;
 
 		size = 1;
-		offset = config_item->offset;
+		offset = scarlett2_config_item_offset(private, config_item_num);
 
 		err = scarlett2_usb_get(mixer, offset, &tmp, 1);
 		if (err < 0)




* [PATCH 6.18 211/315] Input: xpad - add support for ASUS ROG RAIKIRI II
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 210/315] Input: xpad - add "Nova 2 Lite" from GameSir Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.18 212/315] ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitriy Zharov, Dmitry Torokhov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitriy Zharov <contact@zharov.dev>

commit c897cf120696b94f56ed0f3197ba9a77071a59ec upstream.

Add the VID/PIDs for the ASUS ROG RAIKIRI II controller to xpad_device
and the VID to xpad_table. The controller has a physical PC/XBOX toggle
which switches between XBOX360 and XBOXONE protocols.

Signed-off-by: Dmitriy Zharov <contact@zharov.dev>
Link: https://patch.msgid.link/20260430183522.122151-1-contact@zharov.dev
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/joystick/xpad.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -220,6 +220,10 @@ static const struct xpad_device {
 	{ 0x07ff, 0xffff, "Mad Catz GamePad", 0, XTYPE_XBOX360 },
 	{ 0x0b05, 0x1a38, "ASUS ROG RAIKIRI", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
 	{ 0x0b05, 0x1abb, "ASUS ROG RAIKIRI PRO", 0, XTYPE_XBOXONE },
+	{ 0x0b05, 0x1c91, "ASUS ROG RAIKIRI II", 0, XTYPE_XBOX360 },
+	{ 0x0b05, 0x1c92, "ASUS ROG RAIKIRI II WIRELESS", 0, XTYPE_XBOX360 },
+	{ 0x0b05, 0x1c96, "ASUS ROG RAIKIRI II XBOX", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
+	{ 0x0b05, 0x1d04, "ASUS ROG RAIKIRI II XBOX WIRELESS", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
 	{ 0x0c12, 0x0005, "Intec wireless", 0, XTYPE_XBOX },
 	{ 0x0c12, 0x8801, "Nyko Xbox Controller", 0, XTYPE_XBOX },
 	{ 0x0c12, 0x8802, "Zeroplus Xbox Controller", 0, XTYPE_XBOX },
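Review bot: the two XBOX360-mode PIDs (0x1c91, 0x1c92) carry no MAP_SHARE_BUTTON while the two XBOXONE-mode PIDs do. If that is because the 360 protocol has no share report, a brief comment would stop someone later "fixing" the asymmetry; the commit message explains the PC/XBOX toggle but not the flag difference.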
@@ -542,6 +546,7 @@ static const struct usb_device_id xpad_t
 	{ USB_DEVICE(0x0738, 0x4540) },		/* Mad Catz Beat Pad */
 	XPAD_XBOXONE_VENDOR(0x0738),		/* Mad Catz FightStick TE 2 */
 	XPAD_XBOX360_VENDOR(0x07ff),		/* Mad Catz Gamepad */
+	XPAD_XBOX360_VENDOR(0x0b05),		/* ASUS controllers */
 	XPAD_XBOXONE_VENDOR(0x0b05),		/* ASUS controllers */
 	XPAD_XBOX360_VENDOR(0x0c12),		/* Zeroplus X-Box 360 controllers */
 	XPAD_XBOX360_VENDOR(0x0db0),		/* Micro Star International X-Box 360 controllers */
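Review bot: having both XPAD_XBOX360_VENDOR(0x0b05) and XPAD_XBOXONE_VENDOR(0x0b05) relies on the two macros matching different interface class/subclass/protocol values rather than just the vendor ID; confirm that, as otherwise the first entry would win for both modes. Differentiating the two identical "ASUS controllers" comments (e.g. "360 mode" / "One mode") would make the intent obvious.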




* [PATCH 6.12 201/307] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 200/307] ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07  9:59 ` [PATCH 6.12 202/307] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hamza Mahfooz, Florian Westphal

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>

commit bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a upstream.

An unintended behavior in the TCP conntrack state machine allows a
connection to be forced into the CLOSE state using an RST packet with an
invalid sequence number.

Specifically, after a SYN packet is observed, an RST with an invalid SEQ
can transition the conntrack entry to TCP_CONNTRACK_CLOSE, regardless of
whether the RST corresponds to the expected reply direction. The relevant
code path assumes the RST is a response to an outgoing SYN, but does not
validate packet direction or ensure that a matching SYN was actually sent
in the opposite direction.

As a result, a crafted packet sequence consisting of a SYN followed by an
invalid-sequence RST can prematurely terminate an active NAT entry. This
makes connection teardown easier than intended.

So, tighten the state transition logic to ensure that RST-triggered
CLOSE transitions only occur when the RST is a valid response to a
previously observed SYN in the correct direction.

Cc: stable@vger.kernel.org
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1221,7 +1221,8 @@ int nf_conntrack_tcp_packet(struct nf_co
 			new_state = old_state;
 		}
 		if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
-			 && ct->proto.tcp.last_index == TCP_SYN_SET)
+			 && ct->proto.tcp.last_index == TCP_SYN_SET
+			 && ct->proto.tcp.last_dir != dir)
 			|| (!test_bit(IPS_ASSURED_BIT, &ct->status)
 			    && ct->proto.tcp.last_index == TCP_ACK_SET))
 		    && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
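Review bot: the direction check is added only to the SYN branch; the second branch (`!test_bit(IPS_ASSURED_BIT, ...) && last_index == TCP_ACK_SET`) still has no `last_dir` test, so before the connection is assured an ACK let through in one direction followed by an RST from the same direction with ack_seq == last_end still takes this path. The commit message scopes the fix to the SYN case, so this may be intentional, but it deserves a sentence in the message or a follow-up. The new condition also depends on `last_dir` having been recorded when `last_index` was set to TCP_SYN_SET, which is outside this hunk.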



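The predicate from the hunk above, as an added model that is not part of the patch or of the kernel: it reproduces only the visible condition, with constructed status bits, TCP_*_SET indices and a "SYN end = seq + 1" rule as assumptions, and shows that the pre-fix form lets an RST travelling in the same direction as an injected SYN take the teardown path, while the patched form requires the RST to come from the opposite direction.

```c
/*
 * Added model (not kernel code) of the RST-after-SYN teardown predicate
 * in nf_conntrack_tcp_packet().  Field names follow the hunk; the status
 * bit values, the TCP_*_SET indices and "last_end = seq + 1 for a SYN"
 * are assumptions made for this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };
enum { TCP_SYN_SET = 0, TCP_SYNACK_SET, TCP_FIN_SET, TCP_ACK_SET,
       TCP_RST_SET, TCP_NONE_SET };

#define IPS_SEEN_REPLY (1u << 1)  /* a reply-direction packet was seen */
#define IPS_ASSURED    (1u << 2)  /* both directions exchanged data   */

struct ct_tcp_model {
	uint32_t status;    /* IPS_* bits */
	int last_index;     /* flag class of the last packet let through */
	int last_dir;       /* direction that packet travelled in */
	uint32_t last_end;  /* its sequence end; a later RST must ack it */
};

/* Record an in-window SYN that conntrack let through in direction dir. */
static void model_let_syn_through(struct ct_tcp_model *ct, int dir, uint32_t seq)
{
	ct->last_index = TCP_SYN_SET;
	ct->last_dir = dir;
	ct->last_end = seq + 1;   /* a SYN occupies one sequence number */
}

/*
 * The predicate from the hunk.  It never examines the RST's own seq, only
 * its ack_seq, which is why an RST with any seq can reach it.
 * patched=false reproduces the pre-fix expression.
 */
static bool rst_forces_close(const struct ct_tcp_model *ct, int dir,
			     uint32_t ack_seq, bool patched)
{
	bool answer_to_syn = (ct->status & IPS_SEEN_REPLY) &&
			     ct->last_index == TCP_SYN_SET &&
			     (!patched || ct->last_dir != dir);
	bool answer_to_halfopen_ack = !(ct->status & IPS_ASSURED) &&
				      ct->last_index == TCP_ACK_SET;

	return (answer_to_syn || answer_to_halfopen_ack) &&
	       ack_seq == ct->last_end;
}

/* Established, assured flow used by all three scenarios below. */
static struct ct_tcp_model established_flow(void)
{
	struct ct_tcp_model ct = { .status = IPS_SEEN_REPLY | IPS_ASSURED,
				   .last_index = TCP_NONE_SET,
				   .last_dir = IP_CT_DIR_ORIGINAL,
				   .last_end = 0 };
	return ct;
}

/* Attacker injects a SYN and then an RST, both in the original direction. */
static bool same_dir_rst_closes(bool patched)
{
	struct ct_tcp_model ct = established_flow();

	model_let_syn_through(&ct, IP_CT_DIR_ORIGINAL, 1000);
	return rst_forces_close(&ct, IP_CT_DIR_ORIGINAL, 1001, patched);
}

/* Legitimate case: the peer answers the SYN with an RST that acks it. */
static bool peer_rst_closes(bool patched)
{
	struct ct_tcp_model ct = established_flow();

	model_let_syn_through(&ct, IP_CT_DIR_ORIGINAL, 1000);
	return rst_forces_close(&ct, IP_CT_DIR_REPLY, 1001, patched);
}

/* An RST whose ack_seq does not match last_end never takes this path. */
static bool wrong_ack_rst_closes(bool patched)
{
	struct ct_tcp_model ct = established_flow();

	model_let_syn_through(&ct, IP_CT_DIR_ORIGINAL, 1000);
	return rst_forces_close(&ct, IP_CT_DIR_REPLY, 5000, patched);
}

int main(void)
{
	printf("same-direction RST closes: before=%d after=%d\n",
	       same_dir_rst_closes(false), same_dir_rst_closes(true));
	printf("peer RST closes:           before=%d after=%d\n",
	       peer_rst_closes(false), peer_rst_closes(true));
	printf("wrong-ack RST closes:      before=%d after=%d\n",
	       wrong_ack_rst_closes(false), wrong_ack_rst_closes(true));
	return 0;
}
```

The model deliberately leaves the second (`TCP_ACK_SET`) branch untouched in both forms, matching the hunk, so it can also be used to reason about whether that branch needs the same direction test.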

* [PATCH 6.18 212/315] ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 211/315] Input: xpad - add support for ASUS ROG RAIKIRI II Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 213/315] misc: rp1: Send IACK on IRQ activate to fix kdump/kexec Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ali Ganiyev, Namjae Jeon,
	Steve French

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ali Ganiyev <ali.qaniyev@gmail.com>

commit 0e60dafe97eca61721f3db456f97d97a80c6c8ae upstream.

Commit d07b26f39246 ("ksmbd: require minimum ACE size in
smb_check_perm_dacl()") introduced a transposed bounds check:

    if (offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE)

Since offsetof(..sid) is 8 and CIFS_SID_BASE_SIZE is 8, this evaluates
to `aces_size < 0`. Because `aces_size` is always non-negative, this
check becomes dead code and never breaks the loop.

Worse, that commit removed the old 4-byte guard, meaning the loop now
reads `ace->size` (offset 2) even when `aces_size` is 0-3 bytes. This
re-opens a 2-byte heap out-of-bounds (OOB) read past the pntsd allocation
during subsequent SMB2_CREATE operations.

Fix this by properly transposing the comparison to require at least
16 bytes (8-byte offset + 8-byte SID base), matching the correct form
used in smb_inherit_dacl().

Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Cc: stable@vger.kernel.org
Signed-off-by: Ali Ganiyev <ali.qaniyev@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/smbacl.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1446,8 +1446,8 @@ int smb_check_perm_dacl(struct ksmbd_con
 		ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 		aces_size = acl_size - sizeof(struct smb_acl);
 		for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-			if (offsetof(struct smb_ace, sid) +
-			    aces_size < CIFS_SID_BASE_SIZE)
+			if (aces_size < offsetof(struct smb_ace, sid) +
+			    CIFS_SID_BASE_SIZE)
 				break;
 			ace_size = le16_to_cpu(ace->size);
 			if (ace_size > aces_size ||
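Review bot: the corrected `aces_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE` guard guarantees 16 bytes are left before `ace->size` at offset 2 is read, so the read is back in bounds. The lower bound of the following `ace_size > aces_size || ...` check is cut off here; assuming it is the same `offsetof + CIFS_SID_BASE_SIZE` minimum as in smb_inherit_dacl(), the two guards together ensure every step advances at least 16 bytes and `aces_size` cannot underflow. Since this expression now appears twice in this function and once in smb_inherit_dacl(), a `#define` for the minimum ACE size would make the next transposition harder to introduce.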
@@ -1470,8 +1470,8 @@ int smb_check_perm_dacl(struct ksmbd_con
 	ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 	aces_size = acl_size - sizeof(struct smb_acl);
 	for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-		if (offsetof(struct smb_ace, sid) +
-		    aces_size < CIFS_SID_BASE_SIZE)
+		if (aces_size < offsetof(struct smb_ace, sid) +
+		    CIFS_SID_BASE_SIZE)
 			break;
 		ace_size = le16_to_cpu(ace->size);
 		if (ace_size > aces_size ||
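Review bot: identical correction to the second loop. A regression test that feeds a DACL whose trailing remainder is 0 to 3 bytes with num_aces overstating the count by one would cover exactly the shape the transposed guard let through, and would catch a future swap of the operands in either loop.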



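The ACE-walk guard discussed above, as an added model that is not ksmbd code: it walks a constructed DACL body with a bounds-tracking reader instead of raw pointer dereferences, so the pre-fix guard's over-read is reported rather than performed. The ACE header layout (type, flags, 16-bit size, 32-bit access mask, then the SID at offset 8), CIFS_SID_BASE_SIZE = 8 and the per-ACE decrement of aces_size are assumptions taken from the commit message and the visible hunk.

```c
/*
 * Added model (not ksmbd code) of the smb_check_perm_dacl() ACE walk.
 * Assumed layout: type(1) flags(1) size(2) access(4) sid(...), so
 * offsetof(struct smb_ace, sid) == 8 and CIFS_SID_BASE_SIZE == 8.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACE_SID_OFFSET     8   /* offsetof(struct smb_ace, sid) */
#define SID_BASE_SIZE      8   /* CIFS_SID_BASE_SIZE */
#define ACE_SIZE_FIELD_OFF 2   /* ace->size: 2 bytes at offset 2 */
#define MIN_ACE_SIZE       (ACE_SID_OFFSET + SID_BASE_SIZE)

struct walk_result {
	unsigned parsed;     /* ACEs accepted before the loop stopped */
	size_t oob_bytes;    /* bytes of ace->size that lie past the buffer */
};

/* Pre-fix guard: 8 + aces_size < 8 never holds for a non-negative size. */
static bool guard_transposed(size_t aces_size)
{
	return ACE_SID_OFFSET + aces_size < SID_BASE_SIZE;
}

/* Fixed guard: stop unless a full minimal ACE is still available. */
static bool guard_fixed(size_t aces_size)
{
	return aces_size < MIN_ACE_SIZE;
}

static struct walk_result walk_aces(const uint8_t *aces, size_t aces_size,
				    unsigned num_aces, bool fixed)
{
	struct walk_result r = { 0, 0 };
	size_t pos = 0;

	for (unsigned i = 0; i < num_aces; i++) {
		size_t remaining = aces_size - pos;
		size_t size_field_end = pos + ACE_SIZE_FIELD_OFF + 2;

		if (fixed ? guard_fixed(remaining) : guard_transposed(remaining))
			break;

		/* The real loop dereferences ace->size here unconditionally;
		 * record how much of that 2-byte read would fall outside. */
		if (size_field_end > aces_size) {
			r.oob_bytes = size_field_end - aces_size;
			if (r.oob_bytes > 2)
				r.oob_bytes = 2;
			break;
		}

		uint16_t ace_size = (uint16_t)(aces[pos + 2] | (aces[pos + 3] << 8));
		if (ace_size > remaining || ace_size < MIN_ACE_SIZE)
			break;

		r.parsed++;
		pos += ace_size;   /* models aces_size -= ace_size; ace += ace_size */
	}
	return r;
}

/*
 * Constructed DACL body: one well-formed 20-byte ACCESS_ALLOWED ACE with a
 * 12-byte SID, followed by `tail` stray bytes (0..3), and num_aces = 2
 * overstating the count.  That is the shape the transposed guard let through.
 */
static struct walk_result walk_with_tail(size_t tail, bool fixed)
{
	uint8_t buf[20 + 3];

	memset(buf, 0, sizeof(buf));
	buf[0] = 0x00;               /* type: ACCESS_ALLOWED */
	buf[1] = 0x00;               /* flags */
	buf[2] = 20; buf[3] = 0;     /* size, little endian */
	buf[4] = 0x01;               /* access mask (low byte) */
	buf[8] = 1;                  /* SID revision */
	buf[9] = 1;                  /* one sub-authority */
	buf[15] = 5;                 /* identifier authority: NT */
	buf[16] = 18;                /* sub-authority: 18 (S-1-5-18) */
	if (tail > 3)
		tail = 3;
	return walk_aces(buf, 20 + tail, 2, fixed);
}

static size_t oob_bytes_with_tail(size_t tail, bool fixed)
{
	return walk_with_tail(tail, fixed).oob_bytes;
}

static unsigned parsed_with_tail(size_t tail, bool fixed)
{
	return walk_with_tail(tail, fixed).parsed;
}

int main(void)
{
	for (size_t tail = 0; tail <= 3; tail++)
		printf("tail=%zu  pre-fix oob=%zu  fixed oob=%zu\n", tail,
		       oob_bytes_with_tail(tail, false),
		       oob_bytes_with_tail(tail, true));
	return 0;
}
```

With a 0 to 1 byte remainder the pre-fix walk reads both bytes of the next `ace->size` past the end of the body, which is the 2-byte heap over-read the commit message describes; the fixed guard stops before the read in every case and still accepts the one valid ACE.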

* [PATCH 6.12 202/307] ASoC: qcom: q6asm-dai: close stream only when running
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 201/307] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
@ 2026-06-07  9:59 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 203/307] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07  9:59 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit 048c540ee76ded666bda74f9dae1ca3254e0633c upstream.

q6asm_dai_close() and q6asm_dai_compr_free() currently issue CMD_CLOSE
whenever prtd->state is non-zero.

After prepare() closes an existing stream, the state is updated to
Q6ASM_STREAM_STOPPED. Since this state is also non-zero, the close and
free paths can send CMD_CLOSE again for a stream that has already been
closed.

Restrict CMD_CLOSE to the Q6ASM_STREAM_RUNNING state so the command is
sent only when the ASM stream is still active.

Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -446,12 +446,12 @@ static int q6asm_dai_close(struct snd_so
 	struct q6asm_dai_rtd *prtd = runtime->private_data;
 
 	if (prtd->audio_client) {
-		if (prtd->state)
+		if (prtd->state == Q6ASM_STREAM_RUNNING) {
 			q6asm_cmd(prtd->audio_client, prtd->stream_id,
 				  CMD_CLOSE);
-
-		q6asm_unmap_memory_regions(substream->stream,
+			q6asm_unmap_memory_regions(substream->stream,
 					   prtd->audio_client);
+		}
 		q6asm_audio_client_free(prtd->audio_client);
 		prtd->audio_client = NULL;
 	}
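Review bot: q6asm_unmap_memory_regions() is now only reached when state == Q6ASM_STREAM_RUNNING, yet the commit message only justifies skipping CMD_CLOSE. If memory regions can be mapped in a state other than RUNNING (for example after hw_params/prepare but before trigger START), this hunk leaks that mapping on close; either the message should explain why the unmap is tied to RUNNING, or the unmap deserves its own condition.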
@@ -668,7 +668,7 @@ static int q6asm_dai_compr_free(struct s
 	struct snd_soc_pcm_runtime *rtd = stream->private_data;
 
 	if (prtd->audio_client) {
-		if (prtd->state) {
+		if (prtd->state == Q6ASM_STREAM_RUNNING) {
 			q6asm_cmd(prtd->audio_client, prtd->stream_id,
 				  CMD_CLOSE);
 			if (prtd->next_track_stream_id) {
@@ -676,11 +676,11 @@ static int q6asm_dai_compr_free(struct s
 					  prtd->next_track_stream_id,
 					  CMD_CLOSE);
 			}
-		}
 
-		snd_dma_free_pages(&prtd->dma_buffer);
-		q6asm_unmap_memory_regions(stream->direction,
+			q6asm_unmap_memory_regions(stream->direction,
 					   prtd->audio_client);
+		}
+		snd_dma_free_pages(&prtd->dma_buffer);
 		q6asm_audio_client_free(prtd->audio_client);
 		prtd->audio_client = NULL;
 	}
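Review bot: moving snd_dma_free_pages() out of the conditional is right, the DMA buffer exists regardless of stream state, but as in the PCM close path the unmap is now coupled to RUNNING and the same leak question applies. Minor: the continuation line under q6asm_unmap_memory_regions() kept its old indentation and no longer aligns with the opening parenthesis.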




* [PATCH 6.12 203/307] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.12 202/307] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 204/307] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
	Mark Brown

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>

commit cee3e63e7106c3c81b2053371fdf14240bfba2fc upstream.

The q6asm-dai stream state is used by prepare() to decide whether an
existing stream setup needs to be closed before opening/configuring a new
one. Updating the state from trigger or asynchronous DSP callbacks can make
that state stale or incorrect relative to the actual setup lifetime.

In particular, setting Q6ASM_STREAM_STOPPED on STOP or EOS completion can
make prepare() believe there is no active setup to close, which can result
in opening/configuring the same stream more than once.

Keep stream state updates tied to prepare(), where the stream is actually
closed and reopened, and stop changing it from trigger and EOS callbacks.

Fixes: bfbb12dfa144 ("ASoC: qcom: q6asm-dai: perform correct state check before closing")
Cc: Stable@vger.kernel.org
Closes: https://lore.kernel.org/all/afS7rTHdc9TyIeLx@rdacayan/
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/qcom/qdsp6/q6asm-dai.c |    5 -----
 1 file changed, 5 deletions(-)

--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -186,7 +186,6 @@ static void event_handler(uint32_t opcod
 				   prtd->pcm_count, 0, 0, 0);
 		break;
 	case ASM_CLIENT_EVENT_CMD_EOS_DONE:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		break;
 	case ASM_CLIENT_EVENT_DATA_WRITE_DONE: {
 		prtd->pcm_irq_pos += prtd->pcm_count;
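Review bot: with the assignment removed, `case ASM_CLIENT_EVENT_CMD_EOS_DONE:` now contains only `break;`, so either drop the case and let it reach the default path, or add a one-line comment that EOS completion intentionally leaves the state to prepare(); as written it reads like a forgotten stub.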
@@ -333,7 +332,6 @@ static int q6asm_dai_trigger(struct snd_
 				       0, 0, 0);
 		break;
 	case SNDRV_PCM_TRIGGER_STOP:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
 				       CMD_EOS);
 		break;
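Review bot: STOP now sends CMD_EOS without recording any state, and the companion patch restricts CMD_CLOSE on close() to Q6ASM_STREAM_RUNNING, so a stream stopped via EOS but still marked RUNNING will receive CMD_CLOSE on close. That is presumably the intended sequence (EOS then CLOSE), but the message should say the DSP tolerates it, since the removed assignment was what previously suppressed the CLOSE.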
@@ -544,8 +542,6 @@ static void compress_event_handler(uint3
 			snd_compr_drain_notify(prtd->cstream);
 			prtd->notify_on_drain = false;
 
-		} else {
-			prtd->state = Q6ASM_STREAM_STOPPED;
 		}
 		spin_unlock_irqrestore(&prtd->lock, flags);
 		break;
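Review bot: after dropping the `else` branch the remaining `if (...) { ... }` ends with a stray blank line before its closing brace; trim it so the block reads cleanly.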
@@ -1008,7 +1004,6 @@ static int q6asm_dai_compr_trigger(struc
 				       0, 0, 0);
 		break;
 	case SNDRV_PCM_TRIGGER_STOP:
-		prtd->state = Q6ASM_STREAM_STOPPED;
 		ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
 				       CMD_EOS);
 		break;




* [PATCH 6.18 213/315] misc: rp1: Send IACK on IRQ activate to fix kdump/kexec
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2026-06-07  9:59 ` [PATCH 6.18 212/315] ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 214/315] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xiaolei Wang

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xiaolei Wang <xiaolei.wang@windriver.com>

commit 36770417153644bc88281c7284730ef1d14d8d3c upstream.

After a kexec/kdump reboot, the macb Ethernet controller fails to
receive any packets, causing DHCP to hang indefinitely and the network
interface to be unusable despite link being up.

The root cause is that RP1's level-triggered MSI-X interrupt sources
(such as macb on hwirq 6) may have their internal state machines stuck
in the "waiting for IACK" state. This happens because the previous
kernel crashed before sending the acknowledgment for a pending level
interrupt.

In this stuck state, RP1 will not generate new MSI-X writes even though
the interrupt source remains asserted. Since no new MSI-X is sent, the
GIC never sees a new edge, the chained IRQ handler is never invoked,
and the interrupt is permanently lost.

Fix this by sending MSIX_CFG_IACK in rp1_irq_activate(). This
unconditionally resets the MSI-X state machine back to idle when a
child device requests its interrupt. If the interrupt source is still
asserted, RP1 will immediately issue a new MSI-X with the freshly
configured msg_addr/msg_data, and normal interrupt delivery resumes.

Writing IACK when the state machine is already idle (i.e., on a normal
cold boot) is harmless — it has no effect.

Fixes: 49d63971f963 ("misc: rp1: RaspberryPi RP1 misc driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Link: https://patch.msgid.link/20260518073405.2115003-1-xiaolei.wang@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/rp1/rp1_pci.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/misc/rp1/rp1_pci.c
+++ b/drivers/misc/rp1/rp1_pci.c
@@ -148,6 +148,7 @@ static int rp1_irq_activate(struct irq_d
 	struct rp1_dev *rp1 = d->host_data;
 
 	msix_cfg_set(rp1, (unsigned int)irqd->hwirq, MSIX_CFG_ENABLE);
+	msix_cfg_set(rp1, (unsigned int)irqd->hwirq, MSIX_CFG_IACK);
 
 	return 0;
 }
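Review bot: a one-line comment at the MSIX_CFG_IACK write explaining the kexec/kdump rationale would keep a future reader from removing it as redundant on a cold boot, since the commit message is the only place that explains it. The ordering (ENABLE, then IACK) is the right one: if the state machine is stuck waiting for IACK, the ack after enable is what releases the pending MSI-X with the freshly programmed message.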




* [PATCH 6.18 214/315] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 213/315] misc: rp1: Send IACK on IRQ activate to fix kdump/kexec Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 215/315] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Dmitry Torokhov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit baa0210fb6a9dc3882509a9411b6d284d88fe30e upstream.

When a configuration file provides an object size that is larger than the
driver's known mxt_obj_size(object), the driver intends to discard the
extra bytes.

The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
condition to skip processing extra bytes is:

    if (i > mxt_obj_size(object))
        continue;

Since i is a 0-based index, the valid indices for the object are 0 through
mxt_obj_size(object) - 1.

When i == mxt_obj_size(object), the condition evaluates to false, and the
code processes the byte instead of discarding it.

This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
and writes the byte there, overwriting exactly one byte of the adjacent
instance or object.

Update the boundary check to skip extra bytes correctly by using >=.

Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -1477,7 +1477,7 @@ static int mxt_prepare_cfg_mem(struct mx
 			}
 			cfg->raw_pos += offset;
 
-			if (i > mxt_obj_size(object))
+			if (i >= mxt_obj_size(object))
 				continue;
 
 			byte_offset = reg + i - cfg->start_ofs;
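Review bot: with `>=` the accepted indices are 0..mxt_obj_size(object)-1, matching the 0-based `i`. The extra bytes are still consumed from the config stream (`cfg->raw_pos += offset` runs before the check), which is the intended discard; a dev_warn() when extra bytes are dropped would make an over-sized config object visible rather than silently truncated.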




* [PATCH 6.12 204/307] xfrm: esp: restore combined single-frag length gate
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 203/307] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 205/307] Input: xpad - add "Nova 2 Lite" from GameSir Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lin Ma, Chenyuan Mi, Jingguo Tan,
	Sabrina Dubroca, Steffen Klassert

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jingguo Tan <tanjingguo@huawei.com>

commit dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 upstream.

The ESP out-of-place fast path appends the trailer in esp_output_head()
before esp_output_tail() allocates the destination page frag. The
head-side gate currently checks skb->data_len and tailen separately, but
the tail code allocates a single destination frag from the combined
post-trailer skb->data_len.

Reject the page-frag fast path when the combined aligned length exceeds a
page. Otherwise skb_page_frag_refill() may fall back to a single page while
the destination sg still spans the combined skb->data_len.

Restore this combined-length page gate for both IPv4 and IPv6.

Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
Cc: stable@vger.kernel.org
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/esp4.c |    4 ++--
 net/ipv6/esp6.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -419,8 +419,8 @@ int esp_output_head(struct xfrm_state *x
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+	    PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {
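Review bot: the combined gate `ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) > PAGE_SIZE` is strictly stronger than either of the two separate checks it replaces (PAGE_SIZE is a multiple of L1_CACHE_BYTES, so if either operand alone exceeded a page the sum does too), so this can only send more packets down the cow path; no regression risk on that side. With esp6 carrying the identical expression, a shared inline helper in the xfrm headers would stop the two gates from drifting apart again.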
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -448,8 +448,8 @@ int esp6_output_head(struct xfrm_state *
 			return err;
 	}
 
-	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
-	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+	if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+	    PAGE_SIZE)
 		goto cow;
 
 	if (!skb_cloned(skb)) {




* [PATCH 6.18 215/315] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 214/315] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 216/315] gpib: cb7210: Fix region leak when request_irq fails Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolás Bazaes, Dmitry Torokhov

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolás Bazaes <contacto@bazaes.cl>

commit 16ca52bc209fa4bf9239cd9e5643e95533476b58 upstream.

The Lenovo ThinkPad E490 (PNP ID: LEN2058) has a Synaptics TM3471-020
touchpad that supports SMBus/RMI4 mode but is not listed in
smbus_pnp_ids[]. Without this entry, RMI4 over SMBus is not enabled
by default, and the touchpad falls back to PS/2 mode.

Adding LEN2058 to the passlist enables automatic RMI4 detection without
requiring the psmouse.synaptics_intertouch parameter, and matches
the behavior of similar ThinkPad models already in the list
(E480/LEN2054, E580/LEN2055).

Tested on ThinkPad E490 with kernel 7.0.5-zen1 and Arch Linux.
RMI4 over SMBus is confirmed working without any kernel parameters.

Signed-off-by: Nicolás Bazaes <contacto@bazaes.cl>
Assisted-by: Claude:claude-sonnet-4-6
Link: https://patch.msgid.link/20260514013552.14234-1-contacto@bazaes.cl
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/mouse/synaptics.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -190,6 +190,7 @@ static const char * const smbus_pnp_ids[
 	"LEN2044", /* L470  */
 	"LEN2054", /* E480 */
 	"LEN2055", /* E580 */
+	"LEN2058", /* E490 */
 	"LEN2068", /* T14 Gen 1 */
 	"SYN1221", /* TUXEDO InfinityBook Pro 14 v5 */
 	"SYN3003", /* HP EliteBook 850 G1 */




* [PATCH 6.12 205/307] Input: xpad - add "Nova 2 Lite" from GameSir
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 204/307] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 206/307] Input: xpad - add support for ASUS ROG RAIKIRI II Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Qbeliw Tanaka, Dmitry Torokhov

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qbeliw Tanaka <q.tanaka@gmx.com>

commit 1f6ac0f8441c48c4cc250141e1da8486c13512ba upstream.

Add support for the gamepad "Nova 2 Lite" from GameSir, compatible with
the Xbox 360 gamepad.

Signed-off-by: Qbeliw Tanaka <q.tanaka@gmx.com>
Link: https://patch.msgid.link/20260429.162040.930225048583399359.q.tanaka@gmx.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/joystick/xpad.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -415,6 +415,7 @@ static const struct xpad_device {
 	{ 0x3285, 0x0662, "Nacon Revolution5 Pro", 0, XTYPE_XBOX360 },
 	{ 0x3285, 0x0663, "Nacon Evol-X", 0, XTYPE_XBOXONE },
 	{ 0x3537, 0x1004, "GameSir T4 Kaleid", 0, XTYPE_XBOX360 },
+	{ 0x3537, 0x100f, "GameSir Nova 2 Lite", 0, XTYPE_XBOX360 },
 	{ 0x3537, 0x1010, "GameSir G7 SE", 0, XTYPE_XBOXONE },
 	{ 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX },
 	{ 0x413d, 0x2104, "Black Shark Green Ghost Gamepad", 0, XTYPE_XBOX360 },




* [PATCH 6.18 216/315] gpib: cb7210: Fix region leak when request_irq fails
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 215/315] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 217/315] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hongling Zeng, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongling Zeng <zenghongling@kylinos.cn>

commit 2eae90a457baa0048a96ed38ad93090ee38c8b2f upstream.

When request_irq() fails, the region allocated by request_region()
is not released. Fix this by adding an error handling path with
proper goto labels to release the region.

Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver")
Closes: https://lore.kernel.org/oe-kbuild-all/202605160620.ReBOadPX-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260518022939.16881-1-zenghongling@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/gpib/cb7210/cb7210.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/staging/gpib/cb7210/cb7210.c
+++ b/drivers/staging/gpib/cb7210/cb7210.c
@@ -1048,7 +1048,8 @@ static int cb_isa_attach(struct gpib_boa
 	if (!request_region(config->ibbase, cb7210_iosize, DRV_NAME)) {
 		dev_err(board->gpib_dev, "ioports starting at 0x%x are already in use\n",
 			config->ibbase);
-		return -EBUSY;
+		retval = -EBUSY;
+		goto err_release_region;
 	}
 	nec_priv->iobase = config->ibbase;
 	cb_priv->fifo_iobase = nec7210_iobase(cb_priv);
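Review bot: the request_region() failure path now jumps to `err_release_region`, which calls release_region() on an I/O range this driver never acquired; `nec_priv->iobase` has not been assigned yet at that point either, so the range handed to release_region() is whatever nec7210_iobase(cb_priv) happens to evaluate to. Releasing a region that belongs to another driver is worse than the leak being fixed: this path should stay `return -EBUSY;`, or the label must be placed so that only the request_irq() failure reaches the release.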
@@ -1061,11 +1062,16 @@ static int cb_isa_attach(struct gpib_boa
 	// install interrupt handler
 	if (request_irq(config->ibirq, cb7210_interrupt, isr_flags, DRV_NAME, board)) {
 		dev_err(board->gpib_dev, "failed to obtain IRQ %d\n", config->ibirq);
-		return -EBUSY;
+		retval = -EBUSY;
+		goto err_release_region;
 	}
 	cb_priv->irq = config->ibirq;
 
 	return cb7210_init(cb_priv, board);
+
+err_release_region:
+	release_region(nec7210_iobase(cb_priv), cb7210_iosize);
+	return retval;
 }
 
 static void cb_isa_detach(struct gpib_board *board)
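Review bot: the request_irq() failure path is right, but `return cb7210_init(cb_priv, board);` still leaks both the IRQ and the region when cb7210_init() fails; since an error ladder is being introduced anyway, storing the result, adding an `err_free_irq:` label above `err_release_region:` and unwinding on a negative return would finish the job. Also confirm `retval` is declared earlier in cb_isa_attach(), as its declaration is not visible in this hunk.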




* [PATCH 6.12 206/307] Input: xpad - add support for ASUS ROG RAIKIRI II
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 205/307] Input: xpad - add "Nova 2 Lite" from GameSir Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 207/307] ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitriy Zharov, Dmitry Torokhov

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitriy Zharov <contact@zharov.dev>

commit c897cf120696b94f56ed0f3197ba9a77071a59ec upstream.

Add the VID/PIDs for the ASUS ROG RAIKIRI II controller to xpad_device
and the VID to xpad_table. The controller has a physical PC/XBOX toggle
which switches between XBOX360 and XBOXONE protocols.

Signed-off-by: Dmitriy Zharov <contact@zharov.dev>
Link: https://patch.msgid.link/20260430183522.122151-1-contact@zharov.dev
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/joystick/xpad.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -215,6 +215,10 @@ static const struct xpad_device {
 	{ 0x07ff, 0xffff, "Mad Catz GamePad", 0, XTYPE_XBOX360 },
 	{ 0x0b05, 0x1a38, "ASUS ROG RAIKIRI", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
 	{ 0x0b05, 0x1abb, "ASUS ROG RAIKIRI PRO", 0, XTYPE_XBOXONE },
+	{ 0x0b05, 0x1c91, "ASUS ROG RAIKIRI II", 0, XTYPE_XBOX360 },
+	{ 0x0b05, 0x1c92, "ASUS ROG RAIKIRI II WIRELESS", 0, XTYPE_XBOX360 },
+	{ 0x0b05, 0x1c96, "ASUS ROG RAIKIRI II XBOX", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
+	{ 0x0b05, 0x1d04, "ASUS ROG RAIKIRI II XBOX WIRELESS", MAP_SHARE_BUTTON, XTYPE_XBOXONE },
 	{ 0x0c12, 0x0005, "Intec wireless", 0, XTYPE_XBOX },
 	{ 0x0c12, 0x8801, "Nyko Xbox Controller", 0, XTYPE_XBOX },
 	{ 0x0c12, 0x8802, "Zeroplus Xbox Controller", 0, XTYPE_XBOX },
@@ -528,6 +532,7 @@ static const struct usb_device_id xpad_t
 	{ USB_DEVICE(0x0738, 0x4540) },		/* Mad Catz Beat Pad */
 	XPAD_XBOXONE_VENDOR(0x0738),		/* Mad Catz FightStick TE 2 */
 	XPAD_XBOX360_VENDOR(0x07ff),		/* Mad Catz Gamepad */
+	XPAD_XBOX360_VENDOR(0x0b05),		/* ASUS controllers */
 	XPAD_XBOXONE_VENDOR(0x0b05),		/* ASUS controllers */
 	XPAD_XBOX360_VENDOR(0x0c12),		/* Zeroplus X-Box 360 controllers */
 	XPAD_XBOX360_VENDOR(0x0db0),		/* Micro Star International X-Box 360 controllers */
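Review bot: this line is what makes the first hunk usable: the table previously matched vendor 0x0b05 only through `XPAD_XBOXONE_VENDOR(0x0b05)`, so the two new `XTYPE_XBOX360` PIDs (0x1c91, 0x1c92) would never have been probed without an Xbox 360 vendor entry. Since the commit message explains that a physical toggle switches protocol, consider making the two comments distinguish the lines (e.g. "ASUS controllers (PC mode)" / "(Xbox mode)") instead of repeating "ASUS controllers".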




* [PATCH 6.18 217/315] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 216/315] gpib: cb7210: Fix region leak when request_irq fails Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00   ` [PATCH 6.12 214/307] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 542f5248cb481073203e0dadab5bcbd28aeae308 upstream.

Commit 783ddaebd397 ("staging: comedi: comedi_test: support
scan_begin_src == TRIG_FOLLOW") neglected to add a test that
`scan_begin_src` has only one bit set.  The allowed values are
`TRIG_FOLLOW` and `TRIG_TIMER`, but the code incorrectly also allows
`TRIG_FOLLOW | TRIG_TIMER`.  Add a call to
`comedi_check_trigger_is_unique()` to check that only one trigger source
bit is set.

Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422162138.36003-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/comedi/drivers/comedi_test.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -274,6 +274,7 @@ static int waveform_ai_cmdtest(struct co
 	/* Step 2a : make sure trigger sources are unique */
 
 	err |= comedi_check_trigger_is_unique(cmd->convert_src);
+	err |= comedi_check_trigger_is_unique(cmd->scan_begin_src);
 	err |= comedi_check_trigger_is_unique(cmd->stop_src);
 
 	/* Step 2b : and mutually compatible */
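Review bot: the added uniqueness check is in the right place, but it only rejects multi-bit values; it relies on a step-1 `comedi_check_trigger_src(&cmd->scan_begin_src, TRIG_FOLLOW | TRIG_TIMER)` having already masked the field, which is outside this hunk, so it is worth confirming that mask is present so an unsupported source bit is rejected in step 1 rather than passing here as a single bit.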




* [PATCH 6.12 207/307] ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 206/307] Input: xpad - add support for ASUS ROG RAIKIRI II Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 208/307] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ali Ganiyev, Namjae Jeon,
	Steve French

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ali Ganiyev <ali.qaniyev@gmail.com>

commit 0e60dafe97eca61721f3db456f97d97a80c6c8ae upstream.

Commit d07b26f39246 ("ksmbd: require minimum ACE size in
smb_check_perm_dacl()") introduced a transposed bounds check:

    if (offsetof(struct smb_ace, sid) + aces_size < CIFS_SID_BASE_SIZE)

Since offsetof(..sid) is 8 and CIFS_SID_BASE_SIZE is 8, this evaluates
to `aces_size < 0`. Because `aces_size` is always non-negative, this
check becomes dead code and never breaks the loop.

Worse, that commit removed the old 4-byte guard, meaning the loop now
reads `ace->size` (offset 2) even when `aces_size` is 0-3 bytes. This
re-opens a 2-byte heap out-of-bounds (OOB) read past the pntsd allocation
during subsequent SMB2_CREATE operations.

Fix this by properly transposing the comparison to require at least
16 bytes (8-byte offset + 8-byte SID base), matching the correct form
used in smb_inherit_dacl().

Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Cc: stable@vger.kernel.org
Signed-off-by: Ali Ganiyev <ali.qaniyev@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/smb/server/smbacl.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1446,8 +1446,8 @@ int smb_check_perm_dacl(struct ksmbd_con
 		ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 		aces_size = acl_size - sizeof(struct smb_acl);
 		for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-			if (offsetof(struct smb_ace, sid) +
-			    aces_size < CIFS_SID_BASE_SIZE)
+			if (aces_size < offsetof(struct smb_ace, sid) +
+			    CIFS_SID_BASE_SIZE)
 				break;
 			ace_size = le16_to_cpu(ace->size);
 			if (ace_size > aces_size ||
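Review bot: with the operands transposed the loop now refuses to read `ace->size` unless at least 16 bytes remain, which is the intended guard; note that this only holds if `aces_size` can never go negative, so the later decrement by `ace_size` (off-hunk) must stay behind the visible `ace_size > aces_size` check as it is here. A short comment on the `if` ("header plus minimum SID must lie inside the DACL") would keep the next person from "simplifying" it back to the transposed form.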
@@ -1470,8 +1470,8 @@ int smb_check_perm_dacl(struct ksmbd_con
 	ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
 	aces_size = acl_size - sizeof(struct smb_acl);
 	for (i = 0; i < le16_to_cpu(pdacl->num_aces); i++) {
-		if (offsetof(struct smb_ace, sid) +
-		    aces_size < CIFS_SID_BASE_SIZE)
+		if (aces_size < offsetof(struct smb_ace, sid) +
+		    CIFS_SID_BASE_SIZE)
 			break;
 		ace_size = le16_to_cpu(ace->size);
 		if (ace_size > aces_size ||
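Review bot: this is the second identical copy of the same ACE-walk prologue inside one function, and the transposed comparison crept into both; factoring the `aces_size` / `ace_size` validation into a small static helper (which smb_inherit_dacl() could share, per the commit message) would leave one check to get right instead of three.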




* [PATCH 6.18 218/315] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
@ 2026-06-07 10:00   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 8a3bee801d420be8a7a0bae4a26547b353b8fe22 upstream.

The function checks and possibly modifies the description of an
asynchronous command to be run on the analog input subdevice of a comedi
device attached to the "comedi_test" driver, returning 0 if no
modifications were required, or a positive value that indicates which
step of the checking process it failed on.  Step 4 fixes up various
argument values for various trigger sources.

There are two bugs in the fixing up of the `convert_arg` value to keep
the `scan_begin_arg` value within the range of `unsigned int` when
`scan_begin_src` and `convert_src` both have the value `TRIG_TIMER`,
which indicates that the corresponding `_arg` values hold a time period
in nanoseconds.  The code also uses `scan_end_arg` which holds the number
of "conversions" within each "scan".  The goal is to end up with the
scan period being less than or equal to the convert period multiplied by
the number of conversions per scan.  It intends to do that by clamping
the `convert_arg` value to a maximum value of `UINT_MAX / scan_end_arg`
rounded down to a multiple of 1000 (`NSEC_PER_USEC`).

(The rounding from nanoseconds to microseconds is because the driver is
modelling a device that uses a 1 MHz clock for timing.  This is partly
because that is a more typical timing base for real hardware devices
driven by comedi, and partly because the driver used to use `struct
timeval` internally.)

The first bug is that the code checks if `scan_begin_arg == TRIG_TIMER`
when it should be checking if `scan_begin_src == TRIG_TIMER`.  The
bugged check will always fail because if `scan_begin_src == TRIG_TIMER`,
then `scan_begin_arg` will be at least 1000 (`NSEC_PER_USEC`), otherwise
`scan_begin_src == TRIG_FOLLOW` and `scan_begin_arg` will be 0.  (N.B.
`TRIG_TIMER` is defined as `0x10`.)  The second bug is that it is rounding
the maximum value down to a multiple of 1000000000 (`NSEC_PER_SEC`)
instead of 1000 (`NSEC_PER_USEC`), however this bug is not reached due
to the first bug.  This patch fixes both bugs.

Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Fixes: 5afdcad2f818 ("staging: comedi: comedi_test: limit maximum convert_arg")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422144637.27692-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/comedi/drivers/comedi_test.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -325,10 +325,10 @@ static int waveform_ai_cmdtest(struct co
 		arg = min(arg,
 			  rounddown(UINT_MAX, (unsigned int)NSEC_PER_USEC));
 		arg = NSEC_PER_USEC * DIV_ROUND_CLOSEST(arg, NSEC_PER_USEC);
-		if (cmd->scan_begin_arg == TRIG_TIMER) {
+		if (cmd->scan_begin_src == TRIG_TIMER) {
 			/* limit convert_arg to keep scan_begin_arg in range */
 			limit = UINT_MAX / cmd->scan_end_arg;
-			limit = rounddown(limit, (unsigned int)NSEC_PER_SEC);
+			limit = rounddown(limit, (unsigned int)NSEC_PER_USEC);
 			arg = min(arg, limit);
 		}
 		err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
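Review bot: both fixes are correct, but `limit = UINT_MAX / cmd->scan_end_arg;` divides by a user-supplied value and the hunk shows no step forcing `scan_end_arg >= 1`; confirm an earlier `comedi_check_trigger_arg_min(&cmd->scan_end_arg, 1)` (or equivalent) exists, because with the first bug fixed this branch is now actually reached. A brief comment that `TRIG_TIMER` is a source flag and not an argument value would document why the old comparison could never be true.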




* [PATCH 6.12 208/307] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 207/307] ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 209/307] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Dmitry Torokhov

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit baa0210fb6a9dc3882509a9411b6d284d88fe30e upstream.

When a configuration file provides an object size that is larger than the
driver's known mxt_obj_size(object), the driver intends to discard the
extra bytes.

The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
condition to skip processing extra bytes is:

    if (i > mxt_obj_size(object))
        continue;

Since i is a 0-based index, the valid indices for the object are 0 through
mxt_obj_size(object) - 1.

When i == mxt_obj_size(object), the condition evaluates to false, and the
code processes the byte instead of discarding it.

This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
and write the byte there, overwriting exactly one byte of the adjacent
instance or object.

Update the boundary check to skip extra bytes correctly by using >=.

Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -1476,7 +1476,7 @@ static int mxt_prepare_cfg_mem(struct mx
 			}
 			cfg->raw_pos += offset;
 
-			if (i > mxt_obj_size(object))
+			if (i >= mxt_obj_size(object))
 				continue;
 
 			byte_offset = reg + i - cfg->start_ofs;
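Review bot: the `>=` fix is right, and it matters that `cfg->raw_pos += offset;` sits above the `continue`: the surplus bytes are still consumed from the config stream and only their write is skipped, which is the discard semantics the commit message describes. A one-line comment above the check ("bytes beyond the object's size are consumed but not written") would make that ordering deliberate rather than incidental.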




* [PATCH 6.18 219/315] counter: Fix refcount leak in counter_alloc() error path
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2026-06-07 10:00   ` [PATCH 6.12 214/307] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 220/315] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, William Breathitt Gray

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit d9eeb0ea0d2de658663bfaa9c26eccdd8fd64440 upstream.

After device_initialize(), the lifetime of the embedded struct device
is expected to be managed through the device core reference counting.

In counter_alloc(), if dev_set_name() fails after device_initialize(),
the error path removes the chrdev, frees the ID, and frees the backing
allocation directly instead of releasing the device reference with
put_device(). This bypasses the normal device lifetime rules and may
leave the reference count of the embedded struct device unbalanced,
resulting in a refcount leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by using put_device() in the dev_set_name() failure path and
let counter_device_release() handle the final cleanup.

Fixes: 4da08477ea1f ("counter: Set counter device name")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://lore.kernel.org/r/20260413134604.2861772-1-lgs201920130244@gmail.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/counter/counter-core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/counter/counter-core.c
+++ b/drivers/counter/counter-core.c
@@ -124,7 +124,8 @@ struct counter_device *counter_alloc(siz
 
 err_dev_set_name:
 
-	counter_chrdev_remove(counter);
+	put_device(dev);
+	return NULL;
 err_chrdev_add:
 
 	ida_free(&counter_ida, dev->id);
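Review bot: `return NULL;` after `put_device(dev);` cuts the fall-through into `err_chrdev_add:`, so the chrdev removal and the `ida_free()` for this path must now both happen in counter_device_release(); confirm that release callback does both, otherwise the id leaks in place of the refcount. The blank line directly after the `err_dev_set_name:` label is also unusual for kernel style and could go while these lines are being touched.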




* [PATCH 6.12 209/307] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 208/307] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 210/307] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolás Bazaes, Dmitry Torokhov

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicolás Bazaes <contacto@bazaes.cl>

commit 16ca52bc209fa4bf9239cd9e5643e95533476b58 upstream.

The Lenovo ThinkPad E490 (PNP ID: LEN2058) has a Synaptics TM3471-020
touchpad that supports SMBus/RMI4 mode but is not listed in
smbus_pnp_ids[]. Without this entry, RMI4 over SMBus is not enabled
by default, and the touchpad falls back to PS/2 mode.

Adding LEN2058 to the passlist enables automatic RMI4 detection without
requiring the psmouse.synaptics_intertouch parameter, and matches
the behavior of similar ThinkPad models already in the list
(E480/LEN2054, E580/LEN2055).

Tested on ThinkPad E490 with kernel 7.0.5-zen1 and Arch Linux.
RMI4 over SMBus is confirmed working without any kernel parameters.

Signed-off-by: Nicolás Bazaes <contacto@bazaes.cl>
Assisted-by: Claude:claude-sonnet-4-6
Link: https://patch.msgid.link/20260514013552.14234-1-contacto@bazaes.cl
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/input/mouse/synaptics.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -189,6 +189,7 @@ static const char * const smbus_pnp_ids[
 	"LEN2044", /* L470  */
 	"LEN2054", /* E480 */
 	"LEN2055", /* E580 */
+	"LEN2058", /* E490 */
 	"LEN2068", /* T14 Gen 1 */
 	"SYN1221", /* TUXEDO InfinityBook Pro 14 v5 */
 	"SYN3003", /* HP EliteBook 850 G1 */




* [PATCH 6.18 220/315] tty: serial: pch_uart: add check for dma_alloc_coherent()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 219/315] counter: Fix refcount leak in counter_alloc() error path Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 221/315] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zhaoyang Yu, Andy Shevchenko

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhaoyang Yu <2426767509@qq.com>

commit 6fe472c1bbbe238e91141f7cabc1226e96a60d43 upstream.

Add a check for dma_alloc_coherent() failure to prevent a potential
NULL pointer dereference in dma_handle_rx(). Properly release DMA
channels and the PCI device reference using a goto ladder if the
allocation fails.

Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Zhaoyang Yu <2426767509@qq.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/tencent_E328416B7CFD436F6029F2DF02AD7ED89C08@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/pch_uart.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -689,8 +689,7 @@ static void pch_request_dma(struct uart_
 	if (!chan) {
 		dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
 			__func__);
-		pci_dev_put(dma_dev);
-		return;
+		goto err_pci_get;
 	}
 	priv->chan_tx = chan;
 
@@ -704,18 +703,26 @@ static void pch_request_dma(struct uart_
 	if (!chan) {
 		dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Rx)\n",
 			__func__);
-		dma_release_channel(priv->chan_tx);
-		priv->chan_tx = NULL;
-		pci_dev_put(dma_dev);
-		return;
+		goto err_req_tx;
 	}
 
 	/* Get Consistent memory for DMA */
 	priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
 				    &priv->rx_buf_dma, GFP_KERNEL);
+	if (!priv->rx_buf_virt)
+		goto err_req_rx;
 	priv->chan_rx = chan;
 
 	pci_dev_put(dma_dev);
+	return;
+
+err_req_rx:
+	dma_release_channel(chan);
+err_req_tx:
+	dma_release_channel(priv->chan_tx);
+	priv->chan_tx = NULL;
+err_pci_get:
+	pci_dev_put(dma_dev);
 }
 
 static void pch_dma_rx_complete(void *arg)




* [PATCH 6.12 210/307] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 209/307] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 211/307] comedi: comedi_test: Fix limiting of convert_arg " Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 542f5248cb481073203e0dadab5bcbd28aeae308 upstream.

Commit 783ddaebd397 ("staging: comedi: comedi_test: support
scan_begin_src == TRIG_FOLLOW") neglected to add a test that
`scan_begin_src` has only one bit set.  The allowed values are
`TRIG_FOLLOW` and `TRIG_TIMER`, but the code incorrectly also allows
`TRIG_FOLLOW | TRIG_TIMER`.  Add a call to
`comedi_check_trigger_is_unique()` to check that only one trigger source
bit is set.

Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422162138.36003-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/comedi/drivers/comedi_test.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -273,6 +273,7 @@ static int waveform_ai_cmdtest(struct co
 	/* Step 2a : make sure trigger sources are unique */
 
 	err |= comedi_check_trigger_is_unique(cmd->convert_src);
+	err |= comedi_check_trigger_is_unique(cmd->scan_begin_src);
 	err |= comedi_check_trigger_is_unique(cmd->stop_src);
 
 	/* Step 2b : and mutually compatible */




* [PATCH 6.18 221/315] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 220/315] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 222/315] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, John Ogness, Tudor Ambarus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

commit a3bb136bff5e6a5e48cdd813246c9c4686feaaa9 upstream.

Sashiko identified a deadlock when the console flow is engaged [1].

When console flow control is enabled (UPF_CONS_FLOW),
s3c24xx_serial_stop_tx() calls s3c24xx_serial_rx_enable() and
s3c24xx_serial_start_tx() calls s3c24xx_serial_rx_disable().

The serial core framework invokes the .stop_tx() and .start_tx()
callbacks with the port->lock spinlock already held. Furthermore, all
internal driver paths that invoke stop_tx (such as the DMA TX
completion handler s3c24xx_serial_tx_dma_complete() or the PIO TX IRQ
handler s3c24xx_serial_tx_irq()) also acquire port->lock prior to
calling it. (Note that s3c24xx_serial_start_tx() is only invoked by the
serial core).

However, s3c24xx_serial_rx_enable() and s3c24xx_serial_rx_disable()
unconditionally attempt to acquire port->lock again using
uart_port_lock_irqsave(). Since spinlocks are not recursive, this
causes a deadlock on the same CPU when console flow control is engaged.

Remove the redundant lock acquisition from both rx helper functions.

Cc: stable <stable@kernel.org>
Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
Reported-by: John Ogness <john.ogness@linutronix.de>
Closes: https://sashiko.dev/#/patchset/20260506121606.5805-1-john.ogness%40linutronix.de [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://patch.msgid.link/20260515-samsung-tty-flow-control-deadlock-v1-1-93255edbc9bc@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/samsung_tty.c |    8 --------
 1 file changed, 8 deletions(-)

--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -245,12 +245,9 @@ static bool s3c24xx_serial_txempty_nofif
 static void s3c24xx_serial_rx_enable(struct uart_port *port)
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
-	unsigned long flags;
 	int count = 10000;
 	u32 ucon, ufcon;
 
-	uart_port_lock_irqsave(port, &flags);
-
 	while (--count && !s3c24xx_serial_txempty_nofifo(port))
 		udelay(100);
 
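Review bot: dropping the lock here makes s3c24xx_serial_rx_enable() depend on the caller already holding port->lock, but nothing in the function now records that contract. Add `lockdep_assert_held(&port->lock);` at the top (or at minimum a `/* Caller must hold port->lock */` comment) so that a future caller arriving without the lock is caught under CONFIG_PROVE_LOCKING instead of racing on the UCON/UFCON read-modify-write and the rx_enabled store. The udelay() polling loop ran under the lock before this change as well, so interrupt-off latency is unchanged by this hunk.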
@@ -263,23 +260,18 @@ static void s3c24xx_serial_rx_enable(str
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 1;
-	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_rx_disable(struct uart_port *port)
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
-	unsigned long flags;
 	u32 ucon;
 
-	uart_port_lock_irqsave(port, &flags);
-
 	ucon = rd_regl(port, S3C2410_UCON);
 	ucon &= ~S3C2410_UCON_RXIRQMODE;
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 0;
-	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_stop_tx(struct uart_port *port)
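Review bot: same contract point for s3c24xx_serial_rx_disable(): the S3C2410_UCON read-modify-write and the `ourport->rx_enabled = 0` store are now only safe because every caller holds port->lock, as the changelog argues, and that claim cannot be checked from the hunk alone. A `lockdep_assert_held(&port->lock);` here turns the argument into an enforced invariant at no runtime cost in production builds.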




* [PATCH 6.12 211/307] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ian Abbott <abbotti@mev.co.uk>

commit 8a3bee801d420be8a7a0bae4a26547b353b8fe22 upstream.

The function checks and possibly modifies the description of an
asynchronous command to be run on the analog input subdevice of a comedi
device attached to the "comedi_test" driver, returning 0 if no
modifications were required, or a positive value that indicates which
step of the checking process it failed on.  Step 4 fixes up various
argument values for various trigger sources.

There are two bugs in the fixing up of the `convert_arg` value to keep
the `scan_begin_arg` value within the range of `unsigned int` when
`scan_begin_src` and `convert_src` both have the value `TRIG_TIMER`,
which indicates that the corresponding `_arg` values hold a time period
in nanoseconds.  The code also uses `scan_end_arg` which holds the number
of "conversions" within each "scan".  The goal is to end up with the
scan period being less than or equal to the convert period multiplied by
the number of conversions per scan.  It intends to do that by clamping
the `convert_arg` value to a maximum value of `UINT_MAX / scan_end_arg`
rounded down to a multiple of 1000 (`NSEC_PER_USEC`).

(The rounding from nanoseconds to microseconds is because the driver is
modelling a device that uses a 1 MHz clock for timing.  This is partly
because that is a more typical timing base for real hardware devices
driven by comedi, and partly because the driver used to use `struct
timeval` internally.)

The first bug is that the code checks if `scan_begin_arg == TRIG_TIMER`
when it should be checking if `scan_begin_src == TRIG_TIMER`.  The
bugged check will always fail because if `scan_begin_src == TRIG_TIMER`,
then `scan_begin_arg` will be at least 1000 (`NSEC_PER_USEC`), otherwise
`scan_begin_src == TRIG_FOLLOW` and `scan_begin_arg` will be 0.  (N.B.
`TRIG_TIMER` is defined as `0x10`.)  The second bug is that it is rounding
the maximum value down to a multiple of 1000000000 (`NSEC_PER_SEC`)
instead of 1000 (`NSEC_PER_USEC`), however this bug is not reached due
to the first bug.  This patch fixes both bugs.

Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Fixes: 5afdcad2f818 ("staging: comedi: comedi_test: limit maximum convert_arg")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422144637.27692-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/comedi/drivers/comedi_test.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -324,10 +324,10 @@ static int waveform_ai_cmdtest(struct co
 		arg = min(arg,
 			  rounddown(UINT_MAX, (unsigned int)NSEC_PER_USEC));
 		arg = NSEC_PER_USEC * DIV_ROUND_CLOSEST(arg, NSEC_PER_USEC);
-		if (cmd->scan_begin_arg == TRIG_TIMER) {
+		if (cmd->scan_begin_src == TRIG_TIMER) {
 			/* limit convert_arg to keep scan_begin_arg in range */
 			limit = UINT_MAX / cmd->scan_end_arg;
-			limit = rounddown(limit, (unsigned int)NSEC_PER_SEC);
+			limit = rounddown(limit, (unsigned int)NSEC_PER_USEC);
 			arg = min(arg, limit);
 		}
 		err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
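Review bot: the now-reachable `limit = UINT_MAX / cmd->scan_end_arg` divides by a command-supplied value, and the hunk does not show scan_end_arg being validated as non-zero earlier in waveform_ai_cmdtest(); please confirm the step 3 checks reject scan_end_arg == 0 before this code runs, since the old TRIG_TIMER-vs-arg typo meant this division was never executed in practice. One edge worth a comment: once scan_end_arg exceeds UINT_MAX / NSEC_PER_USEC, rounddown() yields 0, arg becomes 0, and the comedi_check_trigger_arg_is() below will flag every non-zero convert_arg as a step 4 failure. Otherwise the two corrections (src instead of arg, NSEC_PER_USEC instead of NSEC_PER_SEC) match the description exactly.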




* [PATCH 6.18 222/315] usb: chipidea: core: convert ci_role_switch to local variable
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Frank Li,
	Xu Yang

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit 8f6aa392653e52a45858cff5c063df550028836b upstream.

When a system contains multiple USB controllers, the global ci_role_switch
variable may be overwritten by subsequent driver initialization code.

This can cause issues in the following cases:
 - The 2nd ci_hdrc_probe() sees ci_role_switch.fwnode as non-NULL even
   though the "usb-role-switch" property is not present for the controller.
 - When the ci_hdrc device is unbound and bound again, ci_role_switch
   fwnode will not be reassigned, and the old value will be used instead.

Convert ci_role_switch to a local variable to fix these issues.

Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support")
Cc: stable <stable@kernel.org>
Acked-by: Peter Chen <peter.chen@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260427075755.3611217-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/chipidea/core.c |   16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -669,12 +669,6 @@ static enum ci_role ci_get_role(struct c
 	return role;
 }
 
-static struct usb_role_switch_desc ci_role_switch = {
-	.set = ci_usb_role_switch_set,
-	.get = ci_usb_role_switch_get,
-	.allow_userspace_control = true,
-};
-
 static int ci_get_platdata(struct device *dev,
 		struct ci_hdrc_platform_data *platdata)
 {
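Review bot: the file-scope descriptor being removed here was shared by every ci_hdrc instance while `ci_role_switch.driver_data = ci` (visible in the last hunk) was written into it per probe, so two controllers probing concurrently could also race on driver_data, not only observe a stale fwnode; the changelog lists the stale-fwnode cases but should mention that this shared-mutable-state race goes away as well.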
@@ -801,9 +795,6 @@ static int ci_get_platdata(struct device
 			cable->connected = false;
 	}
 
-	if (device_property_read_bool(dev, "usb-role-switch"))
-		ci_role_switch.fwnode = dev->fwnode;
-
 	platdata->pctl = devm_pinctrl_get(dev);
 	if (!IS_ERR(platdata->pctl)) {
 		struct pinctrl_state *p;
@@ -1045,6 +1036,7 @@ ATTRIBUTE_GROUPS(ci);
 
 static int ci_hdrc_probe(struct platform_device *pdev)
 {
+	struct usb_role_switch_desc ci_role_switch = {};
 	struct device	*dev = &pdev->dev;
 	struct ci_hdrc	*ci;
 	struct resource	*res;
@@ -1191,7 +1183,11 @@ static int ci_hdrc_probe(struct platform
 		}
 	}
 
-	if (ci_role_switch.fwnode) {
+	if (device_property_read_bool(dev, "usb-role-switch")) {
+		ci_role_switch.set = ci_usb_role_switch_set;
+		ci_role_switch.get = ci_usb_role_switch_get;
+		ci_role_switch.allow_userspace_control = true;
+		ci_role_switch.fwnode = dev_fwnode(dev);
 		ci_role_switch.driver_data = ci;
 		ci->role_switch = usb_role_switch_register(dev,
 					&ci_role_switch);
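Review bot: ci_role_switch is now a stack variable in ci_hdrc_probe(), so the change is only correct because usb_role_switch_register() copies the descriptor's set/get/fwnode/driver_data fields into the allocated switch rather than retaining a pointer to the desc; that assumption is what makes the local safe and belongs in the changelog for anyone backporting. Switching from `dev->fwnode` to `dev_fwnode(dev)` is the right accessor (it also resolves DT-only nodes), but it is a separate behavioural tweak that deserves its own sentence in the log.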




* [PATCH 6.12 212/307] counter: Fix refcount leak in counter_alloc() error path
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, William Breathitt Gray

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit d9eeb0ea0d2de658663bfaa9c26eccdd8fd64440 upstream.

After device_initialize(), the lifetime of the embedded struct device
is expected to be managed through the device core reference counting.

In counter_alloc(), if dev_set_name() fails after device_initialize(),
the error path removes the chrdev, frees the ID, and frees the backing
allocation directly instead of releasing the device reference with
put_device(). This bypasses the normal device lifetime rules and may
leave the reference count of the embedded struct device unbalanced,
resulting in a refcount leak.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fix this by using put_device() in the dev_set_name() failure path and
let counter_device_release() handle the final cleanup.

Fixes: 4da08477ea1f ("counter: Set counter device name")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Link: https://lore.kernel.org/r/20260413134604.2861772-1-lgs201920130244@gmail.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/counter/counter-core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/counter/counter-core.c
+++ b/drivers/counter/counter-core.c
@@ -124,7 +124,8 @@ struct counter_device *counter_alloc(siz
 
 err_dev_set_name:
 
-	counter_chrdev_remove(counter);
+	put_device(dev);
+	return NULL;
 err_chrdev_add:
 
 	ida_free(&counter_ida, dev->id);
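Review bot: `put_device(dev); return NULL;` is only a complete fix if counter_device_release() undoes everything that had been done before dev_set_name() failed: removing the chrdev that the old path removed explicitly here, freeing the ID that `err_chrdev_add:` frees below, and freeing the backing allocation. The changelog asserts that the release callback handles the final cleanup but the hunk does not show it, so a sentence listing what counter_device_release() frees would let reviewers and stable backporters verify nothing is now leaked or double-freed. The `err_chrdev_add:` path is unchanged and still frees the ID directly, which is correct only while that label is reached before device_initialize() has been called; worth stating in the log as well.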




* [PATCH 6.18 223/315] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Pecio, Tao Xue

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Pecio <michal.pecio@gmail.com>

commit 727d045d064b7c9a24db3bce9c0485a382cb768b upstream.

Tao Xue found that some common devices violate USB 3.x section 9.6.7
by reporting wBytesPerInterval lower than the size of packets they
actually send. I confirmed that AX88179 may set it to 0 and RTL8153
CDC configuration sets it to 8 but sends both 8 and 16 byte packets:

S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 8 = a1000000 01000000
S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 16 = a12a0000 01000800 00000000 00000000

Most xHCI host controllers neglect interrupt bandwidth reservations
and let such devices exceed theirs, some fail the URB with EOVERFLOW.

Assume that wBytesPerInterval lower than wMaxPacketSize is bogus and
increase it to the worst case maximum on interrupt IN endpoints. This
solves xHCI problems and appears to have no other effect. Interrupt
transfers are not limited to one interval and drivers submit URBs of
class defined size without looking at wBytesPerInterval. Any multi-
interval transfer is considered terminated by a packet shorter than
wMaxPacketSize regardless of wBytesPerInterval - see USB3 8.10.3.

Stay in spec on OUT endpoints and isochronous. No buggy devices are
known and we don't want to risk sending more data than the device
is prepared to handle or confusing isoc drivers regarding altsetting
capacities guaranteed by the device itself. And don't complain when
wMaxPacketSize <= wBytesPerInterval < wMaxPacketSize * (bMaxBurst+1)
because enabling this seems to be the exact goal of the spec.

Reported-and-tested-by: Tao Xue <xuetao09@huawei.com>
Closes: https://lore.kernel.org/linux-usb/20260402021400.28853-1-xuetao09@huawei.com/
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Link: https://patch.msgid.link/20260518073207.5b7d26e7.michal.pecio@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/config.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -191,7 +191,14 @@ static void usb_parse_ss_endpoint_compan
 			(desc->bMaxBurst + 1);
 	else
 		max_tx = 999999;
-	if (le16_to_cpu(desc->wBytesPerInterval) > max_tx) {
+	/*
+	 * wBytesPerInterval > max_tx is bogus, but USB3 spec doesn't forbid the opposite.
+	 * Experience shows that wBytesPerInterval < wMaxPacketSize on common interrupt IN
+	 * endpoints is usually bogus too, and recent HCs enforce interrupt BW limits.
+	 */
+	if (le16_to_cpu(desc->wBytesPerInterval) > max_tx ||
+	    (le16_to_cpu(desc->wBytesPerInterval) < usb_endpoint_maxp(&ep->desc) &&
+	     usb_endpoint_is_int_in(&ep->desc))) {
 		dev_notice(ddev, "%s endpoint with wBytesPerInterval of %d in "
 				"config %d interface %d altsetting %d ep %d: "
 				"setting to %d\n",
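Review bot: `le16_to_cpu(desc->wBytesPerInterval)` is now evaluated twice in the condition and again in the dev_notice() below; hoisting it into a local such as `u16 bpi = le16_to_cpu(desc->wBytesPerInterval);` would make the three-way test readable at a glance. The new branch is gated on usb_endpoint_is_int_in(), so it must only fire where max_tx was computed from wMaxPacketSize * (bMaxBurst + 1) above and never where the `max_tx = 999999` fallback applies; please confirm that the if/else selecting those two branches (just above the hunk) includes interrupt endpoints, otherwise the "setting to %d" fix-up would write the 999999 sentinel into the descriptor. The comment is useful but "recent HCs" is vague; naming xHCI as the changelog does would age better.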




* [PATCH 6.12 213/307] tty: serial: pch_uart: add check for dma_alloc_coherent()
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zhaoyang Yu, Andy Shevchenko

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhaoyang Yu <2426767509@qq.com>

commit 6fe472c1bbbe238e91141f7cabc1226e96a60d43 upstream.

Add a check for dma_alloc_coherent() failure to prevent a potential
NULL pointer dereference in dma_handle_rx(). Properly release DMA
channels and the PCI device reference using a goto ladder if the
allocation fails.

Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Zhaoyang Yu <2426767509@qq.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/tencent_E328416B7CFD436F6029F2DF02AD7ED89C08@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/pch_uart.c |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -689,8 +689,7 @@ static void pch_request_dma(struct uart_
 	if (!chan) {
 		dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
 			__func__);
-		pci_dev_put(dma_dev);
-		return;
+		goto err_pci_get;
 	}
 	priv->chan_tx = chan;
 
@@ -704,18 +703,26 @@ static void pch_request_dma(struct uart_
 	if (!chan) {
 		dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Rx)\n",
 			__func__);
-		dma_release_channel(priv->chan_tx);
-		priv->chan_tx = NULL;
-		pci_dev_put(dma_dev);
-		return;
+		goto err_req_tx;
 	}
 
 	/* Get Consistent memory for DMA */
 	priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
 				    &priv->rx_buf_dma, GFP_KERNEL);
+	if (!priv->rx_buf_virt)
+		goto err_req_rx;
 	priv->chan_rx = chan;
 
 	pci_dev_put(dma_dev);
+	return;
+
+err_req_rx:
+	dma_release_channel(chan);
+err_req_tx:
+	dma_release_channel(priv->chan_tx);
+	priv->chan_tx = NULL;
+err_pci_get:
+	pci_dev_put(dma_dev);
 }
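Review bot: the unwinding is correct (chan has not yet been stored in priv->chan_rx when `err_req_rx:` releases it, and priv->chan_tx is cleared on the way out), but the labels name the step that failed rather than the resource they undo, which is the reverse of the usual kernel convention and reads confusingly: `err_req_rx:` releases the rx channel, `err_req_tx:` releases the tx channel, `err_pci_get:` drops the PCI reference. Renaming to e.g. err_release_rx / err_release_tx / err_put_pci_dev would match the goto-ladder style elsewhere. Also, both dma_request_channel() failures above log a dev_err() while the new dma_alloc_coherent() failure path is silent; a matching message would make the fall-back to PIO diagnosable from dmesg.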
 
 static void pch_dma_rx_complete(void *arg)




* [PATCH 6.18 224/315] usb: musb: omap2430: Fix use-after-free in omap2430_probe()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 223/315] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 225/315] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wentao Liang

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Liang <vulab@iscas.ac.cn>

commit e194ce048f5a6c549b3a23a8c568c6470f40f772 upstream.

In omap2430_probe(), of_node_put(np) is called prematurely before the
last access to np, leading to a use-after-free if the node's reference
count drops to zero. Move the of_node_put() calls after the last use of
np in both the success and error paths.

Fixes: ffbe2feac59b ("usb: musb: omap2430: Fix probe regression for missing resources")
Cc: stable <stable@kernel.org>
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409101104.480623-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/musb/omap2430.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/musb/omap2430.c
+++ b/drivers/usb/musb/omap2430.c
@@ -338,7 +338,6 @@ static int omap2430_probe(struct platfor
 	} else {
 		device_set_of_node_from_dev(&musb->dev, &pdev->dev);
 	}
-	of_node_put(np);
 
 	glue->dev			= &pdev->dev;
 	glue->musb			= musb;
@@ -456,6 +455,7 @@ static int omap2430_probe(struct platfor
 		dev_err(&pdev->dev, "failed to register musb device\n");
 		goto err_disable_rpm;
 	}
+	of_node_put(np);
 
 	return 0;
 
@@ -465,6 +465,7 @@ err_put_control_otghs:
 	if (!IS_ERR(glue->control_otghs))
 		put_device(glue->control_otghs);
 err_put_musb:
+	of_node_put(np);
 	platform_device_put(musb);
 
 	return ret;
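Review bot: the changelog says of_node_put(np) was called before the last access to np, but none of the three hunks shows a later use of np between the old call site and the new ones, so the log should name which access still dereferences the node; without that a reader cannot tell a real use-after-free from a harmless early put. Please also check that every return or goto between the point where np is obtained and `err_put_musb:` lands at or after that label, because any error path that returns directly before platform_device_put(musb) now leaks the node reference that the old early put used to drop. of_node_put(NULL) is a no-op, so the np == NULL case needs no special handling.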




* [PATCH 6.12 214/307] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, John Ogness, Tudor Ambarus

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tudor Ambarus <tudor.ambarus@linaro.org>

commit a3bb136bff5e6a5e48cdd813246c9c4686feaaa9 upstream.

Sashiko identified a deadlock when the console flow is engaged [1].

When console flow control is enabled (UPF_CONS_FLOW),
s3c24xx_serial_stop_tx() calls s3c24xx_serial_rx_enable() and
s3c24xx_serial_start_tx() calls s3c24xx_serial_rx_disable().

The serial core framework invokes the .stop_tx() and .start_tx()
callbacks with the port->lock spinlock already held. Furthermore, all
internal driver paths that invoke stop_tx (such as the DMA TX
completion handler s3c24xx_serial_tx_dma_complete() or the PIO TX IRQ
handler s3c24xx_serial_tx_irq()) also acquire port->lock prior to
calling it. (Note that s3c24xx_serial_start_tx() is only invoked by the
serial core).

However, s3c24xx_serial_rx_enable() and s3c24xx_serial_rx_disable()
unconditionally attempt to acquire port->lock again using
uart_port_lock_irqsave(). Since spinlocks are not recursive, this
causes a deadlock on the same CPU when console flow control is engaged.

Remove the redundant lock acquisition from both rx helper functions.

Cc: stable <stable@kernel.org>
Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
Reported-by: John Ogness <john.ogness@linutronix.de>
Closes: https://sashiko.dev/#/patchset/20260506121606.5805-1-john.ogness%40linutronix.de [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://patch.msgid.link/20260515-samsung-tty-flow-control-deadlock-v1-1-93255edbc9bc@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/samsung_tty.c |    8 --------
 1 file changed, 8 deletions(-)

--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -243,12 +243,9 @@ static bool s3c24xx_serial_txempty_nofif
 static void s3c24xx_serial_rx_enable(struct uart_port *port)
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
-	unsigned long flags;
 	int count = 10000;
 	u32 ucon, ufcon;
 
-	uart_port_lock_irqsave(port, &flags);
-
 	while (--count && !s3c24xx_serial_txempty_nofifo(port))
 		udelay(100);
 
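Review bot: as with the 6.18 backport of this commit, s3c24xx_serial_rx_enable() now silently assumes port->lock is held by its caller; a `lockdep_assert_held(&port->lock);` at the top of the function would document and enforce that, which is especially valuable in a stable tree where the surrounding callers may differ from mainline.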
@@ -261,23 +258,18 @@ static void s3c24xx_serial_rx_enable(str
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 1;
-	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_rx_disable(struct uart_port *port)
 {
 	struct s3c24xx_uart_port *ourport = to_ourport(port);
-	unsigned long flags;
 	u32 ucon;
 
-	uart_port_lock_irqsave(port, &flags);
-
 	ucon = rd_regl(port, S3C2410_UCON);
 	ucon &= ~S3C2410_UCON_RXIRQMODE;
 	wr_regl(port, S3C2410_UCON, ucon);
 
 	ourport->rx_enabled = 0;
-	uart_port_unlock_irqrestore(port, flags);
 }
 
 static void s3c24xx_serial_stop_tx(struct uart_port *port)
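Review bot: s3c24xx_serial_rx_disable() in 6.12 has the same new implicit locking contract; adding `lockdep_assert_held(&port->lock);` here catches any 6.12-only caller that does not hold the lock, since the changelog's enumeration of callers was written against mainline.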




* [PATCH 6.18 225/315] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen J. Fuhry, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen J. Fuhry <fuhrysteve@gmail.com>

commit 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 upstream.

The Lenovo ThinkPad USB-C Dock Gen2 (17ef:a391, 17ef:a392) hub
controllers exhibit link instability when USB Link Power Management
is enabled, similar to the dock's Ethernet adapter (17ef:a387) which
already carries USB_QUIRK_NO_LPM.

When the dock reconnects after a transient disconnect, the hub
controllers enter LPM states between re-enumeration retries, causing
repeated disconnect/reconnect cycles lasting up to two minutes.
Disabling LPM for these devices restores stable enumeration.

Signed-off-by: Stephen J. Fuhry <fuhrysteve@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260513171419.44849-1-fuhrysteve@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/quirks.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -514,6 +514,10 @@ static const struct usb_device_id usb_qu
 	/* Lenovo ThinkPad USB-C Dock Gen2 Ethernet (RTL8153 GigE) */
 	{ USB_DEVICE(0x17ef, 0xa387), .driver_info = USB_QUIRK_NO_LPM },
 
+	/* Lenovo ThinkPad USB-C Dock Gen2 USB 3.1 and USB 2.0 hub controllers */
+	{ USB_DEVICE(0x17ef, 0xa391), .driver_info = USB_QUIRK_NO_LPM },
+	{ USB_DEVICE(0x17ef, 0xa392), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* BUILDWIN Photo Frame */
 	{ USB_DEVICE(0x1908, 0x1315), .driver_info =
 			USB_QUIRK_HONOR_BNUMINTERFACES },
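Review bot: the two entries land in correct ascending VID/PID order after the existing a387 Ethernet entry, but the shared comment does not say which ID is the USB 3.1 hub and which the USB 2.0 hub, and the changelog only lists the IDs; a per-entry comment (or an "a391 = ..., a392 = ..." line in the log) would save the next person an lsusb session. Note for anyone maintaining this table that USB_QUIRK_NO_LPM on a hub changes link power behaviour for the hub's own upstream link only, so the entry is a narrow power trade-off, not a change for downstream devices.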




* [PATCH 6.12 215/307] usb: chipidea: core: convert ci_role_switch to local variable
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Frank Li,
	Xu Yang

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xu Yang <xu.yang_2@nxp.com>

commit 8f6aa392653e52a45858cff5c063df550028836b upstream.

When a system contains multiple USB controllers, the global ci_role_switch
variable may be overwritten by subsequent driver initialization code.

This can cause issues in the following cases:
 - The 2nd ci_hdrc_probe() sees ci_role_switch.fwnode as non-NULL even
   though the "usb-role-switch" property is not present for the controller.
 - When the ci_hdrc device is unbound and bound again, ci_role_switch
   fwnode will not be reassigned, and the old value will be used instead.

Convert ci_role_switch to a local variable to fix these issues.

Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support")
Cc: stable <stable@kernel.org>
Acked-by: Peter Chen <peter.chen@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260427075755.3611217-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/chipidea/core.c |   16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -669,12 +669,6 @@ static enum ci_role ci_get_role(struct c
 	return role;
 }
 
-static struct usb_role_switch_desc ci_role_switch = {
-	.set = ci_usb_role_switch_set,
-	.get = ci_usb_role_switch_get,
-	.allow_userspace_control = true,
-};
-
 static int ci_get_platdata(struct device *dev,
 		struct ci_hdrc_platform_data *platdata)
 {
@@ -801,9 +795,6 @@ static int ci_get_platdata(struct device
 			cable->connected = false;
 	}
 
-	if (device_property_read_bool(dev, "usb-role-switch"))
-		ci_role_switch.fwnode = dev->fwnode;
-
 	platdata->pctl = devm_pinctrl_get(dev);
 	if (!IS_ERR(platdata->pctl)) {
 		struct pinctrl_state *p;
@@ -1045,6 +1036,7 @@ ATTRIBUTE_GROUPS(ci);
 
 static int ci_hdrc_probe(struct platform_device *pdev)
 {
+	struct usb_role_switch_desc ci_role_switch = {};
 	struct device	*dev = &pdev->dev;
 	struct ci_hdrc	*ci;
 	struct resource	*res;
@@ -1191,7 +1183,11 @@ static int ci_hdrc_probe(struct platform
 		}
 	}
 
-	if (ci_role_switch.fwnode) {
+	if (device_property_read_bool(dev, "usb-role-switch")) {
+		ci_role_switch.set = ci_usb_role_switch_set;
+		ci_role_switch.get = ci_usb_role_switch_get;
+		ci_role_switch.allow_userspace_control = true;
+		ci_role_switch.fwnode = dev_fwnode(dev);
 		ci_role_switch.driver_data = ci;
 		ci->role_switch = usb_role_switch_register(dev,
 					&ci_role_switch);
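Review bot: in this 6.12 backport the local `ci_role_switch` lives on the ci_hdrc_probe() stack, so correctness hinges on the 6.12 version of usb_role_switch_register() copying the descriptor fields rather than keeping the pointer; that is the one thing a backport reviewer should confirm against drivers/usb/roles/class.c in this tree, and a sentence saying so in the log would help. The `dev->fwnode` to `dev_fwnode(dev)` change is a separate, unmentioned behavioural tweak.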




* [PATCH 6.18 226/315] usb: storage: Add quirks for PNY Elite Portable SSD
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Burkels, Oliver Neukum, stable

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Burkels <sam@1a38.nl>

commit b53ebb811e00be50a779ce4e7aee604178b4a825 upstream.

The PNY Elite Portable SSD (USB ID 154b:f009) is a sibling of the
already-quirked PNY Pro Elite SSDs (154b:f00b and 154b:f00d). Like its
siblings, it uses a Phison-based USB-SATA bridge that exhibits
firmware bugs when bound to the uas driver.

Without quirks, the device fails to complete READ CAPACITY commands
when accessed over UAS on a SuperSpeed (USB 3) port. The device
enumerates and reports as a SCSI direct-access device, but reports
zero logical blocks and never finishes spin-up:

    usb 2-3: new SuperSpeed USB device number 8 using xhci_hcd
    usb 2-3: New USB device found, idVendor=154b, idProduct=f009
    usb 2-3: Product: PNY ELITE PSSD
    usb 2-3: Manufacturer: PNY
    scsi host0: uas
    scsi 0:0:0:0: Direct-Access     PNY      PNY ELITE PSSD   0
    sd 0:0:0:0: [sda] Spinning up disk...
    [...10+ seconds of polling, no progress...]
    sd 0:0:0:0: [sda] Read Capacity(16) failed: hostbyte=DID_ERROR
    sd 0:0:0:0: [sda] Read Capacity(10) failed: hostbyte=DID_ERROR
    sd 0:0:0:0: [sda] 0 512-byte logical blocks: (0 B/0 B)

Tested each individual quirk to find the minimum that fixes this:
  - US_FL_NO_ATA_1X alone: device hangs on spin-up
  - US_FL_NO_REPORT_OPCODES alone: works on USB 2.0, hangs on USB 3.0
  - US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES: works on both

With both quirks the device enumerates correctly while still using
the uas driver, and delivers full UAS throughput (~281 MB/s
sequential read on a USB 3.0 Gen 1 port).

The existing PNY Pro Elite entries (f00b, f00d) only set NO_ATA_1X,
but this device additionally chokes on REPORT OPCODES under
SuperSpeed.

Signed-off-by: Sam Burkels <sam@1a38.nl>
Acked-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260501132346.86572-1-sam@1a38.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/unusual_uas.h |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -132,6 +132,13 @@ UNUSUAL_DEV(0x152d, 0x0583, 0x0000, 0x99
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_NO_REPORT_OPCODES),
 
+/* Reported-by: Sam Burkels <sam@1a38.nl> */
+UNUSUAL_DEV(0x154b, 0xf009, 0x0000, 0x9999,
+		"PNY",
+		"PNY ELITE PSSD",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES),
+
 /* Reported-by: Thinh Nguyen <thinhn@synopsys.com> */
 UNUSUAL_DEV(0x154b, 0xf00b, 0x0000, 0x9999,
 		"PNY",



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 216/307] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 215/307] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 217/307] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Pecio, Tao Xue

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Pecio <michal.pecio@gmail.com>

commit 727d045d064b7c9a24db3bce9c0485a382cb768b upstream.

Tao Xue found that some common devices violate USB 3.x section 9.6.7
by reporting wBytesPerInterval lower than the size of packets they
actually send. I confirmed that AX88179 may set it to 0 and RTL8153
CDC configuration sets it to 8 but sends both 8 and 16 byte packets:

S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 8 = a1000000 01000000
S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 16 = a12a0000 01000800 00000000 00000000

Most xHCI host controllers neglect interrupt bandwidth reservations
and let such devices exceed theirs, some fail the URB with EOVERFLOW.

Assume that wBytesPerInterval lower than wMaxPacketSize is bogus and
increase it to the worst case maximum on interrupt IN endpoints. This
solves xHCI problems and appears to have no other effect. Interrupt
transfers are not limited to one interval and drivers submit URBs of
class defined size without looking at wBytesPerInterval. Any multi-
interval transfer is considered terminated by a packet shorter than
wMaxPacketSize regardless of wBytesPerInterval - see USB3 8.10.3.

Stay in spec on OUT endpoints and isochronous. No buggy devices are
known and we don't want to risk sending more data than the device
is prepared to handle or confusing isoc drivers regarding altsetting
capacities guaranteed by the device itself. And don't complain when
wMaxPacketSize <= wBytesPerInterval < wMaxPacketSize * (bMaxBurst+1)
because enabling this seems to be the exact goal of the spec.

Reported-and-tested-by: Tao Xue <xuetao09@huawei.com>
Closes: https://lore.kernel.org/linux-usb/20260402021400.28853-1-xuetao09@huawei.com/
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Link: https://patch.msgid.link/20260518073207.5b7d26e7.michal.pecio@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/config.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -165,7 +165,14 @@ static void usb_parse_ss_endpoint_compan
 			(desc->bMaxBurst + 1);
 	else
 		max_tx = 999999;
-	if (le16_to_cpu(desc->wBytesPerInterval) > max_tx) {
+	/*
+	 * wBytesPerInterval > max_tx is bogus, but USB3 spec doesn't forbid the opposite.
+	 * Experience shows that wBytesPerInterval < wMaxPacketSize on common interrupt IN
+	 * endpoints is usually bogus too, and recent HCs enforce interrupt BW limits.
+	 */
+	if (le16_to_cpu(desc->wBytesPerInterval) > max_tx ||
+	    (le16_to_cpu(desc->wBytesPerInterval) < usb_endpoint_maxp(&ep->desc) &&
+	     usb_endpoint_is_int_in(&ep->desc))) {
 		dev_notice(ddev, "%s endpoint with wBytesPerInterval of %d in "
 				"config %d interface %d altsetting %d ep %d: "
 				"setting to %d\n",
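Review bot: the new "too small" arm of the if condition reuses the same dev_notice text as the existing "too large" arm, so a reader of the log cannot tell whether wBytesPerInterval was clamped down or raised up, and since the commit message says common devices (AX88179, RTL8153) hit the new arm, that notice will now appear on a lot of machines; consider a distinct, lower-severity message for the raise case (dev_dbg or dev_info, wording like "wBytesPerInterval %d below wMaxPacketSize, raising to %d"). Minor: le16_to_cpu(desc->wBytesPerInterval) is evaluated three times in one condition, a local such as `u16 bpi = le16_to_cpu(desc->wBytesPerInterval);` would make it readable, and the three comment lines run past 80 columns.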



^ permalink raw reply	[flat|nested] 630+ messages in thread
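The fix-up policy that the commit message lays out, as an added example written for this page and not code from the kernel or from the patch author. It parses a constructed endpoint descriptor plus SuperSpeed companion out of raw bytes (modelled on the AX88179 case: interrupt IN, wMaxPacketSize 8, wBytesPerInterval 0; the bytes are made up, not captured) and applies the rules the commit message states: clamp a value above wMaxPacketSize * (bMaxBurst + 1), raise a value below wMaxPacketSize only on interrupt IN, leave OUT and isochronous endpoints alone, and accept anything in between. The struct layouts and the parse_ss_endpoint(), fixup_bytes_per_interval(), policy_for() and demo_sample() names are this example's own; the 999999 sentinel and the 0x7ff masking follow the hunk and usb_endpoint_maxp(), while the isochronous branch multiplying by Mult + 1 is taken from the USB 3 companion descriptor definition, since the hunk does not show the kernel's isochronous computation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layouts per USB 2.0 9.6.6 (endpoint descriptor, 7 bytes, type 0x05) and
 * USB 3.x 9.6.7 (SuperSpeed companion, 6 bytes, type 0x30). Names are this
 * example's own, not the kernel's. */
struct ep_desc {
	uint8_t  bEndpointAddress, bmAttributes;
	uint16_t wMaxPacketSize;
	uint8_t  bInterval;
};
struct ss_companion {
	uint8_t  bMaxBurst, bmAttributes;	/* isoc: bits 1:0 = Mult */
	uint16_t wBytesPerInterval;
};
enum { XFER_CONTROL = 0, XFER_ISOC = 1, XFER_BULK = 2, XFER_INT = 3 };
#define DT_ENDPOINT     0x05
#define DT_SS_COMPANION 0x30

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pull one endpoint descriptor plus its companion out of a device-supplied
 * blob. Lengths and type bytes come from the device, so each is checked
 * before the bytes behind it are read. Returns bytes consumed, 0 if bad. */
static size_t parse_ss_endpoint(const uint8_t *buf, size_t len,
				struct ep_desc *ep, struct ss_companion *comp)
{
	if (len < 7 || buf[0] != 7 || buf[1] != DT_ENDPOINT)
		return 0;
	ep->bEndpointAddress = buf[2];
	ep->bmAttributes = buf[3];
	ep->wMaxPacketSize = le16(buf + 4);
	ep->bInterval = buf[6];
	if (len < 13 || buf[7] != 6 || buf[8] != DT_SS_COMPANION)
		return 0;
	comp->bMaxBurst = buf[9];
	comp->bmAttributes = buf[10];
	comp->wBytesPerInterval = le16(buf + 11);
	return 13;
}

/* The patch's policy. Returns the wBytesPerInterval the host should use;
 * *fixed (may be NULL) reports whether the device's value was replaced,
 * which is when the kernel emits its dev_notice. */
static unsigned int fixup_bytes_per_interval(const struct ep_desc *ep,
					     const struct ss_companion *comp,
					     bool *fixed)
{
	unsigned int type = ep->bmAttributes & 0x03;
	bool is_in = (ep->bEndpointAddress & 0x80) != 0;
	unsigned int maxp = ep->wMaxPacketSize & 0x7ff;	/* as usb_endpoint_maxp() */
	unsigned int bpi = comp->wBytesPerInterval, max_tx;
	bool bogus;

	if (type == XFER_ISOC)	/* (Mult + 1) bursts of (bMaxBurst + 1) packets */
		max_tx = maxp * (comp->bMaxBurst + 1) * ((comp->bmAttributes & 0x03) + 1);
	else if (type == XFER_INT)
		max_tx = maxp * (comp->bMaxBurst + 1);
	else
		max_tx = 999999;	/* bulk/control: field unused, never "too large" */

	/* Too large is always bogus. Too small is bogus only on interrupt IN,
	 * where class drivers submit wMaxPacketSize-sized URBs regardless of
	 * the companion. OUT and isoc keep the device's figure so the host
	 * never pushes more than the device said it accepts. */
	bogus = bpi > max_tx || (bpi < maxp && type == XFER_INT && is_in);
	if (fixed)
		*fixed = bogus;
	return bogus ? max_tx : bpi;
}

/* Try one case without building descriptor bytes. */
static unsigned int policy_for(uint8_t addr, uint8_t type, uint16_t maxp,
			       uint8_t burst, uint8_t cattr, uint16_t bpi)
{
	struct ep_desc ep = { addr, type, maxp, 1 };
	struct ss_companion comp = { burst, cattr, bpi };

	return fixup_bytes_per_interval(&ep, &comp, NULL);
}

/* Constructed bytes modelled on the AX88179 case in the commit message:
 * interrupt IN endpoint 0x83, wMaxPacketSize 8, bMaxBurst 0,
 * wBytesPerInterval 0. Not captured from hardware. */
static const uint8_t sample_int_in[] = {
	7, DT_ENDPOINT, 0x83, XFER_INT, 0x08, 0x00, 0x0b,
	6, DT_SS_COMPANION, 0x00, 0x00, 0x00, 0x00,
};

/* Parse the first len bytes of the sample and run the policy on them.
 * Returns the corrected wBytesPerInterval, or 0 if parsing rejected it. */
static unsigned int demo_sample(size_t len)
{
	struct ep_desc ep;
	struct ss_companion comp;

	if (parse_ss_endpoint(sample_int_in, len, &ep, &comp) != 13)
		return 0;
	return fixup_bytes_per_interval(&ep, &comp, NULL);
}

int main(void)
{
	printf("int IN ep 0x83, wBytesPerInterval 0 -> %u\n",
	       demo_sample(sizeof(sample_int_in)));
	return 0;
}
```

The parser returns 0 for a truncated blob rather than reading past it, which is the other half of handling device-supplied descriptors: the policy only runs on fields that were actually present.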

* [PATCH 6.18 227/315] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 226/315] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 228/315] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Zheng Wang,
	Michael Bommarito, Shuah Khan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit d96209626a29ea64666be98c30b30ac82e5f1be6 upstream.

This patch follows up Zheng Wang's 2023 report of a use-after-free in
vudc_remove(). The original thread stalled on Shuah Khan's request for
runtime testing of the unplug/unbind path. This patch supplies that
testing and keeps Zheng's original fix shape.

In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
vudc_remove() can then free the containing struct vudc while the timer is
still pending or executing.

KASAN confirms the race on an unpatched x86_64 QEMU guest with
CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
that repeatedly writes a socket fd to usbip_sockfd, closes the socket
pair, and unbinds/rebinds usbip-vudc.0:

  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
  Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
  Allocated by task 239:
    vudc_probe+0x4d/0xaa0
  Freed by task 239:
    kfree+0x18f/0x520
    device_release_driver_internal+0x388/0x540
    unbind_store+0xd9/0x100

This lands in the timer core rather than v_timer() itself because the
embedded timer_list is being walked after its containing struct vudc has
already been freed. The underlying lifetime bug is the same one Zheng
reported.

With v_stop_timer() called from vudc_remove() and the timer deleted
synchronously, the same harness completed 5000 bind/unbind iterations
with no KASAN report.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <zyytlz.wz@163.com>
Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/usbip/vudc_dev.c      |    1 +
 drivers/usb/usbip/vudc_transfer.c |    3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -632,6 +632,7 @@ void vudc_remove(struct platform_device
 {
 	struct vudc *udc = platform_get_drvdata(pdev);
 
+	v_stop_timer(udc);
 	usb_del_gadget_udc(&udc->gadget);
 	cleanup_vudc_hw(udc);
 	kfree(udc);
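Review bot: v_stop_timer() now runs before usb_del_gadget_udc(), while the gadget and the usbip_sockfd store path that the commit message says starts the timer are still reachable, so a store racing with remove could arm the timer again after it has been deleted; this is safe only if v_kick_timer() refuses to arm a timer whose state is VUDC_TR_STOPPED, and since the whole fix rests on that, it deserves a sentence in the commit message or a comment here. Alternatively move the v_stop_timer() call to just before cleanup_vudc_hw(), after the gadget is gone.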
--- a/drivers/usb/usbip/vudc_transfer.c
+++ b/drivers/usb/usbip/vudc_transfer.c
@@ -490,7 +490,8 @@ void v_stop_timer(struct vudc *udc)
 {
 	struct transfer_timer *t = &udc->tr_timer;
 
-	/* timer itself will take care of stopping */
+	/* Delete the timer synchronously before teardown frees udc. */
 	dev_dbg(&udc->pdev->dev, "timer stop");
+	timer_delete_sync(&t->timer);
 	t->state = VUDC_TR_STOPPED;
 }
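Review bot: timer_delete_sync() does not stop a callback from re-arming its own timer, so if v_timer() calls mod_timer() on itself while URBs remain queued, the timer can be pending again by the time t->state is set to VUDC_TR_STOPPED on the next line, and the use-after-free from the commit message is narrowed rather than closed. Either set t->state = VUDC_TR_STOPPED (under udc->lock) before the sync delete so the callback sees it and does not re-arm, or use timer_shutdown_sync(), which makes every later mod_timer()/add_timer() on that timer a no-op and is the API meant for a remove() path. The comment above dev_dbg() also reads better placed directly above the timer_delete_sync() call it describes.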



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 217/307] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 216/307] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 218/307] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen J. Fuhry, stable

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephen J. Fuhry <fuhrysteve@gmail.com>

commit 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 upstream.

The Lenovo ThinkPad USB-C Dock Gen2 (17ef:a391, 17ef:a392) hub
controllers exhibit link instability when USB Link Power Management
is enabled, similar to the dock's Ethernet adapter (17ef:a387) which
already carries USB_QUIRK_NO_LPM.

When the dock reconnects after a transient disconnect, the hub
controllers enter LPM states between re-enumeration retries, causing
repeated disconnect/reconnect cycles lasting up to two minutes.
Disabling LPM for these devices restores stable enumeration.

Signed-off-by: Stephen J. Fuhry <fuhrysteve@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260513171419.44849-1-fuhrysteve@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/quirks.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -511,6 +511,10 @@ static const struct usb_device_id usb_qu
 	/* Lenovo ThinkPad USB-C Dock Gen2 Ethernet (RTL8153 GigE) */
 	{ USB_DEVICE(0x17ef, 0xa387), .driver_info = USB_QUIRK_NO_LPM },
 
+	/* Lenovo ThinkPad USB-C Dock Gen2 USB 3.1 and USB 2.0 hub controllers */
+	{ USB_DEVICE(0x17ef, 0xa391), .driver_info = USB_QUIRK_NO_LPM },
+	{ USB_DEVICE(0x17ef, 0xa392), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* BUILDWIN Photo Frame */
 	{ USB_DEVICE(0x1908, 0x1315), .driver_info =
 			USB_QUIRK_HONOR_BNUMINTERFACES },
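Review bot: one comment covers two IDs described as "USB 3.1 and USB 2.0 hub controllers" without saying which is which, whereas the neighbouring entries name exactly one device per comment (the RTL8153 entry just above); either split the comment per ID or append the hub type to each line, e.g. `/* ... USB 3.1 hub */` on 0xa391, so a later reader can tell them apart. USB_DEVICE() also matches every bcdDevice, and the commit message names no firmware revision, so if the instability turns out to be firmware-specific the entries cannot later be narrowed without more information; worth asking the reporter to record the bcdDevice values in the commit message.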



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 228/315] usb: usbtmc: check URB actual_length for interrupt-IN notifications
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 227/315] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 229/315] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+abbfd103085885cf16a2, stable,
	Michal Pecio, Heitor Alves de Siqueira

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

commit 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd upstream.

USBTMC devices can use an optional interrupt endpoint for notification
messages. These typically contain two-byte headers indicating the
payload format, but the driver does not check if these headers are
present before accessing the data buffers. In cases where the URB
actual_length is not enough to fit these headers, the driver will either
cause an out-of-bounds read, or consume stale leftover data from a
previous notification.

Fix by checking if actual_data contains enough bytes for the headers,
otherwise resubmit URB to the interrupt endpoint.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-1-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2310,6 +2310,14 @@ static void usbtmc_interrupt(struct urb
 
 	switch (status) {
 	case 0: /* SUCCESS */
+		/* ensure at least two bytes of headers were transferred */
+		if (urb->actual_length < 2) {
+			dev_warn(dev,
+				"actual length %d not sufficient for interrupt headers\n",
+				urb->actual_length);
+			goto exit;
+		}
+
 		/* check for valid STB notification */
 		if (data->iin_buffer[0] > 0x81) {
 			data->bNotify1 = data->iin_buffer[0];
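Review bot: urb->actual_length is a u32, so the dev_warn() format should use %u rather than %d. More importantly the warning is unconditional on a path a device controls: the syzbot reproducer shows short completions can arrive on every interrupt URB, and the goto exit path resubmits, so a misbehaving or hostile device can fill the log at warn level indefinitely; dev_warn_ratelimited() or dev_dbg() is the safer choice. The check itself is correct as placed: bailing out before the iin_buffer[0] comparison means neither header byte is read when fewer than two were transferred, which is what closes the stale-data case.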



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 218/307] usb: storage: Add quirks for PNY Elite Portable SSD
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 217/307] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 219/307] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Burkels, Oliver Neukum, stable

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sam Burkels <sam@1a38.nl>

commit b53ebb811e00be50a779ce4e7aee604178b4a825 upstream.

The PNY Elite Portable SSD (USB ID 154b:f009) is a sibling of the
already-quirked PNY Pro Elite SSDs (154b:f00b and 154b:f00d). Like its
siblings, it uses a Phison-based USB-SATA bridge that exhibits
firmware bugs when bound to the uas driver.

Without quirks, the device fails to complete READ CAPACITY commands
when accessed over UAS on a SuperSpeed (USB 3) port. The device
enumerates and reports as a SCSI direct-access device, but reports
zero logical blocks and never finishes spin-up:

    usb 2-3: new SuperSpeed USB device number 8 using xhci_hcd
    usb 2-3: New USB device found, idVendor=154b, idProduct=f009
    usb 2-3: Product: PNY ELITE PSSD
    usb 2-3: Manufacturer: PNY
    scsi host0: uas
    scsi 0:0:0:0: Direct-Access     PNY      PNY ELITE PSSD   0
    sd 0:0:0:0: [sda] Spinning up disk...
    [...10+ seconds of polling, no progress...]
    sd 0:0:0:0: [sda] Read Capacity(16) failed: hostbyte=DID_ERROR
    sd 0:0:0:0: [sda] Read Capacity(10) failed: hostbyte=DID_ERROR
    sd 0:0:0:0: [sda] 0 512-byte logical blocks: (0 B/0 B)

Tested each individual quirk to find the minimum that fixes this:
  - US_FL_NO_ATA_1X alone: device hangs on spin-up
  - US_FL_NO_REPORT_OPCODES alone: works on USB 2.0, hangs on USB 3.0
  - US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES: works on both

With both quirks the device enumerates correctly while still using
the uas driver, and delivers full UAS throughput (~281 MB/s
sequential read on a USB 3.0 Gen 1 port).

The existing PNY Pro Elite entries (f00b, f00d) only set NO_ATA_1X,
but this device additionally chokes on REPORT OPCODES under
SuperSpeed.

Signed-off-by: Sam Burkels <sam@1a38.nl>
Acked-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260501132346.86572-1-sam@1a38.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/unusual_uas.h |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -132,6 +132,13 @@ UNUSUAL_DEV(0x152d, 0x0583, 0x0000, 0x99
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_NO_REPORT_OPCODES),
 
+/* Reported-by: Sam Burkels <sam@1a38.nl> */
+UNUSUAL_DEV(0x154b, 0xf009, 0x0000, 0x9999,
+		"PNY",
+		"PNY ELITE PSSD",
+		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+		US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES),
+
 /* Reported-by: Thinh Nguyen <thinhn@synopsys.com> */
 UNUSUAL_DEV(0x154b, 0xf00b, 0x0000, 0x9999,
 		"PNY",



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 229/315] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 228/315] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 230/315] usb: typec: tipd: Fix error code in tps6598x_probe() Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Michal Pecio,
	Heitor Alves de Siqueira

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

commit 121d2f682ba912b1427cddca7cf84840f41cc620 upstream.

The USB488 subclass specification requires interrupt wMaxPacketSize to
be 0x02, unless the device sends vendor-specific notifications.
Endpoints that advertise less than 2 bytes for wMaxPacketSize are
unlikely to work with the current driver, as URBs will not have enough
space for interrupt headers. Considering that any notification URBs will
be ignored by the driver, reject these endpoints early during probe.

Fixes: 041370cce889 ("USB: usbtmc: refactor endpoint retrieval")
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-2-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2444,6 +2444,12 @@ static int usbtmc_probe(struct usb_inter
 		data->iin_ep = int_in->bEndpointAddress;
 		data->iin_wMaxPacketSize = usb_endpoint_maxp(int_in);
 		data->iin_interval = int_in->bInterval;
+		/* wMaxPacketSize should be 0x02 or more as per USB488 Table 22 */
+		if (iface_desc->desc.bInterfaceProtocol == 1 &&
+		    data->iin_wMaxPacketSize < 2) {
+			retcode = -EINVAL;
+			goto err_put;
+		}
 		dev_dbg(&intf->dev, "Found Int in endpoint at %u\n",
 				data->iin_ep);
 	}
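Review bot: the literal 1 for bInterfaceProtocol is a magic number; a named constant (e.g. USBTMC_PROTO_USB488) would document what the check gates on. Because it is protocol-gated, a plain USBTMC interface (protocol 0) with wMaxPacketSize 1 is still accepted and relies entirely on the actual_length check from the previous patch, which is fine but worth a sentence in the commit message. Also, -EINVAL is returned only after data->iin_ep, iin_wMaxPacketSize and iin_interval have been filled in; harmless given the goto err_put, but the check reads better placed before those assignments so the rejected endpoint is never recorded.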



^ permalink raw reply	[flat|nested] 630+ messages in thread
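Both usbtmc patches in this series, the actual_length check in the previous message and the probe-time wMaxPacketSize rejection in this one, as a user-space model added here as an example; it is not code from the driver or its author. It keeps a two-byte notification buffer that persists across completions, the way the driver's iin_buffer does, and runs the same two completions once with the unpatched logic and once with the length check, to show how a one-byte completion makes the old code hand a stale status byte to user space. The USB488 header layout it decodes (0x81 = SRQ with the status byte second; 0x82..0xFF = READ_STATUS_BYTE response carrying 0x80 | bTag, status byte second) is from the USB488 subclass specification; the packet bytes are constructed, and the struct, enum and function names (iin_complete(), demo_short_completion(), iin_endpoint_check()) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What one interrupt-IN completion turned out to be. The first three mirror
 * the branches of usbtmc_interrupt(); the last is the case the patch adds. */
enum iin_result { IIN_STB_RESPONSE, IIN_SRQ, IIN_OTHER, IIN_TOO_SHORT };

/* Stand-in for the driver's per-interface state. The URB transfer buffer is
 * reused for every interrupt URB, so a completion that delivers fewer bytes
 * than the header leaves the previous notification's bytes behind it. */
struct usbtmc_state {
	uint8_t iin_buffer[2];
	uint8_t bNotify1, bNotify2;	/* last READ_STATUS_BYTE response */
	bool    stb_valid;		/* iin_data_valid in the driver */
	bool    srq_asserted;
	uint8_t srq_stb;
};

/* Model of the completion handler: the controller has written actual_length
 * bytes into iin_buffer and touched nothing else. check_length selects the
 * patched behaviour (drop and resubmit unless both header bytes arrived) or
 * the unpatched one (read both bytes regardless). */
static enum iin_result iin_complete(struct usbtmc_state *st, const uint8_t *pkt,
				    size_t actual_length, bool check_length)
{
	if (actual_length > sizeof(st->iin_buffer))
		actual_length = sizeof(st->iin_buffer);	/* HC never overruns */
	memcpy(st->iin_buffer, pkt, actual_length);

	if (check_length && actual_length < 2)
		return IIN_TOO_SHORT;	/* kernel: dev_warn(), then goto exit */

	if (st->iin_buffer[0] > 0x81) {		/* 0x80 | bTag: STB response */
		st->bNotify1 = st->iin_buffer[0];
		st->bNotify2 = st->iin_buffer[1];
		st->stb_valid = true;
		return IIN_STB_RESPONSE;
	}
	if (st->iin_buffer[0] == 0x81) {	/* SRQ, status byte follows */
		st->srq_stb = st->iin_buffer[1];
		st->srq_asserted = true;
		return IIN_SRQ;
	}
	return IIN_OTHER;
}

/* Constructed sequence: a complete READ_STATUS_BYTE response (bTag 2,
 * STB 0x40) that user space consumes, then a completion of just one byte.
 * Returns the status byte the second completion reports, or -1 if the
 * handler dropped it. */
static int demo_short_completion(bool check_length)
{
	static const uint8_t first[2]  = { 0x82, 0x40 };
	static const uint8_t second[1] = { 0x83 };
	struct usbtmc_state st;

	memset(&st, 0, sizeof(st));
	iin_complete(&st, first, sizeof(first), check_length);
	st.stb_valid = false;	/* the READ_STATUS_BYTE ioctl took the first one */
	if (iin_complete(&st, second, sizeof(second), check_length) == IIN_STB_RESPONSE)
		return st.bNotify2;
	return -1;
}

/* Probe-time check from this patch: a USB488 interface (bInterfaceProtocol
 * 1) needs wMaxPacketSize >= 2 on its interrupt endpoint or no notification
 * can ever carry its header. Returns 0 when usable, -22 (the value of
 * -EINVAL) when the endpoint is rejected. */
static int iin_endpoint_check(uint8_t bInterfaceProtocol, uint16_t wMaxPacketSize)
{
	if (bInterfaceProtocol == 1 && (wMaxPacketSize & 0x7ff) < 2)
		return -22;
	return 0;
}

int main(void)
{
	printf("unpatched: second completion reports STB 0x%02x (stale byte)\n",
	       demo_short_completion(false));
	printf("patched:   second completion reports %d (dropped, resubmit)\n",
	       demo_short_completion(true));
	printf("USB488 interrupt endpoint with wMaxPacketSize 1 at probe: %d\n",
	       iin_endpoint_check(1, 1));
	return 0;
}
```

The unpatched run reports 0x40 after the second completion even though the device only sent 0x83: the status byte is the leftover from the first packet, which is the "stale leftover data" the commit message describes. With the check the second completion is dropped, and the probe-time check rejects endpoints on which that drop would happen for every single notification.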

* [PATCH 6.12 219/307] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 218/307] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 220/307] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Zheng Wang,
	Michael Bommarito, Shuah Khan

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit d96209626a29ea64666be98c30b30ac82e5f1be6 upstream.

This patch follows up Zheng Wang's 2023 report of a use-after-free in
vudc_remove(). The original thread stalled on Shuah Khan's request for
runtime testing of the unplug/unbind path. This patch supplies that
testing and keeps Zheng's original fix shape.

In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
vudc_remove() can then free the containing struct vudc while the timer is
still pending or executing.

KASAN confirms the race on an unpatched x86_64 QEMU guest with
CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
that repeatedly writes a socket fd to usbip_sockfd, closes the socket
pair, and unbinds/rebinds usbip-vudc.0:

  BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
  Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
  Allocated by task 239:
    vudc_probe+0x4d/0xaa0
  Freed by task 239:
    kfree+0x18f/0x520
    device_release_driver_internal+0x388/0x540
    unbind_store+0xd9/0x100

This lands in the timer core rather than v_timer() itself because the
embedded timer_list is being walked after its containing struct vudc has
already been freed. The underlying lifetime bug is the same one Zheng
reported.

With v_stop_timer() called from vudc_remove() and the timer deleted
synchronously, the same harness completed 5000 bind/unbind iterations
with no KASAN report.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <zyytlz.wz@163.com>
Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/usbip/vudc_dev.c      |    1 +
 drivers/usb/usbip/vudc_transfer.c |    3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -632,6 +632,7 @@ void vudc_remove(struct platform_device
 {
 	struct vudc *udc = platform_get_drvdata(pdev);
 
+	v_stop_timer(udc);
 	usb_del_gadget_udc(&udc->gadget);
 	cleanup_vudc_hw(udc);
 	kfree(udc);
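Review bot: the call is placed before usb_del_gadget_udc(), so the gadget and the usbip_sockfd attribute that the commit message says starts the timer remain reachable for a moment after the timer is deleted; the backport is only correct if v_kick_timer() refuses to arm a timer whose state is VUDC_TR_STOPPED, and that dependency should be stated in a comment here or the call moved after the gadget is unregistered.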
--- a/drivers/usb/usbip/vudc_transfer.c
+++ b/drivers/usb/usbip/vudc_transfer.c
@@ -490,7 +490,8 @@ void v_stop_timer(struct vudc *udc)
 {
 	struct transfer_timer *t = &udc->tr_timer;
 
-	/* timer itself will take care of stopping */
+	/* Delete the timer synchronously before teardown frees udc. */
 	dev_dbg(&udc->pdev->dev, "timer stop");
+	timer_delete_sync(&t->timer);
 	t->state = VUDC_TR_STOPPED;
 }
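Review bot: backport check: timer_delete_sync() exists in 6.12, so the hunk applies unchanged, but 6.12 also has timer_shutdown_sync(), which additionally turns every later mod_timer() on the timer into a no-op; where v_timer() re-arms itself from the callback while URBs remain queued, only the shutdown variant (or setting t->state = VUDC_TR_STOPPED before the sync delete) guarantees nothing is pending when kfree(udc) runs.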



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 230/315] usb: typec: tipd: Fix error code in tps6598x_probe()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 229/315] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 231/315] usb: typec: tcpm: improve handling of DISCOVER_MODES failures Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter,
	Heikki Krogerus

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <error27@gmail.com>

commit b02900c85a6423cf9b3dcc6b47bf060c85075e69 upstream.

Set the error code on these two error paths.  The existing code returns
success.

Fixes: 77ed2f4538da ("usb: typec: tipd: Use read_power_status function in probe")
Fixes: 04041fd7d6ec ("usb: typec: tipd: Read data status in probe and cache its value")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/agL9o7wUK1dOVBTy@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tipd/core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/typec/tipd/core.c
+++ b/drivers/usb/typec/tipd/core.c
@@ -1828,6 +1828,7 @@ static int tps6598x_probe(struct i2c_cli
 		goto err_role_put;
 
 	if (status & TPS_STATUS_PLUG_PRESENT) {
+		ret = -EINVAL;
 		if (!tps6598x_read_power_status(tps))
 			goto err_unregister_port;
 		if (!tps->data->read_data_status(tps))
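Review bot: both helpers are tested with "!" so they evidently return a bool and discard the underlying I2C error; -EINVAL ("invalid argument") does not describe a failed register read on the probe path, -EIO would, or better still have tps6598x_read_power_status() and read_data_status() return the int from the regmap call so probe can propagate the real error. Setting ret once before both calls is fine as written, since nothing between them reassigns it.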



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 220/307] usb: usbtmc: check URB actual_length for interrupt-IN notifications
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 219/307] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 221/307] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+abbfd103085885cf16a2, stable,
	Michal Pecio, Heitor Alves de Siqueira

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

commit 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd upstream.

USBTMC devices can use an optional interrupt endpoint for notification
messages. These typically contain two-byte headers indicating the
payload format, but the driver does not check if these headers are
present before accessing the data buffers. In cases where the URB
actual_length is not enough to fit these headers, the driver will either
cause an out-of-bounds read, or consume stale leftover data from a
previous notification.

Fix by checking if actual_data contains enough bytes for the headers,
otherwise resubmit URB to the interrupt endpoint.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-1-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2310,6 +2310,14 @@ static void usbtmc_interrupt(struct urb
 
 	switch (status) {
 	case 0: /* SUCCESS */
+		/* ensure at least two bytes of headers were transferred */
+		if (urb->actual_length < 2) {
+			dev_warn(dev,
+				"actual length %d not sufficient for interrupt headers\n",
+				urb->actual_length);
+			goto exit;
+		}
+
 		/* check for valid STB notification */
 		if (data->iin_buffer[0] > 0x81) {
 			data->bNotify1 = data->iin_buffer[0];
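Review bot: %d for the u32 urb->actual_length should be %u, and because this path is reachable on every URB from a misbehaving device with the URB resubmitted each time, dev_warn_ratelimited() is preferable to an unconditional dev_warn(); both apply equally to this backport and are best fixed as a follow-up to the upstream commit rather than by diverging here.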



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 231/315] usb: typec: tcpm: improve handling of DISCOVER_MODES failures
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 230/315] usb: typec: tipd: Fix error code in tps6598x_probe() Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 232/315] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus,
	Sebastian Reichel, RD Babiera, Badhri Jagan Sridharan

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Reichel <sebastian.reichel@collabora.com>

commit c06e6cd488194e37ed4dc29d1488d1ffb760de60 upstream.

UGREEN USB-C Multifunction Adapter Model CM512 (AKA "Revodok 107")
exposes two SVIDs: 0xff01 (DP Alt Mode) and 0x1d5c. The DISCOVER_MODES
step succeeds for 0xff01 and gets a NAK for 0x1d5c. Currently this
results in DP Alt Mode not being registered either, since the modes
are only registered once all of them have been discovered. The NAK
results in the processing being stopped and thus no Alt modes being
registered.

Improve the situation by handling the NAK gracefully and continue
processing the other modes.

Before this change, the TCPM log ends like this:

(more log entries before this)
[    5.028287] AMS DISCOVER_SVIDS finished
[    5.028291] cc:=4
[    5.040040] SVID 1: 0xff01
[    5.040054] SVID 2: 0x1d5c
[    5.040082] AMS DISCOVER_MODES start
[    5.040096] PD TX, header: 0x1b6f
[    5.050946] PD TX complete, status: 0
[    5.059609] PD RX, header: 0x264f [1]
[    5.059626] Rx VDM cmd 0xff018043 type 1 cmd 3 len 2
[    5.059640] AMS DISCOVER_MODES finished
[    5.059644] cc:=4
[    5.069994]  Alternate mode 0: SVID 0xff01, VDO 1: 0x000c0045
[    5.070029] AMS DISCOVER_MODES start
[    5.070043] PD TX, header: 0x1d6f
[    5.081139] PD TX complete, status: 0
[    5.087498] PD RX, header: 0x184f [1]
[    5.087515] Rx VDM cmd 0x1d5c8083 type 2 cmd 3 len 1
[    5.087529] AMS DISCOVER_MODES finished
[    5.087534] cc:=4
(no further log entries after this point)

After this patch the TCPM log looks exactly the same, but then
continues like this:

[    5.100222] Skip SVID 0x1d5c (failed to discover mode)
[    5.101699] AMS DFP_TO_UFP_ENTER_MODE start
(log goes on as the system initializes DP AltMode)

Cc: stable <stable@kernel.org>
Fixes: 41d9d75344d9 ("usb: typec: tcpm: add discover svids and discover modes support for sop'")
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: RD Babiera <rdbabiera@google.com>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://patch.msgid.link/20260429-tcpm-discover-modes-nak-fix-v4-1-75945d0ed30f@collabora.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   97 ++++++++++++++++++++++++++----------------
 1 file changed, 61 insertions(+), 36 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1989,6 +1989,55 @@ static bool tcpm_cable_vdm_supported(str
 	       tcpm_can_communicate_sop_prime(port);
 }
 
+static int tcpm_handle_discover_mode(struct tcpm_port *port, u32 *response,
+				     enum tcpm_transmit_type rx_sop_type,
+				     enum tcpm_transmit_type *response_tx_sop_type)
+{
+	struct typec_port *typec = port->typec_port;
+	struct pd_mode_data *modep;
+
+	if (rx_sop_type == TCPC_TX_SOP) {
+		modep = &port->mode_data;
+		modep->svid_index++;
+
+		if (modep->svid_index < modep->nsvids) {
+			u16 svid = modep->svids[modep->svid_index];
+			*response_tx_sop_type = TCPC_TX_SOP;
+			response[0] = VDO(svid, 1,
+					  typec_get_negotiated_svdm_version(typec),
+					  CMD_DISCOVER_MODES);
+			return 1;
+		}
+
+		if (tcpm_cable_vdm_supported(port)) {
+			*response_tx_sop_type = TCPC_TX_SOP_PRIME;
+			response[0] = VDO(USB_SID_PD, 1,
+					  typec_get_cable_svdm_version(typec),
+					  CMD_DISCOVER_SVID);
+			return 1;
+		}
+
+		tcpm_register_partner_altmodes(port);
+	} else if (rx_sop_type == TCPC_TX_SOP_PRIME) {
+		modep = &port->mode_data_prime;
+		modep->svid_index++;
+
+		if (modep->svid_index < modep->nsvids) {
+			u16 svid = modep->svids[modep->svid_index];
+			*response_tx_sop_type = TCPC_TX_SOP_PRIME;
+			response[0] = VDO(svid, 1,
+					  typec_get_cable_svdm_version(typec),
+					  CMD_DISCOVER_MODES);
+			return 1;
+		}
+
+		tcpm_register_plug_altmodes(port);
+		tcpm_register_partner_altmodes(port);
+	}
+
+	return 0;
+}
+
 static int tcpm_pd_svdm(struct tcpm_port *port, struct typec_altmode *adev,
 			const u32 *p, int cnt, u32 *response,
 			enum adev_actions *adev_action,
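Review bot: tcpm_handle_discover_mode() has no comment stating that its return value is the VDM response length handed to rlen (1 when another DISCOVER_MODES or the cable DISCOVER_SVID has been queued in response[0], 0 once the list is exhausted and the altmodes have been registered); a short kernel-doc block would make the reuse from the NAK path in the later hunk self-explanatory. Also worth confirming that typec_get_negotiated_svdm_version(typec) in the SOP branch yields the same value as the svdm_version local the old inline code passed to VDO(), since the helper has no access to that local.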
@@ -2246,41 +2295,11 @@ static int tcpm_pd_svdm(struct tcpm_port
 			}
 			break;
 		case CMD_DISCOVER_MODES:
-			if (rx_sop_type == TCPC_TX_SOP) {
-				/* 6.4.4.3.3 */
-				svdm_consume_modes(port, p, cnt, rx_sop_type);
-				modep->svid_index++;
-				if (modep->svid_index < modep->nsvids) {
-					u16 svid = modep->svids[modep->svid_index];
-					*response_tx_sop_type = TCPC_TX_SOP;
-					response[0] = VDO(svid, 1, svdm_version,
-							  CMD_DISCOVER_MODES);
-					rlen = 1;
-				} else if (tcpm_cable_vdm_supported(port)) {
-					*response_tx_sop_type = TCPC_TX_SOP_PRIME;
-					response[0] = VDO(USB_SID_PD, 1,
-							  typec_get_cable_svdm_version(typec),
-							  CMD_DISCOVER_SVID);
-					rlen = 1;
-				} else {
-					tcpm_register_partner_altmodes(port);
-				}
-			} else if (rx_sop_type == TCPC_TX_SOP_PRIME) {
-				/* 6.4.4.3.3 */
-				svdm_consume_modes(port, p, cnt, rx_sop_type);
-				modep_prime->svid_index++;
-				if (modep_prime->svid_index < modep_prime->nsvids) {
-					u16 svid = modep_prime->svids[modep_prime->svid_index];
-					*response_tx_sop_type = TCPC_TX_SOP_PRIME;
-					response[0] = VDO(svid, 1,
-							  typec_get_cable_svdm_version(typec),
-							  CMD_DISCOVER_MODES);
-					rlen = 1;
-				} else {
-					tcpm_register_plug_altmodes(port);
-					tcpm_register_partner_altmodes(port);
-				}
-			}
+			/* 6.4.4.3.3 */
+			svdm_consume_modes(port, p, cnt, rx_sop_type);
+			rlen = tcpm_handle_discover_mode(port, response,
+							 rx_sop_type,
+							 response_tx_sop_type);
 			break;
 		case CMD_ENTER_MODE:
 			*response_tx_sop_type = rx_sop_type;
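Review bot: with the SOP and SOP' bodies moved into the helper, the svdm_version, modep and modep_prime locals of tcpm_pd_svdm() are no longer referenced by this case; if no other case in the function still uses them, their declarations should be removed in the same patch to avoid -Wunused-variable. Otherwise the refactor is behaviour-preserving for the ACK path: svdm_consume_modes() still runs before svid_index is advanced, for both SOP types.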
@@ -2323,9 +2342,15 @@ static int tcpm_pd_svdm(struct tcpm_port
 		switch (cmd) {
 		case CMD_DISCOVER_IDENT:
 		case CMD_DISCOVER_SVID:
-		case CMD_DISCOVER_MODES:
 		case VDO_CMD_VENDOR(0) ... VDO_CMD_VENDOR(15):
 			break;
+		case CMD_DISCOVER_MODES:
+			tcpm_log(port, "Skip SVID 0x%04x (failed to discover mode)",
+				 PD_VDO_SVID_SVID0(p[0]));
+			rlen = tcpm_handle_discover_mode(port, response,
+							 rx_sop_type,
+							 response_tx_sop_type);
+			break;
 		case CMD_ENTER_MODE:
 			/* Back to USB Operation */
 			*adev_action = ADEV_NOTIFY_USB_AND_QUEUE_VDM;
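Review bot: the NAK case now advances svid_index without consuming anything, so a partner that NAKs every SVID still reaches tcpm_register_partner_altmodes() through the helper with zero discovered modes; confirm registration with an empty mode list is a no-op rather than an error path. Minor: PD_VDO_SVID_SVID0() is the accessor for a Discover SVIDs response VDO; applied to the VDM header p[0] it happens to yield the SVID because both sit in the upper 16 bits, but PD_VDO_VID(p[0]) states the intent directly.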




* [PATCH 6.12 221/307] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Michal Pecio,
	Heitor Alves de Siqueira

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heitor Alves de Siqueira <halves@igalia.com>

commit 121d2f682ba912b1427cddca7cf84840f41cc620 upstream.

The USB488 subclass specification requires interrupt wMaxPacketSize to
be 0x02, unless the device sends vendor-specific notifications.
Endpoints that advertise less than 2 bytes for wMaxPacketSize are
unlikely to work with the current driver, as URBs will not have enough
space for interrupt headers. Considering that any notification URBs will
be ignored by the driver, reject these endpoints early during probe.

Fixes: 041370cce889 ("USB: usbtmc: refactor endpoint retrieval")
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-2-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2444,6 +2444,12 @@ static int usbtmc_probe(struct usb_inter
 		data->iin_ep = int_in->bEndpointAddress;
 		data->iin_wMaxPacketSize = usb_endpoint_maxp(int_in);
 		data->iin_interval = int_in->bInterval;
+		/* wMaxPacketSize should be 0x02 or more as per USB488 Table 22 */
+		if (iface_desc->desc.bInterfaceProtocol == 1 &&
+		    data->iin_wMaxPacketSize < 2) {
+			retcode = -EINVAL;
+			goto err_put;
+		}
 		dev_dbg(&intf->dev, "Found Int in endpoint at %u\n",
 				data->iin_ep);
 	}
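Review bot: the rejection leaves no trace in the log; a dev_err() naming the endpoint and the advertised wMaxPacketSize before `goto err_put` would tell a user why a USB488 instrument failed to probe. The literal 1 for bInterfaceProtocol is a magic number; a named constant for the USB488 protocol value would read better. The check also sits after the iin_* fields have been assigned, which is harmless as long as err_put discards `data`, but placing it before the assignments (or right after usb_endpoint_maxp()) would avoid storing values that are then rejected.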



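The endpoint rule the patch enforces, as an added user-space example that is not usbtmc.c code: it walks a constructed configuration-descriptor blob the way a probe routine does, picks the interrupt-IN endpoint of the USBTMC interface and applies the same test (a USB488 interface, bInterfaceProtocol == 1, must advertise wMaxPacketSize of at least 2). The descriptor bytes, the `usbtmc_check_iin()` helper and the `USB488_PROTOCOL` constant are this example's own constructions.

```c
/* Added example, not usbtmc.c: walk a constructed configuration descriptor
 * blob the way a probe routine does, pick the interrupt-IN endpoint of the
 * USBTMC interface and apply the check from the patch, i.e. a USB488
 * interface (bInterfaceProtocol == 1) must advertise wMaxPacketSize >= 2. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_INTERFACE		0x04
#define USB_DT_ENDPOINT			0x05
#define USB_DIR_IN			0x80
#define USB_ENDPOINT_XFERTYPE_MASK	0x03
#define USB_ENDPOINT_XFER_INT		0x03
#define USB488_PROTOCOL			1	/* constructed name for the literal 1 */

struct iin_ep {
	bool found;
	uint8_t address;
	uint16_t wMaxPacketSize;
	uint8_t bInterval;
	uint8_t protocol;	/* bInterfaceProtocol of the owning interface */
};

/* Returns 0 when the blob is acceptable, -EINVAL when it is malformed or
 * when a USB488 interrupt-IN endpoint is too small for a notification header. */
static int usbtmc_check_iin(const uint8_t *desc, size_t len, struct iin_ep *ep)
{
	size_t off = 0;
	uint8_t proto = 0;
	bool in_iface = false;

	ep->found = false;
	while (off + 2 <= len) {
		uint8_t blen = desc[off], btype = desc[off + 1];

		if (blen < 2 || off + blen > len)
			return -EINVAL;	/* truncated or self-contradicting descriptor */

		if (btype == USB_DT_INTERFACE && blen >= 9) {
			proto = desc[off + 7];		/* bInterfaceProtocol */
			in_iface = true;
		} else if (btype == USB_DT_ENDPOINT && blen >= 7 && in_iface) {
			uint8_t addr = desc[off + 2], attr = desc[off + 3];

			if ((attr & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT &&
			    (addr & USB_DIR_IN)) {
				ep->found = true;
				ep->address = addr;
				/* like usb_endpoint_maxp(): low 11 bits of wMaxPacketSize */
				ep->wMaxPacketSize = (desc[off + 4] | (desc[off + 5] << 8)) & 0x7ff;
				ep->bInterval = desc[off + 6];
				ep->protocol = proto;
				/* the check the patch adds (USB488 Table 22) */
				if (proto == USB488_PROTOCOL && ep->wMaxPacketSize < 2)
					return -EINVAL;
				return 0;
			}
		}
		off += blen;
	}
	return 0;	/* no interrupt-IN endpoint at all: it is optional */
}

/* Constructed descriptors: one interface (class 0xfe / subclass 0x03 = USBTMC)
 * with bulk OUT, bulk IN and one interrupt-IN endpoint. */
#define IFACE(proto)	9, USB_DT_INTERFACE, 0, 0, 3, 0xfe, 0x03, (proto), 0
#define BULK_OUT	7, USB_DT_ENDPOINT, 0x01, 0x02, 0x00, 0x02, 0
#define BULK_IN		7, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0
#define INT_IN(maxp)	7, USB_DT_ENDPOINT, 0x82, 0x03, (maxp), 0x00, 16

static const uint8_t usb488_good[]  = { IFACE(1), BULK_OUT, BULK_IN, INT_IN(2) };
static const uint8_t usb488_small[] = { IFACE(1), BULK_OUT, BULK_IN, INT_IN(1) };
static const uint8_t usbtmc_small[] = { IFACE(0), BULK_OUT, BULK_IN, INT_IN(1) };
static const uint8_t truncated[]    = { IFACE(1), 7, USB_DT_ENDPOINT, 0x82 };

int main(void)
{
	struct iin_ep ep;

	printf("usb488 maxp=2: %d\n", usbtmc_check_iin(usb488_good, sizeof usb488_good, &ep));
	printf("usb488 maxp=1: %d\n", usbtmc_check_iin(usb488_small, sizeof usb488_small, &ep));
	printf("usbtmc maxp=1: %d\n", usbtmc_check_iin(usbtmc_small, sizeof usbtmc_small, &ep));
	printf("truncated:     %d\n", usbtmc_check_iin(truncated, sizeof truncated, &ep));
	return 0;
}
```

The third blob shows the gate the patch chose: a plain USBTMC interface (protocol 0) with a 1-byte interrupt endpoint is still accepted, only the USB488 case is refused, and a descriptor whose bLength runs past the buffer is rejected before any field is read.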

* [PATCH 6.18 232/315] usb: typec: ucsi: Check if power role change actually happened before handling
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
	Heikki Krogerus, Sergey Senozhatsky

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>

commit b80e7d34c7ea6a564525119d6138fbb577a23dba upstream.

The CrOS EC may send a connector status change event with the power
direction changed flag set even if the power direction hasn't actually
changed after initiating a SET_PDR command internally [1]. In practice
this happens on every system suspend due to other changes performed by
the EC [2][3][4], causing suspend to fail.

Fix this by checking if the power role change actually happened before
handling it.

[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=1689;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[2]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=3923;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[3]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=5094;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[4]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=2229;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794

Cc: stable <stable@kernel.org>
Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-1-6f1239535187@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1224,7 +1224,7 @@ static void ucsi_handle_connector_change
 						  work);
 	struct ucsi *ucsi = con->ucsi;
 	u8 curr_scale, volt_scale;
-	enum typec_role role;
+	enum typec_role role, prev_role;
 	u16 change;
 	int ret;
 	u32 val;
@@ -1235,6 +1235,8 @@ static void ucsi_handle_connector_change
 		dev_err_once(ucsi->dev, "%s entered without EVENT_PENDING\n",
 			     __func__);
 
+	prev_role = UCSI_CONSTAT(con, PWR_DIR);
+
 	ret = ucsi_get_connector_status(con, true);
 	if (ret) {
 		dev_err(ucsi->dev, "%s: GET_CONNECTOR_STATUS failed (%d)\n",
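Review bot: prev_role is read from the cached connector status immediately before ucsi_get_connector_status() refreshes it, so the comparison is only as good as that cache; if an earlier POWER_DIR_CHANGE event was lost or coalesced, or the cached status was refreshed somewhere other than this handler, a genuine role change could be mistaken for a spurious one and never be applied. A comment at the prev_role assignment stating this assumption would help the next reader.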
@@ -1251,7 +1253,7 @@ static void ucsi_handle_connector_change
 	change = UCSI_CONSTAT(con, CHANGE);
 	role = UCSI_CONSTAT(con, PWR_DIR);
 
-	if (change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+	if ((change & UCSI_CONSTAT_POWER_DIR_CHANGE) && role != prev_role) {
 		typec_set_pwr_role(con->port, role);
 		ucsi_port_psy_changed(con);
 
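Review bot: when the EC sets UCSI_CONSTAT_POWER_DIR_CHANGE but role == prev_role the event is now dropped silently; a dev_dbg() for that case would make the EC behaviour described in the commit message observable in the field. The new condition also skips everything else in this block, not just typec_set_pwr_role()/ucsi_port_psy_changed(), so verify nothing further down must still run for a power-direction event whose role is unchanged.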




* [PATCH 6.12 222/307] usb: typec: tcpm: improve handling of DISCOVER_MODES failures
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus,
	Sebastian Reichel, RD Babiera, Badhri Jagan Sridharan

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Reichel <sebastian.reichel@collabora.com>

commit c06e6cd488194e37ed4dc29d1488d1ffb760de60 upstream.

UGREEN USB-C Multifunction Adapter Model CM512 (AKA "Revodok 107")
exposes two SVIDs: 0xff01 (DP Alt Mode) and 0x1d5c. The DISCOVER_MODES
step succeeds for 0xff01 and gets a NAK for 0x1d5c. Currently this
results in DP Alt Mode not being registered either, since the modes
are only registered once all of them have been discovered. The NAK
results in the processing being stopped and thus no Alt modes being
registered.

Improve the situation by handling the NAK gracefully and continuing to
process the other modes.

Before this change, the TCPM log ends like this:

(more log entries before this)
[    5.028287] AMS DISCOVER_SVIDS finished
[    5.028291] cc:=4
[    5.040040] SVID 1: 0xff01
[    5.040054] SVID 2: 0x1d5c
[    5.040082] AMS DISCOVER_MODES start
[    5.040096] PD TX, header: 0x1b6f
[    5.050946] PD TX complete, status: 0
[    5.059609] PD RX, header: 0x264f [1]
[    5.059626] Rx VDM cmd 0xff018043 type 1 cmd 3 len 2
[    5.059640] AMS DISCOVER_MODES finished
[    5.059644] cc:=4
[    5.069994]  Alternate mode 0: SVID 0xff01, VDO 1: 0x000c0045
[    5.070029] AMS DISCOVER_MODES start
[    5.070043] PD TX, header: 0x1d6f
[    5.081139] PD TX complete, status: 0
[    5.087498] PD RX, header: 0x184f [1]
[    5.087515] Rx VDM cmd 0x1d5c8083 type 2 cmd 3 len 1
[    5.087529] AMS DISCOVER_MODES finished
[    5.087534] cc:=4
(no further log entries after this point)

After this patch the TCPM log looks exactly the same, but then
continues like this:

[    5.100222] Skip SVID 0x1d5c (failed to discover mode)
[    5.101699] AMS DFP_TO_UFP_ENTER_MODE start
(log goes on as the system initializes DP AltMode)

Cc: stable <stable@kernel.org>
Fixes: 41d9d75344d9 ("usb: typec: tcpm: add discover svids and discover modes support for sop'")
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: RD Babiera <rdbabiera@google.com>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://patch.msgid.link/20260429-tcpm-discover-modes-nak-fix-v4-1-75945d0ed30f@collabora.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   97 ++++++++++++++++++++++++++----------------
 1 file changed, 61 insertions(+), 36 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1933,6 +1933,55 @@ static bool tcpm_cable_vdm_supported(str
 	       tcpm_can_communicate_sop_prime(port);
 }
 
+static int tcpm_handle_discover_mode(struct tcpm_port *port, u32 *response,
+				     enum tcpm_transmit_type rx_sop_type,
+				     enum tcpm_transmit_type *response_tx_sop_type)
+{
+	struct typec_port *typec = port->typec_port;
+	struct pd_mode_data *modep;
+
+	if (rx_sop_type == TCPC_TX_SOP) {
+		modep = &port->mode_data;
+		modep->svid_index++;
+
+		if (modep->svid_index < modep->nsvids) {
+			u16 svid = modep->svids[modep->svid_index];
+			*response_tx_sop_type = TCPC_TX_SOP;
+			response[0] = VDO(svid, 1,
+					  typec_get_negotiated_svdm_version(typec),
+					  CMD_DISCOVER_MODES);
+			return 1;
+		}
+
+		if (tcpm_cable_vdm_supported(port)) {
+			*response_tx_sop_type = TCPC_TX_SOP_PRIME;
+			response[0] = VDO(USB_SID_PD, 1,
+					  typec_get_cable_svdm_version(typec),
+					  CMD_DISCOVER_SVID);
+			return 1;
+		}
+
+		tcpm_register_partner_altmodes(port);
+	} else if (rx_sop_type == TCPC_TX_SOP_PRIME) {
+		modep = &port->mode_data_prime;
+		modep->svid_index++;
+
+		if (modep->svid_index < modep->nsvids) {
+			u16 svid = modep->svids[modep->svid_index];
+			*response_tx_sop_type = TCPC_TX_SOP_PRIME;
+			response[0] = VDO(svid, 1,
+					  typec_get_cable_svdm_version(typec),
+					  CMD_DISCOVER_MODES);
+			return 1;
+		}
+
+		tcpm_register_plug_altmodes(port);
+		tcpm_register_partner_altmodes(port);
+	}
+
+	return 0;
+}
+
 static int tcpm_pd_svdm(struct tcpm_port *port, struct typec_altmode *adev,
 			const u32 *p, int cnt, u32 *response,
 			enum adev_actions *adev_action,
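Review bot: tcpm_handle_discover_mode() needs a comment documenting that its return value is the VDM response length stored in rlen (1 when another DISCOVER_MODES or the cable DISCOVER_SVID has been queued in response[0], 0 once discovery is complete and the altmodes registered). The SOP branch uses typec_get_negotiated_svdm_version(typec) where the old inline code used the svdm_version local; confirm the two are equivalent in this 6.12 backport, since the helper cannot see that local.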
@@ -2190,41 +2239,11 @@ static int tcpm_pd_svdm(struct tcpm_port
 			}
 			break;
 		case CMD_DISCOVER_MODES:
-			if (rx_sop_type == TCPC_TX_SOP) {
-				/* 6.4.4.3.3 */
-				svdm_consume_modes(port, p, cnt, rx_sop_type);
-				modep->svid_index++;
-				if (modep->svid_index < modep->nsvids) {
-					u16 svid = modep->svids[modep->svid_index];
-					*response_tx_sop_type = TCPC_TX_SOP;
-					response[0] = VDO(svid, 1, svdm_version,
-							  CMD_DISCOVER_MODES);
-					rlen = 1;
-				} else if (tcpm_cable_vdm_supported(port)) {
-					*response_tx_sop_type = TCPC_TX_SOP_PRIME;
-					response[0] = VDO(USB_SID_PD, 1,
-							  typec_get_cable_svdm_version(typec),
-							  CMD_DISCOVER_SVID);
-					rlen = 1;
-				} else {
-					tcpm_register_partner_altmodes(port);
-				}
-			} else if (rx_sop_type == TCPC_TX_SOP_PRIME) {
-				/* 6.4.4.3.3 */
-				svdm_consume_modes(port, p, cnt, rx_sop_type);
-				modep_prime->svid_index++;
-				if (modep_prime->svid_index < modep_prime->nsvids) {
-					u16 svid = modep_prime->svids[modep_prime->svid_index];
-					*response_tx_sop_type = TCPC_TX_SOP_PRIME;
-					response[0] = VDO(svid, 1,
-							  typec_get_cable_svdm_version(typec),
-							  CMD_DISCOVER_MODES);
-					rlen = 1;
-				} else {
-					tcpm_register_plug_altmodes(port);
-					tcpm_register_partner_altmodes(port);
-				}
-			}
+			/* 6.4.4.3.3 */
+			svdm_consume_modes(port, p, cnt, rx_sop_type);
+			rlen = tcpm_handle_discover_mode(port, response,
+							 rx_sop_type,
+							 response_tx_sop_type);
 			break;
 		case CMD_ENTER_MODE:
 			*response_tx_sop_type = rx_sop_type;
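Review bot: after moving the SOP and SOP' bodies into the helper, svdm_version, modep and modep_prime are no longer used by this case; if no other case in tcpm_pd_svdm() still references them, remove the declarations here as well or the backport will warn about unused variables. The ACK path is otherwise unchanged: svdm_consume_modes() still precedes the svid_index increment for both SOP types.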
@@ -2267,9 +2286,15 @@ static int tcpm_pd_svdm(struct tcpm_port
 		switch (cmd) {
 		case CMD_DISCOVER_IDENT:
 		case CMD_DISCOVER_SVID:
-		case CMD_DISCOVER_MODES:
 		case VDO_CMD_VENDOR(0) ... VDO_CMD_VENDOR(15):
 			break;
+		case CMD_DISCOVER_MODES:
+			tcpm_log(port, "Skip SVID 0x%04x (failed to discover mode)",
+				 PD_VDO_SVID_SVID0(p[0]));
+			rlen = tcpm_handle_discover_mode(port, response,
+							 rx_sop_type,
+							 response_tx_sop_type);
+			break;
 		case CMD_ENTER_MODE:
 			/* Back to USB Operation */
 			*adev_action = ADEV_NOTIFY_USB_AND_QUEUE_VDM;
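Review bot: a partner that NAKs every SVID now reaches tcpm_register_partner_altmodes() through the helper with zero discovered modes; confirm that registering an empty mode list is a no-op. Minor: PD_VDO_SVID_SVID0() is the Discover SVIDs response accessor; it works on the VDM header p[0] only because the SVID happens to occupy the same upper 16 bits, whereas PD_VDO_VID(p[0]) names what is actually being read.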



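The DISCOVER_MODES walk that both the 6.18 and the 6.12 copies of this patch change, as an added user-space model that is not tcpm.c code: it runs the old behaviour (a NAK ends the AMS, so nothing is registered) next to the patched behaviour (the NAKed SVID is skipped and the remaining modes are registered) on a partner table constructed to mimic the CM512 adapter from the commit message. The names `handle_discover_mode`, `run_discover_modes`, `demo_cm512` and the `struct mode_data` layout are this example's own, not the driver's.

```c
/* Added example, not tcpm.c: a model of TCPM's DISCOVER_MODES walk showing
 * why one NAK used to hide every Alt Mode and how the patch changes that.
 * The partner table is constructed to mimic the CM512 adapter from the
 * commit message: SVID 0xff01 ACKs with one mode VDO, SVID 0x1d5c NAKs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SVIDS 8
#define MAX_MODES 8

enum vdm_reply { VDM_ACK, VDM_NAK };

struct partner_svid {		/* simulated partner's answer per SVID */
	uint16_t svid;
	enum vdm_reply reply;
	uint32_t mode_vdo;	/* only meaningful when reply == VDM_ACK */
};

struct altmode { uint16_t svid; uint32_t vdo; };

struct mode_data {		/* the subset of struct pd_mode_data the walk needs */
	uint16_t svids[MAX_SVIDS];
	size_t nsvids, svid_index;
	struct altmode modes[MAX_MODES];
	size_t nmodes;
	bool registered;	/* tcpm_register_partner_altmodes() would have run */
};

static const struct partner_svid cm512_partner[] = {	/* constructed */
	{ 0xff01, VDM_ACK, 0x000c0045 },
	{ 0x1d5c, VDM_NAK, 0 },
};

static enum vdm_reply partner_discover_modes(const struct partner_svid *tbl,
					     size_t n, uint16_t svid, uint32_t *vdo)
{
	for (size_t i = 0; i < n; i++)
		if (tbl[i].svid == svid) {
			*vdo = tbl[i].mode_vdo;
			return tbl[i].reply;
		}
	return VDM_NAK;		/* unknown SVID: partner NAKs */
}

/* Mirrors tcpm_handle_discover_mode() for SOP: returns 1 if another
 * DISCOVER_MODES must be sent (*next_svid set), 0 once the list is
 * exhausted and the collected modes have been registered. */
static int handle_discover_mode(struct mode_data *md, uint16_t *next_svid)
{
	md->svid_index++;
	if (md->svid_index < md->nsvids) {
		*next_svid = md->svids[md->svid_index];
		return 1;
	}
	md->registered = true;
	return 0;
}

/* skip_nak == false: pre-patch behaviour (a NAK ends the AMS, nothing is
 * registered); skip_nak == true: patched behaviour. Returns the number of
 * registered modes, 0 if registration never happened. */
static size_t run_discover_modes(const struct partner_svid *tbl, size_t n,
				 bool skip_nak, struct mode_data *md)
{
	uint16_t svid;

	md->svid_index = 0;
	md->nmodes = 0;
	md->registered = false;
	if (md->nsvids == 0)
		return 0;	/* TCPM never sends DISCOVER_MODES without SVIDs */

	svid = md->svids[0];
	do {
		uint32_t vdo = 0;

		if (partner_discover_modes(tbl, n, svid, &vdo) == VDM_ACK) {
			if (md->nmodes < MAX_MODES)	/* svdm_consume_modes() */
				md->modes[md->nmodes++] = (struct altmode){ svid, vdo };
		} else if (!skip_nak) {
			return 0;
		} else {
			printf("Skip SVID 0x%04x (failed to discover mode)\n", svid);
		}
	} while (handle_discover_mode(md, &svid));

	return md->registered ? md->nmodes : 0;
}

/* Run the CM512 scenario with or without the fix. */
static size_t demo_cm512(bool skip_nak, struct mode_data *md)
{
	md->svids[0] = 0xff01;
	md->svids[1] = 0x1d5c;
	md->nsvids = 2;
	return run_discover_modes(cm512_partner, 2, skip_nak, md);
}

int main(void)
{
	struct mode_data md;

	printf("before fix: %zu mode(s) registered\n", demo_cm512(false, &md));
	printf("after fix:  %zu mode(s) registered\n", demo_cm512(true, &md));
	return 0;
}
```

The model also exposes the edge case a reviewer would want to check in the real driver: with the fix, a partner that NAKs every SVID still reaches the registration step, with an empty mode list.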

* [PATCH 6.18 233/315] usb: typec: ucsi: Dont update power_supply on power role change if not connected
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
	Sergey Senozhatsky

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>

commit d98d413ca65d0790a8f3695d0a5845538958ab84 upstream.

We only need to update the power_supply on power role change if the port
is connected, because otherwise the online status should be the same for
both cases.

Cc: stable <stable@kernel.org>
Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-2-6f1239535187@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1255,7 +1255,12 @@ static void ucsi_handle_connector_change
 
 	if ((change & UCSI_CONSTAT_POWER_DIR_CHANGE) && role != prev_role) {
 		typec_set_pwr_role(con->port, role);
-		ucsi_port_psy_changed(con);
+
+		/* Some power_supply properties vary depending on the power direction when
+		 * connected
+		 */
+		if (UCSI_CONSTAT(con, CONNECTED))
+			ucsi_port_psy_changed(con);
 
 		/* Complete pending power role swap */
 		if (!completion_done(&con->complete))
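Review bot: the new block comment puts text on the opening `/*` line; kernel coding style wants the opener alone on its first line, i.e. `/*` then ` * Some power_supply properties vary depending on the power direction when` then ` * connected` and ` */`. The logic is fine: only the power_supply notification is gated on UCSI_CONSTAT(con, CONNECTED), and the completion of a pending power role swap below is still reached when the port is not connected.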




* [PATCH 6.12 223/307] USB: serial: option: add MeiG SRM813Q
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Volckaert, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Volckaert <janvolck@gmail.com>

commit 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 upstream.

Add support for the Qualcomm Technology Snapdragon X35-based MeiG
SRM813Q module.

The module can be put in different modes via AT commands to
enable/disable GPS functionality:

MODEM - PPP mode(2dee:4d63): AT+SER=1,1

If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: MODEM
If#= 3: AT

P:  Vendor=2dee ProdID=4d63 Rev=05.15
S:  Manufacturer=MEIG
S:  Product=LTE-A Module
S:  SerialNumber=1bd51f0e
C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

NMEA mode(2dee:4d64): AT+SER=51,1

If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: NMEA
If#= 3: AT

P:  Vendor=2dee ProdID=4d64 Rev=05.15
S:  Manufacturer=MEIG
S:  Product=LTE-A Module
S:  SerialNumber=1bd51f0e
C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

Signed-off-by: Jan Volckaert <janvolck@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2450,6 +2450,12 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) },	/* MeiG Smart SRM825WN (Diag) */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) },	/* MeiG Smart SRM825WN (AT) */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) },	/* MeiG Smart SRM825WN (NMEA) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x30) },	/* MeiG SRM813Q (Diag) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x40) },	/* MeiG SRM813Q (AT) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x30) },	/* MeiG SRM813Q (Diag) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x40) },	/* MeiG SRM813Q (AT) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x60) },	/* MeiG SRM813Q (NMEA) */
+
 	{ USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) },			/* LongSung M5710 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) },			/* GosunCn GM500 RNDIS */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) },			/* GosunCn GM500 MBIM */
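Review bot: the 0x2dee:0x4d63 Prot=0x40 entry is commented "(AT)", but in that configuration both If#2 (MODEM) and If#3 (AT) report Prot=40 in the usb-devices output above, so this single entry binds both; "(Modem/AT)" would describe what it matches. The trailing empty `+` line adds a blank line between the MeiG block and the LongSung entry that does not exist between the preceding MeiG 0x4d38 entries and the new ones; drop it unless blank lines between vendors are the file's convention.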




* [PATCH 6.18 234/315] USB: serial: option: add MeiG SRM813Q
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Volckaert, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Volckaert <janvolck@gmail.com>

commit 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 upstream.

Add support for the Qualcomm Technology Snapdragon X35-based MeiG
SRM813Q module.

The module can be put in different modes via AT commands to
enable/disable GPS functionality:

MODEM - PPP mode(2dee:4d63): AT+SER=1,1

If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: MODEM
If#= 3: AT

P:  Vendor=2dee ProdID=4d63 Rev=05.15
S:  Manufacturer=MEIG
S:  Product=LTE-A Module
S:  SerialNumber=1bd51f0e
C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

NMEA mode(2dee:4d64): AT+SER=51,1

If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: NMEA
If#= 3: AT

P:  Vendor=2dee ProdID=4d64 Rev=05.15
S:  Manufacturer=MEIG
S:  Product=LTE-A Module
S:  SerialNumber=1bd51f0e
C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms

Signed-off-by: Jan Volckaert <janvolck@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2450,6 +2450,12 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) },	/* MeiG Smart SRM825WN (Diag) */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) },	/* MeiG Smart SRM825WN (AT) */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) },	/* MeiG Smart SRM825WN (NMEA) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x30) },	/* MeiG SRM813Q (Diag) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x40) },	/* MeiG SRM813Q (AT) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x30) },	/* MeiG SRM813Q (Diag) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x40) },	/* MeiG SRM813Q (AT) */
+	{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x60) },	/* MeiG SRM813Q (NMEA) */
+
 	{ USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) },			/* LongSung M5710 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) },			/* GosunCn GM500 RNDIS */
 	{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) },			/* GosunCn GM500 MBIM */
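Review bot: same table as the 6.12 backport: the 0x2dee:0x4d63 Prot=0x40 entry labelled "(AT)" also matches If#2 (MODEM), which carries Prot=40 in the 4d63 listing, so "(Modem/AT)" is the accurate comment; and the empty `+` line introduces a vendor-separating blank line that the context before the new entries does not use.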




* [PATCH 6.12 224/307] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wanquan Zhong, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wanquan Zhong <wanquan.zhong@fibocom.com>

commit 689f2facc689c8add11d7ff69fbbad17d65ee596 upstream.

The RW135R-GL entry added in commit 01e8d0f74222 ("USB: serial: option:
add support for Rolling Wireless RW135R-GL") was missing the
.driver_info = RSVD(5) flag used by other Rolling Wireless MBIM laptop
modules (e.g. RW135-GL and RW350-GL).

Without this flag, the option driver incorrectly binds to the reserved
ADB interface (If#5) in multi-interface USB modes, causing AT/MBIM
communication failures after mode switching. This matches the handling
of other Rolling Wireless MBIM devices.

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, diag, AT, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  8 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, diag, AT, ADB, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  7 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  9 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Fixes: 01e8d0f74222 ("USB: serial: option: add support for Rolling Wireless RW135R-GL")
Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2476,7 +2476,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) },			/* Rolling RW101R-GL (laptop MBIM) */
 	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff),			/* Rolling RW350-GL (laptop MBIM) */
 	  .driver_info = RSVD(5) },
-	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) },			/* Rolling RW135R-GL (laptop MBIM) */
+	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff),			/* Rolling RW135R-GL (laptop MBIM) */
+	  .driver_info = RSVD(5) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) },	/* NetPrisma LCUK54-WWD for Global */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
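Review bot: the fix is sound because USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) matches on bInterfaceClass alone, so in the six-interface mode the ADB interface (If#5, Cls=ff Sub=42 Prot=01, shown as Driver=(none) in the listing above) would otherwise be claimed by option just like If#2..4; RSVD(5) excludes it by interface number, which also makes it a no-op in the five- and three-interface modes where If#5 does not exist. Two follow-ups: the trailing comment still only says "(laptop MBIM)", so a word that If#5 is ADB would save the next reader a trip to this commit message, and the neighbouring RW101R-GL entry (0x33f8:0x0302) carries no RSVD() mask at all, which may be correct for that module but cannot be judged from this patch.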



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 235/315] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 234/315] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 236/315] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wanquan Zhong, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wanquan Zhong <wanquan.zhong@fibocom.com>

commit 689f2facc689c8add11d7ff69fbbad17d65ee596 upstream.

The RW135R-GL entry added in commit 01e8d0f74222 ("USB: serial: option:
add support for Rolling Wireless RW135R-GL") was missing the
.driver_info = RSVD(5) flag used by other Rolling Wireless MBIM laptop
modules (e.g. RW135-GL and RW350-GL).

Without this flag, the option driver incorrectly binds to the reserved
ADB interface (If#5) in multi-interface USB modes, causing AT/MBIM
communication failures after mode switching. This matches the handling
of other Rolling Wireless MBIM devices.

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, diag, AT, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  8 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, diag, AT, ADB, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  7 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
  interface for Linux/Chrome OS)

  0x1003: mbim, pipe

  Here are the outputs of usb-devices:

T:  Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  9 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=33f8 ProdID=1003 Rev= 5.15
S:  Manufacturer=Rolling Wireless S.a.r.l.
S:  Product=Rolling RW135R-GL Module
S:  SerialNumber=12345678
C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Fixes: 01e8d0f74222 ("USB: serial: option: add support for Rolling Wireless RW135R-GL")
Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2476,7 +2476,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) },			/* Rolling RW101R-GL (laptop MBIM) */
 	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff),			/* Rolling RW350-GL (laptop MBIM) */
 	  .driver_info = RSVD(5) },
-	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) },			/* Rolling RW135R-GL (laptop MBIM) */
+	{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff),			/* Rolling RW135R-GL (laptop MBIM) */
+	  .driver_info = RSVD(5) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) },	/* NetPrisma LCUK54-WWD for Global */
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
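Review bot: worth stating in the entry's comment which interface RSVD(5) reserves and why, since the match macro is class-only (0xff) and the mask is keyed purely on interface number: it excludes the ADB interface (If#5, Cls=ff Sub=42 Prot=01) in the six-interface layout shown above, does nothing in the five- and three-interface layouts, and would silently stop working if a later firmware moved ADB to a different interface number. The context lines also show RW101R-GL (0x0302) without any mask next to two entries that have RSVD(5); that is not necessarily wrong, but a usb-devices listing for it would settle whether it needs the same treatment.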



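The interface-claiming logic that the two RW135R-GL messages above describe, modelled as an added example in userspace C. This is not code from drivers/usb/serial/option.c or from the patch author: struct iface, struct option_rule, option_would_bind() and claimed_ifaces() are names introduced here, RSVD() keeps the 8-bit interface-number shape of the driver's macro (an assumption about its width, not copied from the driver), and the interface table is transcribed from the six-interface usb-devices listing in the commit message.

```c
/*
 * Added example, not code from drivers/usb/serial/option.c: a userspace
 * model of how an option id-table entry plus a RSVD() mask decides which
 * interfaces get claimed.  struct iface, struct option_rule,
 * option_would_bind() and claimed_ifaces() are names introduced here;
 * RSVD() keeps the 8-bit interface-number shape of the driver's macro
 * (an assumption about its width, not copied from the driver).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIT(n)      (1UL << (n))
#define RSVD(ifnum) (BIT(ifnum) & 0xff)

struct iface {
    int num;                  /* bInterfaceNumber */
    uint8_t cls, sub, prot;   /* bInterfaceClass/SubClass/Protocol */
};

/* Same shape as USB_DEVICE_INTERFACE_CLASS(): match vendor, product and
 * bInterfaceClass only; driver_info carries the reserved-interface mask. */
struct option_rule {
    uint16_t vid, pid;
    uint8_t if_class;
    unsigned long driver_info;
};

/* The RW135R-GL entry before and after the patch. */
static const struct option_rule rw135r_before = { 0x33f8, 0x1003, 0xff, 0 };
static const struct option_rule rw135r_after  = { 0x33f8, 0x1003, 0xff, RSVD(5) };

/* 1 if option would bind this interface, 0 if the id table does not match
 * or the probe would refuse it with -ENODEV because of the mask. */
int option_would_bind(const struct option_rule *r, uint16_t vid, uint16_t pid,
                      const struct iface *i)
{
    if (vid != r->vid || pid != r->pid || i->cls != r->if_class)
        return 0;
    if (i->num < 8 && (r->driver_info & RSVD(i->num)))
        return 0;
    return 1;
}

/* Bitmask (bit n = interface n) of the interfaces a rule claims. */
unsigned long claimed_ifaces(const struct option_rule *r,
                             const struct iface *ifs, size_t n)
{
    unsigned long mask = 0;

    for (size_t k = 0; k < n; k++)
        if (option_would_bind(r, 0x33f8, 0x1003, &ifs[k]))
            mask |= BIT(ifs[k].num);
    return mask;
}

/* Transcribed from the six-interface (mbim, diag, AT, ADB, pipe) usb-devices
 * listing in the commit message; only If#5 is labelled, as Cls=ff Sub=42
 * Prot=01 is the ADB signature and the listing shows it as Driver=(none). */
static const struct iface rw135r_six[] = {
    { 0, 0x02, 0x0e, 0x00 },   /* cdc_mbim control */
    { 1, 0x0a, 0x00, 0x02 },   /* cdc_mbim data */
    { 2, 0xff, 0x00, 0x00 },   /* vendor-specific serial function */
    { 3, 0xff, 0xff, 0x30 },   /* vendor-specific serial function */
    { 4, 0xff, 0xff, 0x40 },   /* vendor-specific serial function */
    { 5, 0xff, 0x42, 0x01 },   /* ADB, must not be bound by option */
};
#define RW135R_SIX_N (sizeof rw135r_six / sizeof rw135r_six[0])

int main(void)
{
    printf("without RSVD(5): claims 0x%02lx\n",
           claimed_ifaces(&rw135r_before, rw135r_six, RW135R_SIX_N)); /* 0x3c */
    printf("with RSVD(5):    claims 0x%02lx\n",
           claimed_ifaces(&rw135r_after, rw135r_six, RW135R_SIX_N));  /* 0x1c */
    return 0;
}
```

The same table can be fed the five- and three-interface layouts from the commit message to confirm that the mask changes nothing there, since no If#5 exists in those modes.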

* [PATCH 6.12 225/307] USB: serial: belkin_sa: validate interrupt status length
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 224/307] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 226/307] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

commit 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 upstream.

The Belkin interrupt callback treats interrupt data as a four-byte
status report and reads LSR/MSR fields at offsets 2 and 3. The
interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
short interrupt transfers may complete successfully with a smaller
actual_length.

Check the completed interrupt packet length before parsing status
fields so short interrupt endpoints and short successful packets are
ignored instead of causing out-of-bounds or stale status-byte reads.

KASAN report as below:

BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback()
Read of size 1
Call trace:
  belkin_sa_read_int_callback() (drivers/usb/serial/belkin_sa.c:202)
  __usb_hcd_giveback_urb() (drivers/usb/core/hcd.c:1630)
  dummy_timer() (?:?)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/belkin_sa.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -194,6 +194,9 @@ static void belkin_sa_read_int_callback(
 
 	usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
 
+	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
+		goto exit;
+
 	/* Handle known interrupt data */
 	/* ignore data[0] and data[1] */
 
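Review bot: `urb->actual_length < BELKIN_SA_MSR_INDEX + 1` is the right bound only because MSR is the highest offset read in this callback (offsets 2 and 3 per the commit message); a status-length constant defined next to the index definitions would make that dependency explicit and survive a reordering of the indices. The short packet is dropped silently, whereas the mct_u232 and keyspan fixes in the same series log a ratelimited warning; a dev_dbg before `goto exit` would help when diagnosing a flaky or hostile device, although the packet is at least visible through usb_serial_debug_data() above the check.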




* [PATCH 6.18 236/315] USB: serial: belkin_sa: validate interrupt status length
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 235/315] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 237/315] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

commit 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 upstream.

The Belkin interrupt callback treats interrupt data as a four-byte
status report and reads LSR/MSR fields at offsets 2 and 3. The
interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
short interrupt transfers may complete successfully with a smaller
actual_length.

Check the completed interrupt packet length before parsing status
fields so short interrupt endpoints and short successful packets are
ignored instead of causing out-of-bounds or stale status-byte reads.

KASAN report as below:

BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback()
Read of size 1
Call trace:
  belkin_sa_read_int_callback() (drivers/usb/serial/belkin_sa.c:202)
  __usb_hcd_giveback_urb() (drivers/usb/core/hcd.c:1630)
  dummy_timer() (?:?)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/belkin_sa.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -194,6 +194,9 @@ static void belkin_sa_read_int_callback(
 
 	usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
 
+	if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
+		goto exit;
+
 	/* Handle known interrupt data */
 	/* ignore data[0] and data[1] */
 
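Review bot: the check drops short packets without any diagnostic; compared with the dev_warn_ratelimited() used by the mct_u232 and keyspan fixes in this series, a ratelimited dev_dbg before `goto exit` is cheap and tells whoever is debugging why the modem-status bits stopped updating. The bound itself is correct, given that the commit message places LSR at offset 2 and MSR at offset 3, but it depends on MSR staying the larger index; a named status-length constant would remove that implicit coupling.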




* [PATCH 6.12 226/307] USB: serial: cypress_m8: validate interrupt packet headers
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 225/307] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 227/307] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

commit 9f9bfc80c67f35a275820da7e83a35dface08281 upstream.

cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header. The
usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.

Check that the completed packet contains the selected header before
reading it. Malformed short reports are ignored and the interrupt URB is
resubmitted through the existing retry path, preventing out-of-bounds
header-byte reads.

KASAN report as below:
KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
Read of size 1
Call trace:
  cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
  __usb_hcd_giveback_urb()
  dummy_timer()

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
[ johan: use constants in header length sanity checks ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cypress_m8.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -1017,8 +1017,8 @@ static void cypress_read_int_callback(st
 	char tty_flag = TTY_NORMAL;
 	int bytes = 0;
 	int result;
-	int i = 0;
 	int status = urb->status;
+	int i;
 
 	switch (status) {
 	case 0: /* success */
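Review bot: dropping the `= 0` initialiser here is only safe together with the second hunk, which assigns `i = 0` immediately before the switch; on its own this hunk leaves `i` without a definite value until that assignment, so the two hunks must travel together in any further backport. A one-line comment at the declaration that `i` now doubles as the header length and as the 'no valid header' sentinel would also help, since that role is new.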
@@ -1056,22 +1056,32 @@ static void cypress_read_int_callback(st
 
 	spin_lock_irqsave(&priv->lock, flags);
 	result = urb->actual_length;
+	i = 0;
 	switch (priv->pkt_fmt) {
 	default:
 	case packet_format_1:
 		/* This is for the CY7C64013... */
+		if (result < 2)
+			break;
 		priv->current_status = data[0] & 0xF8;
 		bytes = data[1] + 2;
 		i = 2;
 		break;
 	case packet_format_2:
 		/* This is for the CY7C63743... */
+		if (result < 1)
+			break;
 		priv->current_status = data[0] & 0xF8;
 		bytes = (data[0] & 0x07) + 1;
 		i = 1;
 		break;
 	}
 	spin_unlock_irqrestore(&priv->lock, flags);
+	if (i == 0) {
+		dev_dbg(dev, "%s - short packet received: %d bytes\n",
+			__func__, result);
+		goto continue_read;
+	}
 	if (result < bytes) {
 		dev_dbg(dev,
 			"%s - wrong packet size - received %d bytes but packet said %d bytes\n",

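Review bot: the maintainer note "[ johan: use constants in header length sanity checks ]" does not describe this hunk, which still compares against the literals `2` and `1`; either the stable backport diverged from upstream 9f9bfc80c67f or the annotation is stale, and that should be reconciled before merge (named header-length constants would also pin the `i = 2` / `i = 1` offsets to the same values). The logic is otherwise correct: a short packet leaves `i == 0`, `priv->current_status` untouched and `bytes` at its initial 0, and the dev_dbg runs after spin_unlock_irqrestore(). Minor: the commit message carries the Fixes: trailer twice.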



* [PATCH 6.18 237/315] USB: serial: cypress_m8: validate interrupt packet headers
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 236/315] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 238/315] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Cen <rollkingzzc@gmail.com>

commit 9f9bfc80c67f35a275820da7e83a35dface08281 upstream.

cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header. The
usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.

Check that the completed packet contains the selected header before
reading it. Malformed short reports are ignored and the interrupt URB is
resubmitted through the existing retry path, preventing out-of-bounds
header-byte reads.

KASAN report as below:
KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
Read of size 1
Call trace:
  cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
  __usb_hcd_giveback_urb()
  dummy_timer()

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
[ johan: use constants in header length sanity checks ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cypress_m8.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -1017,8 +1017,8 @@ static void cypress_read_int_callback(st
 	char tty_flag = TTY_NORMAL;
 	int bytes = 0;
 	int result;
-	int i = 0;
 	int status = urb->status;
+	int i;
 
 	switch (status) {
 	case 0: /* success */
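Review bot: this reorder only makes sense with the `i = 0` assignment in the next hunk; keep them together in any further backport, and consider a short comment at the declaration explaining that `i` is now also the 'header parsed' sentinel tested after the switch.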
@@ -1056,22 +1056,32 @@ static void cypress_read_int_callback(st
 
 	spin_lock_irqsave(&priv->lock, flags);
 	result = urb->actual_length;
+	i = 0;
 	switch (priv->pkt_fmt) {
 	default:
 	case packet_format_1:
 		/* This is for the CY7C64013... */
+		if (result < 2)
+			break;
 		priv->current_status = data[0] & 0xF8;
 		bytes = data[1] + 2;
 		i = 2;
 		break;
 	case packet_format_2:
 		/* This is for the CY7C63743... */
+		if (result < 1)
+			break;
 		priv->current_status = data[0] & 0xF8;
 		bytes = (data[0] & 0x07) + 1;
 		i = 1;
 		break;
 	}
 	spin_unlock_irqrestore(&priv->lock, flags);
+	if (i == 0) {
+		dev_dbg(dev, "%s - short packet received: %d bytes\n",
+			__func__, result);
+		goto continue_read;
+	}
 	if (result < bytes) {
 		dev_dbg(dev,
 			"%s - wrong packet size - received %d bytes but packet said %d bytes\n",

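Review bot: the literals in `if (result < 2)` and `if (result < 1)` contradict the "[ johan: use constants in header length sanity checks ]" annotation above, so please check this backport against the upstream commit; if upstream defines header-length constants, using them here would also tie the `i = 2` and `i = 1` offsets to the same definitions. Placing the short-packet dev_dbg after the unlock is right, and `goto continue_read` on `i == 0` keeps the interrupt URB alive rather than stalling the port on one bad report.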


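The two Cypress packet formats and the header checks described in the cypress_m8 messages above (both the 6.12 and the 6.18 copy), as an added userspace model. This is example code, not the driver's code: cypress_parse_int(), struct cypress_report and the return codes are names introduced here, the header layouts follow the driver's two formats as shown in the hunk, and the sample packets in main() are constructed.

```c
/*
 * Added example, not kernel code: a userspace model of the Cypress
 * interrupt-in header parsing, including the short-packet checks the
 * fix adds.  cypress_parse_int() and struct cypress_report are names
 * introduced here; the header layouts follow the driver's two formats.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum cypress_pkt_fmt { PKT_FMT_1, PKT_FMT_2 };

/* Format 1 (CY7C64013): data[0] = status, data[1] = payload byte count.
 * Format 2 (CY7C63743): data[0] = status in bits 7..3, count in bits 2..0. */
#define FMT1_HDR_LEN 2
#define FMT2_HDR_LEN 1

struct cypress_report {
    uint8_t status;      /* line status bits, data[0] & 0xF8 */
    size_t payload_off;  /* offset of the first payload byte */
    size_t payload_len;  /* payload bytes actually present */
};

/*
 * Returns 0 and fills *out for a well-formed packet, -1 when actual_length
 * is shorter than the selected header (the driver just resubmits the URB in
 * that case) and -2 when the header's byte count exceeds what arrived
 * (the driver's pre-existing "wrong packet size" check).
 */
int cypress_parse_int(enum cypress_pkt_fmt fmt, const uint8_t *data,
                      size_t actual_length, struct cypress_report *out)
{
    size_t hdr, bytes;

    switch (fmt) {
    case PKT_FMT_2:
        hdr = FMT2_HDR_LEN;
        if (actual_length < hdr)
            return -1;                          /* never touch data[0] */
        out->status = data[0] & 0xF8;
        bytes = (size_t)(data[0] & 0x07) + 1;   /* count includes header */
        break;
    case PKT_FMT_1:
    default:
        hdr = FMT1_HDR_LEN;
        if (actual_length < hdr)
            return -1;                          /* never touch data[0..1] */
        out->status = data[0] & 0xF8;
        bytes = (size_t)data[1] + 2;            /* count includes header */
        break;
    }

    if (actual_length < bytes)
        return -2;

    out->payload_off = hdr;
    out->payload_len = bytes - hdr;
    return 0;
}

int main(void)
{
    /* Constructed packets: a good format-1 report, a truncated one, and
     * one whose count byte claims more than was transferred. */
    static const uint8_t good[]  = { 0x28, 0x03, 'a', 'b', 'c' };
    static const uint8_t trunc[] = { 0x28 };
    static const uint8_t lie[]   = { 0x00, 0x10, 'a' };
    struct cypress_report r;

    printf("good:  %d\n", cypress_parse_int(PKT_FMT_1, good, sizeof good, &r));
    printf("trunc: %d\n", cypress_parse_int(PKT_FMT_1, trunc, sizeof trunc, &r));
    printf("lie:   %d\n", cypress_parse_int(PKT_FMT_1, lie, sizeof lie, &r));
    return 0;
}
```

The order of the two checks matters: the header-length check must come before any read of data[0] or data[1], since the buffer is sized from wMaxPacketSize and a short transfer leaves the bytes beyond actual_length stale; the count check can only run once the header has been read safely.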

* [PATCH 6.12 227/307] USB: serial: keyspan: fix missing indat transfer sanity check
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 226/307] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 228/307] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ab8336a7e414f018430aa1af3a46944032f7ff96 upstream.

Add the missing sanity check on the size of usa49wg indat transfers to
avoid parsing stale or uninitialised slab data.

Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
Cc: stable@vger.kernel.org	# 2.6.23
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/keyspan.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -1187,6 +1187,10 @@ static void usa49wg_indat_callback(struc
 	len = 0;
 
 	while (i < urb->actual_length) {
+		if (urb->actual_length - i < 3) {
+			dev_warn_ratelimited(&urb->dev->dev, "malformed indat packet\n");
+			break;
+		}
 
 		/* Check port number from message */
 		if (data[i] >= serial->num_ports) {
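Review bot: `urb->actual_length - i < 3` mixes the int loop index with the unsigned actual_length, which cannot wrap here only because the loop condition `i < urb->actual_length` was just evaluated; if anyone later advances `i` inside the body before re-checking, the subtraction silently becomes a huge unsigned value and the guard passes. A named constant in place of `3`, with a comment naming the three header bytes (the port number in data[i] and whatever follows), would let a reader verify the bound, and it is worth confirming that the per-message body read after this header is itself bounded by actual_length, which this hunk does not show. dev_warn_ratelimited() is the right level for a device-triggerable condition.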




* [PATCH 6.12 228/307] USB: serial: mxuport: fix memory corruption with small endpoint
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 227/307] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 229/307] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd upstream.

Make sure that the bulk-out endpoint max packet size is at least eight
bytes to avoid user-controlled slab corruption should a malicious device
report a smaller size.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
Cc: stable@vger.kernel.org	# 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/mxuport.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct
 	 */
 	BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
 
+	/*
+	 * The bulk-out buffers must be large enough for the four-byte header
+	 * (and following data), but assume anything smaller than eight bytes
+	 * is broken.
+	 */
+	if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
+		return -EINVAL;
+
 	for (i = 1; i < num_ports; ++i)
 		epds->bulk_out[i] = epds->bulk_out[0];
 
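Review bot: the comment should say that checking only `epds->bulk_out[0]` covers every port, which is true because the loop right below aliases `bulk_out[1..num_ports-1]` to that same descriptor, but is not obvious on its own. The threshold of eight bytes is also a judgement call that does not correspond to the four-byte header the comment mentions; a named constant (header length plus a minimum payload) would record the reasoning and keep the two numbers from drifting. Rejecting the device with -EINVAL from calc_num_ports() rather than clamping is the right call given the user-controlled slab corruption the commit message describes.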




* [PATCH 6.18 238/315] USB: serial: keyspan: fix missing indat transfer sanity check
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 237/315] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 239/315] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit ab8336a7e414f018430aa1af3a46944032f7ff96 upstream.

Add the missing sanity check on the size of usa49wg indat transfers to
avoid parsing stale or uninitialised slab data.

Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
Cc: stable@vger.kernel.org	# 2.6.23
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/keyspan.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -1187,6 +1187,10 @@ static void usa49wg_indat_callback(struc
 	len = 0;
 
 	while (i < urb->actual_length) {
+		if (urb->actual_length - i < 3) {
+			dev_warn_ratelimited(&urb->dev->dev, "malformed indat packet\n");
+			break;
+		}
 
 		/* Check port number from message */
 		if (data[i] >= serial->num_ports) {
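Review bot: the minimum of three bytes is asserted without saying what they are (data[i] is the port number per the following check; the other two are not named here), so a constant plus a comment describing the indat message layout would make the check reviewable; the same comment should state whether the body that follows the header is length-checked against actual_length, since only the header is covered by this hunk. The unsigned subtraction is safe because of the loop condition directly above it, but that is an invariant worth keeping in mind if the loop is ever restructured.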




* [PATCH 6.12 229/307] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 228/307] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 230/307] usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 245aba83e3c288e176ed037a1f6b618b09e92ed8 upstream.

Add the missing sanity check on the size of interrupt-in transfers to
avoid parsing stale or uninitialised slab data (and leaking it to user
space).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/mct_u232.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -543,6 +543,11 @@ static void mct_u232_read_int_callback(s
 		goto exit;
 	}
 
+	if (urb->actual_length < 2) {
+		dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
+		goto exit;
+	}
+
 	/*
 	 * The interrupt-in pipe signals exceptional conditions (modem line
 	 * signal changes and errors). data[0] holds MSR, data[1] holds LSR.
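Review bot: `urb->actual_length < 2` agrees with the comment below it (data[0] MSR, data[1] LSR), so the bound is right, but a named constant next to those index definitions would keep them from drifting apart. Using dev_warn_ratelimited() is correct since a misbehaving device could otherwise flood the log on every resubmission. Note that `goto exit` discards a one-byte packet entirely rather than applying a lone MSR update; that is the conservative choice and matches the commit message's concern about exposing stale slab bytes through the modem-line status, but deserves a word in the commit message.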




* [PATCH 6.18 239/315] USB: serial: mxuport: fix memory corruption with small endpoint
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 238/315] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 240/315] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd upstream.

Make sure that the bulk-out endpoint max packet size is at least eight
bytes to avoid user-controlled slab corruption should a malicious device
report a smaller size.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
Cc: stable@vger.kernel.org	# 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/mxuport.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct
 	 */
 	BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
 
+	/*
+	 * The bulk-out buffers must be large enough for the four-byte header
+	 * (and following data), but assume anything smaller than eight bytes
+	 * is broken.
+	 */
+	if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
+		return -EINVAL;
+
 	for (i = 1; i < num_ports; ++i)
 		epds->bulk_out[i] = epds->bulk_out[0];
 
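Review bot: the rejection at `return -EINVAL;` is silent, so a device turned away here leaves nothing in the log; a dev_err() through the serial device pointer this function receives, naming the reported max packet size, would make such devices diagnosable in the field. The single check on `epds->bulk_out[0]` does cover every port, since the loop below aliases each `epds->bulk_out[i]` to it. For the oldest backport target named in the Cc line (3.14), confirm that usb_endpoint_maxp() there already masks off the high-bandwidth multiplier bits; if it still returns the raw wMaxPacketSize, a descriptor with only bits 11-12 set passes this `< 8` test.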




* [PATCH 6.18 240/315] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 245aba83e3c288e176ed037a1f6b618b09e92ed8 upstream.

Add the missing sanity check on the size of interrupt-in transfers to
avoid parsing stale or uninitialised slab data (and leaking it to user
space).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/mct_u232.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -543,6 +543,11 @@ static void mct_u232_read_int_callback(s
 		goto exit;
 	}
 
+	if (urb->actual_length < 2) {
+		dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
+		goto exit;
+	}
+
 	/*
 	 * The interrupt-in pipe signals exceptional conditions (modem line
 	 * signal changes and errors). data[0] holds MSR, data[1] holds LSR.
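Review bot: the message at `dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");` omits `urb->actual_length`, the one value that tells a one-byte transfer apart from an empty one; printing it costs nothing and is what a triage engineer will want. Also confirm that the `exit` label this jumps to resubmits the interrupt URB, otherwise a single short packet from a misbehaving device silently stops MSR/LSR reporting for the port.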




* [PATCH 6.12 230/307] usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kai Aizen

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Aizen <kai.aizen.dev@gmail.com>

commit 68aa70648b625fa684bc0b71bbfd905f4943ca20 upstream.

uvc_function_bind() walks &opts->extension_units twice without holding
opts->lock:

  - directly, for the iExtension string-descriptor fixup loop;
  - indirectly, four times via uvc_copy_descriptors() (once per speed),
    where the helper iterates uvc->desc.extension_units (which aliases
    &opts->extension_units) to size and emit XU descriptors.

The configfs side (uvcg_extension_make / uvcg_extension_drop, in
drivers/usb/gadget/function/uvc_configfs.c) takes opts->lock around its
list_add_tail / list_del operations.  A privileged userspace process
that holds the configfs subtree open and writes the gadget UDC name
to bind the function while concurrently rmdir()'ing an extensions
subdir can race uvcg_extension_drop() against the bind-time list walks
and dereference a freed struct uvcg_extension.

Hold opts->lock from the start of the XU string-descriptor fixup
through the last uvc_copy_descriptors() call, releasing on the
descriptor-error path via a new error_unlock label that drops the
lock before falling through to the existing error label.  This
matches the locking discipline of the configfs callbacks and removes
the only remaining unsynchronised reader of the XU list during bind.

Reachability: only privileged processes that can mount configfs and
write to gadget UDC files can trigger the race, so this is a
correctness fix rather than a security boundary.

Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs")
Cc: stable <stable@kernel.org>
Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
Link: https://patch.msgid.link/20260430175643.67120-1-kai.aizen.dev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_uvc.c |   28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -765,6 +765,16 @@ uvc_function_bind(struct usb_configurati
 	uvc_ss_streaming_ep.bEndpointAddress = uvc->video.ep->address;
 
 	/*
+	 * Hold opts->lock across both the XU string-descriptor fixup below and
+	 * the descriptor-copy block further down.  Without this, configfs
+	 * uvcg_extension_drop() (which takes opts->lock) can race with the
+	 * list_for_each_entry() walks here and inside uvc_copy_descriptors(),
+	 * leading to a UAF on a freed struct uvcg_extension.  See
+	 * drivers/usb/gadget/function/uvc_configfs.c::uvcg_extension_drop().
+	 */
+	mutex_lock(&opts->lock);
+
+	/*
 	 * XUs can have an arbitrary string descriptor describing them. If they
 	 * have one pick up the ID.
 	 */
@@ -781,7 +791,7 @@ uvc_function_bind(struct usb_configurati
 				 ARRAY_SIZE(uvc_en_us_strings));
 	if (IS_ERR(us)) {
 		ret = PTR_ERR(us);
-		goto error;
+		goto error_unlock;
 	}
 
 	uvc_iad.iFunction = opts->iad_index ? cdev->usb_strings[opts->iad_index].id :
@@ -795,14 +805,14 @@ uvc_function_bind(struct usb_configurati
 
 	/* Allocate interface IDs. */
 	if ((ret = usb_interface_id(c, f)) < 0)
-		goto error;
+		goto error_unlock;
 	uvc_iad.bFirstInterface = ret;
 	uvc_control_intf.bInterfaceNumber = ret;
 	uvc->control_intf = ret;
 	opts->control_interface = ret;
 
 	if ((ret = usb_interface_id(c, f)) < 0)
-		goto error;
+		goto error_unlock;
 	uvc_streaming_intf_alt0.bInterfaceNumber = ret;
 	uvc_streaming_intf_alt1.bInterfaceNumber = ret;
 	uvc->streaming_intf = ret;
@@ -813,30 +823,32 @@ uvc_function_bind(struct usb_configurati
 	if (IS_ERR(f->fs_descriptors)) {
 		ret = PTR_ERR(f->fs_descriptors);
 		f->fs_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
 	f->hs_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_HIGH);
 	if (IS_ERR(f->hs_descriptors)) {
 		ret = PTR_ERR(f->hs_descriptors);
 		f->hs_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
 	f->ss_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER);
 	if (IS_ERR(f->ss_descriptors)) {
 		ret = PTR_ERR(f->ss_descriptors);
 		f->ss_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
 	f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS);
 	if (IS_ERR(f->ssp_descriptors)) {
 		ret = PTR_ERR(f->ssp_descriptors);
 		f->ssp_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
+	mutex_unlock(&opts->lock);
+
 	/* Preallocate control endpoint request. */
 	uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
 	uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL);
@@ -868,6 +880,8 @@ uvc_function_bind(struct usb_configurati
 
 	return 0;
 
+error_unlock:
+	mutex_unlock(&opts->lock);
 v4l2_error:
 	v4l2_device_unregister(&uvc->v4l2_dev);
 error:
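Review bot: `error_unlock:` is placed above `v4l2_error:`, so every `goto error_unlock` now runs `v4l2_device_unregister(&uvc->v4l2_dev)` on a device that has not been registered at any of those points (the original code jumped straight to `error` from all of them). Whether that is harmless depends on v4l2_device_unregister() tolerating a never-registered device, which nothing in this hunk guarantees, and it contradicts the commit message, which says the label falls through to the existing `error` label. Either move the label between the unregister call and `error:`, or follow `mutex_unlock(&opts->lock);` with an explicit `goto error;`.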




* [PATCH 6.18 241/315] usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kai Aizen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kai Aizen <kai.aizen.dev@gmail.com>

commit 68aa70648b625fa684bc0b71bbfd905f4943ca20 upstream.

uvc_function_bind() walks &opts->extension_units twice without holding
opts->lock:

  - directly, for the iExtension string-descriptor fixup loop;
  - indirectly, four times via uvc_copy_descriptors() (once per speed),
    where the helper iterates uvc->desc.extension_units (which aliases
    &opts->extension_units) to size and emit XU descriptors.

The configfs side (uvcg_extension_make / uvcg_extension_drop, in
drivers/usb/gadget/function/uvc_configfs.c) takes opts->lock around its
list_add_tail / list_del operations.  A privileged userspace process
that holds the configfs subtree open and writes the gadget UDC name
to bind the function while concurrently rmdir()'ing an extensions
subdir can race uvcg_extension_drop() against the bind-time list walks
and dereference a freed struct uvcg_extension.

Hold opts->lock from the start of the XU string-descriptor fixup
through the last uvc_copy_descriptors() call, releasing on the
descriptor-error path via a new error_unlock label that drops the
lock before falling through to the existing error label.  This
matches the locking discipline of the configfs callbacks and removes
the only remaining unsynchronised reader of the XU list during bind.

Reachability: only privileged processes that can mount configfs and
write to gadget UDC files can trigger the race, so this is a
correctness fix rather than a security boundary.

Fixes: 0525210c9840 ("usb: gadget: uvc: Allow definition of XUs in configfs")
Cc: stable <stable@kernel.org>
Signed-off-by: Kai Aizen <kai.aizen.dev@gmail.com>
Link: https://patch.msgid.link/20260430175643.67120-1-kai.aizen.dev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_uvc.c |   28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -769,6 +769,16 @@ uvc_function_bind(struct usb_configurati
 	uvc_ss_streaming_ep.bEndpointAddress = uvc->video.ep->address;
 
 	/*
+	 * Hold opts->lock across both the XU string-descriptor fixup below and
+	 * the descriptor-copy block further down.  Without this, configfs
+	 * uvcg_extension_drop() (which takes opts->lock) can race with the
+	 * list_for_each_entry() walks here and inside uvc_copy_descriptors(),
+	 * leading to a UAF on a freed struct uvcg_extension.  See
+	 * drivers/usb/gadget/function/uvc_configfs.c::uvcg_extension_drop().
+	 */
+	mutex_lock(&opts->lock);
+
+	/*
 	 * XUs can have an arbitrary string descriptor describing them. If they
 	 * have one pick up the ID.
 	 */
@@ -785,7 +795,7 @@ uvc_function_bind(struct usb_configurati
 				 ARRAY_SIZE(uvc_en_us_strings));
 	if (IS_ERR(us)) {
 		ret = PTR_ERR(us);
-		goto error;
+		goto error_unlock;
 	}
 
 	uvc_iad.iFunction = opts->iad_index ? cdev->usb_strings[opts->iad_index].id :
@@ -799,14 +809,14 @@ uvc_function_bind(struct usb_configurati
 
 	/* Allocate interface IDs. */
 	if ((ret = usb_interface_id(c, f)) < 0)
-		goto error;
+		goto error_unlock;
 	uvc_iad.bFirstInterface = ret;
 	uvc_control_intf.bInterfaceNumber = ret;
 	uvc->control_intf = ret;
 	opts->control_interface = ret;
 
 	if ((ret = usb_interface_id(c, f)) < 0)
-		goto error;
+		goto error_unlock;
 	uvc_streaming_intf_alt0.bInterfaceNumber = ret;
 	uvc_streaming_intf_alt1.bInterfaceNumber = ret;
 	uvc->streaming_intf = ret;
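Review bot: the `goto error_unlock` conversions in this hunk and the previous one show that opts->lock is now also held across usb_string_ids_tab() and the two usb_interface_id() calls, which widens the critical section beyond the XU list walks the commit message names. Say so in the commit message, and confirm neither composite helper can end up waiting on opts->lock through a configfs callback, since that would turn this fix into a deadlock.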
@@ -817,30 +827,32 @@ uvc_function_bind(struct usb_configurati
 	if (IS_ERR(f->fs_descriptors)) {
 		ret = PTR_ERR(f->fs_descriptors);
 		f->fs_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
 	f->hs_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_HIGH);
 	if (IS_ERR(f->hs_descriptors)) {
 		ret = PTR_ERR(f->hs_descriptors);
 		f->hs_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
 	f->ss_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER);
 	if (IS_ERR(f->ss_descriptors)) {
 		ret = PTR_ERR(f->ss_descriptors);
 		f->ss_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
 	f->ssp_descriptors = uvc_copy_descriptors(uvc, USB_SPEED_SUPER_PLUS);
 	if (IS_ERR(f->ssp_descriptors)) {
 		ret = PTR_ERR(f->ssp_descriptors);
 		f->ssp_descriptors = NULL;
-		goto error;
+		goto error_unlock;
 	}
 
+	mutex_unlock(&opts->lock);
+
 	/* Preallocate control endpoint request. */
 	uvc->control_req = usb_ep_alloc_request(cdev->gadget->ep0, GFP_KERNEL);
 	uvc->control_buf = kmalloc(UVC_MAX_REQUEST_SIZE, GFP_KERNEL);
@@ -872,6 +884,8 @@ uvc_function_bind(struct usb_configurati
 
 	return 0;
 
+error_unlock:
+	mutex_unlock(&opts->lock);
 v4l2_error:
 	v4l2_device_unregister(&uvc->v4l2_dev);
 error:
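Review bot: the new label sits before `v4l2_error:`, so `mutex_unlock(&opts->lock);` falls into `v4l2_device_unregister(&uvc->v4l2_dev)` for error paths that never registered the V4L2 device (their original target was `error`, not `v4l2_error`). The commit message describes the label as falling through to `error`; make the code match, either by placing `error_unlock:` after the unregister call or by adding `goto error;` after the unlock, rather than relying on unregister being a no-op for an unregistered device.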




* [PATCH 6.12 231/307] usb: gadget: net2280: Fix double free in probe error path
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Guangshuo Li, Alan Stern

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit c8547c74988e0b5f4cbb1b895e2a57aae084f070 upstream.

usb_initialize_gadget() installs gadget_release() as the release
callback for the embedded gadget device.  The struct net2280 instance is
therefore released through gadget_release() when the gadget device's last
reference is dropped.

The probe error path calls net2280_remove(), which tears down the
partially initialized device and drops the gadget reference with
usb_put_gadget().  Calling kfree(dev) afterwards can free the same object
again.

Drop the explicit kfree() and let the gadget device release callback
handle the final free.  This issue was found by a static analysis tool
I am developing.

Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
Cc: stable <stable@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260427153651.337846-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/net2280.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -3790,10 +3790,8 @@ static int net2280_probe(struct pci_dev
 	return 0;
 
 done:
-	if (dev) {
+	if (dev)
 		net2280_remove(pdev);
-		kfree(dev);
-	}
 	return retval;
 }
 




* [PATCH 6.18 242/315] usb: gadget: net2280: Fix double free in probe error path
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Guangshuo Li, Alan Stern

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit c8547c74988e0b5f4cbb1b895e2a57aae084f070 upstream.

usb_initialize_gadget() installs gadget_release() as the release
callback for the embedded gadget device.  The struct net2280 instance is
therefore released through gadget_release() when the gadget device's last
reference is dropped.

The probe error path calls net2280_remove(), which tears down the
partially initialized device and drops the gadget reference with
usb_put_gadget().  Calling kfree(dev) afterwards can free the same object
again.

Drop the explicit kfree() and let the gadget device release callback
handle the final free.  This issue was found by a static analysis tool
I am developing.

Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
Cc: stable <stable@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260427153651.337846-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/net2280.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -3790,10 +3790,8 @@ static int net2280_probe(struct pci_dev
 	return 0;
 
 done:
-	if (dev) {
+	if (dev)
 		net2280_remove(pdev);
-		kfree(dev);
-	}
 	return retval;
 }
 
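Review bot: with `kfree(dev)` gone, `net2280_remove(pdev)` is the only release left on this path, and per the commit message it frees `dev` only indirectly, through usb_put_gadget() invoking gadget_release(). That holds only once usb_initialize_gadget() has installed the release callback; confirm there is no `goto done` between the allocation of `dev` and that call, because any such path now leaks `dev` instead of double-freeing it. A one-line comment at `done:` saying that `dev` is released by gadget_release() would stop the next reader from reinstating the kfree().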




* [PATCH 6.12 232/307] usb: gadget: f_hid: fix device reference leak in hidg_alloc()
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Johan Hovold, Guangshuo Li

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 4f88d65def6f3c90121601b4f62a4c967f3063a6 upstream.

hidg_alloc() initializes hidg->dev with device_initialize() before
calling dev_set_name(). If dev_set_name() fails, the function currently
jumps to err_unlock and returns without calling put_device().

This leaves the device reference unbalanced and prevents hidg_release()
from being called. Calling put_device() here is also safe, since
hidg_release() only frees resources owned by hidg.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Route the dev_set_name() failure path through err_put_device so the
device reference is dropped properly.

Fixes: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev")
Cc: stable <stable@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260413142119.2977716-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_hid.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1562,7 +1562,7 @@ static struct usb_function *hidg_alloc(s
 	hidg->dev.devt = MKDEV(major, opts->minor);
 	ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
 	if (ret)
-		goto err_unlock;
+		goto err_put_device;
 
 	hidg->bInterfaceSubClass = opts->subclass;
 	hidg->bInterfaceProtocol = opts->protocol;
@@ -1597,7 +1597,6 @@ static struct usb_function *hidg_alloc(s
 
 err_put_device:
 	put_device(&hidg->dev);
-err_unlock:
 	mutex_unlock(&opts->lock);
 	return ERR_PTR(ret);
 }




* [PATCH 6.18 243/315] usb: gadget: f_hid: fix device reference leak in hidg_alloc()
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Johan Hovold, Guangshuo Li

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guangshuo Li <lgs201920130244@gmail.com>

commit 4f88d65def6f3c90121601b4f62a4c967f3063a6 upstream.

hidg_alloc() initializes hidg->dev with device_initialize() before
calling dev_set_name(). If dev_set_name() fails, the function currently
jumps to err_unlock and returns without calling put_device().

This leaves the device reference unbalanced and prevents hidg_release()
from being called. Calling put_device() here is also safe, since
hidg_release() only frees resources owned by hidg.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Route the dev_set_name() failure path through err_put_device so the
device reference is dropped properly.

Fixes: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev")
Cc: stable <stable@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260413142119.2977716-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_hid.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1621,7 +1621,7 @@ static struct usb_function *hidg_alloc(s
 	hidg->dev.devt = MKDEV(major, opts->minor);
 	ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
 	if (ret)
-		goto err_unlock;
+		goto err_put_device;
 
 	hidg->bInterfaceSubClass = opts->subclass;
 	hidg->bInterfaceProtocol = opts->protocol;
@@ -1658,7 +1658,6 @@ static struct usb_function *hidg_alloc(s
 
 err_put_device:
 	put_device(&hidg->dev);
-err_unlock:
 	mutex_unlock(&opts->lock);
 	return ERR_PTR(ret);
 }
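Review bot: routing the dev_set_name() failure through `put_device(&hidg->dev)` means hidg_release() now runs on an object whose later fields (`bInterfaceSubClass`, `bInterfaceProtocol` and whatever the first hunk's context goes on to set) are still at their initial values. The commit message asserts that the release callback only frees resources owned by hidg; that needs checking against every kfree()/put in hidg_release(), since a pointer that is only valid after this point would turn the leak fix into an early-error crash. Dropping `err_unlock:` in the second hunk is fine only if this was its sole user; the build will say.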




* [PATCH 6.12 233/307] usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jeremy Erazo

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Erazo <mendozayt13@gmail.com>

commit 6c5dbc104dadd79fc2923497c20bae759a18758c upstream.

The WebUSB GET_URL handler in composite_setup() narrows
landing_page_length to fit the host-supplied wLength using

	landing_page_length = w_length
		- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;

If wLength is smaller than WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH the
unsigned subtraction wraps, and the subsequent

	memcpy(url_descriptor->URL,
	       cdev->landing_page + landing_page_offset,
	       landing_page_length - landing_page_offset);

ends up copying close to UINT_MAX bytes from cdev->landing_page into
cdev->req->buf.  KASAN reports a slab-out-of-bounds in composite_setup
on the kmalloc-2k gadget_info allocation, and FORTIFY_SOURCE traps the
memcpy as a 4294967293-byte field-spanning write into
url_descriptor->URL (size 252).

A USB host can reach this from a single SETUP packet against any
gadget that has webusb/use=1 and a landingPage configured.

Handle the small-wLength case before the math: when the host requested
fewer bytes than the URL descriptor header, only the header is
meaningful and no URL bytes need to be copied.  Setting
landing_page_length to landing_page_offset makes the existing memcpy a
no-op and leaves the descriptor returned to the host unchanged for all
larger wLength values.

Fixes: 93c473948c58 ("usb: gadget: add WebUSB landing page support")
Cc: stable <stable@kernel.org>
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
Link: https://patch.msgid.link/20260512160530.352318-1-mendozayt13@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/composite.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2196,7 +2196,10 @@ unknown:
 				sizeof(url_descriptor->URL)
 				- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset);
 
-			if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
+			if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH)
+				landing_page_length = landing_page_offset;
+			else if (w_length <
+				 WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
 				landing_page_length = w_length
 				- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;
 
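Review bot: the else branch keeps the expression that wrapped, `w_length - WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset`, and relies entirely on the branch above it to keep the subtraction non-negative. Hoisting `w_length - WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH` into a named variable computed only after the small-wLength check, and narrowing with min() against it, would make that invariant local to the code instead of implicit in branch order, which is what will protect it from the next refactor.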




* [PATCH 6.18 244/315] usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jeremy Erazo

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jeremy Erazo <mendozayt13@gmail.com>

commit 6c5dbc104dadd79fc2923497c20bae759a18758c upstream.

The WebUSB GET_URL handler in composite_setup() narrows
landing_page_length to fit the host-supplied wLength using

	landing_page_length = w_length
		- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;

If wLength is smaller than WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH the
unsigned subtraction wraps, and the subsequent

	memcpy(url_descriptor->URL,
	       cdev->landing_page + landing_page_offset,
	       landing_page_length - landing_page_offset);

ends up copying close to UINT_MAX bytes from cdev->landing_page into
cdev->req->buf.  KASAN reports a slab-out-of-bounds in composite_setup
on the kmalloc-2k gadget_info allocation, and FORTIFY_SOURCE traps the
memcpy as a 4294967293-byte field-spanning write into
url_descriptor->URL (size 252).

A USB host can reach this from a single SETUP packet against any
gadget that has webusb/use=1 and a landingPage configured.

Handle the small-wLength case before the math: when the host requested
fewer bytes than the URL descriptor header, only the header is
meaningful and no URL bytes need to be copied.  Setting
landing_page_length to landing_page_offset makes the existing memcpy a
no-op and leaves the descriptor returned to the host unchanged for all
larger wLength values.

Fixes: 93c473948c58 ("usb: gadget: add WebUSB landing page support")
Cc: stable <stable@kernel.org>
Signed-off-by: Jeremy Erazo <mendozayt13@gmail.com>
Link: https://patch.msgid.link/20260512160530.352318-1-mendozayt13@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/composite.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2172,7 +2172,10 @@ unknown:
 				sizeof(url_descriptor->URL)
 				- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset);
 
-			if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
+			if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH)
+				landing_page_length = landing_page_offset;
+			else if (w_length <
+				 WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
 				landing_page_length = w_length
 				- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;
 
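Review bot: the first branch assigns an offset to a length, `landing_page_length = landing_page_offset;`, which reads as a mistake unless the reader already knows that the later memcpy() moves `landing_page_length - landing_page_offset` bytes; put that reasoning (a header-only reply, zero URL bytes) in a comment on the branch, since the commit message explains it but the code does not. The seam is consistent: `w_length == WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH` takes the else branch and evaluates to the same `landing_page_offset`.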



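An added example, written for this page rather than taken from the kernel or from the patch author, that models the GET_URL narrowing carried by both the 6.12 and the 6.18 backports above on the types the handler uses, and builds a reply with the fixed arithmetic. The helper names (narrow_old, narrow_new, url_copy_len, build_get_url_reply), the `demo_desc` scratch buffer and the sample landing page are constructed for the demonstration; the descriptor layout uses the 252-byte URL field quoted in the commit message, and the request plumbing around composite_setup() is not reproduced.

```c
/*
 * Added example, not kernel code: models the wLength narrowing in the
 * WebUSB GET_URL handler before and after the fix. Types follow the
 * handler's (w_length is a u16, the two lengths are unsigned int); the
 * helper names, demo_desc and the sample landing page are constructed here.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH 3	/* bLength, bDescriptorType, bScheme */

struct webusb_url_descriptor {
	uint8_t bLength;
	uint8_t bDescriptorType;
	uint8_t bScheme;
	uint8_t URL[252];			/* field size quoted in the commit message */
};

/* Pre-fix narrowing: for w_length < 3 the subtraction goes negative and adding
 * the unsigned offset wraps the result modulo 2^32. */
static unsigned int narrow_old(uint16_t w_length, unsigned int landing_page_length,
			       unsigned int landing_page_offset)
{
	if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
		landing_page_length = w_length
			- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;
	return landing_page_length;
}

/* Post-fix narrowing from the patch: a header-only request makes the length
 * equal to the offset, so the memcpy() that follows moves zero bytes. */
static unsigned int narrow_new(uint16_t w_length, unsigned int landing_page_length,
			       unsigned int landing_page_offset)
{
	if (w_length < WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH)
		landing_page_length = landing_page_offset;
	else if (w_length <
		 WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_length)
		landing_page_length = w_length
			- WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset;
	return landing_page_length;
}

/* Byte count the handler passes to memcpy() after either narrowing. */
static unsigned int url_copy_len(unsigned int landing_page_length,
				 unsigned int landing_page_offset)
{
	return landing_page_length - landing_page_offset;
}

/* Scratch reply buffer for the demo below. */
static struct webusb_url_descriptor demo_desc;

/*
 * Builds the reply the fixed handler would queue and returns its bLength.
 * bScheme values are the WebUSB URL descriptor codes (0 http://, 1 https://,
 * 255 no prefix); the scheme prefix is skipped via landing_page_offset.
 */
static unsigned int build_get_url_reply(struct webusb_url_descriptor *out,
					const char *landing_page, uint16_t w_length)
{
	unsigned int landing_page_offset = 0;
	unsigned int landing_page_length;

	memset(out, 0, sizeof(*out));
	out->bDescriptorType = 3;		/* WebUSB URL descriptor type */
	out->bScheme = 255;
	if (!strncmp(landing_page, "https://", 8)) {
		landing_page_offset = 8;
		out->bScheme = 1;
	} else if (!strncmp(landing_page, "http://", 7)) {
		landing_page_offset = 7;
		out->bScheme = 0;
	}

	/* Same bound as the handler: URL field minus header plus skipped prefix. */
	landing_page_length = strnlen(landing_page, sizeof(out->URL)
				      - WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH + landing_page_offset);
	landing_page_length = narrow_new(w_length, landing_page_length, landing_page_offset);

	out->bLength = landing_page_length - landing_page_offset
		       + WEBUSB_URL_DESCRIPTOR_HEADER_LENGTH;
	memcpy(out->URL, landing_page + landing_page_offset,
	       url_copy_len(landing_page_length, landing_page_offset));
	return out->bLength;
}

int main(void)
{
	const char *page = "https://example.com";	/* constructed sample landing page */
	unsigned int len = strlen(page), off = 8;

	printf("wLength=0: old copy length %u, new copy length %u\n",
	       url_copy_len(narrow_old(0, len, off), off),
	       url_copy_len(narrow_new(0, len, off), off));
	printf("wLength=10: bLength %u, URL %.7s\n",
	       build_get_url_reply(&demo_desc, page, 10), (const char *)demo_desc.URL);
	return 0;
}
```

With wLength 0 and the `https://` prefix (offset 8) the old arithmetic yields a copy length of 4294967293, the exact figure in the commit message, while the new arithmetic yields 0 and a three-byte header-only reply; for wLength 10 the reply is truncated to seven URL bytes and bLength 10, and a request large enough for the whole URL is unaffected.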

* [PATCH 6.12 234/307] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Seungjin Bae

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Seungjin Bae <eeodqql09@gmail.com>

commit 7d9633528dd40e33964d2dc74a5abbf5c4d116ce upstream.

The `dummy_hub_control()` function handles USB hub class requests
to the virtual root hub. The `GetPortStatus` case returns -EPIPE for
requests with `wIndex != 1`, since the virtual root hub has only a
single port. However, the `ClearPortFeature` and `SetPortFeature`
cases lack the same check.

Fix this by extending the `wIndex != 1` rejection to both cases,
matching the existing behavior of `GetPortStatus`.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260518234314.1889396-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/dummy_hcd.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -2132,6 +2132,8 @@ static int dummy_hub_control(
 	case ClearHubFeature:
 		break;
 	case ClearPortFeature:
+		if (wIndex != 1)
+			goto error;
 		switch (wValue) {
 		case USB_PORT_FEAT_SUSPEND:
 			if (hcd->speed == HCD_USB3) {
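Review bot: the new `goto error` on ClearPortFeature jumps to a label outside this hunk; the commit message says GetPortStatus answers `wIndex != 1` with -EPIPE, so confirm that `error:` sets `retval = -EPIPE` and nothing else, otherwise the three cases still diverge in what the host sees. A one-line comment such as `/* the dummy root hub has exactly one port */` above the test would also explain the literal 1 to the next reader.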
@@ -2246,6 +2248,8 @@ static int dummy_hub_control(
 		retval = -EPIPE;
 		break;
 	case SetPortFeature:
+		if (wIndex != 1)
+			goto error;
 		switch (wValue) {
 		case USB_PORT_FEAT_LINK_STATE:
 			if (hcd->speed != HCD_USB3) {
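Review bot: the `wIndex != 1` test in SetPortFeature sits directly in front of the `USB_PORT_FEAT_LINK_STATE` case, and for that request the USB 3 hub protocol carries the requested link state in the high byte of wIndex (hub.c's hub_set_port_link_state() ORs `link_status << 3` into the port number), so a straight comparison against 1 rejects every link-state request, including the U3 suspend the core issues for a USB 3 root-hub port; the USB 2 PORT_TEST and PORT_INDICATOR selectors live in the same high byte. Comparing only the port byte, `(wIndex & 0xff) != 1`, keeps the bogus-port rejection without that side effect; if dummy_hcd never honoured those requests anyway, a comment saying so would pre-empt the question.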




* [PATCH 6.18 245/315] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 244/315] usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 246/315] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Seungjin Bae

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Seungjin Bae <eeodqql09@gmail.com>

commit 7d9633528dd40e33964d2dc74a5abbf5c4d116ce upstream.

The `dummy_hub_control()` function handles USB hub class requests
to the virtual root hub. The `GetPortStatus` case returns -EPIPE for
requests with `wIndex != 1`, since the virtual root hub has only a
single port. However, the `ClearPortFeature` and `SetPortFeature`
cases lack the same check.

Fix this by extending the `wIndex != 1` rejection to both cases,
matching the existing behavior of `GetPortStatus`.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260518234314.1889396-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/dummy_hcd.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -2134,6 +2134,8 @@ static int dummy_hub_control(
 	case ClearHubFeature:
 		break;
 	case ClearPortFeature:
+		if (wIndex != 1)
+			goto error;
 		switch (wValue) {
 		case USB_PORT_FEAT_SUSPEND:
 			if (hcd->speed == HCD_USB3) {
@@ -2248,6 +2250,8 @@ static int dummy_hub_control(
 		retval = -EPIPE;
 		break;
 	case SetPortFeature:
+		if (wIndex != 1)
+			goto error;
 		switch (wValue) {
 		case USB_PORT_FEAT_LINK_STATE:
 			if (hcd->speed != HCD_USB3) {




* [PATCH 6.12 235/307] usb: gadget: f_fs: copy only received bytes on short ep0 read
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 234/307] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 236/307] usb: gadget: f_fs: serialize DMABUF cancel against request completion Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Michael Bommarito

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 4e036c10e7f4df5d951c69cc3697bc8e209c6d02 upstream.

ffs_ep0_read() allocates its control-OUT data buffer with
kmalloc() (not kzalloc) at the Length value from the Setup
packet, then copies that full len to userspace regardless of
how many bytes were actually received:

    data = kmalloc(len, GFP_KERNEL);
    ...
    ret = __ffs_ep0_queue_wait(ffs, data, len);
    if ((ret > 0) && (copy_to_user(buf, data, len)))
            ret = -EFAULT;

__ffs_ep0_queue_wait() returns req->actual, which on a short
control OUT transfer is strictly less than len.  The
copy_to_user() call still copies len bytes, so on a short OUT
the last (len - ret) bytes of the kmalloc() buffer --
uninitialised slab residue -- are delivered to the FunctionFS
daemon.

Short ep0 OUT completions are specified USB control-transfer
behavior and are produced by in-tree UDCs:

  * dwc2 continues on req->actual < req->length for ep0 DATA OUT
    (short-not-ok is the only ep0-OUT stall path).
  * aspeed_udc ends ep0 OUT on rx_len < ep->ep.maxpacket.
  * renesas_usbf logs "ep0 short packet" and completes the
    request.
  * dwc3 stalls on short IN but not on short OUT.

A short ep0 OUT is therefore not evidence of a broken UDC; it is
a normal condition f_fs has to cope with.  The sibling gadgetfs
implementation in drivers/usb/gadget/legacy/inode.c already does
this correctly via min(len, dev->req->actual) before
copy_to_user().  This patch brings f_fs.c to the same safe
pattern rather than trimming at a defensive layer.

The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace.  Linux host stacks
normally reject short-wLength control OUTs before they reach
the gadget, so reproducing this required a build that
bypasses that host-side check.  With the bypass in place, a
1-byte payload on a 64-byte Setup produces 63 bytes of
non-canary slab residue in the daemon's read buffer.

Fix by copying only ret (actually received) bytes to
userspace.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Cc: stable <stable@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419160359.1577270-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -622,7 +622,7 @@ static ssize_t ffs_ep0_read(struct file
 
 		/* unlocks spinlock */
 		ret = __ffs_ep0_queue_wait(ffs, data, len);
-		if ((ret > 0) && (copy_to_user(buf, data, len)))
+		if ((ret > 0) && (copy_to_user(buf, data, ret)))
 			ret = -EFAULT;
 		goto done_mutex;
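Review bot: `ret` here is req->actual as returned by __ffs_ep0_queue_wait(), so the copy now follows the received byte count; because `data` is still kmalloc()ed at `len`, a UDC that ever reported actual > length would over-read the buffer, and clamping with `min_t(size_t, ret, len)` would mirror the gadgetfs `min(len, dev->req->actual)` the commit message cites. The bytes beyond `ret` remain uninitialised slab, just no longer copied; switching the allocation to kzalloc() would remove that residue entirely at the cost of zeroing wLength bytes per control transfer.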
 




* [PATCH 6.18 246/315] usb: gadget: f_fs: copy only received bytes on short ep0 read
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 245/315] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 247/315] usb: gadget: f_fs: serialize DMABUF cancel against request completion Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Michael Bommarito

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 4e036c10e7f4df5d951c69cc3697bc8e209c6d02 upstream.

ffs_ep0_read() allocates its control-OUT data buffer with
kmalloc() (not kzalloc) at the Length value from the Setup
packet, then copies that full len to userspace regardless of
how many bytes were actually received:

    data = kmalloc(len, GFP_KERNEL);
    ...
    ret = __ffs_ep0_queue_wait(ffs, data, len);
    if ((ret > 0) && (copy_to_user(buf, data, len)))
            ret = -EFAULT;

__ffs_ep0_queue_wait() returns req->actual, which on a short
control OUT transfer is strictly less than len.  The
copy_to_user() call still copies len bytes, so on a short OUT
the last (len - ret) bytes of the kmalloc() buffer --
uninitialised slab residue -- are delivered to the FunctionFS
daemon.

Short ep0 OUT completions are specified USB control-transfer
behavior and are produced by in-tree UDCs:

  * dwc2 continues on req->actual < req->length for ep0 DATA OUT
    (short-not-ok is the only ep0-OUT stall path).
  * aspeed_udc ends ep0 OUT on rx_len < ep->ep.maxpacket.
  * renesas_usbf logs "ep0 short packet" and completes the
    request.
  * dwc3 stalls on short IN but not on short OUT.

A short ep0 OUT is therefore not evidence of a broken UDC; it is
a normal condition f_fs has to cope with.  The sibling gadgetfs
implementation in drivers/usb/gadget/legacy/inode.c already does
this correctly via min(len, dev->req->actual) before
copy_to_user().  This patch brings f_fs.c to the same safe
pattern rather than trimming at a defensive layer.

The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace.  Linux host stacks
normally reject short-wLength control OUTs before they reach
the gadget, so reproducing this required a build that
bypasses that host-side check.  With the bypass in place, a
1-byte payload on a 64-byte Setup produces 63 bytes of
non-canary slab residue in the daemon's read buffer.

Fix by copying only ret (actually received) bytes to
userspace.

Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Cc: stable <stable@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419160359.1577270-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -622,7 +622,7 @@ static ssize_t ffs_ep0_read(struct file
 
 		/* unlocks spinlock */
 		ret = __ffs_ep0_queue_wait(ffs, data, len);
-		if ((ret > 0) && (copy_to_user(buf, data, len)))
+		if ((ret > 0) && (copy_to_user(buf, data, ret)))
 			ret = -EFAULT;
 		goto done_mutex;
 




* [PATCH 6.12 236/307] usb: gadget: f_fs: serialize DMABUF cancel against request completion
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 235/307] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 237/307] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Michael Bommarito

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 2796646f6d892c1eb6818c7ca41fdfa12568e8d1 upstream.

ffs_epfile_dmabuf_io_complete() calls usb_ep_free_request() on the
completed request but leaves priv->req, the back-pointer that
ffs_dmabuf_transfer() set on submission, pointing at the freed
memory.  A later FUNCTIONFS_DMABUF_DETACH ioctl or
ffs_epfile_release() on the close path still sees priv->req
non-NULL under ffs->eps_lock:

    if (priv->ep && priv->req)
            usb_ep_dequeue(priv->ep, priv->req);

so usb_ep_dequeue() is called on a freed usb_request.

On dummy_hcd the dequeue path only walks a live queue and
pointer-compares, so the freed pointer reads without faulting and
KASAN requires an explicit check at the FunctionFS call site to
surface the use-after-free.  On SG-capable in-tree UDCs the
dequeue path dereferences the supplied request immediately:

  * chipidea's ep_dequeue() does
    container_of(req, struct ci_hw_req, req) and reads
    hwreq->req.status before acquiring its own lock.
  * cdnsp's cdnsp_gadget_ep_dequeue() reads request->status first.

The narrower option of clearing priv->req via cmpxchg() in the
completion does not close the race: the completion runs without
eps_lock, so a cancel path holding eps_lock can still observe
priv->req non-NULL, race a concurrent completion that clears and
frees, and pass the freed pointer to usb_ep_dequeue().  A slightly
longer fix that moves the free into the cleanup work is needed.

Same class of lifetime race as the recent usbip-vudc timer fix [1].

Take eps_lock in the sole place that mutates priv->req from the
callback direction by moving usb_ep_free_request() out of the
completion into ffs_dmabuf_cleanup(), the existing work handler
scheduled by ffs_dmabuf_signal_done() on
ffs->io_completion_wq.  Clear priv->req there under eps_lock
before freeing, and only clear if priv->req still names our
request (a subsequent ffs_dmabuf_transfer() on the same
attachment may have queued a new one).

This keeps the existing dummy_hcd sync-dequeue invariant: the
completion callback is still invoked by the UDC without
eps_lock held (dummy_hcd drops its own lock before calling the
callback), and the callback now takes no f_fs lock at all.
Serialization against the cancel path happens in cleanup, which
runs from the workqueue with no f_fs lock held on entry.

The priv ref count protects the containing ffs_dmabuf_priv:
ffs_dmabuf_transfer() takes a ref via ffs_dmabuf_get(), cleanup
drops it via ffs_dmabuf_put(), so priv stays live for the
cleanup even after the cancel path's list_del + ffs_dmabuf_put.

The ffs_dmabuf_transfer() error path no longer frees usb_req
inline: fence->req and fence->ep are set before usb_ep_queue(),
so ffs_dmabuf_cleanup() (scheduled by the error-path
ffs_dmabuf_signal_done()) owns the free regardless of whether
the queue succeeded.

Reproduced under KASAN on both detach and close paths against
dummy_hcd with an observability hook
(kasan_check_byte(priv->req) immediately before usb_ep_dequeue)
at the two FunctionFS cancel sites to surface the stale-pointer
access; the hook is not part of this patch.  The KASAN
allocator / free stacks in the captured splats identify the
same request: alloc in dummy_alloc_request, free in
dummy_timer, fault reached from ffs_epfile_release (close) and
from the FUNCTIONFS_DMABUF_DETACH ioctl (detach).  With the
patch applied, both paths are silent under the same hook.

The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace or from a USB host on the
cable.  FunctionFS mounts default to GLOBAL_ROOT_UID, but the
filesystem supports uid=, gid=, and fmode= delegation to a
non-root gadget daemon, so on real deployments the attacker may
be a less-privileged service rather than root.

Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Link: https://lore.kernel.org/all/20260417163552.807548-1-michael.bommarito@gmail.com/ [1]
Cc: stable <stable@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419161227.1587668-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |   24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -151,6 +151,8 @@ struct ffs_dma_fence {
 	struct dma_fence base;
 	struct ffs_dmabuf_priv *priv;
 	struct work_struct work;
+	struct usb_ep *ep;
+	struct usb_request *req;
 };
 
 struct ffs_epfile {
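Review bot: the new `ep` and `req` members are read unconditionally in ffs_dmabuf_cleanup() and guarded only by `if (ep && req)`, which is sound only if every ffs_dma_fence is zero-initialised; the allocation site is outside this diff, so make sure it uses kzalloc() (or sets both fields to NULL explicitly), otherwise a fence signalled before ffs_dmabuf_transfer() assigns them would hand a garbage pointer to usb_ep_free_request().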
@@ -1375,6 +1377,21 @@ static void ffs_dmabuf_cleanup(struct wo
 	struct ffs_dmabuf_priv *priv = dma_fence->priv;
 	struct dma_buf_attachment *attach = priv->attach;
 	struct dma_fence *fence = &dma_fence->base;
+	struct usb_request *req = dma_fence->req;
+	struct usb_ep *ep = dma_fence->ep;
+
+	/*
+	 * eps_lock pairs with the cancel paths so they cannot pass a freed
+	 * req to usb_ep_dequeue().  Only clear if priv->req still names ours;
+	 * a re-queue on the same attachment may have taken that slot.
+	 */
+	spin_lock_irq(&priv->ffs->eps_lock);
+	if (priv->req == req)
+		priv->req = NULL;
+	spin_unlock_irq(&priv->ffs->eps_lock);
+
+	if (ep && req)
+		usb_ep_free_request(ep, req);
 
 	ffs_dmabuf_put(attach);
 	dma_fence_put(fence);
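Review bot: the comment explains why priv->req is cleared under eps_lock but not why freeing after the unlock is safe: a cancel path that loaded priv->req under eps_lock has already issued its usb_ep_dequeue() before it drops the lock, so once this function has taken the lock and cleared the pointer no other thread can still be using `req`; one more sentence stating that would spare the next reader the derivation. spin_lock_irq() also encodes the assumption that this only ever runs from ffs->io_completion_wq with interrupts enabled, which is worth saying next to the lock.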
@@ -1404,8 +1421,8 @@ static void ffs_epfile_dmabuf_io_complet
 					  struct usb_request *req)
 {
 	pr_vdebug("FFS: DMABUF transfer complete, status=%d\n", req->status);
+	/* req is freed by ffs_dmabuf_cleanup() under eps_lock. */
 	ffs_dmabuf_signal_done(req->context, req->status);
-	usb_ep_free_request(ep, req);
 }
 
 static const char *ffs_dmabuf_get_driver_name(struct dma_fence *fence)
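Review bot: the added comment says the request is freed "under eps_lock", but in ffs_dmabuf_cleanup() only the `priv->req = NULL` store happens under the lock and usb_ep_free_request() runs after spin_unlock_irq(); rewording it to "freed by ffs_dmabuf_cleanup() after it clears priv->req under eps_lock" keeps the comment accurate. With the free gone, the `ep` parameter of this callback is now unused, which is fine for the completion signature but worth noting so nobody "cleans it up" by freeing again.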
@@ -1689,6 +1706,10 @@ static int ffs_dmabuf_transfer(struct fi
 	usb_req->context  = fence;
 	usb_req->complete = ffs_epfile_dmabuf_io_complete;
 
+	/* ffs_dmabuf_cleanup() frees usb_req via these two fields. */
+	fence->req = usb_req;
+	fence->ep = ep->ep;
+
 	cookie = dma_fence_begin_signalling();
 	ret = usb_ep_queue(ep->ep, usb_req, GFP_ATOMIC);
 	dma_fence_end_signalling(cookie);
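Review bot: the ordering here is load-bearing: `fence->req` and `fence->ep` must be assigned before usb_ep_queue(), because the completion can run as soon as the request is queued (from the UDC's interrupt path on another CPU) and the ffs_dmabuf_cleanup() it schedules frees through exactly these two fields; extending the comment to "must be set before usb_ep_queue()" would stop a future reorder from reintroducing a leak or a free of NULL.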
@@ -1698,7 +1719,6 @@ static int ffs_dmabuf_transfer(struct fi
 	} else {
 		pr_warn("FFS: Failed to queue DMABUF: %d\n", ret);
 		ffs_dmabuf_signal_done(fence, ret);
-		usb_ep_free_request(ep->ep, usb_req);
 	}
 
 	spin_unlock_irq(&epfile->ffs->eps_lock);
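Review bot: after usb_ep_queue() fails the request was never on the endpoint queue, yet priv->req (set earlier in this function, outside the diff) still points at `usb_req` until the scheduled ffs_dmabuf_cleanup() clears it, so a FUNCTIONFS_DMABUF_DETACH or close in that window calls usb_ep_dequeue() on a never-queued request. UDCs tolerate that (typically -EINVAL), but since this branch still holds eps_lock (released just below), clearing `priv->req` on the error path here would keep the cancel paths from ever seeing it, and cleanup's `priv->req == req` comparison simply would not match.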




* [PATCH 6.18 247/315] usb: gadget: f_fs: serialize DMABUF cancel against request completion
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (245 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 246/315] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 248/315] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Michael Bommarito

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 2796646f6d892c1eb6818c7ca41fdfa12568e8d1 upstream.

ffs_epfile_dmabuf_io_complete() calls usb_ep_free_request() on the
completed request but leaves priv->req, the back-pointer that
ffs_dmabuf_transfer() set on submission, pointing at the freed
memory.  A later FUNCTIONFS_DMABUF_DETACH ioctl or
ffs_epfile_release() on the close path still sees priv->req
non-NULL under ffs->eps_lock:

    if (priv->ep && priv->req)
            usb_ep_dequeue(priv->ep, priv->req);

so usb_ep_dequeue() is called on a freed usb_request.

On dummy_hcd the dequeue path only walks a live queue and
pointer-compares, so the freed pointer reads without faulting and
KASAN requires an explicit check at the FunctionFS call site to
surface the use-after-free.  On SG-capable in-tree UDCs the
dequeue path dereferences the supplied request immediately:

  * chipidea's ep_dequeue() does
    container_of(req, struct ci_hw_req, req) and reads
    hwreq->req.status before acquiring its own lock.
  * cdnsp's cdnsp_gadget_ep_dequeue() reads request->status first.

The narrower option of clearing priv->req via cmpxchg() in the
completion does not close the race: the completion runs without
eps_lock, so a cancel path holding eps_lock can still observe
priv->req non-NULL, race a concurrent completion that clears and
frees, and pass the freed pointer to usb_ep_dequeue().  A slightly
longer fix that moves the free into the cleanup work is needed.

Same class of lifetime race as the recent usbip-vudc timer fix [1].

Take eps_lock in the sole place that mutates priv->req from the
callback direction by moving usb_ep_free_request() out of the
completion into ffs_dmabuf_cleanup(), the existing work handler
scheduled by ffs_dmabuf_signal_done() on
ffs->io_completion_wq.  Clear priv->req there under eps_lock
before freeing, and only clear if priv->req still names our
request (a subsequent ffs_dmabuf_transfer() on the same
attachment may have queued a new one).

This keeps the existing dummy_hcd sync-dequeue invariant: the
completion callback is still invoked by the UDC without
eps_lock held (dummy_hcd drops its own lock before calling the
callback), and the callback now takes no f_fs lock at all.
Serialization against the cancel path happens in cleanup, which
runs from the workqueue with no f_fs lock held on entry.

The priv ref count protects the containing ffs_dmabuf_priv:
ffs_dmabuf_transfer() takes a ref via ffs_dmabuf_get(), cleanup
drops it via ffs_dmabuf_put(), so priv stays live for the
cleanup even after the cancel path's list_del + ffs_dmabuf_put.

The ffs_dmabuf_transfer() error path no longer frees usb_req
inline: fence->req and fence->ep are set before usb_ep_queue(),
so ffs_dmabuf_cleanup() (scheduled by the error-path
ffs_dmabuf_signal_done()) owns the free regardless of whether
the queue succeeded.

Reproduced under KASAN on both detach and close paths against
dummy_hcd with an observability hook
(kasan_check_byte(priv->req) immediately before usb_ep_dequeue)
at the two FunctionFS cancel sites to surface the stale-pointer
access; the hook is not part of this patch.  The KASAN
allocator / free stacks in the captured splats identify the
same request: alloc in dummy_alloc_request, free in
dummy_timer, fault reached from ffs_epfile_release (close) and
from the FUNCTIONFS_DMABUF_DETACH ioctl (detach).  With the
patch applied, both paths are silent under the same hook.

The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace or from a USB host on the
cable.  FunctionFS mounts default to GLOBAL_ROOT_UID, but the
filesystem supports uid=, gid=, and fmode= delegation to a
non-root gadget daemon, so on real deployments the attacker may
be a less-privileged service rather than root.

Fixes: 7b07a2a7ca02 ("usb: gadget: functionfs: Add DMABUF import interface")
Link: https://lore.kernel.org/all/20260417163552.807548-1-michael.bommarito@gmail.com/ [1]
Cc: stable <stable@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419161227.1587668-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_fs.c |   24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -151,6 +151,8 @@ struct ffs_dma_fence {
 	struct dma_fence base;
 	struct ffs_dmabuf_priv *priv;
 	struct work_struct work;
+	struct usb_ep *ep;
+	struct usb_request *req;
 };
 
 struct ffs_epfile {
@@ -1365,6 +1367,21 @@ static void ffs_dmabuf_cleanup(struct wo
 	struct ffs_dmabuf_priv *priv = dma_fence->priv;
 	struct dma_buf_attachment *attach = priv->attach;
 	struct dma_fence *fence = &dma_fence->base;
+	struct usb_request *req = dma_fence->req;
+	struct usb_ep *ep = dma_fence->ep;
+
+	/*
+	 * eps_lock pairs with the cancel paths so they cannot pass a freed
+	 * req to usb_ep_dequeue().  Only clear if priv->req still names ours;
+	 * a re-queue on the same attachment may have taken that slot.
+	 */
+	spin_lock_irq(&priv->ffs->eps_lock);
+	if (priv->req == req)
+		priv->req = NULL;
+	spin_unlock_irq(&priv->ffs->eps_lock);
+
+	if (ep && req)
+		usb_ep_free_request(ep, req);
 
 	ffs_dmabuf_put(attach);
 	dma_fence_put(fence);
@@ -1394,8 +1411,8 @@ static void ffs_epfile_dmabuf_io_complet
 					  struct usb_request *req)
 {
 	pr_vdebug("FFS: DMABUF transfer complete, status=%d\n", req->status);
+	/* req is freed by ffs_dmabuf_cleanup() under eps_lock. */
 	ffs_dmabuf_signal_done(req->context, req->status);
-	usb_ep_free_request(ep, req);
 }
 
 static const char *ffs_dmabuf_get_driver_name(struct dma_fence *fence)
@@ -1679,6 +1696,10 @@ static int ffs_dmabuf_transfer(struct fi
 	usb_req->context  = fence;
 	usb_req->complete = ffs_epfile_dmabuf_io_complete;
 
+	/* ffs_dmabuf_cleanup() frees usb_req via these two fields. */
+	fence->req = usb_req;
+	fence->ep = ep->ep;
+
 	cookie = dma_fence_begin_signalling();
 	ret = usb_ep_queue(ep->ep, usb_req, GFP_ATOMIC);
 	dma_fence_end_signalling(cookie);
@@ -1688,7 +1709,6 @@ static int ffs_dmabuf_transfer(struct fi
 	} else {
 		pr_warn("FFS: Failed to queue DMABUF: %d\n", ret);
 		ffs_dmabuf_signal_done(fence, ret);
-		usb_ep_free_request(ep->ep, usb_req);
 	}
 
 	spin_unlock_irq(&epfile->ffs->eps_lock);




* [PATCH 6.12 237/307] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (232 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 236/307] usb: gadget: f_fs: serialize DMABUF cancel against request completion Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 238/307] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 01deda0152066c6c955f0619114ea6afa070aaec upstream.

entry->value is u32 and entry->length is u16; the sum is performed in
u32 and wraps.  A malicious XDomain peer can pick
value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0
and passes the > block_len check.  tb_property_parse() then passes
entry->value to parse_dwdata() as a dword offset into the property
block, reading attacker-directed memory far past the allocation.

For TEXT-typed entries with the "deviceid" or "vendorid" keys this
lands in xd->device_name / xd->vendor_name and is readable back via
the per-XDomain device_name / vendor_name sysfs attributes; the leak
is NUL-bounded (kstrdup() stops at the first zero byte) and
untargeted (the attacker picks a delta, not an absolute address).
DATA-typed entries are parsed into property->value.data but not
generically surfaced to userspace.

Use check_add_overflow() so a wrapped sum is rejected.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -8,6 +8,7 @@
  */
 
 #include <linux/err.h>
+#include <linux/overflow.h>
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/uuid.h>
@@ -52,13 +53,16 @@ static inline void format_dwdata(void *d
 static bool tb_property_entry_valid(const struct tb_property_entry *entry,
 				  size_t block_len)
 {
+	u32 end;
+
 	switch (entry->type) {
 	case TB_PROPERTY_TYPE_DIRECTORY:
 	case TB_PROPERTY_TYPE_DATA:
 	case TB_PROPERTY_TYPE_TEXT:
 		if (entry->length > block_len)
 			return false;
-		if (entry->value + entry->length > block_len)
+		if (check_add_overflow(entry->value, entry->length, &end) ||
+		    end > block_len)
 			return false;
 		break;
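Review bot: once the wrapped add is rejected, `end >= entry->length` always holds, so the preceding `if (entry->length > block_len)` test is implied by `end > block_len` and could be folded into it; keeping both is harmless but the redundancy deserves either a cleanup or a comment. A comment stating that `value` and `length` are dword counts and that `block_len` is in the same unit would also help, since the comparison is only meaningful when the units agree (the commit message says `value` is passed to parse_dwdata() as a dword offset).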
 




* [PATCH 6.18 248/315] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (246 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 247/315] usb: gadget: f_fs: serialize DMABUF cancel against request completion Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 249/315] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 01deda0152066c6c955f0619114ea6afa070aaec upstream.

entry->value is u32 and entry->length is u16; the sum is performed in
u32 and wraps.  A malicious XDomain peer can pick
value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0
and passes the > block_len check.  tb_property_parse() then passes
entry->value to parse_dwdata() as a dword offset into the property
block, reading attacker-directed memory far past the allocation.

For TEXT-typed entries with the "deviceid" or "vendorid" keys this
lands in xd->device_name / xd->vendor_name and is readable back via
the per-XDomain device_name / vendor_name sysfs attributes; the leak
is NUL-bounded (kstrdup() stops at the first zero byte) and
untargeted (the attacker picks a delta, not an absolute address).
DATA-typed entries are parsed into property->value.data but not
generically surfaced to userspace.

Use check_add_overflow() so a wrapped sum is rejected.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -8,6 +8,7 @@
  */
 
 #include <linux/err.h>
+#include <linux/overflow.h>
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/uuid.h>
@@ -52,13 +53,16 @@ static inline void format_dwdata(void *d
 static bool tb_property_entry_valid(const struct tb_property_entry *entry,
 				  size_t block_len)
 {
+	u32 end;
+
 	switch (entry->type) {
 	case TB_PROPERTY_TYPE_DIRECTORY:
 	case TB_PROPERTY_TYPE_DATA:
 	case TB_PROPERTY_TYPE_TEXT:
 		if (entry->length > block_len)
 			return false;
-		if (entry->value + entry->length > block_len)
+		if (check_add_overflow(entry->value, entry->length, &end) ||
+		    end > block_len)
 			return false;
 		break;
 
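Review bot: with the overflow-checked add in place, the `if (entry->length > block_len)` two lines above is subsumed: when the add does not overflow, `end >= entry->length`, so `end > block_len` already rejects any length larger than the block. Keeping both is harmless, but either drop the first or give it a one-line comment so nobody wonders which case it covers. Note also that this hunk only bounds `value + length` against the block; for a TB_PROPERTY_TYPE_DIRECTORY entry a `length` smaller than the four dwords of the sub-directory UUID still passes here, which is what the separate dir_len < 4 patch in this series addresses.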



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 238/307] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 237/307] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 239/307] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit de21b59c29e31c5108ddc04210631bbfab81b997 upstream.

On the non-root path, __tb_property_parse_dir() takes dir_len from
entry->length (u16 widened to size_t).  Two distinct OOB conditions
follow when entry->length < 4:

1. The non-root path begins with kmemdup(&block[dir_offset],
   sizeof(*dir->uuid), ...) which always reads 4 dwords from
   dir_offset.  tb_property_entry_valid() only enforces
   dir_offset + entry->length <= block_len, so a crafted entry
   with dir_offset close to the end of the property block and
   entry->length in 0..3 passes that gate but lets the UUID copy
   run off the block (e.g. dir_offset = 497, dir_len = 3 in a
   500-dword block reads block[497..501]).

2. After the kmemdup, content_len = dir_len - 4 underflows size_t
   to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry
   walk runs OOB on each iteration until an entry fails
   validation or the kernel oopses on an unmapped page.

Reject dir_len < 4 on the non-root path *before* the UUID kmemdup,
which closes both holes.

Also move INIT_LIST_HEAD(&dir->properties) up to immediately after
the dir allocation so the new error-return path (and the existing
uuid-alloc failure path) calling tb_property_free_dir() sees a
walkable list rather than the zero-initialized NULL next/prev that
list_for_each_entry_safe() would oops on.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -174,10 +174,16 @@ static struct tb_property_dir *__tb_prop
 	if (!dir)
 		return NULL;
 
+	INIT_LIST_HEAD(&dir->properties);
+
 	if (is_root) {
 		content_offset = dir_offset + 2;
 		content_len = dir_len;
 	} else {
+		if (dir_len < 4) {
+			tb_property_free_dir(dir);
+			return NULL;
+		}
 		dir->uuid = kmemdup(&block[dir_offset], sizeof(*dir->uuid),
 				    GFP_KERNEL);
 		if (!dir->uuid) {
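Review bot: the literal 4 in `if (dir_len < 4)` is the UUID size in dwords that the `kmemdup(&block[dir_offset], sizeof(*dir->uuid), ...)` directly below it reads; writing it as `sizeof(*dir->uuid) / 4` (or a named constant) ties the bound to the copy it protects. The early `tb_property_free_dir(dir)` is only safe because `INIT_LIST_HEAD(&dir->properties)` now precedes it and `dir->uuid` is still NULL, so a short comment at the new INIT_LIST_HEAD site saying the error paths depend on that ordering would stop a later cleanup from moving it back down.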
@@ -191,8 +197,6 @@ static struct tb_property_dir *__tb_prop
 	entries = (const struct tb_property_entry *)&block[content_offset];
 	nentries = content_len / (sizeof(*entries) / 4);
 
-	INIT_LIST_HEAD(&dir->properties);
-
 	for (i = 0; i < nentries; i++) {
 		struct tb_property *property;
 
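Review bot: the `nentries = content_len / (sizeof(*entries) / 4)` line this hunk sits next to is the one that produced SIZE_MAX / 4 before, and the new `dir_len < 4` gate covers it only on the non-root path. On the is_root path `content_len = dir_len` is passed straight through (see the previous hunk), so the division here is only as trustworthy as the dir_len the caller supplies for the root directory; a comment stating that precondition on the nentries line would be useful.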




* [PATCH 6.18 249/315] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (247 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 248/315] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 250/315] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit de21b59c29e31c5108ddc04210631bbfab81b997 upstream.

On the non-root path, __tb_property_parse_dir() takes dir_len from
entry->length (u16 widened to size_t).  Two distinct OOB conditions
follow when entry->length < 4:

1. The non-root path begins with kmemdup(&block[dir_offset],
   sizeof(*dir->uuid), ...) which always reads 4 dwords from
   dir_offset.  tb_property_entry_valid() only enforces
   dir_offset + entry->length <= block_len, so a crafted entry
   with dir_offset close to the end of the property block and
   entry->length in 0..3 passes that gate but lets the UUID copy
   run off the block (e.g. dir_offset = 497, dir_len = 3 in a
   500-dword block reads block[497..501]).

2. After the kmemdup, content_len = dir_len - 4 underflows size_t
   to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry
   walk runs OOB on each iteration until an entry fails
   validation or the kernel oopses on an unmapped page.

Reject dir_len < 4 on the non-root path *before* the UUID kmemdup,
which closes both holes.

Also move INIT_LIST_HEAD(&dir->properties) up to immediately after
the dir allocation so the new error-return path (and the existing
uuid-alloc failure path) calling tb_property_free_dir() sees a
walkable list rather than the zero-initialized NULL next/prev that
list_for_each_entry_safe() would oops on.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -174,10 +174,16 @@ static struct tb_property_dir *__tb_prop
 	if (!dir)
 		return NULL;
 
+	INIT_LIST_HEAD(&dir->properties);
+
 	if (is_root) {
 		content_offset = dir_offset + 2;
 		content_len = dir_len;
 	} else {
+		if (dir_len < 4) {
+			tb_property_free_dir(dir);
+			return NULL;
+		}
 		dir->uuid = kmemdup(&block[dir_offset], sizeof(*dir->uuid),
 				    GFP_KERNEL);
 		if (!dir->uuid) {
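Review bot: the position of the new `dir_len < 4` test deserves a comment, because both constraints on it are easy to break later: it must sit before the kmemdup, since the copy reads sizeof(*dir->uuid) bytes regardless of dir_len, and after INIT_LIST_HEAD, since tb_property_free_dir() walks dir->properties. Consider `if (dir_len < sizeof(*dir->uuid) / 4)` rather than a bare 4 so the bound and the copy size cannot drift apart.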
@@ -191,8 +197,6 @@ static struct tb_property_dir *__tb_prop
 	entries = (const struct tb_property_entry *)&block[content_offset];
 	nentries = content_len / (sizeof(*entries) / 4);
 
-	INIT_LIST_HEAD(&dir->properties);
-
 	for (i = 0; i < nentries; i++) {
 		struct tb_property *property;
 
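Review bot: the root path still assigns `content_len = dir_len` with no lower bound (previous hunk), so the `content_len / (sizeof(*entries) / 4)` division here is correct for the root directory only if the caller of __tb_property_parse_dir() validates dir_len before passing it in; spell out that precondition in a comment next to the nentries computation.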



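Added example (my own userland C, not kernel code and not from the patch author) covering both thunderbolt fixes in this series: the u32 wrap in tb_property_entry_valid() from patch 248/315 at the top of this section and the dir_len < 4 lower bound in __tb_property_parse_dir() from 238/307 and 249/315 above. It runs a non-root directory entry through the same gates in their pre-fix and fixed shapes and reports which gate a crafted entry defeats. Assumptions: the four-dword entry layout, dword-unit lengths, the 16-byte UUID, the 500-dword block and the values from the commit messages' own examples, and __builtin_add_overflow() standing in for check_add_overflow().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modeled on the kernel's struct tb_property_entry (assumption: four dwords;
 * only the widths of value (u32) and length (u16) matter for the bug). */
struct tb_property_entry {
	uint32_t key_hi;
	uint32_t key_lo;
	uint16_t length;	/* in dwords */
	uint8_t  reserved;
	uint8_t  type;
	uint32_t value;		/* dword offset into the block for DIR/DATA/TEXT */
};

#define UUID_DWORDS 4	/* sizeof(uuid_t) / 4: what the non-root path copies first */

enum dir_result {
	DIR_OK,			/* entry accepted and the entry walk is bounded */
	DIR_REJECTED,		/* validation refused the entry */
	DIR_UUID_OVERREAD,	/* the 4-dword UUID copy would run past the block */
	DIR_NENTRIES_HUGE	/* content_len underflowed: the walk runs off the block */
};

/* Pre-fix gate: value + length is added in u32 and can wrap to a small number. */
bool entry_valid_wrapping(uint32_t value, uint16_t length, size_t block_len)
{
	if (length > block_len)
		return false;
	if (value + length > block_len)
		return false;
	return true;
}

/* Fixed gate: refuse the entry if the add overflows u32 (check_add_overflow). */
bool entry_valid_checked(uint32_t value, uint16_t length, size_t block_len)
{
	uint32_t end;

	if (length > block_len)
		return false;
	if (__builtin_add_overflow(value, length, &end) || end > block_len)
		return false;
	return true;
}

/*
 * Run a non-root directory entry through the gates of __tb_property_parse_dir()
 * and report where a crafted entry would go wrong.  @fixed selects the patched
 * behaviour: overflow-checked add plus dir_len >= 4 before the UUID copy.
 */
enum dir_result parse_subdir(uint32_t value, uint16_t length,
			     size_t block_len, bool fixed)
{
	size_t dir_offset, dir_len, content_len, nentries;
	bool ok = fixed ? entry_valid_checked(value, length, block_len)
			: entry_valid_wrapping(value, length, block_len);

	if (!ok)
		return DIR_REJECTED;

	dir_offset = value;
	dir_len = length;

	if (fixed && dir_len < UUID_DWORDS)	/* second patch: reject before the kmemdup */
		return DIR_REJECTED;

	/* kmemdup(&block[dir_offset], sizeof(*dir->uuid), ...) reads 4 dwords regardless. */
	if (dir_offset + UUID_DWORDS > block_len)
		return DIR_UUID_OVERREAD;

	content_len = dir_len - UUID_DWORDS;	/* size_t underflow when dir_len < 4 */
	nentries = content_len / (sizeof(struct tb_property_entry) / 4);
	if (nentries > block_len / (sizeof(struct tb_property_entry) / 4))
		return DIR_NENTRIES_HUGE;

	return DIR_OK;
}

int main(void)
{
	printf("u32 wrap   pre-fix=%d fixed=%d\n",
	       parse_subdir(0xffffff00, 0x100, 500, false),
	       parse_subdir(0xffffff00, 0x100, 500, true));
	printf("dir_len=3  pre-fix=%d fixed=%d\n",
	       parse_subdir(497, 3, 500, false), parse_subdir(497, 3, 500, true));
	printf("dir_len=2  pre-fix=%d (nentries underflow)\n",
	       parse_subdir(100, 2, 500, false));
	return 0;
}
```

On a 64-bit host the wrapped sum 0xffffff00 + 0x100 passes the old check as 0 and the entry is then used as a dword offset four gigabytes past the block, which is the overread the first patch closes; dir_len = 3 at offset 497 passes both old checks and is stopped only by the new lower bound, and dir_len = 2 shows the size_t underflow that the lower bound also removes.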

* [PATCH 6.12 239/307] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 238/307] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 240/307] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Hannes Reinecke,
	Martin K. Petersen

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 9eed1bd59937e6828b00d2f2dfef631d964f3636 upstream.

drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the
descriptor cursor by an attacker-supplied fip_dlen without ever
requiring dlen >= sizeof(struct fip_desc) in the default branch.  The
named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked
their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor
(fip_dtype >= 128, which the standard requires receivers to silently
ignore) skipped that check entirely.

An unauthenticated L2 peer on the FCoE control VLAN could hang
fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely
by emitting one FIP CVL frame whose single descriptor had fip_dtype ==
FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes
per iteration and the loop condition rlen >= sizeof(*desc) stayed true
forever, blocking every subsequent FIP frame on that controller.

Tighten the outer dlen guard to also reject dlen < sizeof(struct
fip_desc), so a malformed descriptor whose length cannot even cover the
descriptor header is rejected before the switch.  This is the same
lower-bound the named cases already apply and is the minimum scope that
closes the loop.

Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/fcoe/fcoe_ctlr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -1386,7 +1386,7 @@ static void fcoe_ctlr_recv_clr_vlink(str
 
 	while (rlen >= sizeof(*desc)) {
 		dlen = desc->fip_dlen * FIP_BPW;
-		if (dlen > rlen)
+		if (dlen < sizeof(*desc) || dlen > rlen)
 			goto err;
 		/* Drop CVL if there are duplicate critical descriptors */
 		if ((desc->fip_dtype < 32) &&
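Review bot: `dlen < sizeof(*desc)` drops the whole CVL on a malformed non-critical descriptor rather than skipping it, even though the message notes the standard tells receivers to ignore fip_dtype >= 128; that is the right call, because a descriptor shorter than its own header cannot be skipped (the cursor would not move), but that reasoning belongs in a comment on the condition so it is not later "relaxed" for the ignore-by-default branch. Since fip_dlen is a single byte and FIP_BPW a constant, `dlen` cannot wrap, so the two-sided check is complete.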




* [PATCH 6.18 250/315] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (248 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 249/315] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 251/315] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Hannes Reinecke,
	Martin K. Petersen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 9eed1bd59937e6828b00d2f2dfef631d964f3636 upstream.

drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the
descriptor cursor by an attacker-supplied fip_dlen without ever
requiring dlen >= sizeof(struct fip_desc) in the default branch.  The
named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked
their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor
(fip_dtype >= 128, which the standard requires receivers to silently
ignore) skipped that check entirely.

An unauthenticated L2 peer on the FCoE control VLAN could hang
fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely
by emitting one FIP CVL frame whose single descriptor had fip_dtype ==
FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes
per iteration and the loop condition rlen >= sizeof(*desc) stayed true
forever, blocking every subsequent FIP frame on that controller.

Tighten the outer dlen guard to also reject dlen < sizeof(struct
fip_desc), so a malformed descriptor whose length cannot even cover the
descriptor header is rejected before the switch.  This is the same
lower-bound the named cases already apply and is the minimum scope that
closes the loop.

Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/fcoe/fcoe_ctlr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -1386,7 +1386,7 @@ static void fcoe_ctlr_recv_clr_vlink(str
 
 	while (rlen >= sizeof(*desc)) {
 		dlen = desc->fip_dlen * FIP_BPW;
-		if (dlen > rlen)
+		if (dlen < sizeof(*desc) || dlen > rlen)
 			goto err;
 		/* Drop CVL if there are duplicate critical descriptors */
 		if ((desc->fip_dtype < 32) &&
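Review bot: the `goto err` on `dlen < sizeof(*desc)` fires before the switch, so the per-type minimums inside the named cases may now assume at least a full header; a one-line comment saying the lower bound exists to guarantee that `desc` advances on every iteration would document why a zero fip_dlen is fatal for the frame instead of merely ignorable for the descriptor.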



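Added example (my own C, not from the fcoe driver or the patch author) for the CVL descriptor walk described in 239/307 and 250/315 above: a bounded re-implementation of the loop with the pre-fix and fixed guards side by side, run over constructed payloads that include the single non-critical descriptor with fip_dlen == 0 from the commit message. The two-byte fip_desc header, FIP_BPW = 4 and the 8-byte MAC descriptor minimum are assumptions; the iteration cap exists only so the pre-fix spin can be observed without hanging the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-wire FIP descriptor header, as in the kernel's struct fip_desc. */
struct fip_desc {
	uint8_t fip_dtype;
	uint8_t fip_dlen;	/* length in 4-byte words, header included */
};

#define FIP_BPW			4	/* bytes per word */
#define FIP_DT_MAC		2
#define FIP_DT_NON_CRITICAL	128	/* >= 128: receiver is to ignore it */
#define FIP_MAC_DESC_LEN	8	/* header plus a 6-byte MAC */

enum walk_result {
	WALK_DONE  = 0,		/* consumed the whole payload */
	WALK_ERR   = -1,	/* malformed descriptor, frame dropped */
	WALK_STUCK = -2		/* cursor stopped advancing: the pre-fix spin */
};

/*
 * Walk the descriptors of a CVL payload the way fcoe_ctlr_recv_clr_vlink()
 * does.  @fixed applies the patched lower bound; @max_iters caps the loop so
 * the pre-fix behaviour can be observed instead of hanging.  *@consumed
 * receives the number of descriptors stepped over.
 */
int walk_cvl_descs(const uint8_t *buf, size_t rlen, int fixed,
		   unsigned max_iters, unsigned *consumed)
{
	const uint8_t *p = buf;
	unsigned iters = 0;

	*consumed = 0;
	while (rlen >= sizeof(struct fip_desc)) {
		struct fip_desc desc;
		size_t dlen;

		memcpy(&desc, p, sizeof(desc));
		dlen = (size_t)desc.fip_dlen * FIP_BPW;

		if (++iters > max_iters)
			return WALK_STUCK;

		/* Pre-fix: upper bound only.  Fixed: also demand a full header. */
		if ((fixed && dlen < sizeof(desc)) || dlen > rlen)
			return WALK_ERR;

		switch (desc.fip_dtype) {
		case FIP_DT_MAC:
			if (dlen < FIP_MAC_DESC_LEN)	/* per-type minimum, unchanged */
				return WALK_ERR;
			break;
		default:
			/* Non-critical or unknown: ignored, but the cursor must still move. */
			break;
		}

		(*consumed)++;
		p += dlen;	/* advances by zero bytes when fip_dlen == 0 */
		rlen -= dlen;
	}
	return WALK_DONE;
}

/* Constructed payloads (not captured traffic). */
static const uint8_t good_cvl[] = {
	FIP_DT_MAC, 2, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,	/* dlen = 8 */
	FIP_DT_NON_CRITICAL, 1, 0x00, 0x00,			/* dlen = 4 */
};
static const uint8_t zero_dlen_cvl[] = { FIP_DT_NON_CRITICAL, 0 };	/* the DoS frame */
static const uint8_t overlong_cvl[]  = { FIP_DT_MAC, 5 };		/* claims 20 bytes */

/* Scenario wrappers returning the walk result, or the descriptor count. */
int cvl_good(int fixed)       { unsigned n; return walk_cvl_descs(good_cvl, sizeof good_cvl, fixed, 16, &n); }
int cvl_good_count(int fixed) { unsigned n; walk_cvl_descs(good_cvl, sizeof good_cvl, fixed, 16, &n); return (int)n; }
int cvl_zero_dlen(int fixed)  { unsigned n; return walk_cvl_descs(zero_dlen_cvl, sizeof zero_dlen_cvl, fixed, 16, &n); }
int cvl_overlong(int fixed)   { unsigned n; return walk_cvl_descs(overlong_cvl, sizeof overlong_cvl, fixed, 16, &n); }

int main(void)
{
	printf("good:      fixed=%d, %d descriptors\n", cvl_good(1), cvl_good_count(1));
	printf("zero dlen: pre-fix=%d fixed=%d\n", cvl_zero_dlen(0), cvl_zero_dlen(1));
	printf("overlong:  fixed=%d\n", cvl_overlong(1));
	return 0;
}
```

The invariant the patch restores is that every accepted descriptor moves the cursor by at least sizeof(struct fip_desc); any walker over length-prefixed records needs the same lower bound, not only the upper one against the remaining payload.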

* [PATCH 6.12 240/307] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 239/307] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 241/307] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Christoph Hellwig,
	John Garry, Martin K. Petersen

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit a9a39233ec1fc9f97ea1340a4d09bb7ec2be5153 upstream.

An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS
frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in
the generic FC transport. This is not a local userspace or IP network
path; the attacker must be able to inject fabric traffic, for example as
a compromised switch or fabric controller, or as a same-zone N_Port on a
fabric that permits source spoofing.

The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop
counter against the 32-bit on-wire pname_count field, and did not bound
pname_count by the descriptor body already validated by the TLV walker.
A pname_count of 256 therefore wraps the counter and keeps the loop
condition true indefinitely.

Factor the shared pname_list[] walk into one helper, widen the counter
to u32, and clamp pname_count against the entries that fit in the
descriptor body before iterating.

Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_transport_fc.c |   77 ++++++++++++++++++++-------------------
 1 file changed, 41 insertions(+), 36 deletions(-)

--- a/drivers/scsi/scsi_transport_fc.c
+++ b/drivers/scsi/scsi_transport_fc.c
@@ -742,6 +742,37 @@ fc_cn_stats_update(u16 event_type, struc
 	}
 }
 
+static void
+fc_fpin_pname_stats_update(struct Scsi_Host *shost,
+			   struct fc_rport *attach_rport, u16 event_type,
+			   u32 desc_len, u32 fixed_len, u32 pname_count,
+			   __be64 *pname_list,
+			   void (*stats_update)(u16 event_type,
+						struct fc_fpin_stats *stats))
+{
+	u32 i;
+	struct fc_rport *rport;
+	u64 wwpn;
+
+	if (desc_len < fixed_len)
+		pname_count = 0;
+	else
+		pname_count = min(pname_count, (desc_len - fixed_len) /
+				   sizeof(pname_list[0]));
+
+	for (i = 0; i < pname_count; i++) {
+		wwpn = be64_to_cpu(pname_list[i]);
+		rport = fc_find_rport_by_wwpn(shost, wwpn);
+		if (rport &&
+		    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
+		     rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
+			if (rport == attach_rport)
+				continue;
+			stats_update(event_type, &rport->fpin_stats);
+		}
+	}
+}
+
 /*
  * fc_fpin_li_stats_update - routine to update Link Integrity
  * event statistics.
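Review bot: `min(pname_count, (desc_len - fixed_len) / sizeof(pname_list[0]))` mixes a u32 with a size_t; `min_t(u32, ...)` keeps both operands the same type and makes the backport to trees with a stricter min() painless. A claimed pname_count larger than what fits is clamped silently, yet that mismatch means a malformed FPIN, so a rate-limited debug message would let an operator tell a crafted frame from a benign one. The clamp is also only sound because desc_len was checked against the ELS payload by the TLV walker, as the commit message states; say so in a comment above it.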
@@ -752,13 +783,11 @@ fc_cn_stats_update(u16 event_type, struc
 static void
 fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv)
 {
-	u8 i;
 	struct fc_rport *rport = NULL;
 	struct fc_rport *attach_rport = NULL;
 	struct fc_host_attrs *fc_host = shost_to_fc_host(shost);
 	struct fc_fn_li_desc *li_desc = (struct fc_fn_li_desc *)tlv;
 	u16 event_type = be16_to_cpu(li_desc->event_type);
-	u64 wwpn;
 
 	rport = fc_find_rport_by_wwpn(shost,
 				      be64_to_cpu(li_desc->attached_wwpn));
@@ -769,22 +798,11 @@ fc_fpin_li_stats_update(struct Scsi_Host
 		fc_li_stats_update(event_type, &attach_rport->fpin_stats);
 	}
 
-	if (be32_to_cpu(li_desc->pname_count) > 0) {
-		for (i = 0;
-		    i < be32_to_cpu(li_desc->pname_count);
-		    i++) {
-			wwpn = be64_to_cpu(li_desc->pname_list[i]);
-			rport = fc_find_rport_by_wwpn(shost, wwpn);
-			if (rport &&
-			    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
-			    rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
-				if (rport == attach_rport)
-					continue;
-				fc_li_stats_update(event_type,
-						   &rport->fpin_stats);
-			}
-		}
-	}
+	fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+				   be32_to_cpu(li_desc->desc_len),
+				   FC_TLV_DESC_LENGTH_FROM_SZ(*li_desc),
+				   be32_to_cpu(li_desc->pname_count),
+				   li_desc->pname_list, fc_li_stats_update);
 
 	if (fc_host->port_name == be64_to_cpu(li_desc->attached_wwpn))
 		fc_li_stats_update(event_type, &fc_host->fpin_stats);
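Review bot: dropping the `if (be32_to_cpu(li_desc->pname_count) > 0)` wrapper is fine since a zero count is a zero-iteration loop, but `FC_TLV_DESC_LENGTH_FROM_SZ(*li_desc)` as fixed_len only yields the number of entries present if pname_list[] is the last member of struct fc_fn_li_desc; a comment at this call tying fixed_len to that layout would keep the two in step if the descriptor struct ever grows.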
@@ -832,13 +850,11 @@ static void
 fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost,
 				struct fc_tlv_desc *tlv)
 {
-	u8 i;
 	struct fc_rport *rport = NULL;
 	struct fc_rport *attach_rport = NULL;
 	struct fc_fn_peer_congn_desc *pc_desc =
 	    (struct fc_fn_peer_congn_desc *)tlv;
 	u16 event_type = be16_to_cpu(pc_desc->event_type);
-	u64 wwpn;
 
 	rport = fc_find_rport_by_wwpn(shost,
 				      be64_to_cpu(pc_desc->attached_wwpn));
@@ -849,22 +865,11 @@ fc_fpin_peer_congn_stats_update(struct S
 		fc_cn_stats_update(event_type, &attach_rport->fpin_stats);
 	}
 
-	if (be32_to_cpu(pc_desc->pname_count) > 0) {
-		for (i = 0;
-		    i < be32_to_cpu(pc_desc->pname_count);
-		    i++) {
-			wwpn = be64_to_cpu(pc_desc->pname_list[i]);
-			rport = fc_find_rport_by_wwpn(shost, wwpn);
-			if (rport &&
-			    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
-			     rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
-				if (rport == attach_rport)
-					continue;
-				fc_cn_stats_update(event_type,
-						   &rport->fpin_stats);
-			}
-		}
-	}
+	fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+				   be32_to_cpu(pc_desc->desc_len),
+				   FC_TLV_DESC_LENGTH_FROM_SZ(*pc_desc),
+				   be32_to_cpu(pc_desc->pname_count),
+				   pc_desc->pname_list, fc_cn_stats_update);
 }
 
 /*
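Review bot: this call differs from the Link-Integrity site only in the descriptor type and the `fc_cn_stats_update` callback, and both sites now pass desc_len, fixed length, count and list as four separate arguments; a small macro or inline that derives all four from the descriptor pointer would rule out pairing one descriptor's desc_len with another's pname_list in a future caller.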




* [PATCH 6.18 251/315] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (249 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 250/315] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 252/315] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Christoph Hellwig,
	John Garry, Martin K. Petersen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit a9a39233ec1fc9f97ea1340a4d09bb7ec2be5153 upstream.

An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS
frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in
the generic FC transport. This is not a local userspace or IP network
path; the attacker must be able to inject fabric traffic, for example as
a compromised switch or fabric controller, or as a same-zone N_Port on a
fabric that permits source spoofing.

The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop
counter against the 32-bit on-wire pname_count field, and did not bound
pname_count by the descriptor body already validated by the TLV walker.
A pname_count of 256 therefore wraps the counter and keeps the loop
condition true indefinitely.

Factor the shared pname_list[] walk into one helper, widen the counter
to u32, and clamp pname_count against the entries that fit in the
descriptor body before iterating.

Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_transport_fc.c |   77 ++++++++++++++++++++-------------------
 1 file changed, 41 insertions(+), 36 deletions(-)

--- a/drivers/scsi/scsi_transport_fc.c
+++ b/drivers/scsi/scsi_transport_fc.c
@@ -735,6 +735,37 @@ fc_cn_stats_update(u16 event_type, struc
 	}
 }
 
+static void
+fc_fpin_pname_stats_update(struct Scsi_Host *shost,
+			   struct fc_rport *attach_rport, u16 event_type,
+			   u32 desc_len, u32 fixed_len, u32 pname_count,
+			   __be64 *pname_list,
+			   void (*stats_update)(u16 event_type,
+						struct fc_fpin_stats *stats))
+{
+	u32 i;
+	struct fc_rport *rport;
+	u64 wwpn;
+
+	if (desc_len < fixed_len)
+		pname_count = 0;
+	else
+		pname_count = min(pname_count, (desc_len - fixed_len) /
+				   sizeof(pname_list[0]));
+
+	for (i = 0; i < pname_count; i++) {
+		wwpn = be64_to_cpu(pname_list[i]);
+		rport = fc_find_rport_by_wwpn(shost, wwpn);
+		if (rport &&
+		    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
+		     rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
+			if (rport == attach_rport)
+				continue;
+			stats_update(event_type, &rport->fpin_stats);
+		}
+	}
+}
+
 /*
  * fc_fpin_li_stats_update - routine to update Link Integrity
  * event statistics.
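Review bot: `desc_len < fixed_len` falls back to pname_count = 0 instead of rejecting the descriptor; a descriptor shorter than its own fixed part is malformed, and the callers have already bumped attach_rport's stats from it before this helper runs (see the next hunk), so processing that part while silently dropping the list is a judgement call that should at least be logged. The u32/size_t clamp would read better as `min_t(u32, ...)`.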
@@ -745,13 +776,11 @@ fc_cn_stats_update(u16 event_type, struc
 static void
 fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv)
 {
-	u8 i;
 	struct fc_rport *rport = NULL;
 	struct fc_rport *attach_rport = NULL;
 	struct fc_host_attrs *fc_host = shost_to_fc_host(shost);
 	struct fc_fn_li_desc *li_desc = (struct fc_fn_li_desc *)tlv;
 	u16 event_type = be16_to_cpu(li_desc->event_type);
-	u64 wwpn;
 
 	rport = fc_find_rport_by_wwpn(shost,
 				      be64_to_cpu(li_desc->attached_wwpn));
@@ -762,22 +791,11 @@ fc_fpin_li_stats_update(struct Scsi_Host
 		fc_li_stats_update(event_type, &attach_rport->fpin_stats);
 	}
 
-	if (be32_to_cpu(li_desc->pname_count) > 0) {
-		for (i = 0;
-		    i < be32_to_cpu(li_desc->pname_count);
-		    i++) {
-			wwpn = be64_to_cpu(li_desc->pname_list[i]);
-			rport = fc_find_rport_by_wwpn(shost, wwpn);
-			if (rport &&
-			    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
-			    rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
-				if (rport == attach_rport)
-					continue;
-				fc_li_stats_update(event_type,
-						   &rport->fpin_stats);
-			}
-		}
-	}
+	fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+				   be32_to_cpu(li_desc->desc_len),
+				   FC_TLV_DESC_LENGTH_FROM_SZ(*li_desc),
+				   be32_to_cpu(li_desc->pname_count),
+				   li_desc->pname_list, fc_li_stats_update);
 
 	if (fc_host->port_name == be64_to_cpu(li_desc->attached_wwpn))
 		fc_li_stats_update(event_type, &fc_host->fpin_stats);
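Review bot: `be32_to_cpu(li_desc->desc_len)` is handed to the helper straight from the wire; the clamp inside it keeps pname_list within the frame only because the TLV walker already checked desc_len against the remaining ELS payload, which the commit message states but the code does not record. A comment at this call naming that precondition would prevent the helper being reused from a path that has not validated desc_len.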
@@ -825,13 +843,11 @@ static void
 fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost,
 				struct fc_tlv_desc *tlv)
 {
-	u8 i;
 	struct fc_rport *rport = NULL;
 	struct fc_rport *attach_rport = NULL;
 	struct fc_fn_peer_congn_desc *pc_desc =
 	    (struct fc_fn_peer_congn_desc *)tlv;
 	u16 event_type = be16_to_cpu(pc_desc->event_type);
-	u64 wwpn;
 
 	rport = fc_find_rport_by_wwpn(shost,
 				      be64_to_cpu(pc_desc->attached_wwpn));
@@ -842,22 +858,11 @@ fc_fpin_peer_congn_stats_update(struct S
 		fc_cn_stats_update(event_type, &attach_rport->fpin_stats);
 	}
 
-	if (be32_to_cpu(pc_desc->pname_count) > 0) {
-		for (i = 0;
-		    i < be32_to_cpu(pc_desc->pname_count);
-		    i++) {
-			wwpn = be64_to_cpu(pc_desc->pname_list[i]);
-			rport = fc_find_rport_by_wwpn(shost, wwpn);
-			if (rport &&
-			    (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
-			     rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
-				if (rport == attach_rport)
-					continue;
-				fc_cn_stats_update(event_type,
-						   &rport->fpin_stats);
-			}
-		}
-	}
+	fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+				   be32_to_cpu(pc_desc->desc_len),
+				   FC_TLV_DESC_LENGTH_FROM_SZ(*pc_desc),
+				   be32_to_cpu(pc_desc->pname_count),
+				   pc_desc->pname_list, fc_cn_stats_update);
 }
 
 /*
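Review bot: with both FPIN sites funnelled through fc_fpin_pname_stats_update(), the u8 counters are gone from these two walkers; if any other descriptor walker in this file still iterates an on-wire count with a narrow local, the same 256-entry frame would apply to it and it should be switched to the helper as well.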



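Added example (my own C, not from scsi_transport_fc.c or the patch author) for the FPIN pname_list walk in 240/307 and 251/315 above: a reduced Link-Integrity descriptor is built with an honest and then a lying pname_count and walked once with the pre-fix u8 counter and once with the patched u32 counter plus clamp against the descriptor body. The struct layout, host byte order, the rport table and the tag value are assumptions; the clamp mirrors `min(pname_count, (desc_len - fixed_len) / sizeof(pname_list[0]))` from the new helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FC_TLV_DESC_HDR_SZ	8	/* tag word + length word */

/* Reduced Link-Integrity descriptor (assumption: host byte order and fewer fields
 * than the kernel's big-endian struct fc_fn_li_desc).  desc_len counts the bytes
 * after the 8-byte header and is assumed already checked against the ELS payload
 * by the TLV walker; that precondition is what makes the clamp sound. */
struct li_desc {
	uint32_t desc_tag;
	uint32_t desc_len;
	uint64_t attached_wwpn;
	uint16_t event_type;
	uint16_t reserved;
	uint32_t pname_count;	/* on-wire claim, attacker controlled; pname_list[] follows */
};
#define LI_FIXED_LEN	(sizeof(struct li_desc) - FC_TLV_DESC_HDR_SZ)	/* cf. FC_TLV_DESC_LENGTH_FROM_SZ */

/* Constructed remote-port table standing in for fc_find_rport_by_wwpn(). */
struct rport { uint64_t wwpn; int is_target; unsigned li_events; };
static struct rport rports[3] = {
	{ 0x5000000000000001ULL, 1, 0 },	/* target */
	{ 0x5000000000000002ULL, 1, 0 },	/* target, used as the attached port */
	{ 0x5000000000000003ULL, 0, 0 },	/* initiator: never counted */
};

/* One pname_list[i] visit; returns 1 when a target's counter was bumped. */
static long visit(const uint8_t *list, size_t i, size_t avail, uint64_t attached)
{
	uint64_t wwpn;

	if (i >= avail)		/* the kernel has no such guard: it reads past the descriptor */
		return 0;
	memcpy(&wwpn, list + i * sizeof(wwpn), sizeof(wwpn));
	for (size_t k = 0; k < 3; k++)
		if (rports[k].wwpn == wwpn && rports[k].is_target && wwpn != attached) {
			rports[k].li_events++;
			return 1;
		}
	return 0;
}

/* Walk pname_list as the FPIN handler does.  @fixed: u32 counter with the count
 * clamped to what the descriptor body holds; otherwise a u8 counter against the
 * raw count.  Returns the number of stats updates, -1 if the loop did not finish
 * within @max_iters, -2 if the frame fails the TLV-level length check. */
long li_walk(const uint8_t *buf, size_t buf_len, int fixed, unsigned long max_iters)
{
	struct li_desc d;
	const uint8_t *list = buf + sizeof(d);
	size_t avail, fits;
	uint32_t count;
	unsigned long iters = 0;
	long updates = 0;

	if (buf_len < sizeof(d))
		return -2;
	memcpy(&d, buf, sizeof(d));
	if (d.desc_len > buf_len - FC_TLV_DESC_HDR_SZ)
		return -2;
	avail = (buf_len - sizeof(d)) / sizeof(uint64_t);
	count = d.pname_count;
	if (fixed) {
		fits = d.desc_len < LI_FIXED_LEN ? 0 : (d.desc_len - LI_FIXED_LEN) / sizeof(uint64_t);
		if (fits < count)
			count = (uint32_t)fits;
		for (uint32_t i = 0; i < count; i++)
			updates += visit(list, i, avail, d.attached_wwpn);
		return updates;
	}
	for (uint8_t i = 0; i < count; i++) {	/* pre-fix: i wraps at 256, loop never ends */
		if (++iters > max_iters)
			return -1;
		updates += visit(list, i, avail, d.attached_wwpn);
	}
	return updates;
}

/* Build a constructed frame that ships the first @nnames table WWPNs while
 * claiming @claimed in pname_count, then walk it with rports[1] as attached port. */
long scenario(int fixed, uint32_t claimed, size_t nnames)
{
	struct li_desc d = {
		.desc_tag = 0x20001,	/* arbitrary value for the example */
		.desc_len = (uint32_t)(LI_FIXED_LEN + nnames * sizeof(uint64_t)),
		.attached_wwpn = rports[1].wwpn,
		.event_type = 1,
		.pname_count = claimed,
	};
	uint8_t buf[sizeof(d) + 3 * sizeof(uint64_t)];

	if (nnames > 3)
		return -3;
	memcpy(buf, &d, sizeof(d));
	for (size_t i = 0; i < nnames; i++)
		memcpy(buf + sizeof(d) + i * sizeof(uint64_t), &rports[i].wwpn, sizeof(uint64_t));
	return li_walk(buf, sizeof(d) + nnames * sizeof(uint64_t), fixed, 1000);
}
```

scenario(0, 256, 1) is the frame from the commit message: one WWPN on the wire, 256 claimed; the u8 counter never reaches 256 and the walk is cut off by the iteration cap, whereas the clamped walk visits exactly the one entry the descriptor body can hold. The counter width and the clamp are two separate fixes: widening alone would still walk 256 entries of which 255 lie outside the descriptor.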

* [PATCH 6.12 241/307] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 240/307] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 242/307] scsi: target: iscsi: Validate CHAP_R length before base64 decode Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
	Martin K. Petersen

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit bf33e01f88388c43e285492a63e539df6ffed64c upstream.

iscsi_encode_text_output() concatenates "key=value\0" records into
login->rsp_buf, an 8192-byte kzalloc(MAX_KEY_VALUE_PAIRS) buffer
allocated in iscsit_alloc_login_setup_buffer(). The three sprintf() call
sites in this function (lines 1398, 1411, 1424 in v7.1-rc2) never check
the remaining buffer capacity:

	*length += sprintf(output_buf, "%s=%s", er->key, er->value);
	*length += 1;
	output_buf = textbuf + *length;

The 8192-byte ceiling at iscsi_target_check_login_request() bounds the
*input* Login PDU payload, but a single PDU can carry up to 2048 minimal
four-byte "a=b\0" pairs, each unknown key expanding to a 16-byte
"a=NotUnderstood\0" output record via iscsi_add_notunderstood_response().
2048 * 16 = 32 KiB of output into an 8 KiB buffer, producing a ~24 KiB
heap overrun in the kmalloc-8k slab.

The fix introduces a static iscsi_encode_text_record() helper that uses
snprintf() with a per-call bounds check against the remaining buffer,
and threads a u32 textbuf_size parameter through
iscsi_encode_text_output(). Both call sites in
iscsi_target_handle_csg_zero() (PHASE_SECURITY) and
iscsi_target_handle_csg_one() (PHASE_OPERATIONAL) pass
MAX_KEY_VALUE_PAIRS. On overflow the encoder logs the condition, calls
iscsi_release_extra_responses() to drop queued records, and returns -1;
both caller sites now emit ISCSI_STATUS_CLS_INITIATOR_ERR /
ISCSI_LOGIN_STATUS_INIT_ERR via iscsit_tx_login_rsp() before returning,
so the initiator sees an explicit failed-login response rather than a
silent connection drop. (Prior to this patch only the PHASE_OPERATIONAL
caller did that; the PHASE_SECURITY caller is converted to the same
shape.)

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target_nego.c       |    7 ++
 drivers/target/iscsi/iscsi_target_parameters.c |   62 +++++++++++++++++++------
 drivers/target/iscsi/iscsi_target_parameters.h |    2 
 3 files changed, 55 insertions(+), 16 deletions(-)

--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -899,10 +899,14 @@ static int iscsi_target_handle_csg_zero(
 			SENDER_TARGET,
 			login->rsp_buf,
 			&login->rsp_length,
+			MAX_KEY_VALUE_PAIRS,
 			conn->param_list,
 			conn->tpg->tpg_attrib.login_keys_workaround);
-	if (ret < 0)
+	if (ret < 0) {
+		iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
+				ISCSI_LOGIN_STATUS_INIT_ERR);
 		return -1;
+	}
 
 	if (!iscsi_check_negotiated_keys(conn->param_list)) {
 		bool auth_required = iscsi_conn_auth_required(conn);
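Review bot: iscsi_encode_text_output() also returns -1 when iscsi_enforce_integrity_rules() fails (see the top of the function in the parameters.c hunk below), so the new iscsit_tx_login_rsp(ISCSI_STATUS_CLS_INITIATOR_ERR) here now fires for integrity-rule violations as well as for buffer exhaustion. The commit message says this mirrors the PHASE_OPERATIONAL caller, so it is intended, but a comment at the call noting that both failure kinds are reported the same way would save the next reader a trip into the encoder.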
@@ -986,6 +990,7 @@ static int iscsi_target_handle_csg_one(s
 			SENDER_TARGET,
 			login->rsp_buf,
 			&login->rsp_length,
+			MAX_KEY_VALUE_PAIRS,
 			conn->param_list,
 			conn->tpg->tpg_attrib.login_keys_workaround);
 	if (ret < 0) {
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -1419,19 +1419,42 @@ free_buffer:
 	return -1;
 }
 
+/*
+ * Append "key=value" plus a trailing NUL into @textbuf at *@length.
+ * Returns 0 on success and advances *@length, or -EMSGSIZE if the
+ * record (including the NUL) would not fit in the remaining buffer.
+ */
+static int iscsi_encode_text_record(char *textbuf, u32 *length,
+				    u32 textbuf_size,
+				    const char *key, const char *value)
+{
+	int n;
+	u32 avail;
+
+	if (*length >= textbuf_size)
+		return -EMSGSIZE;
+
+	avail = textbuf_size - *length;
+	n = snprintf(textbuf + *length, avail, "%s=%s", key, value);
+	if (n < 0 || (u32)n + 1 > avail)
+		return -EMSGSIZE;
+
+	*length += n + 1;
+	return 0;
+}
+
 int iscsi_encode_text_output(
 	u8 phase,
 	u8 sender,
 	char *textbuf,
 	u32 *length,
+	u32 textbuf_size,
 	struct iscsi_param_list *param_list,
 	bool keys_workaround)
 {
-	char *output_buf = NULL;
 	struct iscsi_extra_response *er;
 	struct iscsi_param *param;
-
-	output_buf = textbuf + *length;
+	int ret;
 
 	if (iscsi_enforce_integrity_rules(phase, param_list) < 0)
 		return -1;
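Review bot: iscsi_encode_text_record() leans on snprintf() returning the length the record would have had, which is what makes `(u32)n + 1 > avail` detect truncation; a comment saying so would stop a later switch to scnprintf(), whose truncated return value would defeat the check. The `*length >= textbuf_size` pre-check is needed too, since `textbuf_size - *length` would otherwise wrap; worth a word on that line as well.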
@@ -1443,10 +1466,12 @@ int iscsi_encode_text_output(
 		    !IS_PSTATE_RESPONSE_SENT(param) &&
 		    !IS_PSTATE_REPLY_OPTIONAL(param) &&
 		    (param->phase & phase)) {
-			*length += sprintf(output_buf, "%s=%s",
-				param->name, param->value);
-			*length += 1;
-			output_buf = textbuf + *length;
+			ret = iscsi_encode_text_record(textbuf, length,
+						       textbuf_size,
+						       param->name,
+						       param->value);
+			if (ret < 0)
+				goto err_overflow;
 			SET_PSTATE_RESPONSE_SENT(param);
 			pr_debug("Sending key: %s=%s\n",
 				param->name, param->value);
@@ -1456,10 +1481,12 @@ int iscsi_encode_text_output(
 		    !IS_PSTATE_ACCEPTOR(param) &&
 		    !IS_PSTATE_PROPOSER(param) &&
 		    (param->phase & phase)) {
-			*length += sprintf(output_buf, "%s=%s",
-				param->name, param->value);
-			*length += 1;
-			output_buf = textbuf + *length;
+			ret = iscsi_encode_text_record(textbuf, length,
+						       textbuf_size,
+						       param->name,
+						       param->value);
+			if (ret < 0)
+				goto err_overflow;
 			SET_PSTATE_PROPOSER(param);
 			iscsi_check_proposer_for_optional_reply(param,
 							        keys_workaround);
@@ -1469,14 +1496,21 @@ int iscsi_encode_text_output(
 	}
 
 	list_for_each_entry(er, &param_list->extra_response_list, er_list) {
-		*length += sprintf(output_buf, "%s=%s", er->key, er->value);
-		*length += 1;
-		output_buf = textbuf + *length;
+		ret = iscsi_encode_text_record(textbuf, length, textbuf_size,
+					       er->key, er->value);
+		if (ret < 0)
+			goto err_overflow;
 		pr_debug("Sending key: %s=%s\n", er->key, er->value);
 	}
 	iscsi_release_extra_responses(param_list);
 
 	return 0;
+
+err_overflow:
+	pr_err("iSCSI login response buffer (%u bytes) exhausted, dropping login.\n",
+	       textbuf_size);
+	iscsi_release_extra_responses(param_list);
+	return -1;
 }
 
 int iscsi_check_negotiated_keys(struct iscsi_param_list *param_list)
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -46,7 +46,7 @@ extern struct iscsi_param *iscsi_find_pa
 extern int iscsi_extract_key_value(char *, char **, char **);
 extern int iscsi_update_param_value(struct iscsi_param *, char *);
 extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsit_conn *);
-extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
+extern int iscsi_encode_text_output(u8, u8, char *, u32 *, u32,
 			struct iscsi_param_list *, bool);
 extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
 extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,




* [PATCH 6.18 252/315] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
	Martin K. Petersen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 778c2ab142c625a8a8afa570e0f9b7873f445d99 upstream.

Two latent bugs in the Text-phase handler, both present since the
original LIO integration in commit e48354ce078c ("iscsi-target: Add
iSCSI fabric support for target v4.1"):

1) DataDigest CRC buffer overread (4 bytes past text_in).

   text_in is kzalloc()'d at ALIGN(payload_length, 4).  rx_size is then
   incremented by ISCSI_CRC_LEN to make room for the received DataDigest
   in the iovec, but the same (now-bumped) rx_size is passed as the
   buffer length to iscsit_crc_buf():

       if (conn->conn_ops->DataDigest) {
               ...
               rx_size += ISCSI_CRC_LEN;
       }
       ...
       if (conn->conn_ops->DataDigest) {
               data_crc = iscsit_crc_buf(text_in, rx_size, 0, NULL);

   iscsit_crc_buf() walks rx_size bytes of text_in with crc32c(), so
   when DataDigest is negotiated it reads 4 bytes past the end of the
   text_in allocation.  KASAN reproduces this directly on the unpatched
   mainline tree as slab-out-of-bounds in crc32c() called from the Text
   PDU path.  The OOB bytes feed crc32c() and are then compared against
   the initiator-supplied checksum, so the value does not flow back to
   the attacker, but the kernel does read past the buffer on every Text
   PDU with DataDigest=CRC32C.

   Fix by passing the actual padded payload length
   (ALIGN(payload_length, 4)) that was used for the kzalloc().

2) Stale cmd->text_in_ptr re-free (double-free) on ERL>0 bad DataDigest
   drop.

   On DataDigest mismatch with ErrorRecoveryLevel > 0 the handler
   silently drops the PDU and lets the initiator plug the CmdSN gap:

               kfree(text_in);
               return 0;

   cmd->text_in_ptr still points at the freed buffer.  The next Text
   Request on the same ITT re-enters iscsit_setup_text_cmd(), which
   unconditionally does

       kfree(cmd->text_in_ptr);
       cmd->text_in_ptr = NULL;

   freeing the same pointer a second time.  Session teardown via
   iscsit_release_cmd() has the same shape and hits the same double-free
   if the connection is dropped before a second Text Request arrives.

   On an unmodified mainline tree the bug-1 CRC overread fires first on
   the initial valid Text Request and perturbs the subsequent state, so
   #4 was isolated by building a kernel with only the bug-1 hunk of this
   patch applied plus temporary printk() observability around the three
   relevant kfree() sites.  The observability prints are not part of
   this patch.  On that build, a three-PDU Text Request sequence after
   login produces two back-to-back splats:

       BUG: KASAN: double-free in iscsit_setup_text_cmd+0x??
       BUG: KASAN: double-free in iscsit_release_cmd+0x??

   showing the same pointer freed in the ERL>0 drop path and again in
   iscsit_setup_text_cmd() (next Text Request on the same ITT) and once
   more in iscsit_release_cmd() (session teardown).  On distro kernels
   with CONFIG_SLAB_FREELIST_HARDENED=y (default) the double-free
   becomes a remote kernel BUG(); on non-hardened kernels it corrupts
   the slab freelist.

   Fix by clearing cmd->text_in_ptr after the kfree() in the ERL>0 drop
   path.  With both hunks applied #4 is directly observable on the stock
   tree without observability printks; fixing bug-1 alone would mask #4
   less, not more, so the hunks are submitted together.

Both fixes are one-liners.  The Text PDU state machine is unchanged and
the wire protocol is unaffected.

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2281,7 +2281,9 @@ iscsit_handle_text_cmd(struct iscsit_con
 			goto reject;
 
 		if (conn->conn_ops->DataDigest) {
-			data_crc = iscsit_crc_buf(text_in, rx_size, 0, NULL);
+			data_crc = iscsit_crc_buf(text_in,
+						  ALIGN(payload_length, 4),
+						  0, NULL);
 			if (checksum != data_crc) {
 				pr_err("Text data CRC32C DataDigest"
 					" 0x%08x does not match computed"
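Review bot: the CRC length is now spelled as ALIGN(payload_length, 4), the same expression the commit message says the kzalloc() of text_in uses; the two expressions live in different places and can drift apart in a later edit, so computing the padded length once into a local (for instance `padded_len = ALIGN(payload_length, 4)`) and using it for both the allocation and `iscsit_crc_buf()` would keep the overread from reappearing. Moving away from rx_size is correct: rx_size was bumped by ISCSI_CRC_LEN for the digest iovec and never described the text_in allocation.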
@@ -2300,6 +2302,7 @@ iscsit_handle_text_cmd(struct iscsit_con
 					" Command CmdSN: 0x%08x due to"
 					" DataCRC error.\n", hdr->cmdsn);
 					kfree(text_in);
+					cmd->text_in_ptr = NULL;
 					return 0;
 				}
 			} else {
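Review bot: clearing cmd->text_in_ptr right after kfree(text_in) fixes the ERL>0 drop path, but this function has other exits that may free text_in (the `goto reject` at the top of the previous hunk reaches one, if the reject label frees the buffer); each of those should also leave cmd->text_in_ptr NULL, otherwise iscsit_setup_text_cmd() and iscsit_release_cmd() still see a dangling pointer on those paths. A single cleanup label doing `kfree(cmd->text_in_ptr); cmd->text_in_ptr = NULL;` would make the invariant hard to break.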




* [PATCH 6.12 242/307] scsi: target: iscsi: Validate CHAP_R length before base64 decode
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandru Hossu, David Disseldorp,
	Martin K. Petersen

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandru Hossu <hossu.alexandru@gmail.com>

commit 85db7391310b1304d2dc8ae3b0b12105a9567147 upstream.

chap_server_compute_hash() allocates client_digest as
kzalloc(chap->digest_size) and then, for BASE64-encoded responses,
passes chap_r directly to chap_base64_decode() without checking whether
the input length could produce more than digest_size bytes of output.

chap_base64_decode() writes to the destination unconditionally as long
as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and
the "0b" prefix stripped by extract_param(), up to 127 base64 characters
can reach the decoder. 127 characters decode to 95 bytes. For SHA-256
(digest_size=32) this overflows client_digest by 63 bytes; for MD5
(digest_size=16) the overflow is 79 bytes.

The length check at line 344 fires after the write has already happened.

The HEX branch in the same switch statement already validates the length
up front. Apply the same approach to the BASE64 branch: strip trailing
base64 padding characters, then reject any input whose data length
exceeds DIV_ROUND_UP(digest_size * 4, 3) before calling the decoder.

Stripping trailing '=' before the comparison handles both padded and
unpadded encodings. chap_base64_decode() already returns early on '=',
so the full original string is still passed to the decoder unchanged.

The mutual CHAP path decodes CHAP_C into initiatorchg_binhex, which is
kzalloc(CHAP_CHALLENGE_STR_LEN). extract_param() caps initiatorchg at
CHAP_CHALLENGE_STR_LEN characters, so at most CHAP_CHALLENGE_STR_LEN-1
base64 characters reach the decoder. The maximum decoded size,
DIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN-1) * 3, 4), is less than
CHAP_CHALLENGE_STR_LEN, so no overflow is possible there. A comment is
added at the call site to document this.

Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Link: https://patch.msgid.link/20260521151121.808477-1-hossu.alexandru@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target_auth.c |   19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -339,13 +339,22 @@ static int chap_server_compute_hash(
 			goto out;
 		}
 		break;
-	case BASE64:
+	case BASE64: {
+		size_t r_len = strlen(chap_r);
+
+		while (r_len > 0 && chap_r[r_len - 1] == '=')
+			r_len--;
+		if (r_len > DIV_ROUND_UP(chap->digest_size * 4, 3)) {
+			pr_err("Malformed CHAP_R: base64 payload too long\n");
+			goto out;
+		}
 		if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
 		    chap->digest_size) {
 			pr_err("Malformed CHAP_R: invalid BASE64\n");
 			goto out;
 		}
 		break;
+	}
 	default:
 		pr_err("Could not find CHAP_R\n");
 		goto out;
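Review bot: the padding-strip loop accepts any number of trailing '=' characters, so an input of a few data characters followed by a hundred '=' passes the length guard and relies on chap_base64_decode() stopping at the first '=' to avoid writing; that is the behaviour the commit message describes, but rejecting more than two trailing '=' up front (`if (strlen(chap_r) - r_len > 2) goto out;`) would make the guard self-contained instead of depending on the decoder's early return. The bound itself is tight: DIV_ROUND_UP(32 * 4, 3) = 43 characters decode to exactly 32 bytes and 44 would yield 33, so the existing `!= chap->digest_size` check after the decode is still needed to reject short inputs.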
@@ -472,6 +481,14 @@ static int chap_server_compute_hash(
 		}
 		break;
 	case BASE64:
+		/*
+		 * No overflow check needed: initiatorchg_binhex is
+		 * CHAP_CHALLENGE_STR_LEN bytes and extract_param() caps
+		 * initiatorchg at CHAP_CHALLENGE_STR_LEN characters, so
+		 * the decoded output is at most DIV_ROUND_UP(
+		 * (CHAP_CHALLENGE_STR_LEN - 1) * 3, 4) bytes, which is
+		 * less than CHAP_CHALLENGE_STR_LEN.
+		 */
 		initiatorchg_len = chap_base64_decode(initiatorchg_binhex,
 						      initiatorchg,
 						      strlen(initiatorchg));
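Review bot: the comment documents an invariant (DIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN - 1) * 3, 4) < CHAP_CHALLENGE_STR_LEN) that only holds while extract_param() keeps capping initiatorchg at CHAP_CHALLENGE_STR_LEN, and a comment will not fail the build if that cap changes. Either a BUILD_BUG_ON() on that arithmetic next to the initiatorchg_binhex allocation, or the same pre-decode length guard the CHAP_R branch now has, would stop the mutual-CHAP path from depending on a limit enforced in another function.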




* [PATCH 6.18 253/315] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
	Martin K. Petersen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit bf33e01f88388c43e285492a63e539df6ffed64c upstream.

iscsi_encode_text_output() concatenates "key=value\0" records into
login->rsp_buf, an 8192-byte kzalloc(MAX_KEY_VALUE_PAIRS) buffer
allocated in iscsit_alloc_login_setup_buffer(). The three sprintf() call
sites in this function (lines 1398, 1411, 1424 in v7.1-rc2) never check
the remaining buffer capacity:

	*length += sprintf(output_buf, "%s=%s", er->key, er->value);
	*length += 1;
	output_buf = textbuf + *length;

The 8192-byte ceiling at iscsi_target_check_login_request() bounds the
*input* Login PDU payload, but a single PDU can carry up to 2048 minimal
four-byte "a=b\0" pairs, each unknown key expanding to a 16-byte
"a=NotUnderstood\0" output record via iscsi_add_notunderstood_response().
2048 * 16 = 32 KiB of output into an 8 KiB buffer, producing a ~24 KiB
heap overrun in the kmalloc-8k slab.

The fix introduces a static iscsi_encode_text_record() helper that uses
snprintf() with a per-call bounds check against the remaining buffer,
and threads a u32 textbuf_size parameter through
iscsi_encode_text_output(). Both call sites in
iscsi_target_handle_csg_zero() (PHASE_SECURITY) and
iscsi_target_handle_csg_one() (PHASE_OPERATIONAL) pass
MAX_KEY_VALUE_PAIRS. On overflow the encoder logs the condition, calls
iscsi_release_extra_responses() to drop queued records, and returns -1;
both caller sites now emit ISCSI_STATUS_CLS_INITIATOR_ERR /
ISCSI_LOGIN_STATUS_INIT_ERR via iscsit_tx_login_rsp() before returning,
so the initiator sees an explicit failed-login response rather than a
silent connection drop. (Prior to this patch only the PHASE_OPERATIONAL
caller did that; the PHASE_SECURITY caller is converted to the same
shape.)

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target_nego.c       |    7 ++
 drivers/target/iscsi/iscsi_target_parameters.c |   62 +++++++++++++++++++------
 drivers/target/iscsi/iscsi_target_parameters.h |    2 
 3 files changed, 55 insertions(+), 16 deletions(-)

--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -899,10 +899,14 @@ static int iscsi_target_handle_csg_zero(
 			SENDER_TARGET,
 			login->rsp_buf,
 			&login->rsp_length,
+			MAX_KEY_VALUE_PAIRS,
 			conn->param_list,
 			conn->tpg->tpg_attrib.login_keys_workaround);
-	if (ret < 0)
+	if (ret < 0) {
+		iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
+				ISCSI_LOGIN_STATUS_INIT_ERR);
 		return -1;
+	}
 
 	if (!iscsi_check_negotiated_keys(conn->param_list)) {
 		bool auth_required = iscsi_conn_auth_required(conn);
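Review bot: when iscsi_encode_text_output() fails, login->rsp_length has already been advanced by every record that fit before the overflow, so rsp_buf holds a partial key list at the point iscsit_tx_login_rsp() is called. If that helper transmits rsp_buf/rsp_length together with the INITIATOR_ERR status, the initiator gets a truncated negotiation payload on a failed login; resetting `login->rsp_length = 0` before the call would make the error response carry only the status. Bringing the PHASE_SECURITY caller to the same shape as the PHASE_OPERATIONAL one is the right consistency fix.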
@@ -986,6 +990,7 @@ static int iscsi_target_handle_csg_one(s
 			SENDER_TARGET,
 			login->rsp_buf,
 			&login->rsp_length,
+			MAX_KEY_VALUE_PAIRS,
 			conn->param_list,
 			conn->tpg->tpg_attrib.login_keys_workaround);
 	if (ret < 0) {
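Review bot: both call sites pass the literal MAX_KEY_VALUE_PAIRS as textbuf_size while the buffer itself is sized by the kzalloc() in iscsit_alloc_login_setup_buffer(), so the bound is only correct as long as those two stay in sync. Recording the allocated size next to rsp_buf (for example an `rsp_buf_size` field in the login struct, name assumed) and passing that would tie the check to the real allocation rather than to a repeated constant.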
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -1371,19 +1371,42 @@ free_buffer:
 	return -1;
 }
 
+/*
+ * Append "key=value" plus a trailing NUL into @textbuf at *@length.
+ * Returns 0 on success and advances *@length, or -EMSGSIZE if the
+ * record (including the NUL) would not fit in the remaining buffer.
+ */
+static int iscsi_encode_text_record(char *textbuf, u32 *length,
+				    u32 textbuf_size,
+				    const char *key, const char *value)
+{
+	int n;
+	u32 avail;
+
+	if (*length >= textbuf_size)
+		return -EMSGSIZE;
+
+	avail = textbuf_size - *length;
+	n = snprintf(textbuf + *length, avail, "%s=%s", key, value);
+	if (n < 0 || (u32)n + 1 > avail)
+		return -EMSGSIZE;
+
+	*length += n + 1;
+	return 0;
+}
+
 int iscsi_encode_text_output(
 	u8 phase,
 	u8 sender,
 	char *textbuf,
 	u32 *length,
+	u32 textbuf_size,
 	struct iscsi_param_list *param_list,
 	bool keys_workaround)
 {
-	char *output_buf = NULL;
 	struct iscsi_extra_response *er;
 	struct iscsi_param *param;
-
-	output_buf = textbuf + *length;
+	int ret;
 
 	if (iscsi_enforce_integrity_rules(phase, param_list) < 0)
 		return -1;
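Review bot: on the -EMSGSIZE path snprintf() has already written a truncated record (up to avail - 1 bytes plus a NUL) into textbuf at *length without *length being advanced, so the bytes past *length are not pristine after a failure. That is harmless here because the caller drops the login, but writing `textbuf[*length] = '\0';` before `return -EMSGSIZE` would make the comment's contract ("advances *length or fails") hold for the buffer contents too and removes a trap if the buffer is ever reused for a retry. The `(u32)n + 1 > avail` test correctly covers the would-be length snprintf() returns on truncation.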
@@ -1395,10 +1418,12 @@ int iscsi_encode_text_output(
 		    !IS_PSTATE_RESPONSE_SENT(param) &&
 		    !IS_PSTATE_REPLY_OPTIONAL(param) &&
 		    (param->phase & phase)) {
-			*length += sprintf(output_buf, "%s=%s",
-				param->name, param->value);
-			*length += 1;
-			output_buf = textbuf + *length;
+			ret = iscsi_encode_text_record(textbuf, length,
+						       textbuf_size,
+						       param->name,
+						       param->value);
+			if (ret < 0)
+				goto err_overflow;
 			SET_PSTATE_RESPONSE_SENT(param);
 			pr_debug("Sending key: %s=%s\n",
 				param->name, param->value);
@@ -1408,10 +1433,12 @@ int iscsi_encode_text_output(
 		    !IS_PSTATE_ACCEPTOR(param) &&
 		    !IS_PSTATE_PROPOSER(param) &&
 		    (param->phase & phase)) {
-			*length += sprintf(output_buf, "%s=%s",
-				param->name, param->value);
-			*length += 1;
-			output_buf = textbuf + *length;
+			ret = iscsi_encode_text_record(textbuf, length,
+						       textbuf_size,
+						       param->name,
+						       param->value);
+			if (ret < 0)
+				goto err_overflow;
 			SET_PSTATE_PROPOSER(param);
 			iscsi_check_proposer_for_optional_reply(param,
 							        keys_workaround);
@@ -1421,14 +1448,21 @@ int iscsi_encode_text_output(
 	}
 
 	list_for_each_entry(er, &param_list->extra_response_list, er_list) {
-		*length += sprintf(output_buf, "%s=%s", er->key, er->value);
-		*length += 1;
-		output_buf = textbuf + *length;
+		ret = iscsi_encode_text_record(textbuf, length, textbuf_size,
+					       er->key, er->value);
+		if (ret < 0)
+			goto err_overflow;
 		pr_debug("Sending key: %s=%s\n", er->key, er->value);
 	}
 	iscsi_release_extra_responses(param_list);
 
 	return 0;
+
+err_overflow:
+	pr_err("iSCSI login response buffer (%u bytes) exhausted, dropping login.\n",
+	       textbuf_size);
+	iscsi_release_extra_responses(param_list);
+	return -1;
 }
 
 int iscsi_check_negotiated_keys(struct iscsi_param_list *param_list)
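Review bot: the err_overflow pr_err() is reachable from an unauthenticated initiator during the login phase and fires once per oversized Login PDU, so a remote peer can drive it as fast as it can open connections; pr_err_ratelimited() is the usual choice for a log line triggered by network input. Releasing the extra responses on this path matches the success path and avoids leaking the queued NotUnderstood records when the login is dropped.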
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -43,7 +43,7 @@ extern struct iscsi_param *iscsi_find_pa
 extern int iscsi_extract_key_value(char *, char **, char **);
 extern int iscsi_update_param_value(struct iscsi_param *, char *);
 extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsit_conn *);
-extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
+extern int iscsi_encode_text_output(u8, u8, char *, u32 *, u32,
 			struct iscsi_param_list *, bool);
 extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
 extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,



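A user-space model of the bounded appender from the patch above, added here as an example and not taken from the kernel tree: it reproduces the 2048 x "a=NotUnderstood\0" expansion from the commit message and shows the bounded encoder stopping at 8192 bytes where the old sprintf() path would have produced 32 KiB. MAX_KEY_VALUE_PAIRS, encode_text_record and the other names are assumed for the example.

```c
/* Added user-space model of the bounded "key=value\0" appender; it is
 * not the kernel's code. Sizes follow the commit message: an 8192-byte
 * rsp_buf and 16-byte "a=NotUnderstood\0" records. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY_VALUE_PAIRS 8192 /* rsp_buf size quoted in the commit message */

/* Same contract as iscsi_encode_text_record() in the patch: append
 * "key=value" plus a NUL at *length, or fail without advancing. */
static int encode_text_record(char *textbuf, uint32_t *length,
                              uint32_t textbuf_size,
                              const char *key, const char *value)
{
    int n;
    uint32_t avail;

    if (*length >= textbuf_size)
        return -EMSGSIZE;
    avail = textbuf_size - *length;
    n = snprintf(textbuf + *length, avail, "%s=%s", key, value);
    /* n is the would-be length, so n + 1 > avail means truncation */
    if (n < 0 || (uint32_t)n + 1 > avail)
        return -EMSGSIZE;
    *length += (uint32_t)n + 1;
    return 0;
}

/* Emit `count` unknown single-letter keys as "k=NotUnderstood\0", the
 * expansion the commit message describes. Returns 0 when every record
 * fits, -EMSGSIZE at the first one that does not; *length is the number
 * of bytes actually written either way. */
static int encode_notunderstood(char *buf, uint32_t size, unsigned count,
                                uint32_t *length)
{
    char key[2] = { 0, 0 };

    *length = 0;
    for (unsigned i = 0; i < count; i++) {
        int ret;

        key[0] = (char)('a' + i % 26);
        ret = encode_text_record(buf, length, size, key, "NotUnderstood");
        if (ret < 0)
            return ret;
    }
    return 0;
}

static char rsp_buf[MAX_KEY_VALUE_PAIRS]; /* stands in for login->rsp_buf */

/* Encoder status for `count` keys into the first `size` bytes of rsp_buf. */
int encode_status(uint32_t size, unsigned count)
{
    uint32_t written;

    if (size > sizeof(rsp_buf))
        return -EINVAL;
    memset(rsp_buf, 0, sizeof(rsp_buf));
    return encode_notunderstood(rsp_buf, size, count, &written);
}

/* Bytes the bounded encoder actually wrote for the same input. */
uint32_t encode_written(uint32_t size, unsigned count)
{
    uint32_t written = 0;

    if (size > sizeof(rsp_buf))
        return 0;
    memset(rsp_buf, 0, sizeof(rsp_buf));
    encode_notunderstood(rsp_buf, size, count, &written);
    return written;
}

/* Bytes the unbounded sprintf() path would have produced: 16 per record
 * regardless of the buffer size (2048 records -> 32768 into 8192). */
uint32_t unbounded_output_len(unsigned count)
{
    return count * ((uint32_t)strlen("a=NotUnderstood") + 1);
}

int main(void)
{
    printf("bounded: status %d, wrote %u of %u the old path needed\n",
           encode_status(MAX_KEY_VALUE_PAIRS, 2048),
           encode_written(MAX_KEY_VALUE_PAIRS, 2048),
           unbounded_output_len(2048));
    return 0;
}
```

The 20-byte case in the checks shows the partial-fit behaviour: the first record lands, the second is refused and *length stays at 16.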

* [PATCH 6.12 243/307] drm/hyperv: validate resolution_count and fix WIN8 fallback
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
	Hamza Mahfooz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Berkant Koc <me@berkoc.com>

commit 13d33b9ef67066c77c84273fac5a1d3fde3533d1 upstream.

A SYNTHVID_RESOLUTION_RESPONSE with resolution_count > 64 walks past
the supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT] array in the
parse loop. Bound resolution_count against the array size, folded
into the existing zero-check.

When the WIN10 resolution probe fails, the caller in
hyperv_connect_vsp() left hv->screen_*_max / preferred_* unpopulated,
which sets mode_config.max_width / max_height to 0 and makes
drm_internal_framebuffer_create() reject every userspace framebuffer
with -EINVAL. The pre-WIN10 branch had the same gap for
preferred_width / preferred_height. Use a single post-probe fallback
guarded by screen_width_max == 0 so both paths converge on the WIN8
defaults.

Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/6945b22419c7d404b4954a113de2ac9c900dba93.1779542874.git.me@berkoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -396,8 +396,11 @@ static int hyperv_get_supported_resoluti
 		return -ETIMEDOUT;
 	}
 
-	if (msg->resolution_resp.resolution_count == 0) {
-		drm_err(dev, "No supported resolutions\n");
+	if (msg->resolution_resp.resolution_count == 0 ||
+	    msg->resolution_resp.resolution_count >
+	    SYNTHVID_MAX_RESOLUTION_COUNT) {
+		drm_err(dev, "Invalid resolution count: %d\n",
+			msg->resolution_resp.resolution_count);
 		return -ENODEV;
 	}
 
@@ -513,9 +516,13 @@ int hyperv_connect_vsp(struct hv_device
 		ret = hyperv_get_supported_resolution(hdev);
 		if (ret)
 			drm_err(dev, "Failed to get supported resolution from host, use default\n");
-	} else {
+	}
+
+	if (!hv->screen_width_max) {
 		hv->screen_width_max = SYNTHVID_WIDTH_WIN8;
 		hv->screen_height_max = SYNTHVID_HEIGHT_WIN8;
+		hv->preferred_width = SYNTHVID_WIDTH_WIN8;
+		hv->preferred_height = SYNTHVID_HEIGHT_WIN8;
 	}
 
 	hv->mmio_megabytes = hdev->channel->offermsg.offer.mmio_megabytes;
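Review bot: after the restructuring a failed hyperv_get_supported_resolution() leaves `ret` non-zero while execution continues into the fallback; if hyperv_connect_vsp() returns `ret` further down (not visible in this hunk), the WIN8 defaults would be applied and the connect would still fail, so `ret` should be cleared or the error explicitly swallowed right after the drm_err(). Keying the fallback on `screen_width_max == 0` also means a probe that set the width but left preferred_width/preferred_height at zero is not repaired; guarding on `!hv->preferred_width` as well, or filling preferred_* whenever they are zero, would close that gap.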




* [PATCH 6.18 254/315] scsi: target: iscsi: Validate CHAP_R length before base64 decode
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexandru Hossu, David Disseldorp,
	Martin K. Petersen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexandru Hossu <hossu.alexandru@gmail.com>

commit 85db7391310b1304d2dc8ae3b0b12105a9567147 upstream.

chap_server_compute_hash() allocates client_digest as
kzalloc(chap->digest_size) and then, for BASE64-encoded responses,
passes chap_r directly to chap_base64_decode() without checking whether
the input length could produce more than digest_size bytes of output.

chap_base64_decode() writes to the destination unconditionally as long
as there is input to consume. With MAX_RESPONSE_LENGTH set to 128 and
the "0b" prefix stripped by extract_param(), up to 127 base64 characters
can reach the decoder. 127 characters decode to 95 bytes. For SHA-256
(digest_size=32) this overflows client_digest by 63 bytes; for MD5
(digest_size=16) the overflow is 79 bytes.

The length check at line 344 fires after the write has already happened.

The HEX branch in the same switch statement already validates the length
up front. Apply the same approach to the BASE64 branch: strip trailing
base64 padding characters, then reject any input whose data length
exceeds DIV_ROUND_UP(digest_size * 4, 3) before calling the decoder.

Stripping trailing '=' before the comparison handles both padded and
unpadded encodings. chap_base64_decode() already returns early on '=',
so the full original string is still passed to the decoder unchanged.

The mutual CHAP path decodes CHAP_C into initiatorchg_binhex, which is
kzalloc(CHAP_CHALLENGE_STR_LEN). extract_param() caps initiatorchg at
CHAP_CHALLENGE_STR_LEN characters, so at most CHAP_CHALLENGE_STR_LEN-1
base64 characters reach the decoder. The maximum decoded size,
DIV_ROUND_UP((CHAP_CHALLENGE_STR_LEN-1) * 3, 4), is less than
CHAP_CHALLENGE_STR_LEN, so no overflow is possible there. A comment is
added at the call site to document this.

Fixes: 1e5733883421 ("scsi: target: iscsi: Support base64 in CHAP")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
Link: https://patch.msgid.link/20260521151121.808477-1-hossu.alexandru@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target_auth.c |   19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -339,13 +339,22 @@ static int chap_server_compute_hash(
 			goto out;
 		}
 		break;
-	case BASE64:
+	case BASE64: {
+		size_t r_len = strlen(chap_r);
+
+		while (r_len > 0 && chap_r[r_len - 1] == '=')
+			r_len--;
+		if (r_len > DIV_ROUND_UP(chap->digest_size * 4, 3)) {
+			pr_err("Malformed CHAP_R: base64 payload too long\n");
+			goto out;
+		}
 		if (chap_base64_decode(client_digest, chap_r, strlen(chap_r)) !=
 		    chap->digest_size) {
 			pr_err("Malformed CHAP_R: invalid BASE64\n");
 			goto out;
 		}
 		break;
+	}
 	default:
 		pr_err("Could not find CHAP_R\n");
 		goto out;
@@ -472,6 +481,14 @@ static int chap_server_compute_hash(
 		}
 		break;
 	case BASE64:
+		/*
+		 * No overflow check needed: initiatorchg_binhex is
+		 * CHAP_CHALLENGE_STR_LEN bytes and extract_param() caps
+		 * initiatorchg at CHAP_CHALLENGE_STR_LEN characters, so
+		 * the decoded output is at most DIV_ROUND_UP(
+		 * (CHAP_CHALLENGE_STR_LEN - 1) * 3, 4) bytes, which is
+		 * less than CHAP_CHALLENGE_STR_LEN.
+		 */
 		initiatorchg_len = chap_base64_decode(initiatorchg_binhex,
 						      initiatorchg,
 						      strlen(initiatorchg));



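A user-space model of the CHAP_R length guard from the patch above (both the 6.12 and 6.18 copies), added here as an example and not taken from the kernel tree. The decoder is a constructed stand-in for chap_base64_decode() with the two properties the commit message relies on: it stops at the first '=' and otherwise writes for as long as input remains; MAX_RESPONSE_LENGTH, DIV_ROUND_UP and the helper names are assumed for the example.

```c
/* Added example, not kernel code: the CHAP_R BASE64 guard run against a
 * constructed decoder. 'A' decodes to zero bits, so only lengths matter. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define MAX_RESPONSE_LENGTH 128 /* from the commit message */

static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Constructed stand-in for chap_base64_decode(): returns bytes written
 * to dst, or -1 on a character outside the alphabet. dst is not bounded,
 * which is exactly why the caller must check the length first. */
static int base64_decode_model(unsigned char *dst, const char *src, size_t len)
{
    uint32_t acc = 0;
    int bits = 0, out = 0;

    for (size_t i = 0; i < len && src[i] != '='; i++) {
        const char *p = src[i] ? strchr(b64_alphabet, src[i]) : NULL;

        if (!p)
            return -1;
        acc = (acc << 6) | (uint32_t)(p - b64_alphabet);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            dst[out++] = (unsigned char)(acc >> bits);
        }
    }
    return out;
}

/* The guard the patch adds: ignore trailing '=' and require the data
 * length to fit DIV_ROUND_UP(digest_size * 4, 3) characters. */
int chap_r_len_ok(const char *chap_r, size_t digest_size)
{
    size_t r_len = strlen(chap_r);

    while (r_len > 0 && chap_r[r_len - 1] == '=')
        r_len--;
    return r_len <= DIV_ROUND_UP(digest_size * 4, 3);
}

/* Build a synthetic CHAP_R of nchars 'A' followed by npad '=' (constructed
 * input, capped at MAX_RESPONSE_LENGTH like extract_param() output). */
static const char *make_chap_r(size_t nchars, size_t npad)
{
    static char buf[MAX_RESPONSE_LENGTH];

    if (nchars + npad >= sizeof(buf))
        return "";
    memset(buf, 'A', nchars);
    memset(buf + nchars, '=', npad);
    buf[nchars + npad] = '\0';
    return buf;
}

/* Bytes the unguarded decoder writes for nchars data characters: the
 * quantity the original code never compared against digest_size. */
int decoded_bytes_for(size_t nchars)
{
    unsigned char scratch[MAX_RESPONSE_LENGTH]; /* room for 127 chars -> 95 bytes */

    return base64_decode_model(scratch, make_chap_r(nchars, 0), nchars);
}

/* Guarded path: 1 only if the guard passes and the decode yields exactly
 * digest_size bytes, mirroring the two checks in the patched branch. */
int chap_r_accepted(size_t nchars, size_t npad, size_t digest_size)
{
    unsigned char digest[64]; /* guard limits writes to digest_size <= 64 here */
    const char *chap_r = make_chap_r(nchars, npad);

    if (digest_size > sizeof(digest) || !chap_r_len_ok(chap_r, digest_size))
        return 0;
    return base64_decode_model(digest, chap_r, strlen(chap_r)) == (int)digest_size;
}

int main(void)
{
    printf("127 chars decode to %d bytes; guard for SHA-256 accepts them: %d\n",
           decoded_bytes_for(127), chap_r_accepted(127, 0, 32));
    return 0;
}
```

The 42-character case in the checks passes the new length guard but decodes to 31 bytes, which is why the existing post-decode comparison against digest_size stays in place.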

* [PATCH 6.12 244/307] drm/hyperv: validate VMBus packet size in receive callback
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
	Hamza Mahfooz

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Berkant Koc <me@berkoc.com>

commit 7f87763f47a3c22fb50265a00619ef10f2394b18 upstream.

hyperv_receive_sub() reads msg->vid_hdr.type and dispatches into one
of four message-type branches without knowing how many bytes the host
wrote into hv->recv_buf. The completion path then runs
memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE), so the consumer that
wakes on wait_for_completion_timeout() can read up to 16 KiB of
residue from a prior message as if it were the response payload.

Pass bytes_recvd into hyperv_receive_sub() and reject any packet that
does not cover the pipe + synthvid header. A single switch on
msg->vid_hdr.type then computes the type-specific payload size: the
three completion-driving types (SYNTHVID_VERSION_RESPONSE,
SYNTHVID_RESOLUTION_RESPONSE, SYNTHVID_VRAM_LOCATION_ACK) fall through
to a shared exit that requires that size before memcpy/complete, while
SYNTHVID_FEATURE_CHANGE validates its own payload and returns before
reading is_dirt_needed. Unknown types are dropped.

SYNTHVID_RESOLUTION_RESPONSE is variable length: the host fills
resolution_count entries, not the full SYNTHVID_MAX_RESOLUTION_COUNT
array. Validate the fixed prefix first so resolution_count can be
read, bound it against the array, then require only the count-sized
array, so the shorter responses the host actually sends are accepted.

Only run the sub-handler when vmbus_recvpacket() returned success. The
memcpy length is bytes_recvd, which is bounded by VMBUS_MAX_PACKET_SIZE
only on a successful receive; on -ENOBUFS vmbus_recvpacket() instead
reports the required length, which can exceed hv->recv_buf, so copying
bytes_recvd would read and write past the 16 KiB buffers. Gating on the
success return keeps the copy bounded. The nonzero-return path is itself
a malformed-message case and is now logged rather than silently skipped;
channel recovery is not attempted.

Rejected packets are reported via drm_err_ratelimited() rather than
silently dropped, matching the CoCo-hardened pattern in
hv_kvp_onchannelcallback().

Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/8200dbc199c7a9b75ac7e8af6c748d2189b5ebd5.1779542874.git.me@berkoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c |  100 ++++++++++++++++++++++++++----
 1 file changed, 87 insertions(+), 13 deletions(-)

--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -425,30 +425,92 @@ static int hyperv_get_supported_resoluti
 	return 0;
 }
 
-static void hyperv_receive_sub(struct hv_device *hdev)
+static void hyperv_receive_sub(struct hv_device *hdev, u32 bytes_recvd)
 {
 	struct hyperv_drm_device *hv = hv_get_drvdata(hdev);
 	struct synthvid_msg *msg;
+	size_t hdr_size;
+	size_t need;
 
 	if (!hv)
 		return;
 
-	msg = (struct synthvid_msg *)hv->recv_buf;
-
-	/* Complete the wait event */
-	if (msg->vid_hdr.type == SYNTHVID_VERSION_RESPONSE ||
-	    msg->vid_hdr.type == SYNTHVID_RESOLUTION_RESPONSE ||
-	    msg->vid_hdr.type == SYNTHVID_VRAM_LOCATION_ACK) {
-		memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE);
-		complete(&hv->wait);
+	hdr_size = sizeof(struct pipe_msg_hdr) +
+		   sizeof(struct synthvid_msg_hdr);
+	if (bytes_recvd < hdr_size) {
+		drm_err_ratelimited(&hv->dev,
+				    "synthvid packet too small for header: %u\n",
+				    bytes_recvd);
 		return;
 	}
 
-	if (msg->vid_hdr.type == SYNTHVID_FEATURE_CHANGE) {
+	msg = (struct synthvid_msg *)hv->recv_buf;
+	need = hdr_size;
+
+	switch (msg->vid_hdr.type) {
+	case SYNTHVID_VERSION_RESPONSE:
+		need += sizeof(struct synthvid_version_resp);
+		break;
+	case SYNTHVID_RESOLUTION_RESPONSE:
+		/*
+		 * The resolution response is variable length: the host
+		 * fills resolution_count entries, not the full
+		 * SYNTHVID_MAX_RESOLUTION_COUNT array. Require the fixed
+		 * prefix first so resolution_count can be read, then
+		 * demand exactly the count-sized array.
+		 */
+		need += offsetof(struct synthvid_supported_resolution_resp,
+				 supported_resolution);
+		if (bytes_recvd < need)
+			break;
+		if (msg->resolution_resp.resolution_count >
+		    SYNTHVID_MAX_RESOLUTION_COUNT) {
+			drm_err_ratelimited(&hv->dev,
+					    "synthvid resolution count too large: %u\n",
+					    msg->resolution_resp.resolution_count);
+			return;
+		}
+		need += msg->resolution_resp.resolution_count *
+			sizeof(struct hvd_screen_info);
+		break;
+	case SYNTHVID_VRAM_LOCATION_ACK:
+		need += sizeof(struct synthvid_vram_location_ack);
+		break;
+	case SYNTHVID_FEATURE_CHANGE:
+		/*
+		 * Not a completion-driving message: validate its own payload
+		 * and consume it here rather than falling through to the
+		 * memcpy/complete shared by the wait-event responses.
+		 */
+		if (bytes_recvd < need +
+		    sizeof(struct synthvid_feature_change)) {
+			drm_err_ratelimited(&hv->dev,
+					    "synthvid feature change packet too small: %u\n",
+					    bytes_recvd);
+			return;
+		}
 		hv->dirt_needed = msg->feature_chg.is_dirt_needed;
 		if (hv->dirt_needed)
 			hyperv_hide_hw_ptr(hv->hdev);
+		return;
+	default:
+		return;
+	}
+
+	/*
+	 * Shared completion path for the wait-event responses
+	 * (VERSION_RESPONSE, RESOLUTION_RESPONSE, VRAM_LOCATION_ACK):
+	 * require the type-specific payload before handing the buffer to
+	 * the waiter.
+	 */
+	if (bytes_recvd < need) {
+		drm_err_ratelimited(&hv->dev,
+				    "synthvid packet too small for type %u: %u < %zu\n",
+				    msg->vid_hdr.type, bytes_recvd, need);
+		return;
 	}
+	memcpy(hv->init_buf, msg, bytes_recvd);
+	complete(&hv->wait);
 }
 
 static void hyperv_receive(void *ctx)
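Review bot: the `default: return;` arm drops unknown message types silently, while every other rejection in this function goes through drm_err_ratelimited(); since the commit message says rejected packets are logged rather than silently dropped, consider a ratelimited message carrying the type value there as well, or a comment stating that unknown types are intentionally quiet.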
@@ -469,9 +531,21 @@ static void hyperv_receive(void *ctx)
 		ret = vmbus_recvpacket(hdev->channel, recv_buf,
 				       VMBUS_MAX_PACKET_SIZE,
 				       &bytes_recvd, &req_id);
-		if (bytes_recvd > 0 &&
-		    recv_buf->pipe_hdr.type == PIPE_MSG_DATA)
-			hyperv_receive_sub(hdev);
+		if (ret) {
+			/*
+			 * A nonzero return (e.g. -ENOBUFS for an oversized
+			 * packet) is itself a malformed message: bytes_recvd
+			 * then reports the required length rather than a copied
+			 * payload, so it must not be forwarded to the
+			 * sub-handler. Channel recovery is not attempted.
+			 */
+			drm_err_ratelimited(&hv->dev,
+					    "vmbus_recvpacket failed: %d (need %u)\n",
+					    ret, bytes_recvd);
+		} else if (bytes_recvd > 0 &&
+			   recv_buf->pipe_hdr.type == PIPE_MSG_DATA) {
+			hyperv_receive_sub(hdev, bytes_recvd);
+		}
 	} while (bytes_recvd > 0 && ret == 0);
 }
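Review bot: on the ret != 0 path the loop condition `while (bytes_recvd > 0 && ret == 0)` ends the receive loop and the new comment says channel recovery is not attempted; if vmbus_recvpacket() does not consume the oversized packet on -ENOBUFS, the same packet will be hit again on the next channel callback, so the ratelimit on the log is the only thing keeping this from flooding. Worth stating in the comment whether re-hitting the same packet on every callback is the accepted outcome.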
 



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 255/315] drm/hyperv: validate resolution_count and fix WIN8 fallback
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (253 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 254/315] scsi: target: iscsi: Validate CHAP_R length before base64 decode Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 256/315] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
	Hamza Mahfooz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Berkant Koc <me@berkoc.com>

commit 13d33b9ef67066c77c84273fac5a1d3fde3533d1 upstream.

A SYNTHVID_RESOLUTION_RESPONSE with resolution_count > 64 walks past
the supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT] array in the
parse loop. Bound resolution_count against the array size, folded
into the existing zero-check.

When the WIN10 resolution probe fails, the caller in
hyperv_connect_vsp() left hv->screen_*_max / preferred_* unpopulated,
which sets mode_config.max_width / max_height to 0 and makes
drm_internal_framebuffer_create() reject every userspace framebuffer
with -EINVAL. The pre-WIN10 branch had the same gap for
preferred_width / preferred_height. Use a single post-probe fallback
guarded by screen_width_max == 0 so both paths converge on the WIN8
defaults.

Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/6945b22419c7d404b4954a113de2ac9c900dba93.1779542874.git.me@berkoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -396,8 +396,11 @@ static int hyperv_get_supported_resoluti
 		return -ETIMEDOUT;
 	}
 
-	if (msg->resolution_resp.resolution_count == 0) {
-		drm_err(dev, "No supported resolutions\n");
+	if (msg->resolution_resp.resolution_count == 0 ||
+	    msg->resolution_resp.resolution_count >
+	    SYNTHVID_MAX_RESOLUTION_COUNT) {
+		drm_err(dev, "Invalid resolution count: %d\n",
+			msg->resolution_resp.resolution_count);
 		return -ENODEV;
 	}
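Review bot: the new drm_err() prints resolution_count with %d, whereas the ratelimited message in hyperv_receive_sub() (elsewhere in this series) prints the same field with %u; pick one specifier that matches the field's type so the two messages agree. Now that the upper bound is enforced here, the reject message could also state the limit (SYNTHVID_MAX_RESOLUTION_COUNT) so the log is self-explanatory.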
 
@@ -513,9 +516,13 @@ int hyperv_connect_vsp(struct hv_device
 		ret = hyperv_get_supported_resolution(hdev);
 		if (ret)
 			drm_err(dev, "Failed to get supported resolution from host, use default\n");
-	} else {
+	}
+
+	if (!hv->screen_width_max) {
 		hv->screen_width_max = SYNTHVID_WIDTH_WIN8;
 		hv->screen_height_max = SYNTHVID_HEIGHT_WIN8;
+		hv->preferred_width = SYNTHVID_WIDTH_WIN8;
+		hv->preferred_height = SYNTHVID_HEIGHT_WIN8;
 	}
 
 	hv->mmio_megabytes = hdev->channel->offermsg.offer.mmio_megabytes;
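Review bot: the fallback is keyed only on `!hv->screen_width_max`, which assumes the probe either fills all four of screen_width_max, screen_height_max, preferred_width and preferred_height or none of them; if hyperv_get_supported_resolution() can return an error after setting screen_width_max but before the preferred_* fields, the gap the commit message describes would reopen. A defensive `|| !hv->preferred_width` in the guard, or an explicit reset of the four fields when the probe fails, would make the invariant explicit.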




* [PATCH 6.12 245/307] drm/i915: Fix potential UAF in TTM object purge
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 244/307] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 246/307] drm/amd/pm/si: Disregard vblank time when no displays are connected Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Janusz Krzysztofik, Matthew Auld,
	Thomas Hellström, Sebastian Brzezinka, Christian König,
	Andi Shyti, Tvrtko Ursulin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>

commit 5c4063c87a619e4df954c179d24628636f5db15f upstream.

TLDR: The bo->ttm object might be changed by calling ttm_bo_validate(),
      move casting it to an i915_tt object later to actually get the right
      pointer.

A user reported hitting the following bug under heavy use on DG2:

[26620.095550] Oops: general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 1 SMP NOPTI
[26620.095556] CPU: 2 UID: 0 PID: 631 Comm: Xorg Not tainted 6.18.8 #1 PREEMPT(lazy)
[26620.095558] Hardware name: ASRock B850M Steel Legend WiFi/B850M Steel Legend WiFi, BIOS 3.50 09/18/2025
[26620.095559] RIP: 0010:i915_ttm_purge+0x84/0x100 [i915]
[26620.095604] Code: 00 00 00 48 8d 54 24 10 48 89 e6 48 89 fb e8 83 aa ae ff 85 c0 75 6f 48 83 bb a8 01 00 00 00 74 2c 48 8b 45 78 48 85 c0 74 23 <48> 8b 78 20 48 c7 c2 ff ff ff ff 31 f6 e8 7a 73 e3 e0 48 8b 7d 78
[26620.095605] RSP: 0018:ffffc90005fd7430 EFLAGS: 00010282
[26620.095607] RAX: a56b6b6b6b6b6b6b RBX: ffff8881f46c3dc0 RCX: 0000000000000000
[26620.095608] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 00000000ffffffff
[26620.095609] RBP: ffff888289610f00 R08: 0000000000000001 R09: ffff88823b022000
[26620.095609] R10: ffff888103029b28 R11: ffff8881fc7f3800 R12: ffff88810b6150d0
[26620.095609] R13: ffff888289610f00 R14: 0000000000000000 R15: ffff8881f46c3dc0
[26620.095610] FS: 00007f1004d86900(0000) GS:ffff88901c858000(0000) knlGS:0000000000000000
[26620.095611] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[26620.095611] CR2: 00007f0fdf489000 CR3: 000000035b0c1000 CR4: 0000000000750ef0
[26620.095612] PKRU: 55555554
[26620.095612] Call Trace:
[26620.095615] <TASK>
[26620.095615] i915_ttm_move+0x2b9/0x420 [i915]
[26620.095642] ? ttm_tt_init+0x65/0x80 [ttm]
[26620.095644] ? i915_ttm_tt_create+0xc6/0x150 [i915]
[26620.095667] ttm_bo_handle_move_mem+0xb6/0x160 [ttm]
[26620.095669] ttm_bo_evict+0x100/0x150 [ttm]
[26620.095671] ? preempt_count_add+0x64/0xa0
[26620.095673] ? _raw_spin_lock+0xe/0x30
[26620.095675] ? _raw_spin_unlock+0xd/0x30
[26620.095675] ? i915_gem_object_evictable+0xb7/0xd0 [i915]
[26620.095704] ttm_bo_evict_cb+0x6e/0xd0 [ttm]
[26620.095705] ttm_lru_walk_for_evict+0xa6/0x200 [ttm]
[26620.095708] ttm_bo_alloc_resource+0x185/0x4f0 [ttm]
[26620.095709] ? init_object+0x62/0xd0
[26620.095712] ttm_bo_validate+0x7a/0x180 [ttm]
[26620.095713] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095714] __i915_ttm_get_pages+0xb0/0x170 [i915]
[26620.095737] i915_ttm_get_pages+0x9f/0x150 [i915]
[26620.095759] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
[26620.095786] ? alloc_debug_processing+0xd0/0x100
[26620.095787] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095788] ? i915_vma_instance+0xa0/0x4e0 [i915]
[26620.095822] __i915_gem_object_get_pages+0x2f/0x40 [i915]
[26620.095848] i915_vma_pin_ww+0x706/0x980 [i915]
[26620.095875] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
[26620.095904] eb_validate_vmas+0x170/0xa00 [i915]
[26620.095930] i915_gem_do_execbuffer+0x1201/0x2b40 [i915]
[26620.095953] ? alloc_debug_processing+0xd0/0x100
[26620.095954] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095955] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
[26620.095977] ? __wake_up_sync_key+0x32/0x50
[26620.095979] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
[26620.096001] ? __slab_alloc.isra.0+0x67/0xc0
[26620.096003] i915_gem_execbuffer2_ioctl+0x11a/0x240 [i915]

Results from decode_stacktrace.sh pointed to dereference of a file pointer
field of a i915 TTM page vector container associated with an object being
purged on eviction.  That path is taken when the object is marked as no
longer needed.

Code analysis revealed a possibility of the i915 TTM page vector container
being replaced with a new instance inside a function that purges content
of the object, should it be still busy.  That function is called,
indirectly via a more general function that changes the object's placement
and caching policy, before the problematic dereference, but still after
a pointer to the container is captured, rendering the pointer no longer
valid.

Fix the issue by capturing the pointer to the container only after its
potential replacement.

v2: Move the container_of() inside the if block (Sebastian),
  - a simplified version of the commit description that explains briefly
    why the change is necessary (Christian).

Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/14882
Fixes: 7ae034590ceae ("drm/i915/ttm: add tt shmem backend")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Cc: stable@vger.kernel.org # v5.17+
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
Cc: Christian König <christian.koenig@amd.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/20260508122612.469227-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 4462966a93eb185849b7f174f0d0de53476d00a4)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c |   28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -416,8 +416,6 @@ void i915_ttm_free_cached_io_rsgt(struct
 int i915_ttm_purge(struct drm_i915_gem_object *obj)
 {
 	struct ttm_buffer_object *bo = i915_gem_to_ttm(obj);
-	struct i915_ttm_tt *i915_tt =
-		container_of(bo->ttm, typeof(*i915_tt), ttm);
 	struct ttm_operation_ctx ctx = {
 		.interruptible = true,
 		.no_wait_gpu = false,
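Review bot: removing the early container_of() is the actual fix, since bo->ttm may be replaced by the validate call the commit message describes, which runs between this declaration and the use further down; nothing in the code now prevents someone from hoisting the declaration back to the top for style reasons, so a short comment near `bo` saying that bo->ttm must not be cached before validation would protect the fix.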
@@ -432,16 +430,22 @@ int i915_ttm_purge(struct drm_i915_gem_o
 	if (ret)
 		return ret;
 
-	if (bo->ttm && i915_tt->filp) {
-		/*
-		 * The below fput(which eventually calls shmem_truncate) might
-		 * be delayed by worker, so when directly called to purge the
-		 * pages(like by the shrinker) we should try to be more
-		 * aggressive and release the pages immediately.
-		 */
-		shmem_truncate_range(file_inode(i915_tt->filp),
-				     0, (loff_t)-1);
-		fput(fetch_and_zero(&i915_tt->filp));
+	if (bo->ttm) {
+		struct i915_ttm_tt *i915_tt =
+			container_of(bo->ttm, typeof(*i915_tt), ttm);
+
+		if (i915_tt->filp) {
+			/*
+			 * The below fput(which eventually calls shmem_truncate)
+			 * might be delayed by worker, so when directly called
+			 * to purge the pages(like by the shrinker) we should
+			 * try to be more aggressive and release the pages
+			 * immediately.
+			 */
+			shmem_truncate_range(file_inode(i915_tt->filp),
+					     0, (loff_t)-1);
+			fput(fetch_and_zero(&i915_tt->filp));
+		}
 	}
 
 	obj->write_domain = 0;
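Review bot: with container_of() moved inside `if (bo->ttm)`, i915_tt is now derived from the post-validate bo->ttm, which is what the commit message requires; the block comment was re-wrapped for the deeper indentation but still reads "fput(which" and "pages(like" without spaces, so the spacing could be fixed while it is being touched.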




* [PATCH 6.18 256/315] drm/hyperv: validate VMBus packet size in receive callback
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (254 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 255/315] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 257/315] drm/gem: fix race between change_handle and handle_delete Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
	Hamza Mahfooz

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Berkant Koc <me@berkoc.com>

commit 7f87763f47a3c22fb50265a00619ef10f2394b18 upstream.

hyperv_receive_sub() reads msg->vid_hdr.type and dispatches into one
of four message-type branches without knowing how many bytes the host
wrote into hv->recv_buf. The completion path then runs
memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE), so the consumer that
wakes on wait_for_completion_timeout() can read up to 16 KiB of
residue from a prior message as if it were the response payload.

Pass bytes_recvd into hyperv_receive_sub() and reject any packet that
does not cover the pipe + synthvid header. A single switch on
msg->vid_hdr.type then computes the type-specific payload size: the
three completion-driving types (SYNTHVID_VERSION_RESPONSE,
SYNTHVID_RESOLUTION_RESPONSE, SYNTHVID_VRAM_LOCATION_ACK) fall through
to a shared exit that requires that size before memcpy/complete, while
SYNTHVID_FEATURE_CHANGE validates its own payload and returns before
reading is_dirt_needed. Unknown types are dropped.

SYNTHVID_RESOLUTION_RESPONSE is variable length: the host fills
resolution_count entries, not the full SYNTHVID_MAX_RESOLUTION_COUNT
array. Validate the fixed prefix first so resolution_count can be
read, bound it against the array, then require only the count-sized
array, so the shorter responses the host actually sends are accepted.

Only run the sub-handler when vmbus_recvpacket() returned success. The
memcpy length is bytes_recvd, which is bounded by VMBUS_MAX_PACKET_SIZE
only on a successful receive; on -ENOBUFS vmbus_recvpacket() instead
reports the required length, which can exceed hv->recv_buf, so copying
bytes_recvd would read and write past the 16 KiB buffers. Gating on the
success return keeps the copy bounded. The nonzero-return path is itself
a malformed-message case and is now logged rather than silently skipped;
channel recovery is not attempted.

Rejected packets are reported via drm_err_ratelimited() rather than
silently dropped, matching the CoCo-hardened pattern in
hv_kvp_onchannelcallback().

Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/8200dbc199c7a9b75ac7e8af6c748d2189b5ebd5.1779542874.git.me@berkoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/hyperv/hyperv_drm_proto.c |  100 ++++++++++++++++++++++++++----
 1 file changed, 87 insertions(+), 13 deletions(-)

--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -425,30 +425,92 @@ static int hyperv_get_supported_resoluti
 	return 0;
 }
 
-static void hyperv_receive_sub(struct hv_device *hdev)
+static void hyperv_receive_sub(struct hv_device *hdev, u32 bytes_recvd)
 {
 	struct hyperv_drm_device *hv = hv_get_drvdata(hdev);
 	struct synthvid_msg *msg;
+	size_t hdr_size;
+	size_t need;
 
 	if (!hv)
 		return;
 
-	msg = (struct synthvid_msg *)hv->recv_buf;
-
-	/* Complete the wait event */
-	if (msg->vid_hdr.type == SYNTHVID_VERSION_RESPONSE ||
-	    msg->vid_hdr.type == SYNTHVID_RESOLUTION_RESPONSE ||
-	    msg->vid_hdr.type == SYNTHVID_VRAM_LOCATION_ACK) {
-		memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE);
-		complete(&hv->wait);
+	hdr_size = sizeof(struct pipe_msg_hdr) +
+		   sizeof(struct synthvid_msg_hdr);
+	if (bytes_recvd < hdr_size) {
+		drm_err_ratelimited(&hv->dev,
+				    "synthvid packet too small for header: %u\n",
+				    bytes_recvd);
 		return;
 	}
 
-	if (msg->vid_hdr.type == SYNTHVID_FEATURE_CHANGE) {
+	msg = (struct synthvid_msg *)hv->recv_buf;
+	need = hdr_size;
+
+	switch (msg->vid_hdr.type) {
+	case SYNTHVID_VERSION_RESPONSE:
+		need += sizeof(struct synthvid_version_resp);
+		break;
+	case SYNTHVID_RESOLUTION_RESPONSE:
+		/*
+		 * The resolution response is variable length: the host
+		 * fills resolution_count entries, not the full
+		 * SYNTHVID_MAX_RESOLUTION_COUNT array. Require the fixed
+		 * prefix first so resolution_count can be read, then
+		 * demand exactly the count-sized array.
+		 */
+		need += offsetof(struct synthvid_supported_resolution_resp,
+				 supported_resolution);
+		if (bytes_recvd < need)
+			break;
+		if (msg->resolution_resp.resolution_count >
+		    SYNTHVID_MAX_RESOLUTION_COUNT) {
+			drm_err_ratelimited(&hv->dev,
+					    "synthvid resolution count too large: %u\n",
+					    msg->resolution_resp.resolution_count);
+			return;
+		}
+		need += msg->resolution_resp.resolution_count *
+			sizeof(struct hvd_screen_info);
+		break;
+	case SYNTHVID_VRAM_LOCATION_ACK:
+		need += sizeof(struct synthvid_vram_location_ack);
+		break;
+	case SYNTHVID_FEATURE_CHANGE:
+		/*
+		 * Not a completion-driving message: validate its own payload
+		 * and consume it here rather than falling through to the
+		 * memcpy/complete shared by the wait-event responses.
+		 */
+		if (bytes_recvd < need +
+		    sizeof(struct synthvid_feature_change)) {
+			drm_err_ratelimited(&hv->dev,
+					    "synthvid feature change packet too small: %u\n",
+					    bytes_recvd);
+			return;
+		}
 		hv->dirt_needed = msg->feature_chg.is_dirt_needed;
 		if (hv->dirt_needed)
 			hyperv_hide_hw_ptr(hv->hdev);
+		return;
+	default:
+		return;
+	}
+
+	/*
+	 * Shared completion path for the wait-event responses
+	 * (VERSION_RESPONSE, RESOLUTION_RESPONSE, VRAM_LOCATION_ACK):
+	 * require the type-specific payload before handing the buffer to
+	 * the waiter.
+	 */
+	if (bytes_recvd < need) {
+		drm_err_ratelimited(&hv->dev,
+				    "synthvid packet too small for type %u: %u < %zu\n",
+				    msg->vid_hdr.type, bytes_recvd, need);
+		return;
 	}
+	memcpy(hv->init_buf, msg, bytes_recvd);
+	complete(&hv->wait);
 }
 
 static void hyperv_receive(void *ctx)
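Review bot: `memcpy(hv->init_buf, msg, bytes_recvd)` now copies only the validated length, but nothing clears the remainder of init_buf, so bytes past bytes_recvd still hold residue from an earlier response; that is safe only as long as every consumer of init_buf stays within the type-specific size checked here (for the resolution response, resolution_count entries). A one-line comment at the memcpy stating that invariant would keep a future reader of the waiter side from reading the full array.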
@@ -469,9 +531,21 @@ static void hyperv_receive(void *ctx)
 		ret = vmbus_recvpacket(hdev->channel, recv_buf,
 				       VMBUS_MAX_PACKET_SIZE,
 				       &bytes_recvd, &req_id);
-		if (bytes_recvd > 0 &&
-		    recv_buf->pipe_hdr.type == PIPE_MSG_DATA)
-			hyperv_receive_sub(hdev);
+		if (ret) {
+			/*
+			 * A nonzero return (e.g. -ENOBUFS for an oversized
+			 * packet) is itself a malformed message: bytes_recvd
+			 * then reports the required length rather than a copied
+			 * payload, so it must not be forwarded to the
+			 * sub-handler. Channel recovery is not attempted.
+			 */
+			drm_err_ratelimited(&hv->dev,
+					    "vmbus_recvpacket failed: %d (need %u)\n",
+					    ret, bytes_recvd);
+		} else if (bytes_recvd > 0 &&
+			   recv_buf->pipe_hdr.type == PIPE_MSG_DATA) {
+			hyperv_receive_sub(hdev, bytes_recvd);
+		}
 	} while (bytes_recvd > 0 && ret == 0);
 }
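Review bot: the message "vmbus_recvpacket failed: %d (need %u)" labels bytes_recvd as a required length for every nonzero ret, but the comment above only establishes that meaning for -ENOBUFS; for other errors the value may be stale or zero. Consider printing the "need" part only when ret == -ENOBUFS, or wording the message so bytes_recvd is not presented as a requirement unconditionally.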
 




* [PATCH 6.12 246/307] drm/amd/pm/si: Disregard vblank time when no displays are connected
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 245/307] drm/i915: Fix potential UAF in TTM object purge Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 247/307] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Deucher, Jeremy Klarenbeek,
	Timur Kristóf

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Timur Kristóf <timur.kristof@gmail.com>

commit dd4f3ee535b3b0ac027f75dbf9dc5fc88733c765 upstream.

When no displays are connected, there is no vblank
happening so the power management code shouldn't
worry about it.

This fixes a regression that caused the memory clock
to be stuck at maximum when there were no displays
connected to a SI GPU.

Fixes: 9003a0746864 ("drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)")
Fixes: 9d73b107a61b ("drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Jeremy Klarenbeek <jeremy.klarenbeek99@gmail.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6d87e0199f7b83735b56e422d59f170a201897a8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
@@ -3062,6 +3062,10 @@ static bool si_dpm_vblank_too_short(void
 	/* we never hit the non-gddr5 limit so disable it */
 	u32 switch_limit = adev->gmc.vram_type == AMDGPU_VRAM_TYPE_GDDR5 ? 450 : 0;
 
+	/* Disregard vblank time when there are no displays connected */
+	if (!adev->pm.pm_display_cfg.num_display)
+		return false;
+
 	/* Consider zero vblank time too short and disable MCLK switching.
 	 * Note that the vblank time is set to maximum when no displays are attached,
 	 * so we'll still enable MCLK switching in that case.
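Review bot: the early `return false` when num_display is zero makes the sentence "Note that the vblank time is set to maximum when no displays are attached, so we'll still enable MCLK switching in that case" in the retained comment stale, since that case no longer reaches the zero-vblank check; update or drop that sentence in the same patch so the two explanations do not contradict each other.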




* [PATCH 6.18 257/315] drm/gem: fix race between change_handle and handle_delete
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (255 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 256/315] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 258/315] drm/i915/psr: Block DC states on vblank enable when Panel Replay supported Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Dave Airlie

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhenghang Xiao <kipreyyy@gmail.com>

commit 7164d78559b0ff29931a366a840a9e5dd53d4b7c upstream.

drm_gem_change_handle_ioctl leaves the old handle live in the IDR
during the window between spin_unlock(table_lock) and the final
spin_lock(table_lock). A concurrent drm_gem_handle_delete on the old
handle succeeds in this window, decrements handle_count to 0, and frees
the GEM object while the new handle's IDR entry still references it.

NULL the old handle's IDR entry before dropping table_lock so that any
concurrent GEM_CLOSE on the old handle sees NULL and returns -EINVAL.
Restore the old entry on the prime-bookkeeping error path.

Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260526085313.26791-1-kipreyyy@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/drm_gem.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/drm_gem.c
+++ b/drivers/gpu/drm/drm_gem.c
@@ -1015,6 +1015,7 @@ int drm_gem_change_handle_ioctl(struct d
 	       goto out_unlock;
        }
 
+	idr_replace(&file_priv->object_idr, NULL, args->handle);
 	spin_unlock(&file_priv->table_lock);
 
 	if (obj->dma_buf) {
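Review bot: `idr_replace(&file_priv->object_idr, NULL, args->handle)` runs under table_lock, which closes the window the commit message describes, but its return value (the previous entry, or an ERR_PTR on failure) is ignored; since the entry was just looked up under the same lock a failure should be impossible, and a short comment saying so would explain why the result is not checked.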
@@ -1023,6 +1024,7 @@ int drm_gem_change_handle_ioctl(struct d
 		if (ret < 0) {
 			spin_lock(&file_priv->table_lock);
 			idr_remove(&file_priv->object_idr, handle);
+			idr_replace(&file_priv->object_idr, obj, args->handle);
 			spin_unlock(&file_priv->table_lock);
 			goto out_unlock;
 		}
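Review bot: on the prime-bookkeeping failure the old entry is restored with `idr_replace(&file_priv->object_idr, obj, args->handle)` after `idr_remove(..., handle)`; between the NULL-out and this restore a concurrent GEM_CLOSE on the old handle will have returned -EINVAL even though the change ultimately fails. That is a reasonable trade-off, but it deserves a comment on the error path so it is not read as a lost close.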




* [PATCH 6.12 247/307] serial: altera_jtaguart: handle uart_add_one_port() failures
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.12 246/307] drm/amd/pm/si: Disregard vblank time when no displays are connected Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.12 248/307] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myeonghun Pak <mhun512@gmail.com>

commit ea66be25f0e934f49d24cd0c5845d13cdba3520b upstream.

altera_jtaguart_probe() maps the register window before registering the
UART port, but it ignores failures from uart_add_one_port(). If port
registration fails, probe still returns success and the mapping remains
live until a later remove path that is not part of probe failure cleanup.

Return the uart_add_one_port() error and unmap the register window on
that failure path.

This issue was identified during our ongoing static-analysis research while
reviewing kernel code.

Fixes: 5bcd601049c6 ("serial: Add driver for the Altera JTAG UART")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260512065837.79528-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/altera_jtaguart.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/altera_jtaguart.c
+++ b/drivers/tty/serial/altera_jtaguart.c
@@ -381,6 +381,7 @@ static int altera_jtaguart_probe(struct
 	struct resource *res_mem;
 	int i = pdev->id;
 	int irq;
+	int ret;
 
 	/* -1 emphasizes that the platform must have one port, no .N suffix */
 	if (i == -1)
@@ -420,7 +421,11 @@ static int altera_jtaguart_probe(struct
 	port->flags = UPF_BOOT_AUTOCONF;
 	port->dev = &pdev->dev;
 
-	uart_add_one_port(&altera_jtaguart_driver, port);
+	ret = uart_add_one_port(&altera_jtaguart_driver, port);
+	if (ret) {
+		iounmap(port->membase);
+		return ret;
+	}
 
 	return 0;
 }
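Review bot: the new error path unmaps port->membase but returns before anything else obtained in probe is released; the function also has an `int irq;` (first hunk), so it is worth confirming that the irq is only looked up here and not requested, otherwise it would need freeing on this path too. Consider a dev_err() with ret as well, so a failed port registration is visible in the log rather than only as a probe failure.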




* [PATCH 6.18 258/315] drm/i915/psr: Block DC states on vblank enable when Panel Replay supported
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (256 preceding siblings ...)
  2026-06-07 10:00 ` [PATCH 6.18 257/315] drm/gem: fix race between change_handle and handle_delete Greg Kroah-Hartman
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 259/315] drm/i915: Fix potential UAF in TTM object purge Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander,
	Michał Grzelak, Tvrtko Ursulin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

commit 8bb9093df555f9e89fdbe1405118b11384c03e04 upstream.

Currently we are blocking DC states only when Panel Replay is enabled on
vblank enable. It may happen that Panel Replay is getting enabled when
vblank is already enabled. Fix this by blocking DC states always if Panel
Replay is supported.

While at it, take care of the possible dual eDP case by looping over all
encoders supporting PSR.

Fixes: 0c427ac78a1d ("drm/i915/psr: Add interface to notify PSR of vblank enable/disable")
Cc: <stable@vger.kernel.org> # v6.16+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Michał Grzelak <michal.grzelak@intel.com>
Link: https://patch.msgid.link/20260520104944.239797-1-jouni.hogander@intel.com
(cherry picked from commit eb5911f990554f7ce947dd53df00c114362e4465)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/display/intel_psr.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -3982,32 +3982,33 @@ void intel_psr_notify_vblank_enable_disa
 					    bool enable)
 {
 	struct intel_encoder *encoder;
+	bool block_dc_states = false;
 
 	for_each_intel_encoder_with_psr(display->drm, encoder) {
 		struct intel_dp *intel_dp = enc_to_intel_dp(encoder);
 
 		mutex_lock(&intel_dp->psr.lock);
-		if (intel_dp->psr.panel_replay_enabled) {
-			mutex_unlock(&intel_dp->psr.lock);
-			break;
-		}
+		if (CAN_PANEL_REPLAY(intel_dp))
+			block_dc_states = true;
 
-		if (intel_dp->psr.enabled && intel_dp->psr.pkg_c_latency_used)
+		if (intel_dp->psr.enabled && !intel_dp->psr.panel_replay_enabled &&
+		    intel_dp->psr.pkg_c_latency_used)
 			intel_psr_apply_underrun_on_idle_wa_locked(intel_dp);
 
 		mutex_unlock(&intel_dp->psr.lock);
-		return;
 	}
 
 	/*
 	 * NOTE: intel_display_power_set_target_dc_state is used
-	 * only by PSR * code for DC3CO handling. DC3CO target
+	 * only by PSR code for DC3CO handling. DC3CO target
 	 * state is currently disabled in * PSR code. If DC3CO
 	 * is taken into use we need take that into account here
 	 * as well.
 	 */
-	intel_display_power_set_target_dc_state(display, enable ? DC_STATE_DISABLE :
-						DC_STATE_EN_UPTO_DC6);
+	if (block_dc_states)
+		intel_display_power_set_target_dc_state(display, enable ?
+							DC_STATE_DISABLE :
+							DC_STATE_EN_UPTO_DC6);
 }
 
 static void
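Review bot: The comment cleanup is incomplete: the hunk fixes the stray `*` in "only by PSR * code" but the following context line still reads "state is currently disabled in * PSR code", so both should be fixed while this block is being touched. Functionally, the loop now sets block_dc_states for any encoder where CAN_PANEL_REPLAY() holds and the target DC state is changed only when that flag is set; the old code reached intel_display_power_set_target_dc_state() whenever the loop ended without an early return, which in practice meant a Panel Replay enabled encoder (or no PSR encoders at all), so the behavioural difference is narrow but deserves a sentence in the commit message.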




* [PATCH 6.12 248/307] serial: qcom-geni: fix UART_RX_PAR_EN bit position
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Prasanna S, Konrad Dybcio

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Prasanna S <prasanna.s@oss.qualcomm.com>

commit ca2584d841b69391ffc4144840563d2e1a0018df upstream.

UART_RX_PAR_EN is incorrectly defined as bit 3, which triggers false
framing errors (S_GP_IRQ_1_EN) and causes received data to be dropped
when parity is enabled and the parity bit is 0.

Define UART_RX_PAR_EN as bit 4 of the SE_UART_RX_TRANS_CFG register, as
specified in the reference manual.

Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP")
Cc: stable <stable@kernel.org>
Signed-off-by: Prasanna S <prasanna.s@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260428-serial-bit-correct-v1-1-9131ad5b97d8@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -46,7 +46,7 @@
 #define TX_STOP_BIT_LEN_2		2
 
 /* SE_UART_RX_TRANS_CFG */
-#define UART_RX_PAR_EN			BIT(3)
+#define UART_RX_PAR_EN			BIT(4)
 
 /* SE_UART_RX_WORD_LEN */
 #define RX_WORD_LEN_MASK		GENMASK(9, 0)
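Review bot: Missing documentation: the bit has been wrong since the driver was introduced (per the Fixes tag) and nothing in the code says where BIT(4) comes from, so a one-line comment above `#define UART_RX_PAR_EN BIT(4)` naming the SE_UART_RX_TRANS_CFG field in the reference manual would stop a future reader from "correcting" it back to BIT(3). The surrounding context shows no other field defined for this register, so no collision is visible here.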




* [PATCH 6.18 259/315] drm/i915: Fix potential UAF in TTM object purge
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Janusz Krzysztofik, Matthew Auld,
	Thomas Hellström, Sebastian Brzezinka, Christian König,
	Andi Shyti, Tvrtko Ursulin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>

commit 5c4063c87a619e4df954c179d24628636f5db15f upstream.

TLDR: The bo->ttm object might be changed by calling ttm_bo_validate(),
      move casting it to an i915_tt object later to actually get the right
      pointer.

A user reported hitting the following bug under heavy use on DG2:

[26620.095550] Oops: general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 1 SMP NOPTI
[26620.095556] CPU: 2 UID: 0 PID: 631 Comm: Xorg Not tainted 6.18.8 #1 PREEMPT(lazy)
[26620.095558] Hardware name: ASRock B850M Steel Legend WiFi/B850M Steel Legend WiFi, BIOS 3.50 09/18/2025
[26620.095559] RIP: 0010:i915_ttm_purge+0x84/0x100 [i915]
[26620.095612] Call Trace:
[26620.095615] <TASK>
[26620.095615] i915_ttm_move+0x2b9/0x420 [i915]
[26620.095642] ? ttm_tt_init+0x65/0x80 [ttm]
[26620.095644] ? i915_ttm_tt_create+0xc6/0x150 [i915]
[26620.095667] ttm_bo_handle_move_mem+0xb6/0x160 [ttm]
[26620.095669] ttm_bo_evict+0x100/0x150 [ttm]
[26620.095671] ? preempt_count_add+0x64/0xa0
[26620.095673] ? _raw_spin_lock+0xe/0x30
[26620.095675] ? _raw_spin_unlock+0xd/0x30
[26620.095675] ? i915_gem_object_evictable+0xb7/0xd0 [i915]
[26620.095704] ttm_bo_evict_cb+0x6e/0xd0 [ttm]
[26620.095705] ttm_lru_walk_for_evict+0xa6/0x200 [ttm]
[26620.095708] ttm_bo_alloc_resource+0x185/0x4f0 [ttm]
[26620.095709] ? init_object+0x62/0xd0
[26620.095712] ttm_bo_validate+0x7a/0x180 [ttm]
[26620.095713] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095714] __i915_ttm_get_pages+0xb0/0x170 [i915]
[26620.095737] i915_ttm_get_pages+0x9f/0x150 [i915]
[26620.095759] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
[26620.095786] ? alloc_debug_processing+0xd0/0x100
[26620.095787] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095788] ? i915_vma_instance+0xa0/0x4e0 [i915]
[26620.095822] __i915_gem_object_get_pages+0x2f/0x40 [i915]
[26620.095848] i915_vma_pin_ww+0x706/0x980 [i915]
[26620.095875] ? i915_gem_do_execbuffer+0xedc/0x2b40 [i915]
[26620.095904] eb_validate_vmas+0x170/0xa00 [i915]
[26620.095930] i915_gem_do_execbuffer+0x1201/0x2b40 [i915]
[26620.095953] ? alloc_debug_processing+0xd0/0x100
[26620.095954] ? _raw_spin_unlock_irqrestore+0x16/0x30
[26620.095955] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
[26620.095977] ? __wake_up_sync_key+0x32/0x50
[26620.095979] ? i915_gem_execbuffer2_ioctl+0xc9/0x240 [i915]
[26620.096001] ? __slab_alloc.isra.0+0x67/0xc0
[26620.096003] i915_gem_execbuffer2_ioctl+0x11a/0x240 [i915]

Results from decode_stacktrace.sh pointed to dereference of a file pointer
field of a i915 TTM page vector container associated with an object being
purged on eviction.  That path is taken when the object is marked as no
longer needed.

Code analysis revealed a possibility of the i915 TTM page vector container
being replaced with a new instance inside a function that purges content
of the object, should it be still busy.  That function is called,
indirectly via a more general function that changes the object's placement
and caching policy, before the problematic dereference, but still after
a pointer to the container is captured, rendering the pointer no longer
valid.

Fix the issue by capturing the pointer to the container only after its
potential replacement.

v2: Move the container_of() inside the if block (Sebastian),
  - a simplified version of the commit description that explains briefly
    why the change is necessary (Christian).

Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/14882
Fixes: 7ae034590ceae ("drm/i915/ttm: add tt shmem backend")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Cc: stable@vger.kernel.org # v5.17+
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
Cc: Christian König <christian.koenig@amd.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://lore.kernel.org/r/20260508122612.469227-2-janusz.krzysztofik@linux.intel.com
(cherry picked from commit 4462966a93eb185849b7f174f0d0de53476d00a4)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gem/i915_gem_ttm.c |   28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -416,8 +416,6 @@ void i915_ttm_free_cached_io_rsgt(struct
 int i915_ttm_purge(struct drm_i915_gem_object *obj)
 {
 	struct ttm_buffer_object *bo = i915_gem_to_ttm(obj);
-	struct i915_ttm_tt *i915_tt =
-		container_of(bo->ttm, typeof(*i915_tt), ttm);
 	struct ttm_operation_ctx ctx = {
 		.interruptible = true,
 		.no_wait_gpu = false,
@@ -432,16 +430,22 @@ int i915_ttm_purge(struct drm_i915_gem_o
 	if (ret)
 		return ret;
 
-	if (bo->ttm && i915_tt->filp) {
-		/*
-		 * The below fput(which eventually calls shmem_truncate) might
-		 * be delayed by worker, so when directly called to purge the
-		 * pages(like by the shrinker) we should try to be more
-		 * aggressive and release the pages immediately.
-		 */
-		shmem_truncate_range(file_inode(i915_tt->filp),
-				     0, (loff_t)-1);
-		fput(fetch_and_zero(&i915_tt->filp));
+	if (bo->ttm) {
+		struct i915_ttm_tt *i915_tt =
+			container_of(bo->ttm, typeof(*i915_tt), ttm);
+
+		if (i915_tt->filp) {
+			/*
+			 * The below fput(which eventually calls shmem_truncate)
+			 * might be delayed by worker, so when directly called
+			 * to purge the pages(like by the shrinker) we should
+			 * try to be more aggressive and release the pages
+			 * immediately.
+			 */
+			shmem_truncate_range(file_inode(i915_tt->filp),
+					     0, (loff_t)-1);
+			fput(fetch_and_zero(&i915_tt->filp));
+		}
 	}
 
 	obj->write_domain = 0;
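Review bot: Missing documentation at the new container_of(): the ordering is the whole fix (bo->ttm may be replaced by the ttm_bo_validate() call whose `if (ret) return ret;` appears in the leading context), yet nothing in the code records that, and a future cleanup could hoist the declaration back to the top of the function where it came from. Add a short comment above `struct i915_ttm_tt *i915_tt = container_of(bo->ttm, typeof(*i915_tt), ttm);` stating that it must be evaluated after ttm_bo_validate(). Nesting the filp check inside `if (bo->ttm)` is otherwise equivalent to the old `bo->ttm && i915_tt->filp` test.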




* [PATCH 6.12 249/307] serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Viken Dadhaniya,
	Bartosz Golaszewski

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>

commit 452d6fa37ae9b021f4f6d397dbae077f7296f6f4 upstream.

When uart_flush_buffer() runs before the DMA completion IRQ is delivered,
the following race can occur (all steps serialized by uart_port_lock):

  1. DMA starts: tx_remaining = N, kfifo contains N bytes
  2. DMA completes in hardware; IRQ is pending but not yet delivered
  3. uart_flush_buffer() acquires the port lock and calls kfifo_reset(),
     making kfifo_len() = 0 while tx_remaining remains N
  4. uart_flush_buffer() releases the port lock
  5. DMA IRQ fires; handle_tx_dma() acquires the port lock and calls
     uart_xmit_advance(uport, tx_remaining) on an empty kfifo

uart_xmit_advance() increments kfifo->out by tx_remaining. Since
kfifo_reset() already set both in and out to 0, out wraps past in,
causing kfifo_len() to return UART_XMIT_SIZE - tx_remaining. The next
start_tx_dma() call then submits a DMA transfer of stale buffer data.

Fix this by snapshotting kfifo_len() at the start of handle_tx_dma()
and skipping uart_xmit_advance() when fifo_len < tx_remaining, which
indicates the kfifo was reset by a preceding flush.

Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
Cc: stable <stable@kernel.org>
Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260506-serial-dma-stale-tx-buf-v1-1-e3ccb360d719@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -993,8 +993,20 @@ static void qcom_geni_serial_handle_tx_d
 {
 	struct qcom_geni_serial_port *port = to_dev_port(uport);
 	struct tty_port *tport = &uport->state->port;
+	unsigned int fifo_len = kfifo_len(&tport->xmit_fifo);
+
+	/*
+	 * Only advance the kfifo if it still contains the bytes that were
+	 * transferred. uart_flush_buffer() may have run before this IRQ
+	 * fired: it calls kfifo_reset() under the port lock, making
+	 * fifo_len = 0 while tx_remaining remains non-zero. Calling
+	 * uart_xmit_advance() in that case would underflow kfifo->out past
+	 * kfifo->in, making kfifo_len() wrap to UART_XMIT_SIZE - tx_remaining
+	 * and triggering a spurious large DMA transfer of stale data.
+	 */
+	if (fifo_len >= port->tx_remaining)
+		uart_xmit_advance(uport, port->tx_remaining);
 
-	uart_xmit_advance(uport, port->tx_remaining);
 	geni_se_tx_dma_unprep(&port->se, port->tx_dma_addr, port->tx_remaining);
 	port->tx_dma_addr = 0;
 	port->tx_remaining = 0;
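Review bot: The `fifo_len >= port->tx_remaining` heuristic only distinguishes a flushed fifo from an untouched one while the fifo stays empty: uart_flush_buffer() drops the port lock at step 4 of the commit message, so a writer can refill the kfifo with at least tx_remaining fresh bytes before this IRQ runs, and uart_xmit_advance() would then discard new data instead of the bytes the DMA actually sent. If that window matters, record the flush explicitly (for example clearing tx_remaining from a flush_buffer uart_ops callback under the port lock) rather than inferring it from the length. Leaving the unprep and the tx_dma_addr/tx_remaining reset below the new `if` unconditional is correct.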




* [PATCH 6.18 260/315] drm/amd/pm/si: Disregard vblank time when no displays are connected
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Deucher, Jeremy Klarenbeek,
	Timur Kristóf

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Timur Kristóf <timur.kristof@gmail.com>

commit dd4f3ee535b3b0ac027f75dbf9dc5fc88733c765 upstream.

When no displays are connected, there is no vblank happening so the power
management code shouldn't worry about it.

This fixes a regression that caused the memory clock to be stuck at maximum
when there were no displays connected to a SI GPU.

Fixes: 9003a0746864 ("drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)")
Fixes: 9d73b107a61b ("drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)")
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Jeremy Klarenbeek <jeremy.klarenbeek99@gmail.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6d87e0199f7b83735b56e422d59f170a201897a8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
@@ -3081,6 +3081,10 @@ static bool si_dpm_vblank_too_short(void
 	/* we never hit the non-gddr5 limit so disable it */
 	u32 switch_limit = adev->gmc.vram_type == AMDGPU_VRAM_TYPE_GDDR5 ? 450 : 0;
 
+	/* Disregard vblank time when there are no displays connected */
+	if (!adev->pm.pm_display_cfg.num_display)
+		return false;
+
 	/* Consider zero vblank time too short and disable MCLK switching.
 	 * Note that the vblank time is set to maximum when no displays are attached,
 	 * so we'll still enable MCLK switching in that case.
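Review bot: The comment in the trailing context is now stale: it says "the vblank time is set to maximum when no displays are attached, so we'll still enable MCLK switching in that case", but with the new early `return false` on `!adev->pm.pm_display_cfg.num_display` that situation never reaches the zero-vblank check. Reword or drop that sentence in the same patch so the two mechanisms don't appear to overlap. Computing `switch_limit` before the early return is harmless but could move below it.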




* [PATCH 6.12 250/307] serial: sh-sci: fix memory region release in error path
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, kernel test robot,
	Dan Carpenter, Hongling Zeng, Geert Uytterhoeven

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongling Zeng <zenghongling@kylinos.cn>

commit 92b1ea22454b08a39baef3a7290fb3ec50366616 upstream.

The sci_request_port() function uses request_mem_region() to reserve
I/O memory, but in the error path when sci_remap_port() fails, it
incorrectly calls release_resource() instead of release_mem_region().

This mismatch can cause resource accounting issues. Fix it by using
the correct release function, consistent with sci_release_port().

Fixes: e2651647080930a1 ("serial: sh-sci: Handle port memory region reservations.")
Cc: stable <stable@kernel.org>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604032356.SzEjYkBC-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260421065737.724187-1-zenghongling@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/sh-sci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2849,7 +2849,7 @@ static int sci_request_port(struct uart_
 
 	ret = sci_remap_port(port);
 	if (unlikely(ret != 0)) {
-		release_resource(res);
+		release_mem_region(port->mapbase, sport->reg_size);
 		return ret;
 	}
 
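Review bot: The release now mirrors sci_release_port() as the commit message says, but the request_mem_region() call is outside the hunk, so confirm it reserves exactly (port->mapbase, sport->reg_size); a size mismatch would silently leave part of the region reserved. Also check that `res` is still referenced after this change (e.g. by the NULL check on the request result), otherwise dropping its only use in `release_resource(res)` leaves an unused-variable warning.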




* [PATCH 6.18 261/315] serial: altera_jtaguart: handle uart_add_one_port() failures
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myeonghun Pak <mhun512@gmail.com>

commit ea66be25f0e934f49d24cd0c5845d13cdba3520b upstream.

altera_jtaguart_probe() maps the register window before registering the
UART port, but it ignores failures from uart_add_one_port(). If port
registration fails, probe still returns success and the mapping remains
live until a later remove path that is not part of probe failure cleanup.

Return the uart_add_one_port() error and unmap the register window on
that failure path.

This issue was identified during our ongoing static-analysis research while
reviewing kernel code.

Fixes: 5bcd601049c6 ("serial: Add driver for the Altera JTAG UART")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260512065837.79528-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/altera_jtaguart.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/altera_jtaguart.c
+++ b/drivers/tty/serial/altera_jtaguart.c
@@ -379,6 +379,7 @@ static int altera_jtaguart_probe(struct
 	struct resource *res_mem;
 	int i = pdev->id;
 	int irq;
+	int ret;
 
 	/* -1 emphasizes that the platform must have one port, no .N suffix */
 	if (i == -1)
@@ -418,7 +419,11 @@ static int altera_jtaguart_probe(struct
 	port->flags = UPF_BOOT_AUTOCONF;
 	port->dev = &pdev->dev;
 
-	uart_add_one_port(&altera_jtaguart_driver, port);
+	ret = uart_add_one_port(&altera_jtaguart_driver, port);
+	if (ret) {
+		iounmap(port->membase);
+		return ret;
+	}
 
 	return 0;
 }
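Review bot: Same point as for the 6.12 copy of this patch: `iounmap(port->membase)` leaves a dangling pointer in a port slot that, per the `int i = pdev->id;` context, pre-exists the probe and survives its failure, so `port->membase = NULL;` after the unmap would make a later remove or re-probe safe against a double unmap.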




* [PATCH 6.12 251/307] serial: zs: Fix swapped RI/DSR modem line transition counting
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Maciej W. Rozycki

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit d15cd40cb1858f75846eaafa9a6bca841b790a92 upstream.

Fix a thinko in the status interrupt handler that has caused counters
for the RI and DSR modem line transitions to be used for the other line
each.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Cc: stable <stable@kernel.org>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://patch.msgid.link/alpine.DEB.2.21.2604101747110.29980@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -680,9 +680,9 @@ static void zs_status_handle(struct zs_p
 			uart_handle_dcd_change(uport,
 					       zport->mctrl & TIOCM_CAR);
 		if (delta & TIOCM_RNG)
-			uport->icount.dsr++;
-		if (delta & TIOCM_DSR)
 			uport->icount.rng++;
+		if (delta & TIOCM_DSR)
+			uport->icount.dsr++;
 
 		if (delta)
 			wake_up_interruptible(&uport->state->port.delta_msr_wait);




* [PATCH 6.18 262/315] serial: qcom-geni: fix UART_RX_PAR_EN bit position
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Prasanna S, Konrad Dybcio

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Prasanna S <prasanna.s@oss.qualcomm.com>

commit ca2584d841b69391ffc4144840563d2e1a0018df upstream.

UART_RX_PAR_EN is incorrectly defined as bit 3, which triggers false
framing errors (S_GP_IRQ_1_EN) and causes received data to be dropped
when parity is enabled and the parity bit is 0.

Define UART_RX_PAR_EN as bit 4 of the SE_UART_RX_TRANS_CFG register, as
specified in the reference manual.

Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP")
Cc: stable <stable@kernel.org>
Signed-off-by: Prasanna S <prasanna.s@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260428-serial-bit-correct-v1-1-9131ad5b97d8@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -49,7 +49,7 @@
 #define TX_STOP_BIT_LEN_2		2
 
 /* SE_UART_RX_TRANS_CFG */
-#define UART_RX_PAR_EN			BIT(3)
+#define UART_RX_PAR_EN			BIT(4)
 
 /* SE_UART_RX_WORD_LEN */
 #define RX_WORD_LEN_MASK		GENMASK(9, 0)
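Review bot: As with the 6.12 copy, a one-line comment above `#define UART_RX_PAR_EN BIT(4)` pointing at the SE_UART_RX_TRANS_CFG field in the reference manual would document why the value differs from the original BIT(3) and guard against a future "fix" reverting it; the hunk context shows no other define for this register.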




* [PATCH 6.12 252/307] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Shitalkumar Gandhi, Frank Li

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>

commit 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 upstream.

lpuart_start_rx_dma() allocates sport->rx_ring.buf with kzalloc() and
then maps a scatterlist via dma_map_sg().  On three subsequent error
paths the function returns directly without releasing those resources:

  - when dma_map_sg() returns 0 (-EINVAL):
      ring->buf is leaked.
  - when dmaengine_slave_config() fails:
      ring->buf and the DMA mapping are leaked.
  - when dmaengine_prep_dma_cyclic() returns NULL:
      ring->buf and the DMA mapping are leaked.

The sole cleanup path, lpuart_dma_rx_free(), is only reached when
lpuart_dma_rx_use is set, and the caller lpuart_rx_dma_startup() clears
that flag on failure of lpuart_start_rx_dma().  So these resources are
permanently leaked on every failure in this function.  Repeated port
open/close or termios changes under error conditions will slowly consume
memory and leave stale streaming DMA mappings behind.

Fix it by introducing two error labels that unmap the scatterlist and
free the ring buffer as appropriate.  While here, replace the misleading
-EFAULT (bad userspace pointer) returned when dmaengine_prep_dma_cyclic()
fails with the more accurate -ENOMEM, matching how other dmaengine users
in the tree treat this failure.

No functional change on the success path.

Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
Cc: stable <stable@kernel.org>
Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260420135903.2062024-1-shitalkumar.gandhi@cambiumnetworks.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/fsl_lpuart.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1375,7 +1375,8 @@ static inline int lpuart_start_rx_dma(st
 
 	if (!nent) {
 		dev_err(sport->port.dev, "DMA Rx mapping error\n");
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_free_buf;
 	}
 
 	dma_rx_sconfig.src_addr = lpuart_dma_datareg_addr(sport);
@@ -1387,7 +1388,7 @@ static inline int lpuart_start_rx_dma(st
 	if (ret < 0) {
 		dev_err(sport->port.dev,
 				"DMA Rx slave config failed, err = %d\n", ret);
-		return ret;
+		goto err_unmap_sg;
 	}
 
 	sport->dma_rx_desc = dmaengine_prep_dma_cyclic(chan,
@@ -1398,7 +1399,8 @@ static inline int lpuart_start_rx_dma(st
 				 DMA_PREP_INTERRUPT);
 	if (!sport->dma_rx_desc) {
 		dev_err(sport->port.dev, "Cannot prepare cyclic DMA\n");
-		return -EFAULT;
+		ret = -ENOMEM;
+		goto err_unmap_sg;
 	}
 
 	sport->dma_rx_desc->callback = lpuart_dma_rx_complete;
@@ -1422,6 +1424,13 @@ static inline int lpuart_start_rx_dma(st
 	}
 
 	return 0;
+
+err_unmap_sg:
+	dma_unmap_sg(chan->device->dev, &sport->rx_sgl, 1, DMA_FROM_DEVICE);
+err_free_buf:
+	kfree(ring->buf);
+	ring->buf = NULL;
+	return ret;
 }
 
 static void lpuart_dma_rx_free(struct uart_port *port)
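Review bot: The `err_unmap_sg` label's `dma_unmap_sg(chan->device->dev, &sport->rx_sgl, 1, DMA_FROM_DEVICE)` must use the same device, scatterlist and count as the dma_map_sg() call that produced `nent` in the first hunk's leading context; that call is not in the diff, so double-check the arguments line up, since a mismatch is silent. Clearing `ring->buf` after kfree() is right, as lpuart_dma_rx_free() could otherwise see the dangling pointer on a later teardown; the -EFAULT to -ENOMEM change is explained in the commit message.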




* [PATCH 6.18 263/315] serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ
@ 2026-06-07 10:00 ` Greg Kroah-Hartman
  2026-06-07 10:00 ` [PATCH 6.18 264/315] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Viken Dadhaniya,
	Bartosz Golaszewski

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>

commit 452d6fa37ae9b021f4f6d397dbae077f7296f6f4 upstream.

When uart_flush_buffer() runs before the DMA completion IRQ is delivered,
the following race can occur (all steps serialized by uart_port_lock):

  1. DMA starts: tx_remaining = N, kfifo contains N bytes
  2. DMA completes in hardware; IRQ is pending but not yet delivered
  3. uart_flush_buffer() acquires the port lock and calls kfifo_reset(),
     making kfifo_len() = 0 while tx_remaining remains N
  4. uart_flush_buffer() releases the port lock
  5. DMA IRQ fires; handle_tx_dma() acquires the port lock and calls
     uart_xmit_advance(uport, tx_remaining) on an empty kfifo

uart_xmit_advance() increments kfifo->out by tx_remaining. Since
kfifo_reset() already set both in and out to 0, out wraps past in,
causing kfifo_len() to return UART_XMIT_SIZE - tx_remaining. The next
start_tx_dma() call then submits a DMA transfer of stale buffer data.

Fix this by snapshotting kfifo_len() at the start of handle_tx_dma()
and skipping uart_xmit_advance() when fifo_len < tx_remaining, which
indicates the kfifo was reset by a preceding flush.

Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
Cc: stable <stable@kernel.org>
Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260506-serial-dma-stale-tx-buf-v1-1-e3ccb360d719@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -1022,8 +1022,20 @@ static void qcom_geni_serial_handle_tx_d
 {
 	struct qcom_geni_serial_port *port = to_dev_port(uport);
 	struct tty_port *tport = &uport->state->port;
+	unsigned int fifo_len = kfifo_len(&tport->xmit_fifo);
+
+	/*
+	 * Only advance the kfifo if it still contains the bytes that were
+	 * transferred. uart_flush_buffer() may have run before this IRQ
+	 * fired: it calls kfifo_reset() under the port lock, making
+	 * fifo_len = 0 while tx_remaining remains non-zero. Calling
+	 * uart_xmit_advance() in that case would underflow kfifo->out past
+	 * kfifo->in, making kfifo_len() wrap to UART_XMIT_SIZE - tx_remaining
+	 * and triggering a spurious large DMA transfer of stale data.
+	 */
+	if (fifo_len >= port->tx_remaining)
+		uart_xmit_advance(uport, port->tx_remaining);
 
-	uart_xmit_advance(uport, port->tx_remaining);
 	geni_se_tx_dma_unprep(&port->se, port->tx_dma_addr, port->tx_remaining);
 	port->tx_dma_addr = 0;
 	port->tx_remaining = 0;
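Review bot: the `fifo_len >= port->tx_remaining` test cannot distinguish "no flush happened" from "a flush happened and the fifo was since refilled with at least tx_remaining new bytes" (a write under the port lock between steps 4 and 5 of the race in the commit message); in that second case uart_xmit_advance() would discard bytes that were never transmitted. A flush-generation counter or flag set in the driver's flush_buffer callback and consumed here would make the decision exact; at minimum the comment should state that the length comparison is a heuristic. Keeping geni_se_tx_dma_unprep() and the tx_remaining/tx_dma_addr reset unconditional is right, since the hardware transfer did complete.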




* [PATCH 6.12 253/307] drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Huang, Alex Deucher

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Huang <jinhuieric.huang@amd.com>

commit e984d61d92e702096058f0f828f4b2b8563b88ce upstream.

The process_info could be NULL if the user doesn't call kfd_ioctl_acquire_vm
before calling kfd_ioctl_svm.

Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 83a26c812e0529eb040d31a76f73e33e637243d4)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -3668,6 +3668,9 @@ svm_range_set_attr(struct kfd_process *p
 
 	svms = &p->svms;
 
+	if (!process_info)
+		return -EINVAL;
+
 	mutex_lock(&process_info->lock);
 
 	svm_range_list_lock_and_flush_work(svms, mm);
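Review bot: the early `return -EINVAL` sits after `svms = &p->svms;` and before the first visible dereference in `mutex_lock(&process_info->lock)`, which is correct as far as this hunk shows; please confirm that nothing earlier in svm_range_set_attr() (outside the hunk) already dereferences process_info or takes a reference that this return would leak. -EINVAL is defensible, but since the condition means the caller skipped kfd_ioctl_acquire_vm, a brief comment stating that precondition at the check would help the next reader.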




* [PATCH 6.12 254/307] drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Huang, Alex Deucher

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Huang <jinhuieric.huang@amd.com>

commit 93f5534b35a05ef8a0109c1eefa800062fee810a upstream.

get_queue_ids() computes array_size = num_queues * sizeof(uint32_t),
which could overflow on a 32-bit size_t build. Using array_size()
instead, it saturates to SIZE_MAX on overflow.

Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2d57a0475f085c08b49312dfd8edcb461845f285)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -3194,12 +3194,14 @@ static void copy_context_work_handler (s
 
 static uint32_t *get_queue_ids(uint32_t num_queues, uint32_t *usr_queue_id_array)
 {
-	size_t array_size = num_queues * sizeof(uint32_t);
-
 	if (!usr_queue_id_array)
 		return NULL;
 
-	return memdup_user(usr_queue_id_array, array_size);
+	if (num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS)
+		return ERR_PTR(-EINVAL);
+
+	return memdup_user(usr_queue_id_array,
+			   array_size(num_queues, sizeof(uint32_t)));
 }
 
 int resume_queues(struct kfd_process *p,
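Review bot: array_size() comes from <linux/overflow.h>; verify the include is present in kfd_device_queue_manager.c rather than relying on a transitive include. The new `return ERR_PTR(-EINVAL)` is consistent with memdup_user(), which already returns an ERR_PTR on failure, so callers that use IS_ERR() need no change; the pre-existing `return NULL` for a NULL user pointer remains a distinct "no array" case, and the two should not be conflated by a later IS_ERR_OR_NULL() check.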




* [PATCH 6.18 264/315] serial: sh-sci: fix memory region release in error path
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, kernel test robot,
	Dan Carpenter, Hongling Zeng, Geert Uytterhoeven

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hongling Zeng <zenghongling@kylinos.cn>

commit 92b1ea22454b08a39baef3a7290fb3ec50366616 upstream.

The sci_request_port() function uses request_mem_region() to reserve
I/O memory, but in the error path when sci_remap_port() fails, it
incorrectly calls release_resource() instead of release_mem_region().

This mismatch can cause resource accounting issues. Fix it by using
the correct release function, consistent with sci_release_port().

Fixes: e2651647080930a1 ("serial: sh-sci: Handle port memory region reservations.")
Cc: stable <stable@kernel.org>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604032356.SzEjYkBC-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260421065737.724187-1-zenghongling@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/sh-sci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2845,7 +2845,7 @@ int sci_request_port(struct uart_port *p
 
 	ret = sci_remap_port(port);
 	if (unlikely(ret != 0)) {
-		release_resource(res);
+		release_mem_region(port->mapbase, sport->reg_size);
 		return ret;
 	}
 
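Review bot: release_mem_region(port->mapbase, sport->reg_size) must use exactly the start and size passed to the earlier request_mem_region(), which is outside this hunk; please confirm those are port->mapbase and sport->reg_size and not, say, resource_size(res). Also check that `res` is still used after this change (presumably it is still the return value tested right after request_mem_region()), otherwise the compiler will flag an unused variable.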




* [PATCH 6.12 255/307] drm/amdkfd: Check for pdd drm file first in CRIU restore path
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Francis, Alex Deucher

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Francis <David.Francis@amd.com>

commit 6842b6a4b72da9b2906ffc5ca9d846ace2c54c14 upstream.

CRIU restore ioctls are meant to be called by CRIU with no
existing drm file. There's an error path for the case where the
drm file unexpectedly exists. It was positioned such that it was
missing a fput(drm_file).

Do that check earlier, as soon as we have the pdd.

Signed-off-by: David Francis <David.Francis@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2bab781dac78916c5cc8de76345a4102449267d7)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -2260,6 +2260,11 @@ static int criu_restore_devices(struct k
 			ret = -EINVAL;
 			goto exit;
 		}
+
+		if (pdd->drm_file) {
+			ret = -EINVAL;
+			goto exit;
+		}
 		pdd->user_gpu_id = device_buckets[i].user_gpu_id;
 
 		drm_file = fget(device_buckets[i].drm_fd);
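Review bot: moving the `pdd->drm_file` test ahead of fget() closes the fput() leak, and the `goto exit` on this new path happens before drm_file is assigned, so nothing is leaked here; confirm that `exit:` does not itself fput() a stale drm_file from a previous loop iteration (drm_file is assigned per iteration, so it should be cleared or handled there). A short comment that the check must precede fget() would prevent the ordering from being "tidied" back later.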
@@ -2269,11 +2274,6 @@ static int criu_restore_devices(struct k
 			ret = -EINVAL;
 			goto exit;
 		}
-
-		if (pdd->drm_file) {
-			ret = -EINVAL;
-			goto exit;
-		}
 
 		/* create the vm using render nodes for kfd pdd */
 		if (kfd_process_device_init_vm(pdd, drm_file)) {




* [PATCH 6.18 265/315] serial: zs: Fix swapped RI/DSR modem line transition counting
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Maciej W. Rozycki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit d15cd40cb1858f75846eaafa9a6bca841b790a92 upstream.

Fix a thinko in the status interrupt handler that has caused counters
for the RI and DSR modem line transitions to be used for the other line
each.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Cc: stable <stable@kernel.org>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://patch.msgid.link/alpine.DEB.2.21.2604101747110.29980@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -680,9 +680,9 @@ static void zs_status_handle(struct zs_p
 			uart_handle_dcd_change(uport,
 					       zport->mctrl & TIOCM_CAR);
 		if (delta & TIOCM_RNG)
-			uport->icount.dsr++;
-		if (delta & TIOCM_DSR)
 			uport->icount.rng++;
+		if (delta & TIOCM_DSR)
+			uport->icount.dsr++;
 
 		if (delta)
 			wake_up_interruptible(&uport->state->port.delta_msr_wait);




* [PATCH 6.18 266/315] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Shitalkumar Gandhi, Frank Li

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>

commit 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 upstream.

lpuart_start_rx_dma() allocates sport->rx_ring.buf with kzalloc() and
then maps a scatterlist via dma_map_sg().  On three subsequent error
paths the function returns directly without releasing those resources:

  - when dma_map_sg() returns 0 (-EINVAL):
      ring->buf is leaked.
  - when dmaengine_slave_config() fails:
      ring->buf and the DMA mapping are leaked.
  - when dmaengine_prep_dma_cyclic() returns NULL:
      ring->buf and the DMA mapping are leaked.

The sole cleanup path, lpuart_dma_rx_free(), is only reached when
lpuart_dma_rx_use is set, and the caller lpuart_rx_dma_startup() clears
that flag on failure of lpuart_start_rx_dma().  So these resources are
permanently leaked on every failure in this function.  Repeated port
open/close or termios changes under error conditions will slowly consume
memory and leave stale streaming DMA mappings behind.

Fix it by introducing two error labels that unmap the scatterlist and
free the ring buffer as appropriate.  While here, replace the misleading
-EFAULT (bad userspace pointer) returned when dmaengine_prep_dma_cyclic()
fails with the more accurate -ENOMEM, matching how other dmaengine users
in the tree treat this failure.

No functional change on the success path.

Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
Cc: stable <stable@kernel.org>
Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260420135903.2062024-1-shitalkumar.gandhi@cambiumnetworks.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/fsl_lpuart.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1379,7 +1379,8 @@ static inline int lpuart_start_rx_dma(st
 
 	if (!nent) {
 		dev_err(sport->port.dev, "DMA Rx mapping error\n");
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_free_buf;
 	}
 
 	dma_rx_sconfig.src_addr = lpuart_dma_datareg_addr(sport);
@@ -1391,7 +1392,7 @@ static inline int lpuart_start_rx_dma(st
 	if (ret < 0) {
 		dev_err(sport->port.dev,
 				"DMA Rx slave config failed, err = %d\n", ret);
-		return ret;
+		goto err_unmap_sg;
 	}
 
 	sport->dma_rx_desc = dmaengine_prep_dma_cyclic(chan,
@@ -1402,7 +1403,8 @@ static inline int lpuart_start_rx_dma(st
 				 DMA_PREP_INTERRUPT);
 	if (!sport->dma_rx_desc) {
 		dev_err(sport->port.dev, "Cannot prepare cyclic DMA\n");
-		return -EFAULT;
+		ret = -ENOMEM;
+		goto err_unmap_sg;
 	}
 
 	sport->dma_rx_desc->callback = lpuart_dma_rx_complete;
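Review bot: changing the error code from -EFAULT to -ENOMEM is a caller-visible change; the commit message justifies it, but confirm that lpuart_rx_dma_startup() and the termios path only test for non-zero and do not special-case -EFAULT. Since this hunk only reports failure when dmaengine_prep_dma_cyclic() returns NULL, jumping to err_unmap_sg without touching sport->dma_rx_desc (already NULL) is correct.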
@@ -1426,6 +1428,13 @@ static inline int lpuart_start_rx_dma(st
 	}
 
 	return 0;
+
+err_unmap_sg:
+	dma_unmap_sg(chan->device->dev, &sport->rx_sgl, 1, DMA_FROM_DEVICE);
+err_free_buf:
+	kfree(ring->buf);
+	ring->buf = NULL;
+	return ret;
 }
 
 static void lpuart_dma_rx_free(struct uart_port *port)
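Review bot: clearing ring->buf after kfree() matters because lpuart_dma_rx_free() (declared right below) and any retry of lpuart_start_rx_dma() would otherwise see a dangling pointer; consider also resetting the ring indices initialized alongside the buffer so a retried start begins from a clean state. `goto err_free_buf` from the dma_map_sg() failure correctly skips the unmap since nothing was mapped.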




* [PATCH 6.12 256/307] serial: dz: Fix bootconsole message clobbering at chip reset
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit ca904f4b42355287bc5ce8b7550ebe909cda4c2c upstream.

In the DZ interface as implemented by the DC7085 gate array the serial
transmitters are double buffered, meaning that at the time a transmitter
is ready to accept the next character there is one in the transmit shift
register still being sent to the line.  Issuing a master clear at this
time causes this character to be lost, so wait an extra amount of time
sufficient for the transmit shift register to drain at 9600bps, which is
the baud rate setting used by the firmware console.

Mind the specified 1.4us TRDY recovery time in the course and continue
using iob() as the completion barrier, since the platforms involved use
a write buffer that can delay and combine writes, and reorder them with
respect to reads regardless of the MMIO locations accessed and we still
lack a platform-independent handler for that.

When called from dz_serial_console_init() this is too early for fsleep()
to work and even before lpj has been calculated and therefore the delay
is actually not sufficient for the transmitter to drain and is merely a
placeholder now.  This will be addressed in a follow-up change.

Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062259080.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/dz.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -542,10 +542,31 @@ static int dz_encode_baud_rate(unsigned
 static void dz_reset(struct dz_port *dport)
 {
 	struct dz_mux *mux = dport->mux;
+	unsigned short tcr;
+	int loops = 10000;
 
 	if (mux->initialised)
 		return;
 
+	tcr = dz_in(dport, DZ_TCR);
+
+	/* Do not disturb any ongoing transmissions.  */
+	if (dz_in(dport, DZ_CSR) & DZ_MSE) {
+		unsigned short csr, mask;
+
+		mask = tcr;
+		while ((mask & DZ_LNENB) && loops--) {
+			csr = dz_in(dport, DZ_CSR);
+			if (!(csr & DZ_TRDY))
+				continue;
+			mask &= ~(1 << ((csr & DZ_TLINE) >> 8));
+			dz_out(dport, DZ_TCR, mask);
+			iob();
+			udelay(2);		/* 1.4us TRDY recovery.  */
+		}
+		udelay(1200);			/* Transmitter drain.  */
+	}
+
 	dz_out(dport, DZ_CSR, DZ_CLR);
 	while (dz_in(dport, DZ_CSR) & DZ_CLR);
 	iob();
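Review bot: the drain loop is bounded by `loops`, but `continue` on !DZ_TRDY also consumes an iteration, so on a quiet chip the 10000-iteration budget is spent in roughly 10000 back-to-back register reads with no udelay(); that is acceptable as a timeout but worth a comment, and if the budget expires with DZ_LNENB bits still set the code proceeds to DZ_CLR anyway and may still clobber a character, which the commit message should acknowledge. `(csr & DZ_TLINE) >> 8` hardcodes the field position; a named shift or FIELD_GET() would be clearer. In this patch `tcr` is only used to seed `mask`, so it is effectively local to the if block here.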




* [PATCH 6.18 267/315] drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Huang, Alex Deucher

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Huang <jinhuieric.huang@amd.com>

commit e984d61d92e702096058f0f828f4b2b8563b88ce upstream.

The process_info could be NULL if the user doesn't call kfd_ioctl_acquire_vm
before calling kfd_ioctl_svm.

Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 83a26c812e0529eb040d31a76f73e33e637243d4)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -3680,6 +3680,9 @@ svm_range_set_attr(struct kfd_process *p
 
 	svms = &p->svms;
 
+	if (!process_info)
+		return -EINVAL;
+
 	mutex_lock(&process_info->lock);
 
 	svm_range_list_lock_and_flush_work(svms, mm);
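Review bot: the patch is Cc'd to stable but carries no Fixes: tag, so it is unclear which commit introduced the unguarded dereference of process_info->lock; adding one would help stable maintainers judge how far back to apply it. The placement of the check itself, before mutex_lock(), is right for the visible code.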




* [PATCH 6.12 257/307] serial: dz: Fix bootconsole handover lockup
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 7f127b2208e5e2b817243cad41fe4211a6d5a7a3 upstream.

Calling dz_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled.  We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by dz_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.

This will change with the next change to the driver, so fix dz_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset.  This
also means dz_pm() serves no purpose anymore, so drop it.

Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062302010.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/dz.c |   36 ++++++++++++------------------------
 1 file changed, 12 insertions(+), 24 deletions(-)

--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -571,6 +571,18 @@ static void dz_reset(struct dz_port *dpo
 	while (dz_in(dport, DZ_CSR) & DZ_CLR);
 	iob();
 
+	/*
+	 * Set parameters across all lines such as not to interfere
+	 * with the initial PROM-based console.  Otherwise any output
+	 * produced before the console handover would cause the system
+	 * firmware to produce rubbish.
+	 */
+	for (int line = 0; line < DZ_NB_PORT; line++)
+		dz_out(dport, DZ_LPR, DZ_B9600 | DZ_CS8 | line);
+
+	/* Re-enable transmission for the initial PROM-based console.  */
+	dz_out(dport, DZ_TCR, tcr);
+
 	/* Enable scanning.  */
 	dz_out(dport, DZ_CSR, DZ_MSE);
 
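Review bot: this hunk restores `tcr` into DZ_TCR, but `tcr` is read in dz_reset() by the preceding patch (256/307) rather than in this diff, so the two must be applied together; a one-line dependency note in the commit message would help backporters. The `for (int line ...)` declaration is fine for the kernel's C11 baseline. Writing 9600n8 to every line unconditionally, not just the console line, is intentional per the commit message; spell that out in the comment since it also changes the non-console lines' parameters.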
@@ -654,26 +666,6 @@ static void dz_set_termios(struct uart_p
 	uart_port_unlock_irqrestore(&dport->port, flags);
 }
 
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void dz_pm(struct uart_port *uport, unsigned int state,
-		  unsigned int oldstate)
-{
-	struct dz_port *dport = to_dport(uport);
-	unsigned long flags;
-
-	uart_port_lock_irqsave(&dport->port, &flags);
-	if (state < 3)
-		dz_start_tx(&dport->port);
-	else
-		dz_stop_tx(&dport->port);
-	uart_port_unlock_irqrestore(&dport->port, flags);
-}
-
-
 static const char *dz_type(struct uart_port *uport)
 {
 	return "DZ";
@@ -769,7 +761,6 @@ static const struct uart_ops dz_ops = {
 	.startup	= dz_startup,
 	.shutdown	= dz_shutdown,
 	.set_termios	= dz_set_termios,
-	.pm		= dz_pm,
 	.type		= dz_type,
 	.release_port	= dz_release_port,
 	.request_port	= dz_request_port,
@@ -894,10 +885,7 @@ static int __init dz_console_setup(struc
 	if (ret)
 		return ret;
 
-	spin_lock_init(&dport->port.lock);	/* For dz_pm().  */
-
 	dz_reset(dport);
-	dz_pm(uport, 0, -1);
 
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);
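Review bot: removing `spin_lock_init(&dport->port.lock)` from dz_console_setup() is safe only if nothing between here and port registration takes the lock; dz_reset() as shown in the first hunk does not, and dz_pm() is gone, so this holds for the visible code, but please confirm no other console-path callback (for example the console write routine) locks the port before uart_add_one_port() initializes it.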




* [PATCH 6.18 268/315] drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Huang, Alex Deucher

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Huang <jinhuieric.huang@amd.com>

commit 93f5534b35a05ef8a0109c1eefa800062fee810a upstream.

get_queue_ids() computes array_size = num_queues * sizeof(uint32_t),
which could overflow on a 32-bit size_t build. Using array_size()
instead, it saturates to SIZE_MAX on overflow.

Signed-off-by: Eric Huang <jinhuieric.huang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2d57a0475f085c08b49312dfd8edcb461845f285)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -3292,12 +3292,14 @@ static void copy_context_work_handler(st
 
 static uint32_t *get_queue_ids(uint32_t num_queues, uint32_t *usr_queue_id_array)
 {
-	size_t array_size = num_queues * sizeof(uint32_t);
-
 	if (!usr_queue_id_array)
 		return NULL;
 
-	return memdup_user(usr_queue_id_array, array_size);
+	if (num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS)
+		return ERR_PTR(-EINVAL);
+
+	return memdup_user(usr_queue_id_array,
+			   array_size(num_queues, sizeof(uint32_t)));
 }
 
 int resume_queues(struct kfd_process *p,
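Review bot: with the `num_queues > KFD_MAX_NUM_OF_QUEUES_PER_PROCESS` check in place the product can no longer overflow on any size_t width, so array_size() is belt-and-braces; the real fix is the bound, which also caps the memdup_user() allocation. The commit message only describes the saturation and should mention the new limit and its -EINVAL, as that is a user-visible change for debugger callers passing oversized counts.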




* [PATCH 6.12 258/307] serial: dz: Convert to use a platform device
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 5d7a49d60b8fda66da60e240fd7315232fa1754f upstream.

Prevent a crash from happening as the first serial port is initialised:

  Console: switching to colour frame buffer device 160x64
  tgafb: SFB+ detected, rev=0x02
  fb0: Digital ZLX-E1 frame buffer device at 0x1e000000
  DECstation DZ serial driver version 1.04
  CPU 0 Unable to handle kernel paging request at virtual address 000000bc, epc == 8048b3a4, ra == 80470a78
  Oops[#1]:
  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0-dirty #35 NONE
  $ 0   : 00000000 1000ac00 00000004 804707ac
  $ 4   : 00000000 80e20850 80e20858 81000030
  $ 8   : 00000000 8072c81c 00000008 fefefeff
  $12   : 6c616972 00000006 80c5917f 69726420
  $16   : 80e20800 00000000 808f8968 80e20800
  $20   : 00000000 807f5a90 808b0094 808d3bc8
  $24   : 00000018 80479030
  $28   : 80c2e000 80c2fd70 00000069 80470a78
  Hi    : 00000004
  Lo    : 00000000
  epc   : 8048b3a4 __dev_fwnode+0x0/0xc
  ra    : 80470a78 serial_base_ctrl_add+0xa0/0x168
  Status: 1000ac04	IEp
  Cause : 30000008 (ExcCode 02)
  BadVA : 000000bc
  PrId  : 00000220 (R3000)
  Modules linked in:
  Process swapper/0 (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=00000000)
  Stack : 00400044 00400040 8046f4cc 00000000 808a6148 808a0000 808f8968 8086983c
          808e0000 8046fc84 1000ac01 00000028 80e20700 802ba3f8 80e20700 80d34a94
          80c1b900 80e20700 80e20700 80e20700 80e20700 80444650 00000000 00000000
          00000000 807f5a90 808b0094 80447080 00400040 808e0000 80d34a94 808a6148
          80d34a94 00000004 80e20700 00000000 8076974c 80469810 80c2fe3c 1000ac01
          ...
  Call Trace:
  [<8048b3a4>] __dev_fwnode+0x0/0xc
  [<80470a78>] serial_base_ctrl_add+0xa0/0x168
  [<8046fc84>] serial_core_register_port+0x1c8/0x974
  [<808c6af0>] dz_init+0x74/0xc8
  [<800470e0>] do_one_initcall+0x44/0x2d4
  [<808b111c>] kernel_init_freeable+0x258/0x308
  [<8072e434>] kernel_init+0x20/0x114
  [<80049cd0>] ret_from_kernel_thread+0x14/0x1c

  Code: 27bd0018  03e00008  2402ffea <8c8200bc> 03e00008  00000000  27bdffc0  afbe0038  afb30024

  ---[ end trace 0000000000000000 ]---

-- where a pointer is dereferenced that has been derived from a null
pointer to the port's parent device.

Since no device is available with legacy probing and it's not anymore a
preferable way to discover devices anyway, switch the driver to using a
platform device and use it as the port's parent device.  Update resource
handling accordingly and only request the actual span of addresses used
within the slot, which will have had its resource already requested by
generic platform device code.

Use platform_driver_probe() not just because the DZ device is fixed with
solder on board and not straightforward to remove, but foremost because
the associated TTY's major device number is the same as used by the zs
driver and the first driver to claim it will prevent the other one from
using it.  Either one DZ device or some SCC devices will be present in a
given system but never both at a time, and therefore we want the major
device number to be claimed by the first driver to actually successfully
bind to its device and platform_driver_probe() is a way to fulfil that.

An unfortunate consequence of the switch to a platform device is we now
hand the console over from the bootconsole much later in the bootstrap.
The firmware console handler appears good enough though to work so late
and in particular with interrupts enabled.

Conversely only starting the console port so late lets the reset code
fully utilise our delay handlers, so switch from udelay() to fsleep()
for transmitter draining so as to avoid busy-waiting for an excessive
amount of time.

Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # needs to use .remove_new for <= 6.10
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062326540.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/dec/platform.c |   55 +++++++++++++++++++++-
 drivers/tty/serial/dz.c  |  116 ++++++++++++++++++++++-------------------------
 2 files changed, 110 insertions(+), 61 deletions(-)

--- a/arch/mips/dec/platform.c
+++ b/arch/mips/dec/platform.c
@@ -10,6 +10,13 @@
 #include <linux/mc146818rtc.h>
 #include <linux/platform_device.h>
 
+#include <asm/bootinfo.h>
+
+#include <asm/dec/interrupts.h>
+#include <asm/dec/kn01.h>
+#include <asm/dec/kn02.h>
+#include <asm/dec/system.h>
+
 static struct resource dec_rtc_resources[] = {
 	{
 		.name = "rtc",
@@ -30,11 +37,57 @@ static struct platform_device dec_rtc_de
 	.num_resources = ARRAY_SIZE(dec_rtc_resources),
 };
 
+static struct resource dec_dz_resources[] = {
+	{ .name = "dz", .flags = IORESOURCE_MEM, },
+	{ .name = "dz", .flags = IORESOURCE_IRQ, },
+};
+
+static struct platform_device dec_dz_device = {
+	.name = "dz",
+	.id = PLATFORM_DEVID_NONE,
+	.resource = dec_dz_resources,
+	.num_resources = ARRAY_SIZE(dec_dz_resources),
+};
+
+static struct platform_device *dec_dz_devices[] __initdata = {
+	&dec_dz_device,
+};
+
 static int __init dec_add_devices(void)
 {
+	int ret1, ret2;
+	int num_dz;
+	int irq, i;
+
 	dec_rtc_resources[0].start = RTC_PORT(0);
 	dec_rtc_resources[0].end = RTC_PORT(0) + dec_kn_slot_size - 1;
-	return platform_device_register(&dec_rtc_device);
+
+	i = 0;
+	irq = dec_interrupt[DEC_IRQ_DZ11];
+	if (IS_ENABLED(CONFIG_32BIT) && irq >= 0) {
+		resource_size_t base;
+
+		switch (mips_machtype) {
+		case MACH_DS23100:
+		case MACH_DS5100:
+			base = dec_kn_slot_base + KN01_DZ11;
+			break;
+		default:
+			base = dec_kn_slot_base + KN02_DZ11;
+			break;
+		}
+		dec_dz_device.resource[0].start = base;
+		dec_dz_device.resource[0].end = base + dec_kn_slot_size - 1;
+		dec_dz_device.resource[1].start = irq;
+		dec_dz_device.resource[1].end = irq;
+		i++;
+	}
+	num_dz = i;
+
+	ret1 = platform_device_register(&dec_rtc_device);
+	ret2 = IS_ENABLED(CONFIG_32BIT) ?
+	       platform_add_devices(dec_dz_devices, num_dz) : 0;
+	return ret1 ? ret1 : ret2;
 }
 
 device_initcall(dec_add_devices);
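Review bot: the final `return ret1 ? ret1 : ret2;` in dec_add_devices() masks a DZ registration failure whenever RTC registration has already failed, and both registrations proceed regardless of each other; if that independence is intended, log each failure rather than folding them into one return value. The `IS_ENABLED(CONFIG_32BIT) ? ... : 0` on the ret2 line is redundant with the guard above it: when CONFIG_32BIT is off, num_dz stays 0 and platform_add_devices(dec_dz_devices, 0) is a no-op. Also, the presence test for the DZ device has moved from the driver's old `if (IOASIC)` check to `irq >= 0` on dec_interrupt[DEC_IRQ_DZ11] here; a one-line comment saying that this is what gates the device on non-IOASIC systems would help the next reader.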
--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -40,6 +40,7 @@
 #include <linux/kernel.h>
 #include <linux/major.h>
 #include <linux/module.h>
+#include <linux/platform_device.h>
 #include <linux/serial.h>
 #include <linux/serial_core.h>
 #include <linux/sysrq.h>
@@ -48,14 +49,6 @@
 
 #include <linux/atomic.h>
 #include <linux/io.h>
-#include <asm/bootinfo.h>
-
-#include <asm/dec/interrupts.h>
-#include <asm/dec/kn01.h>
-#include <asm/dec/kn02.h>
-#include <asm/dec/machtype.h>
-#include <asm/dec/prom.h>
-#include <asm/dec/system.h>
 
 #include "dz.h"
 
@@ -65,7 +58,9 @@ MODULE_LICENSE("GPL");
 
 
 static char dz_name[] __initdata = "DECstation DZ serial driver version ";
-static char dz_version[] __initdata = "1.04";
+static char dz_version[] __initdata = "1.05";
+
+#define DZ_IO_SIZE 0x20			/* IOMEM space size.  */
 
 struct dz_port {
 	struct dz_mux		*mux;
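Review bot: `#define DZ_IO_SIZE 0x20` replaces the dec_kn_slot_size span requested before, but the comment "IOMEM space size" does not say where 0x20 comes from; state what it covers (the DZ register window rather than the whole slot, ideally expressed in terms of the register offsets in dz.h), since a reader comparing this with the full-slot resource set up in arch/mips/dec/platform.c will otherwise wonder about the mismatch.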
@@ -81,6 +76,7 @@ struct dz_mux {
 };
 
 static struct dz_mux dz_mux;
+static struct uart_driver dz_reg;
 
 static inline struct dz_port *to_dport(struct uart_port *uport)
 {
@@ -564,7 +560,7 @@ static void dz_reset(struct dz_port *dpo
 			iob();
 			udelay(2);		/* 1.4us TRDY recovery.  */
 		}
-		udelay(1200);			/* Transmitter drain.  */
+		fsleep(1200);			/* Transmitter drain.  */
 	}
 
 	dz_out(dport, DZ_CSR, DZ_CLR);
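Review bot: `fsleep(1200)` can sleep (for this duration it becomes usleep_range()), so dz_reset() must only be reached from process context with no spinlock held; the console-setup caller goes away later in this patch, so the remaining caller(s) should be checked for that, ideally by adding a might_sleep() at the top of dz_reset() so any future atomic-context caller is caught at runtime rather than by a hang.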
@@ -681,14 +677,13 @@ static void dz_release_port(struct uart_
 
 	map_guard = atomic_add_return(-1, &mux->map_guard);
 	if (!map_guard)
-		release_mem_region(uport->mapbase, dec_kn_slot_size);
+		release_mem_region(uport->mapbase, DZ_IO_SIZE);
 }
 
 static int dz_map_port(struct uart_port *uport)
 {
 	if (!uport->membase)
-		uport->membase = ioremap(uport->mapbase,
-						 dec_kn_slot_size);
+		uport->membase = ioremap(uport->mapbase, DZ_IO_SIZE);
 	if (!uport->membase) {
 		printk(KERN_ERR "dz: Cannot map MMIO\n");
 		return -ENOMEM;
@@ -704,8 +699,7 @@ static int dz_request_port(struct uart_p
 
 	map_guard = atomic_add_return(1, &mux->map_guard);
 	if (map_guard == 1) {
-		if (!request_mem_region(uport->mapbase, dec_kn_slot_size,
-					"dz")) {
+		if (!request_mem_region(uport->mapbase, DZ_IO_SIZE, "dz")) {
 			atomic_add(-1, &mux->map_guard);
 			printk(KERN_ERR
 			       "dz: Unable to reserve MMIO resource\n");
@@ -716,7 +710,7 @@ static int dz_request_port(struct uart_p
 	if (ret) {
 		map_guard = atomic_add_return(-1, &mux->map_guard);
 		if (!map_guard)
-			release_mem_region(uport->mapbase, dec_kn_slot_size);
+			release_mem_region(uport->mapbase, DZ_IO_SIZE);
 		return ret;
 	}
 	return 0;
@@ -768,20 +762,15 @@ static const struct uart_ops dz_ops = {
 	.verify_port	= dz_verify_port,
 };
 
-static void __init dz_init_ports(void)
+static int __init dz_probe(struct platform_device *pdev)
 {
-	static int first = 1;
-	unsigned long base;
+	struct resource *mem_resource, *irq_resource;
 	int line;
 
-	if (!first)
-		return;
-	first = 0;
-
-	if (mips_machtype == MACH_DS23100 || mips_machtype == MACH_DS5100)
-		base = dec_kn_slot_base + KN01_DZ11;
-	else
-		base = dec_kn_slot_base + KN02_DZ11;
+	mem_resource = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	irq_resource = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+	if (!mem_resource || !irq_resource)
+		return -ENODEV;
 
 	for (line = 0; line < DZ_NB_PORT; line++) {
 		struct dz_port *dport = &dz_mux.dport[line];
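Review bot: dz_probe() checks that both resources exist but not that the memory resource is large enough; since every later map/request in this file uses DZ_IO_SIZE, add `if (resource_size(mem_resource) < DZ_IO_SIZE) return -ENODEV;` so a platform.c mistake fails the probe instead of producing an out-of-range ioremap. Marking dz_probe() `__init` is fine only because it is handed to platform_driver_probe() rather than stored in dz_driver.probe; a short comment above the function saying so will stop someone from "fixing" that later.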
@@ -789,14 +778,33 @@ static void __init dz_init_ports(void)
 
 		dport->mux	= &dz_mux;
 
-		uport->irq	= dec_interrupt[DEC_IRQ_DZ11];
+		uport->dev	= &pdev->dev;
+		uport->irq	= irq_resource->start;
 		uport->fifosize	= 1;
 		uport->iotype	= UPIO_MEM;
 		uport->flags	= UPF_BOOT_AUTOCONF;
 		uport->ops	= &dz_ops;
 		uport->line	= line;
-		uport->mapbase	= base;
+		uport->mapbase	= mem_resource->start;
 		uport->has_sysrq = IS_ENABLED(CONFIG_SERIAL_DZ_CONSOLE);
+
+		if (uart_add_one_port(&dz_reg, uport))
+			uport->dev = NULL;
+	}
+
+	return 0;
+}
+
+static void __exit dz_remove(struct platform_device *pdev)
+{
+	int line;
+
+	for (line = DZ_NB_PORT - 1; line >= 0; line--) {
+		struct dz_port *dport = &dz_mux.dport[line];
+		struct uart_port *uport = &dport->port;
+
+		if (uport->dev)
+			uart_remove_one_port(&dz_reg, uport);
 	}
 }
 
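Review bot: in dz_probe() a failing uart_add_one_port() is recorded only by clearing uport->dev and the function still returns 0, so a probe where every port failed to register looks like success and the driver keeps the major number the zs driver could otherwise have used (the description relies on probe failure for that arbitration). Consider at least printing the error and returning -ENODEV when no port was added. Also document that uport->dev doubles as the "registered" marker consumed by dz_remove(); `__exit` on dz_remove() with `__exit_p()` in the driver struct is correct for the built-in case.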
@@ -879,21 +887,14 @@ static int __init dz_console_setup(struc
 	int bits = 8;
 	int parity = 'n';
 	int flow = 'n';
-	int ret;
-
-	ret = dz_map_port(uport);
-	if (ret)
-		return ret;
-
-	dz_reset(dport);
 
+	if (!dport->mux)
+		return -ENODEV;
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);
-
-	return uart_set_options(&dport->port, co, baud, parity, bits, flow);
+	return uart_set_options(uport, co, baud, parity, bits, flow);
 }
 
-static struct uart_driver dz_reg;
 static struct console dz_console = {
 	.name	= "ttyS",
 	.write	= dz_console_print,
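Review bot: dz_console_setup() no longer maps or resets the hardware, so it now depends on dz_config_port() having run first, which happens inside uart_add_one_port() because the ports carry UPF_BOOT_AUTOCONF, before the serial core registers dz_console. The `if (!dport->mux) return -ENODEV;` guard covers the case where setup is reached before dz_probe() has run, but that ordering dependency is not obvious from the code; a comment here would help.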
@@ -904,18 +905,6 @@ static struct console dz_console = {
 	.data	= &dz_reg,
 };
 
-static int __init dz_serial_console_init(void)
-{
-	if (!IOASIC) {
-		dz_init_ports();
-		register_console(&dz_console);
-		return 0;
-	} else
-		return -ENXIO;
-}
-
-console_initcall(dz_serial_console_init);
-
 #define SERIAL_DZ_CONSOLE	&dz_console
 #else
 #define SERIAL_DZ_CONSOLE	NULL
@@ -931,25 +920,32 @@ static struct uart_driver dz_reg = {
 	.cons			= SERIAL_DZ_CONSOLE,
 };
 
+static struct platform_driver dz_driver = {
+	.remove = __exit_p(dz_remove),
+	.driver = { .name = "dz" },
+};
+
 static int __init dz_init(void)
 {
-	int ret, i;
-
-	if (IOASIC)
-		return -ENXIO;
+	int ret;
 
 	printk("%s%s\n", dz_name, dz_version);
 
-	dz_init_ports();
-
 	ret = uart_register_driver(&dz_reg);
 	if (ret)
 		return ret;
+	ret = platform_driver_probe(&dz_driver, dz_probe);
+	if (ret)
+		uart_unregister_driver(&dz_reg);
 
-	for (i = 0; i < DZ_NB_PORT; i++)
-		uart_add_one_port(&dz_reg, &dz_mux.dport[i].port);
+	return ret;
+}
 
-	return 0;
+static void __exit dz_exit(void)
+{
+	platform_driver_unregister(&dz_driver);
+	uart_unregister_driver(&dz_reg);
 }
 
 module_init(dz_init);
+module_exit(dz_exit);
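Review bot: with the `if (IOASIC) return -ENXIO;` early-out gone, the version banner in dz_init() is printed before platform_driver_probe() has determined whether a DZ device exists at all, so IOASIC (SCC-based) DECstations will now log "DECstation DZ serial driver version 1.05" even though the driver fails to bind; moving the printk into dz_probe() (or after a successful probe) keeps the log accurate. The uart_unregister_driver() on probe failure is correct and is what lets the zs driver claim the shared major afterwards, as the description explains. In touched lines: the printk has no KERN_ level; pr_info() would be the idiomatic form.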




* [PATCH 6.18 269/315] drm/amdkfd: Check for pdd drm file first in CRIU restore path
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, David Francis, Alex Deucher

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Francis <David.Francis@amd.com>

commit 6842b6a4b72da9b2906ffc5ca9d846ace2c54c14 upstream.

CRIU restore ioctls are meant to be called by CRIU with no
existing drm file. There's an error path
for if the drm file unexpectedly exists. It was positioned so
it was missing a fput(drm_file).

Do that check earlier, as soon as we have the pdd.

Signed-off-by: David Francis <David.Francis@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2bab781dac78916c5cc8de76345a4102449267d7)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_chardev.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -2253,6 +2253,11 @@ static int criu_restore_devices(struct k
 			ret = -EINVAL;
 			goto exit;
 		}
+
+		if (pdd->drm_file) {
+			ret = -EINVAL;
+			goto exit;
+		}
 		pdd->user_gpu_id = device_buckets[i].user_gpu_id;
 
 		drm_file = fget(device_buckets[i].drm_fd);
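Review bot: moving the `pdd->drm_file` test ahead of the fget() is the right fix: the old placement sat after a reference had been taken and the `goto exit` path dropped it. A one-line comment above the new check ("must precede fget(); exit does not fput drm_file") would stop the ordering from regressing, since nothing else in the hunk makes the dependency visible.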
@@ -2262,11 +2267,6 @@ static int criu_restore_devices(struct k
 			ret = -EINVAL;
 			goto exit;
 		}
-
-		if (pdd->drm_file) {
-			ret = -EINVAL;
-			goto exit;
-		}
 
 		/* create the vm using render nodes for kfd pdd */
 		if (kfd_process_device_init_vm(pdd, drm_file)) {




* [PATCH 6.12 259/307] serial: zs: Fix bootconsole handover lockup
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 6c05cf72e13314ce9b770b5951695dc5a2152920 upstream.

Calling zs_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled.  We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by zs_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.

This will change with the next change to the driver, so fix zs_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset.  This
also means zs_pm() serves no purpose anymore, so drop it.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062308040.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |   29 ++++++++---------------------
 1 file changed, 8 insertions(+), 21 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -105,18 +105,24 @@ struct zs_parms {
 
 static struct zs_scc zs_sccs[ZS_NUM_SCCS];
 
+/*
+ * Set parameters in WR5, WR12, WR13 such as not to interfere
+ * with the initial PROM-based console.  Otherwise any output
+ * produced before the console handover would cause the system
+ * firmware to hang (TxENAB) or produce rubbish (Tx8, B9600).
+ */
 static u8 zs_init_regs[ZS_NUM_REGS] __initdata = {
 	0,				/* write 0 */
 	PAR_SPEC,			/* write 1 */
 	0,				/* write 2 */
 	0,				/* write 3 */
 	X16CLK | SB1,			/* write 4 */
-	0,				/* write 5 */
+	Tx8 | TxENAB,			/* write 5 */
 	0, 0, 0,			/* write 6, 7, 8 */
 	MIE | DLC | NV,			/* write 9 */
 	NRZ,				/* write 10 */
 	TCBR | RCBR,			/* write 11 */
-	0, 0,				/* BRG time constant, write 12 + 13 */
+	0x16, 0x00,			/* BRG time constant, write 12 + 13 */
 	BRSRC | BRENABL,		/* write 14 */
 	0,				/* write 15 */
 };
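Review bot: the new WR12/WR13 values `0x16, 0x00` are a magic number; a comment deriving them from the SCC clock and the 8530 BRG formula (TC = clock / (2 * 16 * baud) - 2 with X16CLK) would make the "B9600" claim in the block comment checkable by the next reader. The block comment says WR5, WR12 and WR13 are chosen not to disturb the PROM console; it should also say that this is why zs_pm() can go away, since that hack existed solely to toggle TxENAB.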
@@ -956,23 +962,6 @@ static void zs_set_termios(struct uart_p
 	spin_unlock_irqrestore(&scc->zlock, flags);
 }
 
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void zs_pm(struct uart_port *uport, unsigned int state,
-		  unsigned int oldstate)
-{
-	struct zs_port *zport = to_zport(uport);
-
-	if (state < 3)
-		zport->regs[5] |= TxENAB;
-	else
-		zport->regs[5] &= ~TxENAB;
-	write_zsreg(zport, R5, zport->regs[5]);
-}
-
 
 static const char *zs_type(struct uart_port *uport)
 {
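Review bot: deleting zs_pm() together with its leading comment leaves two consecutive blank lines before zs_type() (the removed block's trailing blank and the retained one); drop one. Functionally the removal is consistent with the WR5 change above: TxENAB is now part of the initial register image, so nothing needs to re-enable the transmitter per PM state.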
@@ -1055,7 +1044,6 @@ static const struct uart_ops zs_ops = {
 	.startup	= zs_startup,
 	.shutdown	= zs_shutdown,
 	.set_termios	= zs_set_termios,
-	.pm		= zs_pm,
 	.type		= zs_type,
 	.release_port	= zs_release_port,
 	.request_port	= zs_request_port,
@@ -1210,7 +1198,6 @@ static int __init zs_console_setup(struc
 		return ret;
 
 	zs_reset(zport);
-	zs_pm(uport, 0, -1);
 
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);




* [PATCH 6.18 270/315] drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Alex Deucher

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

commit 2e7f55eb408c3f72ee1957a0d0ad11d8648a6379 upstream.

The AMDGPU_GEM_OP_GET_MAPPING_INFO branch of amdgpu_gem_op_ioctl()
holds three cleanup-tracked resources before calling kvcalloc():
the drm_gem_object reference from drm_gem_object_lookup(), the
drm_exec lock on the looked-up GEM via drm_exec_lock_obj(), and
the drm_exec lock on the per-process VM root page directory via
amdgpu_vm_lock_pd().  All three are released by the out_exec
label that every other error path in this function jumps to.
The kvcalloc() failure path returns -ENOMEM directly, skipping
out_exec and leaking all three.

The leaked per-process VM root PD dma_resv lock is the
load-bearing leak: any subsequent operation on the same VM
(further GEM ops, command-submission, eviction, TTM shrinker
callbacks) blocks on the held lock.  DRM_IOCTL_AMDGPU_GEM_OP is
DRM_AUTH | DRM_RENDER_ALLOW, so this is an unprivileged-local
denial of service against the caller's GPU context, reachable
by any process with /dev/dri/renderD* access.

Route the failure through out_exec so drm_exec_fini() and
drm_gem_object_put() run.

Reproduced on stock 7.0.0-10, Ryzen 7 5700U / Radeon Vega
(Lucienne): the failing ioctl returns -ENOMEM and a second
GET_MAPPING_INFO on the same fd then blocks in
drm_exec_lock_obj() on the leaked dma_resv.  SIGKILL on the
caller does not reap the task; the fd-release path during
process exit goes through amdgpu_gem_object_close() ->
drm_exec_prepare_obj() on the same lock, leaving the task in D
state until the box is rebooted.  The patched kernel was not
rebuilt and re-tested on this hardware; the fix is mechanical.
Tested on a single Lucienne / Vega box only.

Ziyi Guo posted an independent INT_MAX-bound check for
args->num_entries in the same branch [1]; the two patches are
complementary and can land in either order.

Fixes: 4d82724f7f2b ("drm/amdgpu: Add mapping info option for GEM_OP ioctl")
Link: https://lore.kernel.org/all/20260208000255.4073363-1-n7l8m4@u.northwestern.edu/ # [1]
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b69d3256d79de15f54c322986ff4da68f1d65b0a)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -1075,8 +1075,10 @@ int amdgpu_gem_op_ioctl(struct drm_devic
 		 * be retried.
 		 */
 		vm_entries = kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL);
-		if (!vm_entries)
-			return -ENOMEM;
+		if (!vm_entries) {
+			r = -ENOMEM;
+			goto out_exec;
+		}
 
 		amdgpu_vm_bo_va_for_each_valid_mapping(bo_va, mapping) {
 			if (num_mappings < args->num_entries) {
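Review bot: routing the kvcalloc() failure through out_exec matches the other error paths the description lists, and `r = -ENOMEM` is the right form given out_exec presumably returns r. The remaining exposure on this line is the unbounded args->num_entries passed to kvcalloc(); the description points at the separate INT_MAX check [1], and it would be worth landing that one in the same stable batch so the allocation size is capped as well.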




* [PATCH 6.12 260/307] serial: zs: Switch to using channel reset
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 8572955630f30948837088aa98bcbe0532d1ceac upstream.

Switch the driver to using the channel reset rather than hardware reset,
simplifying handling by removing an interference between channels that
causes the other channel to become uninitialised afterwards.

There is little difference between the two kinds of reset in terms of
register settings that result, and we initialise the whole register set
right away anyway.  However this prevents a hang from happening should
the console output handler in the firmware try to access the other port
whose transmitter has been disabled and line parameters messed up.

For example this will happen if the keyboard port (port A) is chosen for
the system console, unusually but not insanely for a headless system, as
the port is wired to a standard DA-15 connector and an adapter can be
easily made.  Or with the next change in place this would happen for the
regular console port (port B), since the keyboard port (port A) will be
initialised first.

Just remove the unnecessary complication then, a channel reset is good
enough.  We still need the initialisation marker, now per channel rather
than per SCC, as for the console port zs_reset() will be called twice:
once early on via zs_serial_console_init() for the console setup only,
and then again via zs_config_port() as the port is associated with a TTY
device.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062323430.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |    7 ++++---
 drivers/tty/serial/zs.h |    2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -832,21 +832,22 @@ static void zs_shutdown(struct uart_port
 
 static void zs_reset(struct zs_port *zport)
 {
+	struct zs_port *zport_a = &zport->scc->zport[ZS_CHAN_A];
 	struct zs_scc *scc = zport->scc;
 	int irq;
 	unsigned long flags;
 
 	spin_lock_irqsave(&scc->zlock, flags);
 	irq = !irqs_disabled_flags(flags);
-	if (!scc->initialised) {
+	if (!zport->initialised) {
 		/* Reset the pointer first, just in case...  */
 		read_zsreg(zport, R0);
 		/* And let the current transmission finish.  */
 		zs_line_drain(zport, irq);
-		write_zsreg(zport, R9, FHWRES);
+		write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
 		udelay(10);
 		write_zsreg(zport, R9, 0);
-		scc->initialised = 1;
+		zport->initialised = 1;
 	}
 	load_zsregs(zport, zport->regs, irq);
 	spin_unlock_irqrestore(&scc->zlock, flags);
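Review bot: `zport == zport_a ? CHRA : CHRB` works but computes a pointer purely for the comparison; comparing the channel index (zport - scc->zport == ZS_CHAN_A) or storing the channel number in zs_port would avoid the extra local and make the intent obvious. For readability, declare `scc` first and write `&scc->zport[ZS_CHAN_A]` rather than dereferencing zport->scc twice. The move from scc->initialised to zport->initialised is what makes the channel reset safe to run twice for the console port, as the description explains; a comment at the `if (!zport->initialised)` test would tie the two together.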
--- a/drivers/tty/serial/zs.h
+++ b/drivers/tty/serial/zs.h
@@ -22,6 +22,7 @@
 struct zs_port {
 	struct zs_scc	*scc;			/* Containing SCC.  */
 	struct uart_port port;			/* Underlying UART.  */
+	int		initialised;		/* For the console port.  */
 
 	int		clk_mode;		/* May be 1, 16, 32, or 64.  */
 
@@ -41,7 +42,6 @@ struct zs_scc {
 	struct zs_port	zport[2];
 	spinlock_t	zlock;
 	atomic_t	irq_guard;
-	int		initialised;
 };
 
 #endif /* __KERNEL__ */




* [PATCH 6.18 271/315] drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christian König, Vitaly Prosyak,
	Alex Deucher

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian König <christian.koenig@amd.com>

commit 1c824497d8acd3187d585d6187cedc1897dcc871 upstream.

Otherwise we don't invalidate page tables on next CS.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Tested-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b6444d1bcbc34f6f2a31a3aab3059be082f3683e)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c |    1 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c  |    7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c
@@ -78,6 +78,7 @@ static bool amdgpu_hmm_invalidate_gfx(st
 
 	mmu_interval_set_seq(mni, cur_seq);
 
+	amdgpu_vm_bo_invalidate(bo, false);
 	r = dma_resv_wait_timeout(bo->tbo.base.resv, DMA_RESV_USAGE_BOOKKEEP,
 				  false, MAX_SCHEDULE_TIMEOUT);
 	mutex_unlock(&adev->notifier_lock);
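Review bot: calling amdgpu_vm_bo_invalidate(bo, false) before the dma_resv_wait_timeout() under notifier_lock is what puts the BO on vm->invalidated so the next CS re-validates its mappings, which is the whole fix; a comment at the call site saying so would help, since the one-line commit message does not. Confirm amdgpu_vm_bo_invalidate() is safe from this MMU-notifier context (it must not sleep here); the second hunk's trylock skip for userptr BOs suggests the interaction was considered, but it should be stated.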
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1610,6 +1610,7 @@ int amdgpu_vm_handle_moved(struct amdgpu
 {
 	struct amdgpu_bo_va *bo_va;
 	struct dma_resv *resv;
+	struct amdgpu_bo *bo;
 	bool clear, unlock;
 	int r;
 
@@ -1629,11 +1630,13 @@ int amdgpu_vm_handle_moved(struct amdgpu
 	while (!list_empty(&vm->invalidated)) {
 		bo_va = list_first_entry(&vm->invalidated, struct amdgpu_bo_va,
 					 base.vm_status);
-		resv = bo_va->base.bo->tbo.base.resv;
+		bo = bo_va->base.bo;
+		resv = bo->tbo.base.resv;
 		spin_unlock(&vm->status_lock);
 
 		/* Try to reserve the BO to avoid clearing its ptes */
-		if (!adev->debug_vm && dma_resv_trylock(resv)) {
+		if (!adev->debug_vm && !amdgpu_ttm_tt_get_usermm(bo->tbo.ttm) &&
+		    dma_resv_trylock(resv)) {
 			clear = false;
 			unlock = true;
 		/* The caller is already holding the reservation lock */
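Review bot: the new `!amdgpu_ttm_tt_get_usermm(bo->tbo.ttm)` term forces userptr BOs down the clear path instead of trying the reservation; nothing in the hunk says why, so add a comment (the mappings of a BO that just came through the MMU notifier must be cleared rather than updated, because its backing pages are gone). Also check that amdgpu_ttm_tt_get_usermm() accepts a NULL tbo.ttm, since a BO on vm->invalidated need not have been populated; if not, guard the call with `bo->tbo.ttm &&`.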




* [PATCH 6.12 261/307] serial: zs: Convert to use a platform device
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 7cac59d08a73cb866ec51a483a6f3fe0f531947c upstream.

Prevent a crash from happening as the first serial port is initialised:

  Console: switching to mono frame buffer device 160x64
  fb0: PMAG-AA frame buffer device at tc0
  DECstation Z85C30 serial driver version 0.10
  CPU 0 Unable to handle kernel paging request at virtual address 0000002c, epc == 803ab00c, ra == 803aafe0
  Oops[#1]:
  CPU: 0 PID: 1 Comm: swapper Not tainted 6.4.0-rc3-00031-g84a9582fd203-dirty #57
  $ 0   : 00000000 10012c00 803aaeb0 00000000
  $ 4   : 80e12f60 80e12f50 80e12f58 81000030
  $ 8   : 00000000 805ff37c 00000000 33433538
  $12   : 65732030 00000006 80c2915d 6c616972
  $16   : 80e12f00 807b7630 00000000 00000000
  $20   : 00000004 00000348 000001a0 807623b8
  $24   : 00000018 00000000
  $28   : 80c24000 80c25d60 8078b148 803aafe0
  Hi    : 00000000
  Lo    : 00000000
  epc   : 803ab00c serial_base_ctrl_add+0x78/0xf4
  ra    : 803aafe0 serial_base_ctrl_add+0x4c/0xf4
  Status: 10012c03	KERNEL EXL IE
  Cause : 00000008 (ExcCode 02)
  BadVA : 0000002c
  PrId  : 00000440 (R4400SC)
  Modules linked in:
  Process swapper (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=00000000)
  Stack : 80760000 00000cc0 00400044 00400040 803aa02c 80d61ab8 00000000 807b7630
          80760000 807623b8 807b7628 803aa644 80386998 00000000 80e17780 80220f68
          80e17780 80d61ab8 80c17d80 80e17780 80e17780 8063c798 80e17780 80383fa0
          00000010 80e17780 00000000 80386998 807a0000 00000000 00400040 8038f848
          807623b8 80d61ab8 00000004 80e17780 00000000 803a68e4 80c25e2c 803bb884
          ...
  Call Trace:
  [<803ab00c>] serial_base_ctrl_add+0x78/0xf4
  [<803aa644>] serial_core_register_port+0x174/0x69c
  [<8077e9ac>] zs_init+0xc8/0xfc
  [<800404d4>] do_one_initcall+0x40/0x2ac
  [<8076cecc>] kernel_init_freeable+0x1e4/0x270
  [<80605bec>] kernel_init+0x20/0x108
  [<800431e8>] ret_from_kernel_thread+0x14/0x1c

  Code: 2442aeb0  ae120024  ae0200d0 <8c67002c> 50e00001  8c670000  3c06806e  3c05806e  afb30010

  ---[ end trace 0000000000000000 ]---

(report at the offending commit) -- where a pointer is dereferenced that
has been derived from a null pointer to the port's parent device.

Since no device is available with legacy probing and it's not anymore a
preferable way to discover devices anyway, switch the driver to using a
platform device and use it as the port's parent device.  Update resource
handling accordingly and only request the actual span of addresses used
within the slot, which will have had its resource already requested by
generic platform device code.

Use platform_driver_probe() not just because SCC devices are fixed with
solder on board and not straightforward to remove, but foremost because
the associated TTY's major device number is the same as used by the dz
driver and the first driver to claim it will prevent the other one from
using it.  Either one DZ device or some SCC devices will be present in a
given system but never both at a time, and therefore we want the major
device number to be claimed by the first driver to actually successfully
bind to its device and platform_driver_probe() is a way to fulfil that.

An unfortunate consequence of the switch to a platform device is we now
hand the console over from the bootconsole much later in the bootstrap.
The firmware console handler appears good enough though to work so late
and in particular with interrupts enabled.

Since there is one way only remaining to reach zs_reset() now, remove
the port initialisation marker as no longer needed and go through the
channel reset unconditionally.

Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # needs to use .remove_new for <= 6.10
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062328480.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/dec/platform.c |   60 ++++++++++++++
 drivers/tty/serial/zs.c  |  190 +++++++++++++++++------------------------------
 drivers/tty/serial/zs.h  |    1 
 3 files changed, 128 insertions(+), 123 deletions(-)

--- a/arch/mips/dec/platform.c
+++ b/arch/mips/dec/platform.c
@@ -13,6 +13,7 @@
 #include <asm/bootinfo.h>
 
 #include <asm/dec/interrupts.h>
+#include <asm/dec/ioasic_addrs.h>
 #include <asm/dec/kn01.h>
 #include <asm/dec/kn02.h>
 #include <asm/dec/system.h>
@@ -53,10 +54,37 @@ static struct platform_device *dec_dz_de
 	&dec_dz_device,
 };
 
+static struct resource dec_zs_resources[][2] = {
+	{
+		{ .name = "scc0", .flags = IORESOURCE_MEM, },
+		{ .name = "scc0", .flags = IORESOURCE_IRQ, },
+	},
+	{
+		{ .name = "scc1", .flags = IORESOURCE_MEM, },
+		{ .name = "scc1", .flags = IORESOURCE_IRQ, },
+	},
+};
+
+static struct platform_device dec_zs_device[] = {
+	{
+		.name = "zs",
+		.id = 0,
+		.resource = dec_zs_resources[0],
+		.num_resources = ARRAY_SIZE(dec_zs_resources[0]),
+	},
+	{
+		.name = "zs",
+		.id = 1,
+		.resource = dec_zs_resources[1],
+		.num_resources = ARRAY_SIZE(dec_zs_resources[1]),
+	},
+};
+
 static int __init dec_add_devices(void)
 {
-	int ret1, ret2;
-	int num_dz;
+	struct platform_device *dec_zs_devices[ARRAY_SIZE(dec_zs_device)];
+	int ret1, ret2, ret3;
+	int num_dz, num_zs;
 	int irq, i;
 
 	dec_rtc_resources[0].start = RTC_PORT(0);
@@ -84,10 +112,36 @@ static int __init dec_add_devices(void)
 	}
 	num_dz = i;
 
+	i = 0;
+	irq = dec_interrupt[DEC_IRQ_SCC0];
+	if (irq >= 0) {
+		resource_size_t base = dec_kn_slot_base + IOASIC_SCC0;
+
+		dec_zs_device[i].resource[0].start = base;
+		dec_zs_device[i].resource[0].end = base + dec_kn_slot_size - 1;
+		dec_zs_device[i].resource[1].start = irq;
+		dec_zs_device[i].resource[1].end = irq;
+		dec_zs_devices[i] = &dec_zs_device[i];
+		i++;
+	}
+	irq = dec_interrupt[DEC_IRQ_SCC1];
+	if (irq >= 0) {
+		resource_size_t base = dec_kn_slot_base + IOASIC_SCC1;
+
+		dec_zs_device[i].resource[0].start = base;
+		dec_zs_device[i].resource[0].end = base + dec_kn_slot_size - 1;
+		dec_zs_device[i].resource[1].start = irq;
+		dec_zs_device[i].resource[1].end = irq;
+		dec_zs_devices[i] = &dec_zs_device[i];
+		i++;
+	}
+	num_zs = i;
+
 	ret1 = platform_device_register(&dec_rtc_device);
 	ret2 = IS_ENABLED(CONFIG_32BIT) ?
 	       platform_add_devices(dec_dz_devices, num_dz) : 0;
-	return ret1 ? ret1 : ret2;
+	ret3 = platform_add_devices(dec_zs_devices, num_zs);
+	return ret1 ? ret1 : ret2 ? ret2 : ret3;
 }
 
 device_initcall(dec_add_devices);
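Review bot: the two `if (irq >= 0)` blocks fill `dec_zs_device[i]` positionally, so on a board where DEC_IRQ_SCC0 is absent but DEC_IRQ_SCC1 is present, the device with `.id = 0` and resources named "scc0" ends up carrying SCC1's base and IRQ. This keeps the old `zs_parms` line numbering, but the resource names then mislabel the region in /proc/iomem; either name the resources by slot index ("zs0"/"zs1") or spell out the positional mapping in the commit message. The two blocks are also near-identical and could be one loop over a small {IOASIC_SCCn, DEC_IRQ_SCCn} table.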
--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -56,6 +56,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/major.h>
+#include <linux/platform_device.h>
 #include <linux/serial.h>
 #include <linux/serial_core.h>
 #include <linux/spinlock.h>
@@ -66,10 +67,6 @@
 
 #include <linux/atomic.h>
 
-#include <asm/dec/interrupts.h>
-#include <asm/dec/ioasic_addrs.h>
-#include <asm/dec/system.h>
-
 #include "zs.h"
 
 
@@ -79,7 +76,7 @@ MODULE_LICENSE("GPL");
 
 
 static char zs_name[] __initdata = "DECstation Z85C30 serial driver version ";
-static char zs_version[] __initdata = "0.10";
+static char zs_version[] __initdata = "0.11";
 
 /*
  * It would be nice to dynamically allocate everything that
@@ -98,12 +95,8 @@ static char zs_version[] __initdata = "0
 
 #define to_zport(uport) container_of(uport, struct zs_port, port)
 
-struct zs_parms {
-	resource_size_t scc[ZS_NUM_SCCS];
-	int irq[ZS_NUM_SCCS];
-};
-
 static struct zs_scc zs_sccs[ZS_NUM_SCCS];
+static struct uart_driver zs_reg;
 
 /*
  * Set parameters in WR5, WR12, WR13 such as not to interfere
@@ -839,16 +832,15 @@ static void zs_reset(struct zs_port *zpo
 
 	spin_lock_irqsave(&scc->zlock, flags);
 	irq = !irqs_disabled_flags(flags);
-	if (!zport->initialised) {
-		/* Reset the pointer first, just in case...  */
-		read_zsreg(zport, R0);
-		/* And let the current transmission finish.  */
-		zs_line_drain(zport, irq);
-		write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
-		udelay(10);
-		write_zsreg(zport, R9, 0);
-		zport->initialised = 1;
-	}
+
+	/* Reset the pointer first, just in case...  */
+	read_zsreg(zport, R0);
+	/* And let the current transmission finish.  */
+	zs_line_drain(zport, irq);
+	write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
+	udelay(10);
+	write_zsreg(zport, R9, 0);
+
 	load_zsregs(zport, zport->regs, irq);
 	spin_unlock_irqrestore(&scc->zlock, flags);
 }
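Review bot: zs_reset() now performs the hard channel reset (`CHRA`/`CHRB` via R9) on every call, and nothing in this hunk shows which caller remains; the commit message says there is only one, so a one-line comment above the function stating that it must only be reached from the probe/console setup path would stop a future change from adding it to a per-open path, where it would reset a live line.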
@@ -1055,63 +1047,62 @@ static const struct uart_ops zs_ops = {
 /*
  * Initialize Z85C30 port structures.
  */
-static int __init zs_probe_sccs(void)
+static int __init zs_probe(struct platform_device *pdev)
 {
-	static int probed;
-	struct zs_parms zs_parms;
-	int chip, side, irq;
-	int n_chips = 0;
+	struct resource *mem_resource, *irq_resource;
+	int chip, side;
 	int i;
 
-	if (probed)
-		return 0;
+	mem_resource = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	irq_resource = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+	if (!mem_resource || !irq_resource)
+		return -ENODEV;
+
+	chip = pdev->id;
+	spin_lock_init(&zs_sccs[chip].zlock);
+	for (side = 0; side < ZS_NUM_CHAN; side++) {
+		struct zs_port *zport = &zs_sccs[chip].zport[side];
+		struct uart_port *uport = &zport->port;
 
-	irq = dec_interrupt[DEC_IRQ_SCC0];
-	if (irq >= 0) {
-		zs_parms.scc[n_chips] = IOASIC_SCC0;
-		zs_parms.irq[n_chips] = dec_interrupt[DEC_IRQ_SCC0];
-		n_chips++;
-	}
-	irq = dec_interrupt[DEC_IRQ_SCC1];
-	if (irq >= 0) {
-		zs_parms.scc[n_chips] = IOASIC_SCC1;
-		zs_parms.irq[n_chips] = dec_interrupt[DEC_IRQ_SCC1];
-		n_chips++;
-	}
-	if (!n_chips)
-		return -ENXIO;
-
-	probed = 1;
-
-	for (chip = 0; chip < n_chips; chip++) {
-		spin_lock_init(&zs_sccs[chip].zlock);
-		for (side = 0; side < ZS_NUM_CHAN; side++) {
-			struct zs_port *zport = &zs_sccs[chip].zport[side];
-			struct uart_port *uport = &zport->port;
-
-			zport->scc	= &zs_sccs[chip];
-			zport->clk_mode	= 16;
-
-			uport->has_sysrq = IS_ENABLED(CONFIG_SERIAL_ZS_CONSOLE);
-			uport->irq	= zs_parms.irq[chip];
-			uport->uartclk	= ZS_CLOCK;
-			uport->fifosize	= 1;
-			uport->iotype	= UPIO_MEM;
-			uport->flags	= UPF_BOOT_AUTOCONF;
-			uport->ops	= &zs_ops;
-			uport->line	= chip * ZS_NUM_CHAN + side;
-			uport->mapbase	= dec_kn_slot_base +
-					  zs_parms.scc[chip] +
-					  (side ^ ZS_CHAN_B) * ZS_CHAN_IO_SIZE;
+		zport->scc	= &zs_sccs[chip];
+		zport->clk_mode	= 16;
 
-			for (i = 0; i < ZS_NUM_REGS; i++)
-				zport->regs[i] = zs_init_regs[i];
-		}
+		uport->dev	= &pdev->dev;
+		uport->has_sysrq = IS_ENABLED(CONFIG_SERIAL_ZS_CONSOLE);
+		uport->irq	= irq_resource->start;
+		uport->uartclk	= ZS_CLOCK;
+		uport->fifosize	= 1;
+		uport->iotype	= UPIO_MEM;
+		uport->flags	= UPF_BOOT_AUTOCONF;
+		uport->ops	= &zs_ops;
+		uport->line	= chip * ZS_NUM_CHAN + side;
+		uport->mapbase	= mem_resource->start +
+				  (side ^ ZS_CHAN_B) * ZS_CHAN_IO_SIZE;
+
+		for (i = 0; i < ZS_NUM_REGS; i++)
+			zport->regs[i] = zs_init_regs[i];
+
+		if (uart_add_one_port(&zs_reg, uport))
+			uport->dev = NULL;
 	}
 
 	return 0;
 }
 
+static void __exit zs_remove(struct platform_device *pdev)
+{
+	int chip, side;
+
+	chip = pdev->id;
+	for (side = ZS_NUM_CHAN - 1; side >= 0; side--) {
+		struct zs_port *zport = &zs_sccs[chip].zport[side];
+		struct uart_port *uport = &zport->port;
+
+		if (uport->dev)
+			uart_remove_one_port(&zs_reg, uport);
+	}
+}
+
 
 #ifdef CONFIG_SERIAL_ZS_CONSOLE
 static void zs_console_putchar(struct uart_port *uport, unsigned char ch)
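Review bot: `chip = pdev->id` is used as an index into `zs_sccs[ZS_NUM_SCCS]` without a range check; the board code registers ids 0 and 1 today, but an `if (chip < 0 || chip >= ZS_NUM_SCCS) return -ENODEV;` next to the resource checks costs nothing and keeps a mis-registered device from writing past the array. Also, `uart_add_one_port()` failures are swallowed: `uport->dev = NULL` marks the port for zs_remove(), but probe still returns 0, so a chip where both ports failed to register stays bound with no diagnostic; a dev_err() there, or returning the error when no port was added, would help.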
@@ -1192,20 +1183,14 @@ static int __init zs_console_setup(struc
 	int bits = 8;
 	int parity = 'n';
 	int flow = 'n';
-	int ret;
-
-	ret = zs_map_port(uport);
-	if (ret)
-		return ret;
-
-	zs_reset(zport);
 
+	if (!zport->scc)
+		return -ENODEV;
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);
 	return uart_set_options(uport, co, baud, parity, bits, flow);
 }
 
-static struct uart_driver zs_reg;
 static struct console zs_console = {
 	.name	= "ttyS",
 	.write	= zs_console_write,
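Review bot: zs_map_port() and zs_reset() are dropped from zs_console_setup(), and from this hunk it is not visible where the console port is now mapped and reset before the first console write; the new `if (!zport->scc)` guard only shows that probe must have run first. A sentence in the commit message naming the remaining zs_reset() caller and where it sits relative to uart_add_one_port() would make the ordering reviewable.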
@@ -1216,23 +1201,6 @@ static struct console zs_console = {
 	.data	= &zs_reg,
 };
 
-/*
- *	Register console.
- */
-static int __init zs_serial_console_init(void)
-{
-	int ret;
-
-	ret = zs_probe_sccs();
-	if (ret)
-		return ret;
-	register_console(&zs_console);
-
-	return 0;
-}
-
-console_initcall(zs_serial_console_init);
-
 #define SERIAL_ZS_CONSOLE	&zs_console
 #else
 #define SERIAL_ZS_CONSOLE	NULL
@@ -1248,47 +1216,31 @@ static struct uart_driver zs_reg = {
 	.cons			= SERIAL_ZS_CONSOLE,
 };
 
+static struct platform_driver zs_driver = {
+	.remove = __exit_p(zs_remove),
+	.driver = { .name = "zs" },
+};
+
 /* zs_init inits the driver. */
 static int __init zs_init(void)
 {
-	int i, ret;
+	int ret;
 
 	pr_info("%s%s\n", zs_name, zs_version);
 
-	/* Find out how many Z85C30 SCCs we have.  */
-	ret = zs_probe_sccs();
-	if (ret)
-		return ret;
-
 	ret = uart_register_driver(&zs_reg);
 	if (ret)
 		return ret;
+	ret = platform_driver_probe(&zs_driver, zs_probe);
+	if (ret)
+		uart_unregister_driver(&zs_reg);
 
-	for (i = 0; i < ZS_NUM_SCCS * ZS_NUM_CHAN; i++) {
-		struct zs_scc *scc = &zs_sccs[i / ZS_NUM_CHAN];
-		struct zs_port *zport = &scc->zport[i % ZS_NUM_CHAN];
-		struct uart_port *uport = &zport->port;
-
-		if (zport->scc)
-			uart_add_one_port(&zs_reg, uport);
-	}
-
-	return 0;
+	return ret;
 }
 
 static void __exit zs_exit(void)
 {
-	int i;
-
-	for (i = ZS_NUM_SCCS * ZS_NUM_CHAN - 1; i >= 0; i--) {
-		struct zs_scc *scc = &zs_sccs[i / ZS_NUM_CHAN];
-		struct zs_port *zport = &scc->zport[i % ZS_NUM_CHAN];
-		struct uart_port *uport = &zport->port;
-
-		if (zport->scc)
-			uart_remove_one_port(&zs_reg, uport);
-	}
-
+	platform_driver_unregister(&zs_driver);
 	uart_unregister_driver(&zs_reg);
 }
 
--- a/drivers/tty/serial/zs.h
+++ b/drivers/tty/serial/zs.h
@@ -22,7 +22,6 @@
 struct zs_port {
 	struct zs_scc	*scc;			/* Containing SCC.  */
 	struct uart_port port;			/* Underlying UART.  */
-	int		initialised;		/* For the console port.  */
 
 	int		clk_mode;		/* May be 1, 16, 32, or 64.  */
 




* [PATCH 6.18 272/315] drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyi Guo, Alex Deucher

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ziyi Guo <n7l8m4@u.northwestern.edu>

commit a1ba4594232c87c3b8defd6f89a2e40f8b08395d upstream.

kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL) at
amdgpu_gem.c:1050 uses the user-supplied num_entries directly without
any upper bounds check. Since num_entries is a __u32 and
sizeof(drm_amdgpu_gem_vm_entry) is 32 bytes, a large num_entries
produces an allocation exceeding INT_MAX, triggering
WARNING in __kvmalloc_node_noprof(), causing a kernel WARNING,
TAINT_WARN, and panic on CONFIG_PANIC_ON_WARN=y systems.

Add a size bounds check before we invoke the kvzalloc() to
reject oversized num_entries early with -EINVAL.

Fixes: 4d82724f7f2b ("drm/amdgpu: Add mapping info option for GEM_OP ioctl")
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1fe7bf5457f6efd7be60b17e23163ba54341d73d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -1074,6 +1074,11 @@ int amdgpu_gem_op_ioctl(struct drm_devic
 		 * If that number is larger than the size of the array, the ioctl must
 		 * be retried.
 		 */
+		if (args->num_entries > INT_MAX / sizeof(*vm_entries)) {
+			r = -EINVAL;
+			goto out_exec;
+		}
+
 		vm_entries = kvcalloc(args->num_entries, sizeof(*vm_entries), GFP_KERNEL);
 		if (!vm_entries) {
 			r = -ENOMEM;
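Review bot: the new bound `INT_MAX / sizeof(*vm_entries)` only avoids the kvmalloc WARN; with 32-byte entries it still lets an unprivileged caller request an allocation just under 2 GiB per ioctl. Since the ioctl already returns the required count when the array is too small (see the comment above the check), a tighter cap tied to the number of mappings the BO can actually have, or a documented upper limit, would be the better check; the early `-EINVAL` with `goto out_exec` is otherwise the right shape.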




* [PATCH 6.12 262/307] USB: serial: cypress_m8: fix memory corruption with small endpoint
From: Greg Kroah-Hartman @ 2026-06-07 10:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e1a9d791fd66ab2431b9e6f6f835823809869047 upstream.

Make sure that the interrupt-out endpoint max packet size is at least
eight bytes to avoid user-controlled slab corruption or NULL-pointer
dereference should a malicious device report a smaller size.

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
[ johan: adjust context for 6.18 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/serial/cypress_m8.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index eb47f35aab0ced..905f6a560e0455 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -445,6 +445,14 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
 		return -ENODEV;
 	}
 
+	/*
+	 * The buffer must be large enough for the one or two-byte header (and
+	 * following data), but assume anything smaller than eight bytes is
+	 * broken.
+	 */
+	if (port->interrupt_out_size < 8)
+		return -EINVAL;
+
 	priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
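Review bot: the `port->interrupt_out_size < 8` check is placed before the kzalloc(), so the -EINVAL path leaks nothing, which is right; the literal 8 is explained only by the comment, so a named constant (the header-plus-minimum-payload size the write path assumes) would tie the bound to the code that relies on it. A dev_err() naming the offending endpoint size would also make a rejected device diagnosable rather than failing probe silently.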
-- 
2.53.0





* [PATCH 6.18 273/315] serial: dz: Fix bootconsole message clobbering at chip reset
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit ca904f4b42355287bc5ce8b7550ebe909cda4c2c upstream.

In the DZ interface as implemented by the DC7085 gate array the serial
transmitters are double buffered, meaning that at the time a transmitter
is ready to accept the next character there is one in the transmit shift
register still being sent to the line.  Issuing a master clear at this
time causes this character to be lost, so wait an extra amount of time
sufficient for the transmit shift register to drain at 9600bps, which is
the baud rate setting used by the firmware console.

Mind the specified 1.4us TRDY recovery time in the course and continue
using iob() as the completion barrier, since the platforms involved use
a write buffer that can delay and combine writes, and reorder them with
respect to reads regardless of the MMIO locations accessed and we still
lack a platform-independent handler for that.

When called from dz_serial_console_init() this is too early for fsleep()
to work and even before lpj has been calculated and therefore the delay
is actually not sufficient for the transmitter to drain and is merely a
placeholder now.  This will be addressed in a follow-up change.

Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062259080.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/dz.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -542,10 +542,31 @@ static int dz_encode_baud_rate(unsigned
 static void dz_reset(struct dz_port *dport)
 {
 	struct dz_mux *mux = dport->mux;
+	unsigned short tcr;
+	int loops = 10000;
 
 	if (mux->initialised)
 		return;
 
+	tcr = dz_in(dport, DZ_TCR);
+
+	/* Do not disturb any ongoing transmissions.  */
+	if (dz_in(dport, DZ_CSR) & DZ_MSE) {
+		unsigned short csr, mask;
+
+		mask = tcr;
+		while ((mask & DZ_LNENB) && loops--) {
+			csr = dz_in(dport, DZ_CSR);
+			if (!(csr & DZ_TRDY))
+				continue;
+			mask &= ~(1 << ((csr & DZ_TLINE) >> 8));
+			dz_out(dport, DZ_TCR, mask);
+			iob();
+			udelay(2);		/* 1.4us TRDY recovery.  */
+		}
+		udelay(1200);			/* Transmitter drain.  */
+	}
+
 	dz_out(dport, DZ_CSR, DZ_CLR);
 	while (dz_in(dport, DZ_CSR) & DZ_CLR);
 	iob();
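Review bot: the `while ((mask & DZ_LNENB) && loops--)` drain loop falls through silently when `loops` is exhausted, so the master clear then proceeds with some lines still enabled in TCR and their in-flight characters are lost exactly as before; a comment (or a one-time pr_warn) on that exit would make the bounded wait explicit. The `udelay(1200)` literal also deserves its derivation in the comment: one 10-bit character frame at 9600 bps is about 1042 us, so 1200 us is that plus margin, which is what the commit message argues.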




* [PATCH 6.12 263/307] USB: serial: digi_acceleport: fix memory corruption with small endpoints
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit cb3560e8eab1dfa1cac1ed52631adf8ec6ff2cd5 upstream.

Add the missing bulk-out buffer size sanity checks to avoid
out-of-bounds memory accesses or slab corruption should a malicious
device report smaller buffers than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/serial/digi_acceleport.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
index a064859654121d..a876d6629b65d1 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1229,15 +1229,34 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
 static int digi_startup(struct usb_serial *serial)
 {
 	struct digi_serial *serial_priv;
+	int oob_port_num;
 	int ret;
+	int i;
+
+	/*
+	 * The port bulk-out buffers must be large enough for header and
+	 * buffered data.
+	 */
+	for (i = 0; i < serial->type->num_ports; i++) {
+		if (serial->port[i]->bulk_out_size < DIGI_OUT_BUF_SIZE + 2)
+			return -EINVAL;
+	}
+
+	/*
+	 * The OOB port bulk-out buffer must be large enough for the two
+	 * commands in digi_set_modem_signals().
+	 */
+	oob_port_num = serial->type->num_ports;
+	if (serial->port[oob_port_num]->bulk_out_size < 8)
+		return -EINVAL;
 
 	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
 	if (!serial_priv)
 		return -ENOMEM;
 
 	spin_lock_init(&serial_priv->ds_serial_lock);
-	serial_priv->ds_oob_port_num = serial->type->num_ports;
-	serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
+	serial_priv->ds_oob_port_num = oob_port_num;
+	serial_priv->ds_oob_port = serial->port[oob_port_num];
 
 	ret = digi_port_init(serial_priv->ds_oob_port,
 						serial_priv->ds_oob_port_num);
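Review bot: the OOB port bound uses a bare `8` while the data-port bound uses `DIGI_OUT_BUF_SIZE + 2`; since the comment says 8 is the size of the two commands in digi_set_modem_signals(), a named constant next to DIGI_OUT_BUF_SIZE would keep the two places from drifting apart. The loop over `serial->type->num_ports` followed by the access to `serial->port[oob_port_num]` also relies on the core having allocated num_ports + 1 ports for this type; that is the existing assumption behind `ds_oob_port`, so it is fine, but worth a sentence in the commit message.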
-- 
2.53.0





* [PATCH 6.18 274/315] serial: dz: Fix bootconsole handover lockup
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 7f127b2208e5e2b817243cad41fe4211a6d5a7a3 upstream.

Calling dz_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled.  We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by dz_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.

This will change with the next change to the driver, so fix dz_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset.  This
also means dz_pm() serves no purpose anymore, so drop it.

Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062302010.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/dz.c |   36 ++++++++++++------------------------
 1 file changed, 12 insertions(+), 24 deletions(-)

--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -571,6 +571,18 @@ static void dz_reset(struct dz_port *dpo
 	while (dz_in(dport, DZ_CSR) & DZ_CLR);
 	iob();
 
+	/*
+	 * Set parameters across all lines such as not to interfere
+	 * with the initial PROM-based console.  Otherwise any output
+	 * produced before the console handover would cause the system
+	 * firmware to produce rubbish.
+	 */
+	for (int line = 0; line < DZ_NB_PORT; line++)
+		dz_out(dport, DZ_LPR, DZ_B9600 | DZ_CS8 | line);
+
+	/* Re-enable transmission for the initial PROM-based console.  */
+	dz_out(dport, DZ_TCR, tcr);
+
 	/* Enable scanning.  */
 	dz_out(dport, DZ_CSR, DZ_MSE);
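Review bot: the loop writes `DZ_B9600 | DZ_CS8 | line` to every line regardless of any `console=` baud the user passed, so a non-9600 console setting is only applied later by uart_set_options(); that is intended here (the firmware console runs 9600n8), but saying in the comment that the value is deliberately the firmware's, not the kernel's, would save the next reader a question. Restoring the `tcr` captured before the clear correctly re-enables only the lines the firmware had enabled, which is the right scope.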
 
@@ -654,26 +666,6 @@ static void dz_set_termios(struct uart_p
 	uart_port_unlock_irqrestore(&dport->port, flags);
 }
 
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void dz_pm(struct uart_port *uport, unsigned int state,
-		  unsigned int oldstate)
-{
-	struct dz_port *dport = to_dport(uport);
-	unsigned long flags;
-
-	uart_port_lock_irqsave(&dport->port, &flags);
-	if (state < 3)
-		dz_start_tx(&dport->port);
-	else
-		dz_stop_tx(&dport->port);
-	uart_port_unlock_irqrestore(&dport->port, flags);
-}
-
-
 static const char *dz_type(struct uart_port *uport)
 {
 	return "DZ";
@@ -769,7 +761,6 @@ static const struct uart_ops dz_ops = {
 	.startup	= dz_startup,
 	.shutdown	= dz_shutdown,
 	.set_termios	= dz_set_termios,
-	.pm		= dz_pm,
 	.type		= dz_type,
 	.release_port	= dz_release_port,
 	.request_port	= dz_request_port,
@@ -894,10 +885,7 @@ static int __init dz_console_setup(struc
 	if (ret)
 		return ret;
 
-	spin_lock_init(&dport->port.lock);	/* For dz_pm().  */
-
 	dz_reset(dport);
-	dz_pm(uport, 0, -1);
 
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);
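Review bot: with `spin_lock_init(&dport->port.lock)` removed along with dz_pm(), this hunk no longer shows where `port.lock` is initialised before the console path uses it, and the old comment tied that init to dz_pm() only. If the intent is that uart_set_options() initialises the lock for a not-yet-registered console, say so in the commit message so the dependency on serial core behaviour is explicit rather than implied.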




* [PATCH 6.12 264/307] xhci: tegra: Fix ghost USB device on dual-role port unplug
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wei-Cheng Chen, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wei-Cheng Chen <weichengc@nvidia.com>

[ Upstream commit 5a4c828b8b29b47534814ade26d9aee09d5101fc ]

When a USB device is unplugged from the dual-role port, the device-mode
path in tegra_xhci_id_work() explicitly clears both SS and HS port power
via direct hub_control ClearPortFeature(POWER) calls. This preempts the
xHCI controller's normal disconnect processing -- PORT_CSC is never
generated, the USB core never sees the disconnect, and the device remains
in its internal tree as a ghost visible in lsusb.

Add an otg_set_port_power flag to control whether the dual-role switch
path performs explicit port power management. SoCs that need it
(Tegra124 / Tegra210 / Tegra186) set the flag; later SoCs (Tegra194 and
beyond) rely on the PHY mode change to handle disconnect naturally and
skip all port power calls.

Within the port power path, otg_reset_sspi additionally gates the SSPI
reset sequence on host-mode entry for SoCs that require it.

Flags set per SoC:
  Tegra124, Tegra186  -> otg_set_port_power
  Tegra210            -> otg_set_port_power, otg_reset_sspi
  Tegra194 and later  -> (none)

[ Backport to 6.12.y: keep the host-mode snapshot in the existing
  tegra->lock section, retain pm_runtime_mark_last_busy() in the host
  port-power path, and resolve context around the SoC ops/Tegra234
  entries. ]

Fixes: f836e7843036 ("usb: xhci-tegra: Add OTG support")
Cc: stable@vger.kernel.org
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Link: https://patch.msgid.link/20260505112630.217704-1-weichengc@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/xhci-tegra.c | 79 ++++++++++++++++++++---------------
 1 file changed, 45 insertions(+), 34 deletions(-)

diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
index 89b3079194d7b3..2eb1aa25be1d37 100644
--- a/drivers/usb/host/xhci-tegra.c
+++ b/drivers/usb/host/xhci-tegra.c
@@ -243,6 +243,7 @@ struct tegra_xusb_soc {
 	bool has_ipfs;
 	bool lpm_support;
 	bool otg_reset_sspi;
+	bool otg_set_port_power;
 
 	bool has_bar2;
 };
@@ -1346,14 +1347,17 @@ static void tegra_xhci_id_work(struct work_struct *work)
 	struct tegra_xusb_mbox_msg msg;
 	struct phy *phy = tegra_xusb_get_phy(tegra, "usb2",
 						    tegra->otg_usb2_port);
+	bool host_mode;
 	u32 status;
 	int ret;
 
-	dev_dbg(tegra->dev, "host mode %s\n", tegra->host_mode ? "on" : "off");
-
 	mutex_lock(&tegra->lock);
 
-	if (tegra->host_mode)
+	host_mode = tegra->host_mode;
+
+	dev_dbg(tegra->dev, "host mode %s\n", host_mode ? "on" : "off");
+
+	if (host_mode)
 		phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_HOST);
 	else
 		phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_NONE);
@@ -1364,42 +1368,44 @@ static void tegra_xhci_id_work(struct work_struct *work)
 								    tegra->otg_usb2_port);
 
 	pm_runtime_get_sync(tegra->dev);
-	if (tegra->host_mode) {
-		/* switch to host mode */
-		if (tegra->otg_usb3_port >= 0) {
-			if (tegra->soc->otg_reset_sspi) {
-				/* set PP=0 */
-				tegra_xhci_hc_driver.hub_control(
-					xhci->shared_hcd, GetPortStatus,
-					0, tegra->otg_usb3_port+1,
-					(char *) &status, sizeof(status));
-				if (status & USB_SS_PORT_STAT_POWER)
-					tegra_xhci_set_port_power(tegra, false,
-								  false);
-
-				/* reset OTG port SSPI */
-				msg.cmd = MBOX_CMD_RESET_SSPI;
-				msg.data = tegra->otg_usb3_port+1;
-
-				ret = tegra_xusb_mbox_send(tegra, &msg);
-				if (ret < 0) {
-					dev_info(tegra->dev,
-						"failed to RESET_SSPI %d\n",
-						ret);
+	if (tegra->soc->otg_set_port_power) {
+		if (host_mode) {
+			/* switch to host mode */
+			if (tegra->otg_usb3_port >= 0) {
+				if (tegra->soc->otg_reset_sspi) {
+					/* set PP=0 */
+					tegra_xhci_hc_driver.hub_control(
+						xhci->shared_hcd, GetPortStatus,
+						0, tegra->otg_usb3_port+1,
+						(char *) &status, sizeof(status));
+					if (status & USB_SS_PORT_STAT_POWER)
+						tegra_xhci_set_port_power(tegra, false,
+									  false);
+
+					/* reset OTG port SSPI */
+					msg.cmd = MBOX_CMD_RESET_SSPI;
+					msg.data = tegra->otg_usb3_port+1;
+
+					ret = tegra_xusb_mbox_send(tegra, &msg);
+					if (ret < 0) {
+						dev_info(tegra->dev,
+							"failed to RESET_SSPI %d\n",
+							ret);
+					}
 				}
-			}
 
-			tegra_xhci_set_port_power(tegra, false, true);
-		}
+				tegra_xhci_set_port_power(tegra, false, true);
+			}
 
-		tegra_xhci_set_port_power(tegra, true, true);
-		pm_runtime_mark_last_busy(tegra->dev);
+			tegra_xhci_set_port_power(tegra, true, true);
+			pm_runtime_mark_last_busy(tegra->dev);
 
-	} else {
-		if (tegra->otg_usb3_port >= 0)
-			tegra_xhci_set_port_power(tegra, false, false);
+		} else {
+			if (tegra->otg_usb3_port >= 0)
+				tegra_xhci_set_port_power(tegra, false, false);
 
-		tegra_xhci_set_port_power(tegra, true, false);
+			tegra_xhci_set_port_power(tegra, true, false);
+		}
 	}
 	pm_runtime_put_autosuspend(tegra->dev);
 }
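Review bot: `pm_runtime_get_sync()`/`pm_runtime_put_autosuspend()` still bracket the whole block even though for SoCs without `otg_set_port_power` the block is now empty, so Tegra194/234 take a runtime-PM resume for nothing on every role change; an early `if (!tegra->soc->otg_set_port_power) return;` placed before the get (or moving the get/put inside the conditional) would avoid that and also flatten the five-level nesting. Unrelated but visible in the moved code: `status` from the GetPortStatus hub_control() call is tested without checking that call's return value, which is pre-existing.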
@@ -2497,6 +2503,7 @@ static const struct tegra_xusb_soc tegra124_soc = {
 	.scale_ss_clock = true,
 	.has_ipfs = true,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = true,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0xe4,
@@ -2535,6 +2542,7 @@ static const struct tegra_xusb_soc tegra210_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = true,
 	.otg_reset_sspi = true,
+	.otg_set_port_power = true,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0xe4,
@@ -2578,6 +2586,7 @@ static const struct tegra_xusb_soc tegra186_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = true,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0xe4,
@@ -2611,6 +2620,7 @@ static const struct tegra_xusb_soc tegra194_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = false,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0x68,
@@ -2643,6 +2653,7 @@ static const struct tegra_xusb_soc tegra234_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = false,
 	.ops = &tegra234_ops,
 	.mbox = {
 		.cmd = XUSB_BAR2_ARU_MBOX_CMD,
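Review bot: the explicit `.otg_set_port_power = false` lines in tegra194_soc and tegra234_soc are redundant for a static const struct (missing members are zero), but they match the existing `.otg_reset_sspi = false` style and make the per-SoC policy greppable in one place; fine as written, though the five entries would be easier to audit if the struct member's declaration carried a comment saying what "port power" handling is skipped when it is false.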
-- 
2.53.0





* [PATCH 6.18 275/315] serial: dz: Convert to use a platform device
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 5d7a49d60b8fda66da60e240fd7315232fa1754f upstream.

Prevent a crash from happening as the first serial port is initialised:

  Console: switching to colour frame buffer device 160x64
  tgafb: SFB+ detected, rev=0x02
  fb0: Digital ZLX-E1 frame buffer device at 0x1e000000
  DECstation DZ serial driver version 1.04
  CPU 0 Unable to handle kernel paging request at virtual address 000000bc, epc == 8048b3a4, ra == 80470a78
  Oops[#1]:
  CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0-dirty #35 NONE
  $ 0   : 00000000 1000ac00 00000004 804707ac
  $ 4   : 00000000 80e20850 80e20858 81000030
  $ 8   : 00000000 8072c81c 00000008 fefefeff
  $12   : 6c616972 00000006 80c5917f 69726420
  $16   : 80e20800 00000000 808f8968 80e20800
  $20   : 00000000 807f5a90 808b0094 808d3bc8
  $24   : 00000018 80479030
  $28   : 80c2e000 80c2fd70 00000069 80470a78
  Hi    : 00000004
  Lo    : 00000000
  epc   : 8048b3a4 __dev_fwnode+0x0/0xc
  ra    : 80470a78 serial_base_ctrl_add+0xa0/0x168
  Status: 1000ac04	IEp
  Cause : 30000008 (ExcCode 02)
  BadVA : 000000bc
  PrId  : 00000220 (R3000)
  Modules linked in:
  Process swapper/0 (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=00000000)
  Stack : 00400044 00400040 8046f4cc 00000000 808a6148 808a0000 808f8968 8086983c
          808e0000 8046fc84 1000ac01 00000028 80e20700 802ba3f8 80e20700 80d34a94
          80c1b900 80e20700 80e20700 80e20700 80e20700 80444650 00000000 00000000
          00000000 807f5a90 808b0094 80447080 00400040 808e0000 80d34a94 808a6148
          80d34a94 00000004 80e20700 00000000 8076974c 80469810 80c2fe3c 1000ac01
          ...
  Call Trace:
  [<8048b3a4>] __dev_fwnode+0x0/0xc
  [<80470a78>] serial_base_ctrl_add+0xa0/0x168
  [<8046fc84>] serial_core_register_port+0x1c8/0x974
  [<808c6af0>] dz_init+0x74/0xc8
  [<800470e0>] do_one_initcall+0x44/0x2d4
  [<808b111c>] kernel_init_freeable+0x258/0x308
  [<8072e434>] kernel_init+0x20/0x114
  [<80049cd0>] ret_from_kernel_thread+0x14/0x1c

  Code: 27bd0018  03e00008  2402ffea <8c8200bc> 03e00008  00000000  27bdffc0  afbe0038  afb30024

  ---[ end trace 0000000000000000 ]---

-- where a pointer is dereferenced that has been derived from a null
pointer to the port's parent device.

Since no device is available with legacy probing and it's not anymore a
preferable way to discover devices anyway, switch the driver to using a
platform device and use it as the port's parent device.  Update resource
handling accordingly and only request the actual span of addresses used
within the slot, which will have had its resource already requested by
generic platform device code.

Use platform_driver_probe() not just because the DZ device is fixed with
solder on board and not straightforward to remove, but foremost because
the associated TTY's major device number is the same as used by the zs
driver and the first driver to claim it will prevent the other one from
using it.  Either one DZ device or some SCC devices will be present in a
given system but never both at a time, and therefore we want the major
device number to be claimed by the first driver to actually successfully
bind to its device and platform_driver_probe() is a way to fulfil that.

An unfortunate consequence of the switch to a platform device is we now
hand the console over from the bootconsole much later in the bootstrap.
The firmware console handler appears good enough though to work so late
and in particular with interrupts enabled.

Conversely only starting the console port so late lets the reset code
fully utilise our delay handlers, so switch from udelay() to fsleep()
for transmitter draining so as to avoid busy-waiting for an excessive
amount of time.

Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # needs to use .remove_new for <= 6.10
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062326540.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/dec/platform.c |   55 +++++++++++++++++++++-
 drivers/tty/serial/dz.c  |  116 ++++++++++++++++++++++-------------------------
 2 files changed, 110 insertions(+), 61 deletions(-)

--- a/arch/mips/dec/platform.c
+++ b/arch/mips/dec/platform.c
@@ -10,6 +10,13 @@
 #include <linux/mc146818rtc.h>
 #include <linux/platform_device.h>
 
+#include <asm/bootinfo.h>
+
+#include <asm/dec/interrupts.h>
+#include <asm/dec/kn01.h>
+#include <asm/dec/kn02.h>
+#include <asm/dec/system.h>
+
 static struct resource dec_rtc_resources[] = {
 	{
 		.name = "rtc",
@@ -30,11 +37,57 @@ static struct platform_device dec_rtc_de
 	.num_resources = ARRAY_SIZE(dec_rtc_resources),
 };
 
+static struct resource dec_dz_resources[] = {
+	{ .name = "dz", .flags = IORESOURCE_MEM, },
+	{ .name = "dz", .flags = IORESOURCE_IRQ, },
+};
+
+static struct platform_device dec_dz_device = {
+	.name = "dz",
+	.id = PLATFORM_DEVID_NONE,
+	.resource = dec_dz_resources,
+	.num_resources = ARRAY_SIZE(dec_dz_resources),
+};
+
+static struct platform_device *dec_dz_devices[] __initdata = {
+	&dec_dz_device,
+};
+
 static int __init dec_add_devices(void)
 {
+	int ret1, ret2;
+	int num_dz;
+	int irq, i;
+
 	dec_rtc_resources[0].start = RTC_PORT(0);
 	dec_rtc_resources[0].end = RTC_PORT(0) + dec_kn_slot_size - 1;
-	return platform_device_register(&dec_rtc_device);
+
+	i = 0;
+	irq = dec_interrupt[DEC_IRQ_DZ11];
+	if (IS_ENABLED(CONFIG_32BIT) && irq >= 0) {
+		resource_size_t base;
+
+		switch (mips_machtype) {
+		case MACH_DS23100:
+		case MACH_DS5100:
+			base = dec_kn_slot_base + KN01_DZ11;
+			break;
+		default:
+			base = dec_kn_slot_base + KN02_DZ11;
+			break;
+		}
+		dec_dz_device.resource[0].start = base;
+		dec_dz_device.resource[0].end = base + dec_kn_slot_size - 1;
+		dec_dz_device.resource[1].start = irq;
+		dec_dz_device.resource[1].end = irq;
+		i++;
+	}
+	num_dz = i;
+
+	ret1 = platform_device_register(&dec_rtc_device);
+	ret2 = IS_ENABLED(CONFIG_32BIT) ?
+	       platform_add_devices(dec_dz_devices, num_dz) : 0;
+	return ret1 ? ret1 : ret2;
 }
 
 device_initcall(dec_add_devices);
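Review bot: in dec_add_devices() `IS_ENABLED(CONFIG_32BIT)` is tested twice: once gating the resource setup and again in the `ret2` ternary. `num_dz` can only be non-zero when the first test passed, and `platform_add_devices(dec_dz_devices, 0)` is a no-op, so the second test can go. The `i`/`num_dz` counter pair for a single device is also more machinery than needed; `int num_dz = 0;` incremented inside the branch reads more directly. Separately, the RTC code writes `dec_rtc_resources[0]` while the new code goes through `dec_dz_device.resource[0]`; pick one form for both devices.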
--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -40,6 +40,7 @@
 #include <linux/kernel.h>
 #include <linux/major.h>
 #include <linux/module.h>
+#include <linux/platform_device.h>
 #include <linux/serial.h>
 #include <linux/serial_core.h>
 #include <linux/sysrq.h>
@@ -48,14 +49,6 @@
 
 #include <linux/atomic.h>
 #include <linux/io.h>
-#include <asm/bootinfo.h>
-
-#include <asm/dec/interrupts.h>
-#include <asm/dec/kn01.h>
-#include <asm/dec/kn02.h>
-#include <asm/dec/machtype.h>
-#include <asm/dec/prom.h>
-#include <asm/dec/system.h>
 
 #include "dz.h"
 
@@ -65,7 +58,9 @@ MODULE_LICENSE("GPL");
 
 
 static char dz_name[] __initdata = "DECstation DZ serial driver version ";
-static char dz_version[] __initdata = "1.04";
+static char dz_version[] __initdata = "1.05";
+
+#define DZ_IO_SIZE 0x20			/* IOMEM space size.  */
 
 struct dz_port {
 	struct dz_mux		*mux;
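Review bot: `DZ_IO_SIZE 0x20` is a magic number documented only as "IOMEM space size". Since it replaces `dec_kn_slot_size` as the span that request_mem_region()/ioremap() cover in the later hunks, the comment should say which register offsets from dz.h it encloses (the highest one plus its width), so that a future register addition cannot silently fall outside the mapping.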
@@ -81,6 +76,7 @@ struct dz_mux {
 };
 
 static struct dz_mux dz_mux;
+static struct uart_driver dz_reg;
 
 static inline struct dz_port *to_dport(struct uart_port *uport)
 {
@@ -564,7 +560,7 @@ static void dz_reset(struct dz_port *dpo
 			iob();
 			udelay(2);		/* 1.4us TRDY recovery.  */
 		}
-		udelay(1200);			/* Transmitter drain.  */
+		fsleep(1200);			/* Transmitter drain.  */
 	}
 
 	dz_out(dport, DZ_CSR, DZ_CLR);
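Review bot: replacing the transmitter drain `udelay(1200)` with `fsleep(1200)` turns dz_reset() into a function that may sleep, so every remaining caller must run in process context without a spinlock held; the callers are not visible in this hunk. A `might_sleep()` at the top of dz_reset(), or at least a comment next to the `fsleep()`, would document the new requirement and catch a future caller that reintroduces an atomic context.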
@@ -681,14 +677,13 @@ static void dz_release_port(struct uart_
 
 	map_guard = atomic_add_return(-1, &mux->map_guard);
 	if (!map_guard)
-		release_mem_region(uport->mapbase, dec_kn_slot_size);
+		release_mem_region(uport->mapbase, DZ_IO_SIZE);
 }
 
 static int dz_map_port(struct uart_port *uport)
 {
 	if (!uport->membase)
-		uport->membase = ioremap(uport->mapbase,
-						 dec_kn_slot_size);
+		uport->membase = ioremap(uport->mapbase, DZ_IO_SIZE);
 	if (!uport->membase) {
 		printk(KERN_ERR "dz: Cannot map MMIO\n");
 		return -ENOMEM;
@@ -704,8 +699,7 @@ static int dz_request_port(struct uart_p
 
 	map_guard = atomic_add_return(1, &mux->map_guard);
 	if (map_guard == 1) {
-		if (!request_mem_region(uport->mapbase, dec_kn_slot_size,
-					"dz")) {
+		if (!request_mem_region(uport->mapbase, DZ_IO_SIZE, "dz")) {
 			atomic_add(-1, &mux->map_guard);
 			printk(KERN_ERR
 			       "dz: Unable to reserve MMIO resource\n");
@@ -716,7 +710,7 @@ static int dz_request_port(struct uart_p
 	if (ret) {
 		map_guard = atomic_add_return(-1, &mux->map_guard);
 		if (!map_guard)
-			release_mem_region(uport->mapbase, dec_kn_slot_size);
+			release_mem_region(uport->mapbase, DZ_IO_SIZE);
 		return ret;
 	}
 	return 0;
@@ -768,20 +762,15 @@ static const struct uart_ops dz_ops = {
 	.verify_port	= dz_verify_port,
 };
 
-static void __init dz_init_ports(void)
+static int __init dz_probe(struct platform_device *pdev)
 {
-	static int first = 1;
-	unsigned long base;
+	struct resource *mem_resource, *irq_resource;
 	int line;
 
-	if (!first)
-		return;
-	first = 0;
-
-	if (mips_machtype == MACH_DS23100 || mips_machtype == MACH_DS5100)
-		base = dec_kn_slot_base + KN01_DZ11;
-	else
-		base = dec_kn_slot_base + KN02_DZ11;
+	mem_resource = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	irq_resource = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+	if (!mem_resource || !irq_resource)
+		return -ENODEV;
 
 	for (line = 0; line < DZ_NB_PORT; line++) {
 		struct dz_port *dport = &dz_mux.dport[line];
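Review bot: dz_probe() fetches the interrupt with `platform_get_resource(pdev, IORESOURCE_IRQ, 0)`; the preferred accessor is `platform_get_irq(pdev, 0)`, which returns the number directly (negative errno when absent) and removes the `irq_resource` pointer and the later `irq_resource->start` dereference. Marking the probe function `__init` is only valid because it is passed to platform_driver_probe() rather than set as `.probe`; a one-line comment saying so would stop someone later "fixing" it into a regular probe.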
@@ -789,14 +778,33 @@ static void __init dz_init_ports(void)
 
 		dport->mux	= &dz_mux;
 
-		uport->irq	= dec_interrupt[DEC_IRQ_DZ11];
+		uport->dev	= &pdev->dev;
+		uport->irq	= irq_resource->start;
 		uport->fifosize	= 1;
 		uport->iotype	= UPIO_MEM;
 		uport->flags	= UPF_BOOT_AUTOCONF;
 		uport->ops	= &dz_ops;
 		uport->line	= line;
-		uport->mapbase	= base;
+		uport->mapbase	= mem_resource->start;
 		uport->has_sysrq = IS_ENABLED(CONFIG_SERIAL_DZ_CONSOLE);
+
+		if (uart_add_one_port(&dz_reg, uport))
+			uport->dev = NULL;
+	}
+
+	return 0;
+}
+
+static void __exit dz_remove(struct platform_device *pdev)
+{
+	int line;
+
+	for (line = DZ_NB_PORT - 1; line >= 0; line--) {
+		struct dz_port *dport = &dz_mux.dport[line];
+		struct uart_port *uport = &dport->port;
+
+		if (uport->dev)
+			uart_remove_one_port(&dz_reg, uport);
 	}
 }
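Review bot: in dz_probe() a failing `uart_add_one_port()` is recorded only by clearing `uport->dev`, and probe still returns 0, so a port that could not be registered disappears silently; if all DZ_NB_PORT ports fail the driver still reports success. At minimum log the failure with dev_err(), and consider propagating the error for line 0, which carries the console. The reverse-order walk in dz_remove() keyed on `uport->dev` correctly mirrors this, so whatever is chosen, keep the two in step.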
 
@@ -879,21 +887,14 @@ static int __init dz_console_setup(struc
 	int bits = 8;
 	int parity = 'n';
 	int flow = 'n';
-	int ret;
-
-	ret = dz_map_port(uport);
-	if (ret)
-		return ret;
-
-	dz_reset(dport);
 
+	if (!dport->mux)
+		return -ENODEV;
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);
-
-	return uart_set_options(&dport->port, co, baud, parity, bits, flow);
+	return uart_set_options(uport, co, baud, parity, bits, flow);
 }
 
-static struct uart_driver dz_reg;
 static struct console dz_console = {
 	.name	= "ttyS",
 	.write	= dz_console_print,
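Review bot: dz_console_setup() now uses `dport->mux` as its "probe has run" marker and returns -ENODEV otherwise, but nothing says where the port mapping and reset that used to happen here (`dz_map_port()`, `dz_reset()`) are expected to have taken place by the time the console is set up. A short comment above the `if (!dport->mux)` check explaining the ordering would save the next reader a walk through serial core.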
@@ -904,18 +905,6 @@ static struct console dz_console = {
 	.data	= &dz_reg,
 };
 
-static int __init dz_serial_console_init(void)
-{
-	if (!IOASIC) {
-		dz_init_ports();
-		register_console(&dz_console);
-		return 0;
-	} else
-		return -ENXIO;
-}
-
-console_initcall(dz_serial_console_init);
-
 #define SERIAL_DZ_CONSOLE	&dz_console
 #else
 #define SERIAL_DZ_CONSOLE	NULL
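Review bot: with dz_serial_console_init() and its `IOASIC` check removed, console registration now relies on serial core picking up `dz_reg.cons` when uart_add_one_port() runs, and the IOASIC exclusion is expressed only indirectly by arch/mips/dec/platform.c creating the device when `dec_interrupt[DEC_IRQ_DZ11] >= 0`. A comment at one of the two sites tying them together would help, since the two files will be maintained separately.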
@@ -931,25 +920,32 @@ static struct uart_driver dz_reg = {
 	.cons			= SERIAL_DZ_CONSOLE,
 };
 
+static struct platform_driver dz_driver = {
+	.remove = __exit_p(dz_remove),
+	.driver = { .name = "dz" },
+};
+
 static int __init dz_init(void)
 {
-	int ret, i;
-
-	if (IOASIC)
-		return -ENXIO;
+	int ret;
 
 	printk("%s%s\n", dz_name, dz_version);
 
-	dz_init_ports();
-
 	ret = uart_register_driver(&dz_reg);
 	if (ret)
 		return ret;
+	ret = platform_driver_probe(&dz_driver, dz_probe);
+	if (ret)
+		uart_unregister_driver(&dz_reg);
 
-	for (i = 0; i < DZ_NB_PORT; i++)
-		uart_add_one_port(&dz_reg, &dz_mux.dport[i].port);
+	return ret;
+}
 
-	return 0;
+static void __exit dz_exit(void)
+{
+	platform_driver_unregister(&dz_driver);
+	uart_unregister_driver(&dz_reg);
 }
 
 module_init(dz_init);
+module_exit(dz_exit);
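Review bot: dz_init() now prints the version banner before platform_driver_probe() runs, whereas the removed `if (IOASIC) return -ENXIO;` used to bail out ahead of the printk; on systems without a DZ the "DECstation DZ serial driver version 1.05" line will now appear even though probe returns -ENODEV and the driver unregisters itself. Move the printk after a successful probe (or into dz_probe()) to keep the old behaviour. Also, `dz_driver` intentionally has no `.probe` because platform_driver_probe() supplies it; a comment on the struct would prevent that from being "corrected".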




* [PATCH 6.12 265/307] iommu: Skip PASID validation for devices without PASID capability
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tushar Dave, Lu Baolu, Vasant Hegde,
	Joerg Roedel, Dmitrii Chervov, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tushar Dave <tdave@nvidia.com>

[ Upstream commit b3f6fcd8404f9f92262303369bb877ec5d188a81 ]

Generally PASID support requires ACS settings that usually create
single device groups, but there are some niche cases where we can get
multi-device groups and still have working PASID support. The primary
issue is that PCI switches are not required to treat PASID tagged TLPs
specially so appropriate ACS settings are required to route all TLPs to
the host bridge if PASID is going to work properly.

pci_enable_pasid() does check that each device that will use PASID has
the proper ACS settings to achieve this routing.

However, no-PASID devices can be combined with PASID capable devices
within the same topology using non-uniform ACS settings. In this case
the no-PASID devices may not have strict route to host ACS flags and
end up being grouped with the PASID devices.

This configuration fails to allow use of the PASID within the iommu
core code which wrongly checks if the no-PASID device supports PASID.

Fix this by ignoring no-PASID devices during the PASID validation. They
will never issue a PASID TLP anyhow so they can be ignored.

Fixes: c404f55c26fc ("iommu: Validate the PASID in iommu_attach_device_pasid()")
Cc: stable@vger.kernel.org
Signed-off-by: Tushar Dave <tdave@nvidia.com>
Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Link: https://lore.kernel.org/r/20250520011937.3230557-1-tdave@nvidia.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>

[ Refactored to apply cleanly without support attaching PASID to the blocked domain ]
Signed-off-by: Dmitrii Chervov <fary.ru@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/iommu.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 0ad55649e2d007..62e1d637250318 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -3341,9 +3341,11 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain,
 	int ret;
 
 	for_each_group_device(group, device) {
-		ret = domain->ops->set_dev_pasid(domain, device->dev, pasid);
-		if (ret)
-			goto err_revert;
+		if (device->dev->iommu->max_pasids > 0) {
+			ret = domain->ops->set_dev_pasid(domain, device->dev, pasid);
+			if (ret)
+				goto err_revert;
+		}
 	}
 
 	return 0;
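Review bot: the `device->dev->iommu->max_pasids > 0` test is repeated here, in the err_revert loop, in __iommu_remove_group_pasid() and in iommu_attach_device_pasid(); factoring it into a small static helper (a hypothetical `dev_has_pasid(dev)`) keeps the four sites from drifting apart, which matters because the revert loop must skip exactly the devices the forward loop skipped or remove_dev_pasid() will be called on a device that never had set_dev_pasid().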
@@ -3355,7 +3357,8 @@ static int __iommu_set_group_pasid(struct iommu_domain *domain,
 
 		if (device == last_gdev)
 			break;
-		ops->remove_dev_pasid(device->dev, pasid, domain);
+		if (device->dev->iommu->max_pasids > 0)
+			ops->remove_dev_pasid(device->dev, pasid, domain);
 	}
 	return ret;
 }
@@ -3368,8 +3371,10 @@ static void __iommu_remove_group_pasid(struct iommu_group *group,
 	const struct iommu_ops *ops;
 
 	for_each_group_device(group, device) {
-		ops = dev_iommu_ops(device->dev);
-		ops->remove_dev_pasid(device->dev, pasid, domain);
+		if (device->dev->iommu->max_pasids > 0) {
+			ops = dev_iommu_ops(device->dev);
+			ops->remove_dev_pasid(device->dev, pasid, domain);
+		}
 	}
 }
 
@@ -3403,7 +3408,13 @@ int iommu_attach_device_pasid(struct iommu_domain *domain,
 
 	mutex_lock(&group->mutex);
 	for_each_group_device(group, device) {
-		if (pasid >= device->dev->iommu->max_pasids) {
+		/*
+		 * Skip PASID validation for devices without PASID support
+		 * (max_pasids = 0). These devices cannot issue transactions
+		 * with PASID, so they don't affect group's PASID usage.
+		 */
+		if ((device->dev->iommu->max_pasids > 0) &&
+		    (pasid >= device->dev->iommu->max_pasids)) {
 			ret = -EINVAL;
 			goto out_unlock;
 		}
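Review bot: the relaxed check in iommu_attach_device_pasid() also skips the device being attached when its own `max_pasids` is 0, and since __iommu_set_group_pasid() skips such devices too, the call would then return 0 without any set_dev_pasid() having been issued. If callers can only reach this point after pci_enable_pasid() that is harmless, but an explicit `if (!dev->iommu->max_pasids) return -EINVAL;` before the group walk, or a comment saying why it is unnecessary, would make the contract clear. Minor: the parentheses around each comparison in the `&&` are not kernel style.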
-- 
2.53.0





* [PATCH 6.18 276/315] serial: zs: Fix bootconsole handover lockup
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 6c05cf72e13314ce9b770b5951695dc5a2152920 upstream.

Calling zs_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled.  We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by zs_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.

This will change with the next change to the driver, so fix zs_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset.  This
also means zs_pm() serves no purpose anymore, so drop it.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062308040.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |   29 ++++++++---------------------
 1 file changed, 8 insertions(+), 21 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -105,18 +105,24 @@ struct zs_parms {
 
 static struct zs_scc zs_sccs[ZS_NUM_SCCS];
 
+/*
+ * Set parameters in WR5, WR12, WR13 such as not to interfere
+ * with the initial PROM-based console.  Otherwise any output
+ * produced before the console handover would cause the system
+ * firmware to hang (TxENAB) or produce rubbish (Tx8, B9600).
+ */
 static u8 zs_init_regs[ZS_NUM_REGS] __initdata = {
 	0,				/* write 0 */
 	PAR_SPEC,			/* write 1 */
 	0,				/* write 2 */
 	0,				/* write 3 */
 	X16CLK | SB1,			/* write 4 */
-	0,				/* write 5 */
+	Tx8 | TxENAB,			/* write 5 */
 	0, 0, 0,			/* write 6, 7, 8 */
 	MIE | DLC | NV,			/* write 9 */
 	NRZ,				/* write 10 */
 	TCBR | RCBR,			/* write 11 */
-	0, 0,				/* BRG time constant, write 12 + 13 */
+	0x16, 0x00,			/* BRG time constant, write 12 + 13 */
 	BRSRC | BRENABL,		/* write 14 */
 	0,				/* write 15 */
 };
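Review bot: the WR12/WR13 time constant `0x16, 0x00` is a magic pair with only "BRG time constant" for a comment, so the "B9600" promise in the new block comment cannot be checked from the code. Spelling out the derivation would help: with the X16CLK mode set in WR4 the Z8530 BRG formula is TC = PCLK / (2 * 16 * baud) - 2, which gives 0x16 for 9600 baud at a 7.3728 MHz PCLK. It is also worth noting next to `Tx8 | TxENAB` that this is what replaces the removed zs_pm() hack, since `zs_init_regs` is `__initdata` and only serves as the reset template.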
@@ -956,23 +962,6 @@ static void zs_set_termios(struct uart_p
 	spin_unlock_irqrestore(&scc->zlock, flags);
 }
 
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void zs_pm(struct uart_port *uport, unsigned int state,
-		  unsigned int oldstate)
-{
-	struct zs_port *zport = to_zport(uport);
-
-	if (state < 3)
-		zport->regs[5] |= TxENAB;
-	else
-		zport->regs[5] &= ~TxENAB;
-	write_zsreg(zport, R5, zport->regs[5]);
-}
-
 
 static const char *zs_type(struct uart_port *uport)
 {
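Review bot: deleting zs_pm() leaves two consecutive blank lines between zs_set_termios() and zs_type() (the context blank at the top of the hunk plus the one kept before `static const char *zs_type`); drop one while here, checkpatch flags the double blank.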
@@ -1055,7 +1044,6 @@ static const struct uart_ops zs_ops = {
 	.startup	= zs_startup,
 	.shutdown	= zs_shutdown,
 	.set_termios	= zs_set_termios,
-	.pm		= zs_pm,
 	.type		= zs_type,
 	.release_port	= zs_release_port,
 	.request_port	= zs_request_port,
@@ -1210,7 +1198,6 @@ static int __init zs_console_setup(struc
 		return ret;
 
 	zs_reset(zport);
-	zs_pm(uport, 0, -1);
 
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);




* [PATCH 6.12 266/307] x86/boot: Disable stack protector for early boot code
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Brian Gerst, Ingo Molnar,
	Ard Biesheuvel, Linus Torvalds, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brian Gerst <brgerst@gmail.com>

[ Upstream commit a9a76b38aaf577887103e3ebb41d70e6aa5a4b19 ]

On 64-bit, this will prevent crashes when the canary access is changed
from %gs:40 to %gs:__stack_chk_guard(%rip).  RIP-relative addresses from
the identity-mapped early boot code will target the wrong address with
zero-based percpu.  KASLR could then shift that address to an unmapped
page causing a crash on boot.

This early boot code runs well before user-space is active and does not
need stack protector enabled.

Signed-off-by: Brian Gerst <brgerst@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250123190747.745588-4-brgerst@gmail.com
Stable-dep-of: 917e3ad3321e ("x86/kexec: Disable KCOV instrumentation after load_segments()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index f7918980667a33..f42c0903ef86d4 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -44,6 +44,8 @@ KCOV_INSTRUMENT_unwind_orc.o				:= n
 KCOV_INSTRUMENT_unwind_frame.o				:= n
 KCOV_INSTRUMENT_unwind_guess.o				:= n
 
+CFLAGS_head32.o := -fno-stack-protector
+CFLAGS_head64.o := -fno-stack-protector
 CFLAGS_irq.o := -I $(src)/../include/asm/trace
 
 obj-y			+= head_$(BITS).o
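Review bot: the two new `CFLAGS_head32.o`/`CFLAGS_head64.o := -fno-stack-protector` lines carry no comment, unlike the KCOV block just above them; a one-liner with the reason from the commit message (identity-mapped early boot code, RIP-relative canary access with zero-based percpu) would keep them from being dropped in a later Makefile tidy-up.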
-- 
2.53.0





* [PATCH 6.18 277/315] serial: zs: Switch to using channel reset
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 8572955630f30948837088aa98bcbe0532d1ceac upstream.

Switch the driver to using the channel reset rather than hardware reset,
simplifying handling by removing an interference between channels that
causes the other channel to become uninitialised afterwards.

There is little difference between the two kinds of reset in terms of
register settings that result, and we initialise the whole register set
right away anyway.  However this prevents a hang from happening should
the console output handler in the firmware try to access the other port
whose transmitter has been disabled and line parameters messed up.

For example this will happen if the keyboard port (port A) is chosen for
the system console, unusually but not insanely for a headless system, as
the port is wired to a standard DA-15 connector and an adapter can be
easily made.  Or with the next change in place this would happen for the
regular console port (port B), since the keyboard port (port A) will be
initialised first.

Just remove the unnecessary complication then, a channel reset is good
enough.  We still need the initialisation marker, now per channel rather
than per SCC, as for the console port zs_reset() will be called twice:
once early on via zs_serial_console_init() for the console setup only,
and then again via zs_config_port() as the port is associated with a TTY
device.

Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062323430.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/zs.c |    7 ++++---
 drivers/tty/serial/zs.h |    2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -832,21 +832,22 @@ static void zs_shutdown(struct uart_port
 
 static void zs_reset(struct zs_port *zport)
 {
+	struct zs_port *zport_a = &zport->scc->zport[ZS_CHAN_A];
 	struct zs_scc *scc = zport->scc;
 	int irq;
 	unsigned long flags;
 
 	spin_lock_irqsave(&scc->zlock, flags);
 	irq = !irqs_disabled_flags(flags);
-	if (!scc->initialised) {
+	if (!zport->initialised) {
 		/* Reset the pointer first, just in case...  */
 		read_zsreg(zport, R0);
 		/* And let the current transmission finish.  */
 		zs_line_drain(zport, irq);
-		write_zsreg(zport, R9, FHWRES);
+		write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
 		udelay(10);
 		write_zsreg(zport, R9, 0);
-		scc->initialised = 1;
+		zport->initialised = 1;
 	}
 	load_zsregs(zport, zport->regs, irq);
 	spin_unlock_irqrestore(&scc->zlock, flags);
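Review bot: in zs_reset() the new `zport_a` initialiser reaches through `zport->scc->zport[ZS_CHAN_A]` while `scc` is declared on the very next line; reorder to `struct zs_scc *scc = zport->scc;` followed by `struct zs_port *zport_a = &scc->zport[ZS_CHAN_A];` so both go through the same pointer. Choosing `CHRA` or `CHRB` by pointer comparison is correct given the `zport[2]` array in zs.h, but a bool named for the channel would read more directly than `zport == zport_a`.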
--- a/drivers/tty/serial/zs.h
+++ b/drivers/tty/serial/zs.h
@@ -22,6 +22,7 @@
 struct zs_port {
 	struct zs_scc	*scc;			/* Containing SCC.  */
 	struct uart_port port;			/* Underlying UART.  */
+	int		initialised;		/* For the console port.  */
 
 	int		clk_mode;		/* May be 1, 16, 32, or 64.  */
 
@@ -41,7 +42,6 @@ struct zs_scc {
 	struct zs_port	zport[2];
 	spinlock_t	zlock;
 	atomic_t	irq_guard;
-	int		initialised;
 };
 
 #endif /* __KERNEL__ */
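Review bot: the comment on the new `initialised` field says "For the console port." but, as the commit message explains, it is now the per-channel initialisation marker consulted by zs_reset() for every port (the console port merely hits it twice); reword to something like "Channel reset done." so the comment matches the use.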




* [PATCH 6.12 267/307] x86/kexec: Disable KCOV instrumentation after load_segments()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Aleksandr Nogikh,
	Borislav Petkov (AMD), Dmitry Vyukov, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aleksandr Nogikh <nogikh@google.com>

[ Upstream commit 917e3ad3321e75ca0223d5ccf26ceda116aa51e1 ]

The load_segments() function changes segment registers, invalidating GS base
(which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any
subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins
crashing the kernel in an endless loop.

To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented
kernel:

  $ kexec -l /boot/otherKernel
  $ kexec -e

The real-world context for this problem is enabling crash dump collection in
syzkaller. For this, the tool loads a panic kernel before fuzzing and then
calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC
and CONFIG_KCOV to be enabled simultaneously.

Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())
is also undesirable as it would introduce an extra performance overhead.

Disabling instrumentation for the individual functions would be too fragile,
so disable KCOV instrumentation for the entire machine_kexec_64.c and
physaddr.c. If coverage-guided fuzzing ever needs these components in the
future, other approaches should be considered.

The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported
there.

  [ bp: Space out comment for better readability. ]

Fixes: 0d345996e4cb ("x86/kernel: increase kcov coverage under arch/x86/kernel folder")
Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260325154825.551191-1-nogikh@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/Makefile | 14 ++++++++++++++
 arch/x86/mm/Makefile     |  2 ++
 2 files changed, 16 insertions(+)

diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
index f42c0903ef86d4..5f58b5a38cac17 100644
--- a/arch/x86/kernel/Makefile
+++ b/arch/x86/kernel/Makefile
@@ -44,6 +44,20 @@ KCOV_INSTRUMENT_unwind_orc.o				:= n
 KCOV_INSTRUMENT_unwind_frame.o				:= n
 KCOV_INSTRUMENT_unwind_guess.o				:= n
 
+# Disable KCOV to prevent crashes during kexec: load_segments() invalidates
+# the GS base, which KCOV relies on for per-CPU data.
+#
+# As KCOV and KEXEC compatibility should be preserved (e.g. syzkaller is
+# using it to collect crash dumps during kernel fuzzing), disabling
+# KCOV for KEXEC kernels is not an option. Selectively disabling KCOV
+# instrumentation for individual affected functions can be fragile, while
+# adding more checks to KCOV would slow it down.
+#
+# As a compromise solution, disable KCOV instrumentation for the whole
+# source code file. If its coverage is ever needed, other approaches
+# should be considered.
+KCOV_INSTRUMENT_machine_kexec_64.o			:= n
+
 CFLAGS_head32.o := -fno-stack-protector
 CFLAGS_head64.o := -fno-stack-protector
 CFLAGS_irq.o := -I $(src)/../include/asm/trace
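Review bot: the cross-reference between the two Makefiles runs one way only: arch/x86/mm/Makefile points at this comment, but nothing here tells a reader that physaddr.o gets the same treatment for the same reason, so a closing line such as `# The same applies to arch/x86/mm/physaddr.o (see arch/x86/mm/Makefile).` above the `KCOV_INSTRUMENT_machine_kexec_64.o := n` entry would keep the two sites from drifting apart when one of them is revisited.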
diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
index 690fbf48e8538b..60a53baa042793 100644
--- a/arch/x86/mm/Makefile
+++ b/arch/x86/mm/Makefile
@@ -5,6 +5,8 @@ KCOV_INSTRUMENT_mem_encrypt.o		:= n
 KCOV_INSTRUMENT_mem_encrypt_amd.o	:= n
 KCOV_INSTRUMENT_mem_encrypt_identity.o	:= n
 KCOV_INSTRUMENT_pgprot.o		:= n
+# See the "Disable KCOV" comment in arch/x86/kernel/Makefile.
+KCOV_INSTRUMENT_physaddr.o		:= n
 
 KASAN_SANITIZE_mem_encrypt.o		:= n
 KASAN_SANITIZE_mem_encrypt_amd.o	:= n
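Review bot: the new comment sends the reader to arch/x86/kernel/Makefile but does not say why physaddr.o itself is affected; a few words naming the path by which machine_kexec_64.c reaches physaddr.c after load_segments() would make this entry self-explanatory and stop someone from re-enabling instrumentation here when the kexec file changes.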
-- 
2.53.0





* [PATCH 6.18 278/315] serial: zs: Convert to use a platform device
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 7cac59d08a73cb866ec51a483a6f3fe0f531947c upstream.

Prevent a crash from happening as the first serial port is initialised:

  Console: switching to mono frame buffer device 160x64
  fb0: PMAG-AA frame buffer device at tc0
  DECstation Z85C30 serial driver version 0.10
  CPU 0 Unable to handle kernel paging request at virtual address 0000002c, epc == 803ab00c, ra == 803aafe0
  Oops[#1]:
  CPU: 0 PID: 1 Comm: swapper Not tainted 6.4.0-rc3-00031-g84a9582fd203-dirty #57
  $ 0   : 00000000 10012c00 803aaeb0 00000000
  $ 4   : 80e12f60 80e12f50 80e12f58 81000030
  $ 8   : 00000000 805ff37c 00000000 33433538
  $12   : 65732030 00000006 80c2915d 6c616972
  $16   : 80e12f00 807b7630 00000000 00000000
  $20   : 00000004 00000348 000001a0 807623b8
  $24   : 00000018 00000000
  $28   : 80c24000 80c25d60 8078b148 803aafe0
  Hi    : 00000000
  Lo    : 00000000
  epc   : 803ab00c serial_base_ctrl_add+0x78/0xf4
  ra    : 803aafe0 serial_base_ctrl_add+0x4c/0xf4
  Status: 10012c03	KERNEL EXL IE
  Cause : 00000008 (ExcCode 02)
  BadVA : 0000002c
  PrId  : 00000440 (R4400SC)
  Modules linked in:
  Process swapper (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=00000000)
  Stack : 80760000 00000cc0 00400044 00400040 803aa02c 80d61ab8 00000000 807b7630
          80760000 807623b8 807b7628 803aa644 80386998 00000000 80e17780 80220f68
          80e17780 80d61ab8 80c17d80 80e17780 80e17780 8063c798 80e17780 80383fa0
          00000010 80e17780 00000000 80386998 807a0000 00000000 00400040 8038f848
          807623b8 80d61ab8 00000004 80e17780 00000000 803a68e4 80c25e2c 803bb884
          ...
  Call Trace:
  [<803ab00c>] serial_base_ctrl_add+0x78/0xf4
  [<803aa644>] serial_core_register_port+0x174/0x69c
  [<8077e9ac>] zs_init+0xc8/0xfc
  [<800404d4>] do_one_initcall+0x40/0x2ac
  [<8076cecc>] kernel_init_freeable+0x1e4/0x270
  [<80605bec>] kernel_init+0x20/0x108
  [<800431e8>] ret_from_kernel_thread+0x14/0x1c

  Code: 2442aeb0  ae120024  ae0200d0 <8c67002c> 50e00001  8c670000  3c06806e  3c05806e  afb30010

  ---[ end trace 0000000000000000 ]---

(report at the offending commit) -- where a pointer is dereferenced that
has been derived from a null pointer to the port's parent device.

Since no device is available with legacy probing and it's not anymore a
preferable way to discover devices anyway, switch the driver to using a
platform device and use it as the port's parent device.  Update resource
handling accordingly and only request the actual span of addresses used
within the slot, which will have had its resource already requested by
generic platform device code.

Use platform_driver_probe() not just because SCC devices are fixed with
solder on board and not straightforward to remove, but foremost because
the associated TTY's major device number is the same as used by the dz
driver and the first driver to claim it will prevent the other one from
using it.  Either one DZ device or some SCC devices will be present in a
given system but never both at a time, and therefore we want the major
device number to be claimed by the first driver to actually successfully
bind to its device and platform_driver_probe() is a way to fulfil that.

An unfortunate consequence of the switch to a platform device is we now
hand the console over from the bootconsole much later in the bootstrap.
The firmware console handler appears good enough though to work so late
and in particular with interrupts enabled.

Since there is one way only remaining to reach zs_reset() now, remove
the port initialisation marker as no longer needed and go through the
channel reset unconditionally.

Fixes: 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # needs to use .remove_new for <= 6.10
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062328480.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/dec/platform.c |   60 ++++++++++++++
 drivers/tty/serial/zs.c  |  190 +++++++++++++++++------------------------------
 drivers/tty/serial/zs.h  |    1 
 3 files changed, 128 insertions(+), 123 deletions(-)

--- a/arch/mips/dec/platform.c
+++ b/arch/mips/dec/platform.c
@@ -13,6 +13,7 @@
 #include <asm/bootinfo.h>
 
 #include <asm/dec/interrupts.h>
+#include <asm/dec/ioasic_addrs.h>
 #include <asm/dec/kn01.h>
 #include <asm/dec/kn02.h>
 #include <asm/dec/system.h>
@@ -53,10 +54,37 @@ static struct platform_device *dec_dz_de
 	&dec_dz_device,
 };
 
+static struct resource dec_zs_resources[][2] = {
+	{
+		{ .name = "scc0", .flags = IORESOURCE_MEM, },
+		{ .name = "scc0", .flags = IORESOURCE_IRQ, },
+	},
+	{
+		{ .name = "scc1", .flags = IORESOURCE_MEM, },
+		{ .name = "scc1", .flags = IORESOURCE_IRQ, },
+	},
+};
+
+static struct platform_device dec_zs_device[] = {
+	{
+		.name = "zs",
+		.id = 0,
+		.resource = dec_zs_resources[0],
+		.num_resources = ARRAY_SIZE(dec_zs_resources[0]),
+	},
+	{
+		.name = "zs",
+		.id = 1,
+		.resource = dec_zs_resources[1],
+		.num_resources = ARRAY_SIZE(dec_zs_resources[1]),
+	},
+};
+
 static int __init dec_add_devices(void)
 {
-	int ret1, ret2;
-	int num_dz;
+	struct platform_device *dec_zs_devices[ARRAY_SIZE(dec_zs_device)];
+	int ret1, ret2, ret3;
+	int num_dz, num_zs;
 	int irq, i;
 
 	dec_rtc_resources[0].start = RTC_PORT(0);
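Review bot: `dec_zs_device[]` (the array of struct platform_device) and the local `dec_zs_devices[]` in dec_add_devices() (an array of pointers into it) differ by a single letter, which invites mix-ups in later edits; consider a name such as `dec_zs_device_ptrs` or mirroring however the existing dz device/pointer pair is named. The resources are also declared with no start/end and filled in at init time, which is fine, but a one-line comment saying so would spare a reader who comes looking for the addresses in this table.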
@@ -84,10 +112,36 @@ static int __init dec_add_devices(void)
 	}
 	num_dz = i;
 
+	i = 0;
+	irq = dec_interrupt[DEC_IRQ_SCC0];
+	if (irq >= 0) {
+		resource_size_t base = dec_kn_slot_base + IOASIC_SCC0;
+
+		dec_zs_device[i].resource[0].start = base;
+		dec_zs_device[i].resource[0].end = base + dec_kn_slot_size - 1;
+		dec_zs_device[i].resource[1].start = irq;
+		dec_zs_device[i].resource[1].end = irq;
+		dec_zs_devices[i] = &dec_zs_device[i];
+		i++;
+	}
+	irq = dec_interrupt[DEC_IRQ_SCC1];
+	if (irq >= 0) {
+		resource_size_t base = dec_kn_slot_base + IOASIC_SCC1;
+
+		dec_zs_device[i].resource[0].start = base;
+		dec_zs_device[i].resource[0].end = base + dec_kn_slot_size - 1;
+		dec_zs_device[i].resource[1].start = irq;
+		dec_zs_device[i].resource[1].end = irq;
+		dec_zs_devices[i] = &dec_zs_device[i];
+		i++;
+	}
+	num_zs = i;
+
 	ret1 = platform_device_register(&dec_rtc_device);
 	ret2 = IS_ENABLED(CONFIG_32BIT) ?
 	       platform_add_devices(dec_dz_devices, num_dz) : 0;
-	return ret1 ? ret1 : ret2;
+	ret3 = platform_add_devices(dec_zs_devices, num_zs);
+	return ret1 ? ret1 : ret2 ? ret2 : ret3;
 }
 
 device_initcall(dec_add_devices);
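Review bot: the two SCC blocks are identical apart from DEC_IRQ_SCC0/IOASIC_SCC0 versus DEC_IRQ_SCC1/IOASIC_SCC1; a loop over a two-entry {irq index, slot offset} table would halve the code and keep the resource fill-in in one place. The nested ternary in `return ret1 ? ret1 : ret2 ? ret2 : ret3;` reads as first-error-wins, which is what is wanted, but it is worth noting that when ret3 is non-zero the RTC and DZ devices registered just above stay registered, the same partial-registration behaviour the function already had for ret2.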
--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -56,6 +56,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/major.h>
+#include <linux/platform_device.h>
 #include <linux/serial.h>
 #include <linux/serial_core.h>
 #include <linux/spinlock.h>
@@ -66,10 +67,6 @@
 
 #include <linux/atomic.h>
 
-#include <asm/dec/interrupts.h>
-#include <asm/dec/ioasic_addrs.h>
-#include <asm/dec/system.h>
-
 #include "zs.h"
 
 
@@ -79,7 +76,7 @@ MODULE_LICENSE("GPL");
 
 
 static char zs_name[] __initdata = "DECstation Z85C30 serial driver version ";
-static char zs_version[] __initdata = "0.10";
+static char zs_version[] __initdata = "0.11";
 
 /*
  * It would be nice to dynamically allocate everything that
@@ -98,12 +95,8 @@ static char zs_version[] __initdata = "0
 
 #define to_zport(uport) container_of(uport, struct zs_port, port)
 
-struct zs_parms {
-	resource_size_t scc[ZS_NUM_SCCS];
-	int irq[ZS_NUM_SCCS];
-};
-
 static struct zs_scc zs_sccs[ZS_NUM_SCCS];
+static struct uart_driver zs_reg;
 
 /*
  * Set parameters in WR5, WR12, WR13 such as not to interfere
@@ -839,16 +832,15 @@ static void zs_reset(struct zs_port *zpo
 
 	spin_lock_irqsave(&scc->zlock, flags);
 	irq = !irqs_disabled_flags(flags);
-	if (!zport->initialised) {
-		/* Reset the pointer first, just in case...  */
-		read_zsreg(zport, R0);
-		/* And let the current transmission finish.  */
-		zs_line_drain(zport, irq);
-		write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
-		udelay(10);
-		write_zsreg(zport, R9, 0);
-		zport->initialised = 1;
-	}
+
+	/* Reset the pointer first, just in case...  */
+	read_zsreg(zport, R0);
+	/* And let the current transmission finish.  */
+	zs_line_drain(zport, irq);
+	write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
+	udelay(10);
+	write_zsreg(zport, R9, 0);
+
 	load_zsregs(zport, zport->regs, irq);
 	spin_unlock_irqrestore(&scc->zlock, flags);
 }
@@ -1055,63 +1047,62 @@ static const struct uart_ops zs_ops = {
 /*
  * Initialize Z85C30 port structures.
  */
-static int __init zs_probe_sccs(void)
+static int __init zs_probe(struct platform_device *pdev)
 {
-	static int probed;
-	struct zs_parms zs_parms;
-	int chip, side, irq;
-	int n_chips = 0;
+	struct resource *mem_resource, *irq_resource;
+	int chip, side;
 	int i;
 
-	if (probed)
-		return 0;
+	mem_resource = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	irq_resource = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+	if (!mem_resource || !irq_resource)
+		return -ENODEV;
+
+	chip = pdev->id;
+	spin_lock_init(&zs_sccs[chip].zlock);
+	for (side = 0; side < ZS_NUM_CHAN; side++) {
+		struct zs_port *zport = &zs_sccs[chip].zport[side];
+		struct uart_port *uport = &zport->port;
 
-	irq = dec_interrupt[DEC_IRQ_SCC0];
-	if (irq >= 0) {
-		zs_parms.scc[n_chips] = IOASIC_SCC0;
-		zs_parms.irq[n_chips] = dec_interrupt[DEC_IRQ_SCC0];
-		n_chips++;
-	}
-	irq = dec_interrupt[DEC_IRQ_SCC1];
-	if (irq >= 0) {
-		zs_parms.scc[n_chips] = IOASIC_SCC1;
-		zs_parms.irq[n_chips] = dec_interrupt[DEC_IRQ_SCC1];
-		n_chips++;
-	}
-	if (!n_chips)
-		return -ENXIO;
-
-	probed = 1;
-
-	for (chip = 0; chip < n_chips; chip++) {
-		spin_lock_init(&zs_sccs[chip].zlock);
-		for (side = 0; side < ZS_NUM_CHAN; side++) {
-			struct zs_port *zport = &zs_sccs[chip].zport[side];
-			struct uart_port *uport = &zport->port;
-
-			zport->scc	= &zs_sccs[chip];
-			zport->clk_mode	= 16;
-
-			uport->has_sysrq = IS_ENABLED(CONFIG_SERIAL_ZS_CONSOLE);
-			uport->irq	= zs_parms.irq[chip];
-			uport->uartclk	= ZS_CLOCK;
-			uport->fifosize	= 1;
-			uport->iotype	= UPIO_MEM;
-			uport->flags	= UPF_BOOT_AUTOCONF;
-			uport->ops	= &zs_ops;
-			uport->line	= chip * ZS_NUM_CHAN + side;
-			uport->mapbase	= dec_kn_slot_base +
-					  zs_parms.scc[chip] +
-					  (side ^ ZS_CHAN_B) * ZS_CHAN_IO_SIZE;
+		zport->scc	= &zs_sccs[chip];
+		zport->clk_mode	= 16;
 
-			for (i = 0; i < ZS_NUM_REGS; i++)
-				zport->regs[i] = zs_init_regs[i];
-		}
+		uport->dev	= &pdev->dev;
+		uport->has_sysrq = IS_ENABLED(CONFIG_SERIAL_ZS_CONSOLE);
+		uport->irq	= irq_resource->start;
+		uport->uartclk	= ZS_CLOCK;
+		uport->fifosize	= 1;
+		uport->iotype	= UPIO_MEM;
+		uport->flags	= UPF_BOOT_AUTOCONF;
+		uport->ops	= &zs_ops;
+		uport->line	= chip * ZS_NUM_CHAN + side;
+		uport->mapbase	= mem_resource->start +
+				  (side ^ ZS_CHAN_B) * ZS_CHAN_IO_SIZE;
+
+		for (i = 0; i < ZS_NUM_REGS; i++)
+			zport->regs[i] = zs_init_regs[i];
+
+		if (uart_add_one_port(&zs_reg, uport))
+			uport->dev = NULL;
 	}
 
 	return 0;
 }
 
+static void __exit zs_remove(struct platform_device *pdev)
+{
+	int chip, side;
+
+	chip = pdev->id;
+	for (side = ZS_NUM_CHAN - 1; side >= 0; side--) {
+		struct zs_port *zport = &zs_sccs[chip].zport[side];
+		struct uart_port *uport = &zport->port;
+
+		if (uport->dev)
+			uart_remove_one_port(&zs_reg, uport);
+	}
+}
+
 
 #ifdef CONFIG_SERIAL_ZS_CONSOLE
 static void zs_console_putchar(struct uart_port *uport, unsigned char ch)
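Review bot: `chip = pdev->id;` is used directly as an index into `zs_sccs[ZS_NUM_SCCS]` with no range check, so a platform device registered with any other id would index out of bounds; a cheap `if (chip < 0 || chip >= ZS_NUM_SCCS) return -ENODEV;` before spin_lock_init() makes the probe robust against the board code. Two smaller points: when uart_add_one_port() fails for both channels the probe still returns 0 and the driver ends up bound to a device with no usable ports (returning an error when no port was added would let platform_driver_probe() report it), and `platform_get_irq(pdev, 0)` is the preferred way to fetch the interrupt rather than reading an IORESOURCE_IRQ resource by hand.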
@@ -1192,20 +1183,14 @@ static int __init zs_console_setup(struc
 	int bits = 8;
 	int parity = 'n';
 	int flow = 'n';
-	int ret;
-
-	ret = zs_map_port(uport);
-	if (ret)
-		return ret;
-
-	zs_reset(zport);
 
+	if (!zport->scc)
+		return -ENODEV;
 	if (options)
 		uart_parse_options(options, &baud, &parity, &bits, &flow);
 	return uart_set_options(uport, co, baud, parity, bits, flow);
 }
 
-static struct uart_driver zs_reg;
 static struct console zs_console = {
 	.name	= "ttyS",
 	.write	= zs_console_write,
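Review bot: zs_console_setup() no longer calls zs_map_port() and zs_reset(), so it now depends on the port having been mapped and reset on the probe path before the serial core registers the console from uart_add_one_port(); the `if (!zport->scc) return -ENODEV;` guard only catches a port that was never probed at all. A short comment above that check stating the ordering assumption (probe maps and resets, console setup merely parses options) would save the next reader from retracing the commit message.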
@@ -1216,23 +1201,6 @@ static struct console zs_console = {
 	.data	= &zs_reg,
 };
 
-/*
- *	Register console.
- */
-static int __init zs_serial_console_init(void)
-{
-	int ret;
-
-	ret = zs_probe_sccs();
-	if (ret)
-		return ret;
-	register_console(&zs_console);
-
-	return 0;
-}
-
-console_initcall(zs_serial_console_init);
-
 #define SERIAL_ZS_CONSOLE	&zs_console
 #else
 #define SERIAL_ZS_CONSOLE	NULL
@@ -1248,47 +1216,31 @@ static struct uart_driver zs_reg = {
 	.cons			= SERIAL_ZS_CONSOLE,
 };
 
+static struct platform_driver zs_driver = {
+	.remove = __exit_p(zs_remove),
+	.driver = { .name = "zs" },
+};
+
 /* zs_init inits the driver. */
 static int __init zs_init(void)
 {
-	int i, ret;
+	int ret;
 
 	pr_info("%s%s\n", zs_name, zs_version);
 
-	/* Find out how many Z85C30 SCCs we have.  */
-	ret = zs_probe_sccs();
-	if (ret)
-		return ret;
-
 	ret = uart_register_driver(&zs_reg);
 	if (ret)
 		return ret;
+	ret = platform_driver_probe(&zs_driver, zs_probe);
+	if (ret)
+		uart_unregister_driver(&zs_reg);
 
-	for (i = 0; i < ZS_NUM_SCCS * ZS_NUM_CHAN; i++) {
-		struct zs_scc *scc = &zs_sccs[i / ZS_NUM_CHAN];
-		struct zs_port *zport = &scc->zport[i % ZS_NUM_CHAN];
-		struct uart_port *uport = &zport->port;
-
-		if (zport->scc)
-			uart_add_one_port(&zs_reg, uport);
-	}
-
-	return 0;
+	return ret;
 }
 
 static void __exit zs_exit(void)
 {
-	int i;
-
-	for (i = ZS_NUM_SCCS * ZS_NUM_CHAN - 1; i >= 0; i--) {
-		struct zs_scc *scc = &zs_sccs[i / ZS_NUM_CHAN];
-		struct zs_port *zport = &scc->zport[i % ZS_NUM_CHAN];
-		struct uart_port *uport = &zport->port;
-
-		if (zport->scc)
-			uart_remove_one_port(&zs_reg, uport);
-	}
-
+	platform_driver_unregister(&zs_driver);
 	uart_unregister_driver(&zs_reg);
 }
 
--- a/drivers/tty/serial/zs.h
+++ b/drivers/tty/serial/zs.h
@@ -22,7 +22,6 @@
 struct zs_port {
 	struct zs_scc	*scc;			/* Containing SCC.  */
 	struct uart_port port;			/* Underlying UART.  */
-	int		initialised;		/* For the console port.  */
 
 	int		clk_mode;		/* May be 1, 16, 32, or 64.  */
 




* [PATCH 6.12 268/307] rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, David Howells,
	Simon Horman, Jiayuan Chen, linux-afs, Jeffrey Altman,
	Marc Dionne, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit d2bc90cf6c75cb96d2ce549be6c35efa3099d25b ]

This improves the fix for CVE-2026-43500.

Fix the pagecache corruption from in-place decryption of a DATA packet
transmitted locally by splice() by getting rid of the packet sharing in the
I/O thread and unconditionally extracting the packet content into a bounce
buffer in which the buffer is decrypted.  recvmsg() (or the kernel
equivalent) then copies the data from the bounce buffer to the destination
buffer.  The sk_buff then remains unmodified.

This has an additional advantage in that the packet is then arranged in the
buffer with the correct alignment required for the crypto algorithms to
process directly.  The performance of the crypto does seem to be a little
faster and, surprisingly, the unencrypted performance doesn't seem to
change much - possibly due to removing complexity from the I/O thread.

Yet another advantage is that the I/O thread doesn't have to copy packets
which would slow down packet distribution, ACK generation, etc.

The buffer belongs to the call and is allocated initially at 2K,
sufficiently large to hold a whole jumbo subpacket, but the buffer will be
increased in size if needed.  However, to take this work, MSG_PEEK may
cause a later packet to be decrypted into the buffer, in which case the
earlier one will need re-decrypting for a subsequent recvmsg().

Note that rx_pkt_offset may legitimately see 0 as a valid offset now, so
switch to using USHRT_MAX to indicate an invalid offset.

Note also that I would generally prefer to replace the buffers of the
current sk_buff with a new kmalloc'd buffer of the right size, ditching the
old data and frags as this makes the handling of MSG_PEEK easier and
removes the re-decryption issue, but this looks like quite a complicated
thing to achieve.  skb_morph() looks half way to what I want, but I don't
want to have to allocate a new sk_buff.

Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: linux-afs@lists.infradead.org
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
Link: https://patch.msgid.link/20260515230516.2718212-3-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 8bfab4b6ffc2 ("rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/ar-internal.h |    7 ++-
 net/rxrpc/call_event.c  |   27 +--------------
 net/rxrpc/call_object.c |    2 +
 net/rxrpc/insecure.c    |    3 -
 net/rxrpc/recvmsg.c     |   68 ++++++++++++++++++++++++++++++-------
 net/rxrpc/rxkad.c       |   86 +++++++++++++++++-------------------------------
 6 files changed, 96 insertions(+), 97 deletions(-)

--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -203,8 +203,6 @@ struct rxrpc_skb_priv {
 		struct {
 			u16		offset;		/* Offset of data */
 			u16		len;		/* Length of data */
-			u8		flags;
-#define RXRPC_RX_VERIFIED	0x01
 		};
 		struct {
 			rxrpc_seq_t	first_ack;	/* First packet in acks table */
@@ -686,6 +684,11 @@ struct rxrpc_call {
 	/* Received data tracking */
 	struct sk_buff_head	recvmsg_queue;	/* Queue of packets ready for recvmsg() */
 	struct sk_buff_head	rx_oos_queue;	/* Queue of out of sequence packets */
+	void			*rx_dec_buffer;	/* Decryption buffer */
+	unsigned short		rx_dec_bsize;	/* rx_dec_buffer size */
+	unsigned short		rx_dec_offset;	/* Decrypted packet data offset */
+	unsigned short		rx_dec_len;	/* Decrypted packet data len */
+	rxrpc_seq_t		rx_dec_seq;	/* Packet in decryption buffer */
 
 	rxrpc_seq_t		rx_highest_seq;	/* Higest sequence number received */
 	rxrpc_seq_t		rx_consumed;	/* Highest packet consumed */
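Review bot: `rx_dec_seq` has no "invalid" value of its own; it only means something while `rx_dec_buffer` is non-NULL (recvmsg.c tests both together), and rx_dec_bsize/rx_dec_offset/rx_dec_len are unsigned short, which is why the allocator in recvmsg.c clamps the size to 65535. Recording both constraints in the field comments here would keep a future user of these fields from trusting rx_dec_seq on its own or growing the buffer past what the size fields can hold.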
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -342,31 +342,8 @@ bool rxrpc_input_call_event(struct rxrpc
 	if (skb && skb->mark == RXRPC_SKB_MARK_ERROR)
 		goto out;
 
-	if (skb) {
-		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-
-		if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
-		    sp->hdr.securityIndex != 0 &&
-		    (skb_cloned(skb) ||
-		     skb_has_frag_list(skb) ||
-		     skb_has_shared_frag(skb))) {
-			/* Unshare the packet so that it can be modified for
-			 * in-place decryption.
-			 */
-			struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
-
-			if (nskb) {
-				rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-				rxrpc_input_call_packet(call, nskb);
-				rxrpc_free_skb(nskb, rxrpc_skb_put_input);
-			} else {
-				/* OOM - Drop the packet. */
-				rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-			}
-		} else {
-			rxrpc_input_call_packet(call, skb);
-		}
-	}
+	if (skb)
+		rxrpc_input_call_packet(call, skb);
 
 	/* If we see our async-event poke, check for timeout trippage. */
 	now = ktime_get_real();
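Review bot: with this block gone, the trace ids `rxrpc_skb_new_unshared` and `rxrpc_skb_see_unshare_nomem` lose the user visible in this hunk, yet the diffstat touches no trace header; it is worth checking whether any other user remains and, if not, pruning them from the rxrpc_skb trace enum in the same series (dead enum entries are harmless for a stable backport, but upstream tends to remove them).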
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -154,6 +154,7 @@ struct rxrpc_call *rxrpc_alloc_call(stru
 	spin_lock_init(&call->tx_lock);
 	refcount_set(&call->ref, 1);
 	call->debug_id		= debug_id;
+	call->rx_pkt_offset	= USHRT_MAX;
 	call->tx_total_len	= -1;
 	call->next_rx_timo	= 20 * HZ;
 	call->next_req_timo	= 1 * HZ;
@@ -535,6 +536,7 @@ static void rxrpc_cleanup_ring(struct rx
 {
 	rxrpc_purge_queue(&call->recvmsg_queue);
 	rxrpc_purge_queue(&call->rx_oos_queue);
+	kfree(call->rx_dec_buffer);
 }
 
 /*
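Review bot: `kfree(call->rx_dec_buffer)` releases a buffer that holds the plaintext of the last decrypted DATA packet; since this buffer is now the one place where decrypted call data lives outside the socket receive path, `kfree_sensitive()` would zero it before handing it back to the allocator at negligible cost, and the same consideration applies to the `krealloc()` in rxrpc_verify_data(), which copies the old contents into the new block and frees the old one unzeroed.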
--- a/net/rxrpc/insecure.c
+++ b/net/rxrpc/insecure.c
@@ -29,9 +29,6 @@ static int none_secure_packet(struct rxr
 
 static int none_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
 {
-	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-
-	sp->flags |= RXRPC_RX_VERIFIED;
 	return 0;
 }
 
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -143,15 +143,52 @@ static void rxrpc_rotate_rx_window(struc
 }
 
 /*
- * Decrypt and verify a DATA packet.
+ * Decrypt and verify a DATA packet.  The content of the packet is pulled out
+ * into a flat buffer rather than decrypting in place in the skbuff.  This also
+ * has the advantage of aligning the buffer correctly for the crypto routines.
+ *
+ * We keep track of the sequence number of the packet currently decrypted into
+ * the buffer in ->rx_dec_seq.  If MSG_PEEK is used and steps onto a new
+ * packet, subsequent recvmsg() calls will have to go back and re-decrypt the
+ * current packet.
  */
 static int rxrpc_verify_data(struct rxrpc_call *call, struct sk_buff *skb)
 {
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+	int ret;
 
-	if (sp->flags & RXRPC_RX_VERIFIED)
-		return 0;
-	return call->security->verify_packet(call, skb);
+	if (sp->len > call->rx_dec_bsize) {
+		/* Make sure we can hold a 1412-byte jumbo subpacket and make
+		 * sure that the buffer size is aligned to a crypto blocksize.
+		 */
+		size_t size = clamp(round_up(sp->len, 32), 2048, 65535);
+		void *buffer = krealloc(call->rx_dec_buffer, size, GFP_NOFS);
+
+		if (!buffer)
+			return -ENOMEM;
+		call->rx_dec_buffer = buffer;
+		call->rx_dec_bsize = size;
+	}
+
+	ret = -EFAULT;
+	if (skb_copy_bits(skb, sp->offset, call->rx_dec_buffer, sp->len) < 0)
+		goto err;
+
+	call->rx_dec_offset = 0;
+	call->rx_dec_len = sp->len;
+	call->rx_dec_seq = sp->hdr.seq;
+	ret = call->security->verify_packet(call, skb);
+	if (ret < 0)
+		goto err;
+	return 0;
+
+err:
+	kfree(call->rx_dec_buffer);
+	call->rx_dec_buffer = NULL;
+	call->rx_dec_bsize = 0;
+	call->rx_dec_offset = 0;
+	call->rx_dec_len = 0;
+	return ret;
 }
 
 /*
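Review bot: `clamp(round_up(sp->len, 32), 2048, 65535)` can yield a size that is not a multiple of 32, contradicting the comment above it: for sp->len above 65504 the rounding gives 65536 and the clamp pulls it back to 65535. Since `rx_dec_bsize` is an unsigned short, the largest 32-aligned size that fits is 65504, so either clamp to that or state why sp->len is bounded well below it. Also, `krealloc()` copies the old contents into the new block even though the very next statement overwrites them with skb_copy_bits(); a kfree()/kmalloc() pair avoids the copy. Finally, the `err:` path resets every rx_dec_* field except rx_dec_seq, which is harmless only because the caller also tests rx_dec_buffer for NULL; resetting it too, or a comment saying why it need not be, would make the invariant explicit.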
@@ -202,17 +239,22 @@ static int rxrpc_recvmsg_data(struct soc
 		if (msg)
 			sock_recv_timestamp(msg, sock->sk, skb);
 
-		if (rx_pkt_offset == 0) {
+		if (call->rx_dec_seq != sp->hdr.seq ||
+		    !call->rx_dec_buffer) {
 			ret2 = rxrpc_verify_data(call, skb);
 			trace_rxrpc_recvdata(call, rxrpc_recvmsg_next, seq,
-					     sp->offset, sp->len, ret2);
+					     call->rx_dec_offset,
+					     call->rx_dec_len, ret2);
 			if (ret2 < 0) {
 				kdebug("verify = %d", ret2);
 				ret = ret2;
 				goto out;
 			}
-			rx_pkt_offset = sp->offset;
-			rx_pkt_len = sp->len;
+		}
+
+		if (rx_pkt_offset == USHRT_MAX) {
+			rx_pkt_offset = call->rx_dec_offset;
+			rx_pkt_len = call->rx_dec_len;
 		} else {
 			trace_rxrpc_recvdata(call, rxrpc_recvmsg_cont, seq,
 					     rx_pkt_offset, rx_pkt_len, 0);
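Review bot: the `call->rx_dec_seq != sp->hdr.seq || !call->rx_dec_buffer` test re-runs rxrpc_verify_data() (and so security->verify_packet()) for a packet that has already been verified once whenever an MSG_PEEK has since decrypted a later packet into the buffer, while the saved `rx_pkt_offset` from the earlier partial read is reused unchanged in the `else` branch below. That is correct only because decrypting the same packet is deterministic and rxkad writes the same rx_dec_offset each time; a comment on the condition stating that assumption, and noting that a second verification failure aborts a call whose data had already passed once, would document the trade-off the commit message describes.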
@@ -224,10 +266,10 @@ static int rxrpc_recvmsg_data(struct soc
 		if (copy > remain)
 			copy = remain;
 		if (copy > 0) {
-			ret2 = skb_copy_datagram_iter(skb, rx_pkt_offset, iter,
-						      copy);
-			if (ret2 < 0) {
-				ret = ret2;
+			ret2 = copy_to_iter(call->rx_dec_buffer + rx_pkt_offset,
+					    copy, iter);
+			if (ret2 != copy) {
+				ret = -EFAULT;
 				goto out;
 			}
 
@@ -248,7 +290,7 @@ static int rxrpc_recvmsg_data(struct soc
 		/* The whole packet has been transferred. */
 		if (sp->hdr.flags & RXRPC_LAST_PACKET)
 			ret = 1;
-		rx_pkt_offset = 0;
+		rx_pkt_offset = USHRT_MAX;
 		rx_pkt_len = 0;
 
 		skb = skb_peek_next(skb, &call->recvmsg_queue);
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -414,27 +414,25 @@ static int rxkad_verify_packet_1(struct
 				 rxrpc_seq_t seq,
 				 struct skcipher_request *req)
 {
-	struct rxkad_level1_hdr sechdr;
+	struct rxkad_level1_hdr *sechdr;
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxrpc_crypt iv;
-	struct scatterlist sg[16];
-	u32 data_size, buf;
+	struct scatterlist sg[1];
+	void *data = call->rx_dec_buffer;
+	u32 len = sp->len, data_size, buf;
 	u16 check;
 	int ret;
 
 	_enter("");
 
-	if (sp->len < 8)
+	if (len < 8)
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_1_short_header);
 
 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 	 * directly into the target buffer.
 	 */
-	sg_init_table(sg, ARRAY_SIZE(sg));
-	ret = skb_to_sgvec(skb, sg, sp->offset, 8);
-	if (unlikely(ret < 0))
-		return ret;
+	sg_init_one(sg, data, len);
 
 	/* start the decryption afresh */
 	memset(&iv, 0, sizeof(iv));
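Review bot: the untouched comment `Decrypt the skbuff in-place.  TODO: ...` in rxkad_verify_packet_1() is now stale, since `sg_init_one(sg, data, len)` maps the call's decryption buffer rather than the skb; the matching comment in rxkad_verify_packet_2() is updated later in this patch, so this one should be brought in line. Note also that the scatterlist now spans the full `len` bytes where the old skb_to_sgvec() mapped only 8, so the level-1 path relies on the skcipher request length (set outside this hunk) still being 8 for the header.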
@@ -448,13 +446,11 @@ static int rxkad_verify_packet_1(struct
 		return ret;
 
 	/* Extract the decrypted packet length */
-	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
-		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
-					  rxkad_abort_1_short_encdata);
-	sp->offset += sizeof(sechdr);
-	sp->len    -= sizeof(sechdr);
+	sechdr = data;
+	call->rx_dec_offset = sizeof(*sechdr);
+	len -= sizeof(*sechdr);
 
-	buf = ntohl(sechdr.data_size);
+	buf = ntohl(sechdr->data_size);
 	data_size = buf & 0xffff;
 
 	check = buf >> 16;
@@ -463,10 +459,10 @@ static int rxkad_verify_packet_1(struct
 	if (check != 0)
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_1_short_check);
-	if (data_size > sp->len)
+	if (data_size > len)
 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 					  rxkad_abort_1_short_data);
-	sp->len = data_size;
+	call->rx_dec_len = data_size;
 
 	_leave(" = 0 [dlen=%x]", data_size);
 	return 0;
@@ -480,43 +476,28 @@ static int rxkad_verify_packet_2(struct
 				 struct skcipher_request *req)
 {
 	const struct rxrpc_key_token *token;
-	struct rxkad_level2_hdr sechdr;
+	struct rxkad_level2_hdr *sechdr;
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxrpc_crypt iv;
-	struct scatterlist _sg[4], *sg;
-	u32 data_size, buf;
+	struct scatterlist sg[1];
+	void *data = call->rx_dec_buffer;
+	u32 len = sp->len, data_size, buf;
 	u16 check;
-	int nsg, ret;
+	int ret;
 
-	_enter(",{%d}", sp->len);
+	_enter(",{%d}", len);
 
-	if (sp->len < 8)
+	if (len < 8)
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_2_short_header);
 
 	/* Don't let the crypto algo see a misaligned length. */
-	sp->len = round_down(sp->len, 8);
+	len = round_down(len, 8);
 
-	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
-	 * directly into the target buffer.
+	/* Decrypt in place in the call's decryption buffer.  TODO: We really
+	 * want to decrypt directly into the target buffer.
 	 */
-	sg = _sg;
-	nsg = skb_shinfo(skb)->nr_frags + 1;
-	if (nsg <= 4) {
-		nsg = 4;
-	} else {
-		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
-		if (!sg)
-			return -ENOMEM;
-	}
-
-	sg_init_table(sg, nsg);
-	ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
-	if (unlikely(ret < 0)) {
-		if (sg != _sg)
-			kfree(sg);
-		return ret;
-	}
+	sg_init_one(sg, data, len);
 
 	/* decrypt from the session key */
 	token = call->conn->key->payload.data[0];
@@ -524,11 +505,9 @@ static int rxkad_verify_packet_2(struct
 
 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 	skcipher_request_set_callback(req, 0, NULL, NULL);
-	skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
+	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 	ret = crypto_skcipher_decrypt(req);
 	skcipher_request_zero(req);
-	if (sg != _sg)
-		kfree(sg);
 	if (ret < 0) {
 		if (ret == -ENOMEM)
 			return ret;
@@ -537,13 +516,11 @@ static int rxkad_verify_packet_2(struct
 	}
 
 	/* Extract the decrypted packet length */
-	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
-		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
-					  rxkad_abort_2_short_len);
-	sp->offset += sizeof(sechdr);
-	sp->len    -= sizeof(sechdr);
+	sechdr = data;
+	call->rx_dec_offset = sizeof(*sechdr);
+	len -= sizeof(*sechdr);
 
-	buf = ntohl(sechdr.data_size);
+	buf = ntohl(sechdr->data_size);
 	data_size = buf & 0xffff;
 
 	check = buf >> 16;
@@ -553,17 +530,18 @@ static int rxkad_verify_packet_2(struct
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_2_short_check);
 
-	if (data_size > sp->len)
+	if (data_size > len)
 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 					  rxkad_abort_2_short_data);
 
-	sp->len = data_size;
+	call->rx_dec_len = data_size;
 	_leave(" = 0 [dlen=%x]", data_size);
 	return 0;
 }
 
 /*
- * Verify the security on a received packet and the subpackets therein.
+ * Verify the security on a received (sub)packet.  If the packet needs
+ * modifying (e.g. decrypting), it must be copied.
  */
 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
 {




* [PATCH 6.18 279/315] serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jacques Nilo, Ilpo Järvinen

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jacques Nilo <jnilo@free.fr>

commit c3cce2e67bb22a223f5b8ef05db0fcde70994068 upstream.

uart_handle_break() and uart_prepare_sysrq_char() (in
include/linux/serial_core.h) capture a SysRq character into
port->sysrq_ch while the port lock is held and rely on the unlock
helper -- uart_unlock_and_check_sysrq_irqrestore() -- to dispatch the
captured character to handle_sysrq() on scope exit.

The existing guard(uart_port_lock_irqsave) cannot be used by IRQ
handlers that process RX, because its destructor calls plain
uart_port_unlock_irqrestore() and silently drops port->sysrq_ch.

Add a dedicated guard(uart_port_lock_check_sysrq_irqsave) variant
whose destructor is the sysrq-aware unlock helper. The lock side is
identical to uart_port_lock_irqsave -- only the unlock-time behaviour
differs. Callers that may capture SysRq characters must use
guard(uart_port_lock_check_sysrq_irqsave); the existing
guard(uart_port_lock_irqsave) keeps its current plain-unlock semantics
for the many callers that do not process RX.

The new macro is placed after the CONFIG_MAGIC_SYSRQ_SERIAL block so
both definitions of uart_unlock_and_check_sysrq_irqrestore() (sysrq
enabled and disabled) are visible at expansion time. When
CONFIG_MAGIC_SYSRQ_SERIAL=n the destructor degenerates to plain
uart_port_unlock_irqrestore(), so there is no overhead.

No functional change on its own; users are converted in the following
patches.

Cc: stable@vger.kernel.org
Signed-off-by: Jacques Nilo <jnilo@free.fr>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://patch.msgid.link/3849af4bc55d5d2a424fa850844e94d641b2f8a6.1778675349.git.jnilo@free.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/serial_core.h |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/include/linux/serial_core.h
+++ b/include/linux/serial_core.h
@@ -1275,6 +1275,18 @@ static inline void uart_unlock_and_check
 #endif	/* CONFIG_MAGIC_SYSRQ_SERIAL */
 
 /*
+ * Variant of guard(uart_port_lock_irqsave) for IRQ handlers that may capture
+ * a SysRq character via uart_prepare_sysrq_char(). The destructor uses the
+ * sysrq-aware unlock helper so that a captured port->sysrq_ch is dispatched
+ * to handle_sysrq() on scope exit. The plain guard variant silently drops
+ * sysrq_ch and must not be used by callers that process RX.
+ */
+DEFINE_LOCK_GUARD_1(uart_port_lock_check_sysrq_irqsave, struct uart_port,
+                    uart_port_lock_irqsave(_T->lock, &_T->flags),
+                    uart_unlock_and_check_sysrq_irqrestore(_T->lock, _T->flags),
+                    unsigned long flags);
+
+/*
  * We do the SysRQ and SAK checking like this...
  */
 static inline int uart_handle_break(struct uart_port *port)
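Review bot: the three continuation lines of the DEFINE_LOCK_GUARD_1() invocation are indented with spaces, while the surrounding header uses tabs; align them with tabs before the closing `unsigned long flags);`. The comment is accurate; it would also help to state there that the lock side is identical to guard(uart_port_lock_irqsave) and only the destructor differs, as the commit message says, so readers do not go looking for a locking difference.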




* [PATCH 6.12 269/307] rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, David Howells,
	Simon Horman, Jiayuan Chen, linux-afs, stable, Jeffrey Altman,
	Marc Dionne, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit 8bfab4b6ffc2fe92da86300728fc8c3c7ebffb56 ]

This improves the fix for CVE-2026-43500.

Fix the verification of RESPONSE packets to avoid the problem of
overwriting a RESPONSE packet sent via splice to a local address by
extracting the contents of the UDP packet into a kmalloc'd linear buffer
rather than decrypting the data in place in the sk_buff (which may corrupt
the original buffer).

Fixes: 24481a7f5733 ("rxrpc: Fix conn-level packet handling to unshare RESPONSE packets")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
Link: https://patch.msgid.link/20260515230516.2718212-4-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/ar-internal.h |    5 +++--
 net/rxrpc/conn_event.c  |   30 ++++++++++++------------------
 net/rxrpc/insecure.c    |    5 +++--
 net/rxrpc/rxkad.c       |   29 ++++++++++-------------------
 4 files changed, 28 insertions(+), 41 deletions(-)

--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -270,8 +270,9 @@ struct rxrpc_security {
 				    struct sk_buff *);
 
 	/* verify a response */
-	int (*verify_response)(struct rxrpc_connection *,
-			       struct sk_buff *);
+	int (*verify_response)(struct rxrpc_connection *conn,
+			       struct sk_buff *response_skb,
+			       void *response, unsigned int len);
 
 	/* clear connection security */
 	void (*clear)(struct rxrpc_connection *);
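Review bot: the `/* verify a response */` comment should document the new parameters: `response` is a linear, caller-owned copy of the packet payload after `struct rxrpc_wire_header`, `len` is its size in bytes, and `response_skb` is retained only for abort and tracing. It should also say that implementations must not keep pointers into `response` after returning, because the caller frees it.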
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -229,28 +229,22 @@ static void rxrpc_call_is_secure(struct
 static int rxrpc_verify_response(struct rxrpc_connection *conn,
 				 struct sk_buff *skb)
 {
+	unsigned int len = skb->len - sizeof(struct rxrpc_wire_header);
+	void *buffer;
 	int ret;
 
-	if (skb_cloned(skb) || skb_has_frag_list(skb) ||
-	    skb_has_shared_frag(skb)) {
-		/* Copy the packet if shared so that we can do in-place
-		 * decryption.
-		 */
-		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+	buffer = kmalloc(len, GFP_NOFS);
+	if (!buffer)
+		return -ENOMEM;
 
-		if (nskb) {
-			rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-			ret = conn->security->verify_response(conn, nskb);
-			rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
-		} else {
-			/* OOM - Drop the packet. */
-			rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-			ret = -ENOMEM;
-		}
-	} else {
-		ret = conn->security->verify_response(conn, skb);
-	}
+	ret = skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), buffer, len);
+	if (ret < 0)
+		goto out;
 
+	ret = conn->security->verify_response(conn, skb, buffer, len);
+
+out:
+	kfree(buffer);
 	return ret;
 }
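Review bot: `len = skb->len - sizeof(struct rxrpc_wire_header)` is an unsigned subtraction with no visible check that skb->len is at least the wire header size; if a short packet can reach rxrpc_verify_response(), `len` wraps and `kmalloc(len, GFP_NOFS)` fails (or warns on the oversized request) instead of the packet being rejected as a protocol error. If the wire header length is already validated on the receive path, a one-line comment saying so here would help; otherwise add `if (skb->len < sizeof(struct rxrpc_wire_header)) return -EPROTO;` before the allocation. Note also that `len` is taken from the packet, so the allocation size is peer-controlled up to the UDP payload size, which is acceptable for kmalloc but worth stating.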
 
--- a/net/rxrpc/insecure.c
+++ b/net/rxrpc/insecure.c
@@ -44,9 +44,10 @@ static int none_respond_to_challenge(str
 }
 
 static int none_verify_response(struct rxrpc_connection *conn,
-				struct sk_buff *skb)
+				struct sk_buff *response_skb,
+				void *response, unsigned int len)
 {
-	return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
+	return rxrpc_abort_conn(conn, response_skb, RX_PROTOCOL_ERROR, -EPROTO,
 				rxrpc_eproto_rxnull_response);
 }
 
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -875,7 +875,6 @@ static int rxkad_decrypt_ticket(struct r
 	*_expiry = 0;
 
 	ASSERT(server_key->payload.data[0] != NULL);
-	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
 
 	memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
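Review bot: removing `ASSERTCMP((unsigned long) ticket & 7UL, ==, 0)` rather than preserving the alignment it asserted deserves a sentence in the commit message: `ticket` now points at `buffer + sizeof(*response)` inside a kmalloc'd block, so its alignment is whatever sizeof(struct rxkad_response) happens to give. If rxkad_decrypt_ticket() only hands `ticket` to the skcipher through a scatterlist, unaligned input is fine and the assertion was stale; if anything reads multi-byte fields from it directly, those reads should go through get_unaligned().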
 
@@ -1024,14 +1023,15 @@ unlock:
  * verify a response
  */
 static int rxkad_verify_response(struct rxrpc_connection *conn,
-				 struct sk_buff *skb)
+				 struct sk_buff *skb,
+				 void *buffer, unsigned int len)
 {
 	struct rxkad_response *response;
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxrpc_crypt session_key;
 	struct key *server_key;
 	time64_t expiry;
-	void *ticket = NULL;
+	void *ticket;
 	u32 version, kvno, ticket_len, level;
 	__be32 csum;
 	int ret, i;
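Review bot: `void *ticket;` is now uninitialised and only assigned later in the function; that is safe solely because the `kfree(ticket)` under the `error:` label is removed in the same patch, so any future early `goto error` inserted before the assignment must not touch it. Either keep the `= NULL` initialiser for robustness or add a short comment at the declaration.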
@@ -1054,13 +1054,8 @@ static int rxkad_verify_response(struct
 		}
 	}
 
-	ret = -ENOMEM;
-	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
-	if (!response)
-		goto error;
-
-	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
-			  response, sizeof(*response)) < 0) {
+	response = buffer;
+	if (len < sizeof(*response)) {
 		ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
 				       rxkad_abort_resp_short);
 		goto error;
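Review bot: `if (len < sizeof(*response))` correctly replaces the skb_copy_bits() short check, but note the semantic difference from the old kzalloc(): with `response = buffer` the structure is exactly the bytes copied from the packet and nothing is zero-filled. That is fine as long as no field of struct rxkad_response is read beyond the copied length, which this check guarantees; no code change needed, but the commit message could mention it.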
@@ -1072,6 +1067,9 @@ static int rxkad_verify_response(struct
 
 	trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
 
+	buffer	+= sizeof(*response);
+	len	-= sizeof(*response);
+
 	if (version != RXKAD_VERSION) {
 		ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
 				       rxkad_abort_resp_version);
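Review bot: `buffer += sizeof(*response);` is pointer arithmetic on `void *`, a GCC extension the kernel permits, and the subtraction on `len` is safe because the `len < sizeof(*response)` check precedes it; the tab between `buffer`/`len` and the operator reads as accidental alignment, use a single space.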
@@ -1091,13 +1089,8 @@ static int rxkad_verify_response(struct
 	}
 
 	/* extract the kerberos ticket and decrypt and decode it */
-	ret = -ENOMEM;
-	ticket = kmalloc(ticket_len, GFP_NOFS);
-	if (!ticket)
-		goto error;
-
-	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
-			  ticket, ticket_len) < 0) {
+	ticket = buffer;
+	if (ticket_len > len) {
 		ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
 				       rxkad_abort_resp_short_tkt);
 		goto error;
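Review bot: `if (ticket_len > len)` bounds the packet-supplied ticket length against the remaining linear buffer, so the in-place decrypt of `ticket` that follows stays inside the kmalloc'd copy and never touches the sk_buff, which is the point of the patch. A `ticket_len == 0` ticket passes this check, so if rxkad_decrypt_ticket() cannot cope with zero length that case relies on a check outside this hunk.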
@@ -1177,8 +1170,6 @@ static int rxkad_verify_response(struct
 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
 
 error:
-	kfree(ticket);
-	kfree(response);
 	key_put(server_key);
 	_leave(" = %d", ret);
 	return ret;
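Review bot: with `kfree(ticket)` and `kfree(response)` gone from the `error:` path, `buffer` is owned and freed solely by rxrpc_verify_response() in conn_event.c; nothing in this function may retain a pointer into it, which holds for the visible code (`session_key` is copied by value). A one-line comment at the `response = buffer;` assignment saying the buffer is caller-owned would prevent a future leak or use-after-free if someone reintroduces a local allocation.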




* [PATCH 6.18 280/315] serial: 8250: dispatch SysRq character in serial8250_handle_irq()
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Jacques Nilo

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jacques Nilo <jnilo@free.fr>

commit 71f42b2149a1307a97165b409493665579462ea0 upstream.

serial8250_handle_irq() captures a SysRq character into port->sysrq_ch
inside serial8250_handle_irq_locked() via uart_prepare_sysrq_char()
(reached from serial8250_read_char()). Dispatch of that captured
character to handle_sysrq() is expected to happen at port-unlock time,
through uart_unlock_and_check_sysrq[_irqrestore]().

After commit 8324a54f604d ("serial: 8250: Add
serial8250_handle_irq_locked()") the function was reduced to a wrapper
that takes the port lock via guard(uart_port_lock_irqsave) whose
destructor is plain uart_port_unlock_irqrestore(). The sysrq-aware
unlock helper is no longer called, so port->sysrq_ch is captured but
never dispatched: BREAK + SysRq key is consumed silently.

This was the very condition Johan Hovold's 853a9ae29e978 ("serial:
8250: fix handle_irq locking", 2021) introduced
uart_unlock_and_check_sysrq_irqrestore() to address.

Switch to the new guard(uart_port_lock_check_sysrq_irqsave), whose
destructor is the sysrq-aware unlock helper, restoring the pre-split
behaviour. Update the Context: comment on serial8250_handle_irq_locked()
so future HW-specific 8250 wrappers know to use the same guard or the
explicit sysrq-aware unlock.

Verified on RTL8196E with CONFIG_MAGIC_SYSRQ_SERIAL=y: BREAK + 'h' on
the console UART produces the SysRq help dump in dmesg and the brk
counter in /proc/tty/driver/serial increments correctly.

Fixes: 8324a54f604d ("serial: 8250: Add serial8250_handle_irq_locked()")
Cc: stable@vger.kernel.org
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Jacques Nilo <jnilo@free.fr>
Link: https://patch.msgid.link/52692ae6c3501f7940347cef364ad7fcacaab7e5.1778675349.git.jnilo@free.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_port.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
index af78cc02f38e..c66ba714caa5 100644
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -1784,7 +1784,10 @@ static bool handle_rx_dma(struct uart_8250_port *up, unsigned int iir)
 }
 
 /*
- * Context: port's lock must be held by the caller.
+ * Context: port's lock must be held by the caller. The caller must
+ * release it via guard(uart_port_lock_check_sysrq_irqsave) or
+ * uart_unlock_and_check_sysrq_irqrestore(), which captures SysRq
+ * character on unlock.
  */
 void serial8250_handle_irq_locked(struct uart_port *port, unsigned int iir)
 {
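Review bot: the new Context: comment says the unlock helper "captures SysRq character on unlock", but per the commit message the capture happens in uart_prepare_sysrq_char() while the lock is held and the unlock helper dispatches the already-captured port->sysrq_ch to handle_sysrq(); suggest "which dispatches any SysRq character captured while the lock was held" so future wrapper authors are not misled about where the capture happens.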
@@ -1837,7 +1840,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
 	if (iir & UART_IIR_NO_INT)
 		return 0;
 
-	guard(uart_port_lock_irqsave)(port);
+	guard(uart_port_lock_check_sysrq_irqsave)(port);
 	serial8250_handle_irq_locked(port, iir);
 
 	return 1;
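Review bot: the guard swap is the right fix and covers every exit from serial8250_handle_irq() because the destructor runs on scope exit; the residual risk is other callers of serial8250_handle_irq_locked() that still take the plain guard, which this patch does not enumerate. Listing the callers and their unlock paths in the commit message (the 8250_dw one is handled in a separate patch) would make the fix auditable.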
-- 
2.54.0





* [PATCH 6.12 270/307] serdev: Provide a bustype shutdown function
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>

[ Upstream commit 6d71c62b13c33ea858ab298fe20beaec5736edc7 ]

To prepare serdev drivers to migrate away from struct device_driver::shutdown
(and then eventually remove that callback), create a serdev driver shutdown
callback and migration code to keep the existing behaviour. Note that this
introduces a warning at register time for each driver that isn't converted
yet to that callback.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/ab518883e3ed0976a19cb5b5b5faf42bd3a655b7.1765526117.git.u.kleine-koenig@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 375ba7484132 ("Bluetooth: hci_qca: Convert timeout from jiffies to ms")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serdev/core.c |   21 +++++++++++++++++++++
 include/linux/serdev.h    |    1 +
 2 files changed, 22 insertions(+)

--- a/drivers/tty/serdev/core.c
+++ b/drivers/tty/serdev/core.c
@@ -431,11 +431,21 @@ static void serdev_drv_remove(struct dev
 	dev_pm_domain_detach(dev, true);
 }
 
+static void serdev_drv_shutdown(struct device *dev)
+{
+	const struct serdev_device_driver *sdrv =
+		to_serdev_device_driver(dev->driver);
+
+	if (dev->driver && sdrv->shutdown)
+		sdrv->shutdown(to_serdev_device(dev));
+}
+
 static const struct bus_type serdev_bus_type = {
 	.name		= "serial",
 	.match		= serdev_device_match,
 	.probe		= serdev_drv_probe,
 	.remove		= serdev_drv_remove,
+	.shutdown	= serdev_drv_shutdown,
 };
 
 /**
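Review bot: serdev_drv_shutdown() computes `to_serdev_device_driver(dev->driver)` before checking `dev->driver` for NULL; container_of() on a NULL pointer is pointer arithmetic that UBSAN can flag even though `sdrv` is never dereferenced when `dev->driver` is NULL. Move the cast inside the check, e.g. `if (!dev->driver) return;` then `sdrv = to_serdev_device_driver(dev->driver); if (sdrv->shutdown) sdrv->shutdown(to_serdev_device(dev));`.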
@@ -832,6 +842,14 @@ void serdev_controller_remove(struct ser
 }
 EXPORT_SYMBOL_GPL(serdev_controller_remove);
 
+static void serdev_legacy_shutdown(struct serdev_device *serdev)
+{
+	struct device *dev = &serdev->dev;
+	struct device_driver *driver = dev->driver;
+
+	driver->shutdown(dev);
+}
+
 /**
  * __serdev_device_driver_register() - Register client driver with serdev core
  * @sdrv:	client driver to be associated with client-device.
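Review bot: serdev_legacy_shutdown() dereferences `driver->shutdown` unconditionally; that is safe only because the registration path installs it solely when `sdrv->driver.shutdown` is non-NULL and dev->driver cannot change while the device is bound. A comment stating that invariant ("only installed when driver.shutdown is set") would stop the helper from being reused where it does not hold.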
@@ -848,6 +866,9 @@ int __serdev_device_driver_register(stru
 	/* force drivers to async probe so I/O is possible in probe */
         sdrv->driver.probe_type = PROBE_PREFER_ASYNCHRONOUS;
 
+	if (!sdrv->shutdown && sdrv->driver.shutdown)
+		sdrv->shutdown = serdev_legacy_shutdown;
+
 	return driver_register(&sdrv->driver);
 }
 EXPORT_SYMBOL_GPL(__serdev_device_driver_register);
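Review bot: the commit message says registering an unconverted driver now emits a warning, but this hunk installs serdev_legacy_shutdown silently; either add the warning here (for example `pr_warn("%s: uses deprecated driver.shutdown, convert to serdev_device_driver::shutdown\n", sdrv->driver.name);`) or drop that sentence from the message so the two agree.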
--- a/include/linux/serdev.h
+++ b/include/linux/serdev.h
@@ -65,6 +65,7 @@ struct serdev_device_driver {
 	struct device_driver driver;
 	int	(*probe)(struct serdev_device *);
 	void	(*remove)(struct serdev_device *);
+	void	(*shutdown)(struct serdev_device *);
 };
 
 static inline struct serdev_device_driver *to_serdev_device_driver(struct device_driver *d)
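Review bot: the new `shutdown` member has no accompanying documentation in this hunk; a short comment saying it supersedes `driver.shutdown` and that the core falls back to the legacy callback when it is NULL would tell driver authors which one to implement.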




* [PATCH 6.18 281/315] serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Jacques Nilo

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jacques Nilo <jnilo@free.fr>

commit 2e211723953f7740e54b53f3d3a0d5e351a5e223 upstream.

dw8250_handle_irq() calls serial8250_handle_irq_locked() with the port
lock held via guard(uart_port_lock_irqsave). The guard destructor is
plain uart_port_unlock_irqrestore(), so a SysRq character captured into
port->sysrq_ch by uart_prepare_sysrq_char() is dropped without ever
being dispatched to handle_sysrq().

This is the same regression pattern as in serial8250_handle_irq(),
introduced when 883c5a2bc934 ("serial: 8250_dw: Rework
dw8250_handle_irq() locking and IIR handling") moved the function to
the guard()-based locking scheme without using the sysrq-aware unlock
helper.

Switch to guard(uart_port_lock_check_sysrq_irqsave) so that captured
sysrq_ch is dispatched on scope exit, matching the fix in
serial8250_handle_irq().

Fixes: 883c5a2bc934 ("serial: 8250_dw: Rework dw8250_handle_irq() locking and IIR handling")
Cc: stable@vger.kernel.org
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Jacques Nilo <jnilo@free.fr>
Link: https://patch.msgid.link/ed56fcaf4af24e4ed011a7bce206e0182acb761c.1778675349.git.jnilo@free.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_dw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
index 94beadb4024d..2af0c4d0ad82 100644
--- a/drivers/tty/serial/8250/8250_dw.c
+++ b/drivers/tty/serial/8250/8250_dw.c
@@ -427,7 +427,7 @@ static int dw8250_handle_irq(struct uart_port *p)
 	unsigned int quirks = d->pdata->quirks;
 	unsigned int status;
 
-	guard(uart_port_lock_irqsave)(p);
+	guard(uart_port_lock_check_sysrq_irqsave)(p);
 
 	switch (FIELD_GET(DW_UART_IIR_IID, iir)) {
 	case UART_IIR_NO_INT:
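Review bot: the guard change is correct, and because dw8250_handle_irq() returns from several cases of the switch that follows, the scope-exit destructor is the only way to guarantee the sysrq check on every path; stating that in the commit message as the reason for preferring the guard over an explicit uart_unlock_and_check_sysrq_irqrestore() call would make the choice clear to future maintainers.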
-- 
2.54.0





* [PATCH 6.12 271/307] Bluetooth: hci_qca: Migrate to serdev specific shutdown function
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>

[ Upstream commit 12a6a5726c515455935982429ac35dee2307233d ]

This saves a cast in the driver. The motivation is to stop using the callback
.shutdown in qca_serdev_driver.driver to make it possible to drop it.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/261a3384e25c4837d4efee87958805f15d7d4e3c.1765526117.git.u.kleine-koenig@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 375ba7484132 ("Bluetooth: hci_qca: Convert timeout from jiffies to ms")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -2516,11 +2516,10 @@ static void qca_serdev_remove(struct ser
 	hci_uart_unregister_device(&qcadev->serdev_hu);
 }
 
-static void qca_serdev_shutdown(struct device *dev)
+static void qca_serdev_shutdown(struct serdev_device *serdev)
 {
 	int ret;
 	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
-	struct serdev_device *serdev = to_serdev_device(dev);
 	struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
 	struct hci_uart *hu = &qcadev->serdev_hu;
 	struct hci_dev *hdev = hu->hdev;
@@ -2741,11 +2740,11 @@ static void hciqca_coredump(struct devic
 static struct serdev_device_driver qca_serdev_driver = {
 	.probe = qca_serdev_probe,
 	.remove = qca_serdev_remove,
+	.shutdown = qca_serdev_shutdown,
 	.driver = {
 		.name = "hci_uart_qca",
 		.of_match_table = of_match_ptr(qca_bluetooth_of_match),
 		.acpi_match_table = ACPI_PTR(qca_bluetooth_acpi_match),
-		.shutdown = qca_serdev_shutdown,
 		.pm = &qca_pm_ops,
 #ifdef CONFIG_DEV_COREDUMP
 		.coredump = hciqca_coredump,




* [PATCH 6.18 282/315] platform/x86/intel/vsec: Refactor base_addr handling
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David E. Box, Michael J. Ruhl,
	Ilpo Järvinen, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David E. Box" <david.e.box@linux.intel.com>

[ Upstream commit 904b333fc51cc045941df9656302449a0fc9978e ]

The base_addr field in intel_vsec_platform_info was originally added to
support devices that emulate PCI VSEC capabilities in MMIO. Previously,
the code would check at registration time whether base_addr was set,
falling back to the PCI BAR if not.

Refactor this by making base_addr an explicit function parameter. This
clarifies ownership of the value and removes conditional logic from
intel_vsec_add_dev(). It also enables making intel_vsec_platform_info
const in a later patch, since the function no longer needs to write to
info->base_addr.

No functional change intended.

Signed-off-by: David E. Box <david.e.box@linux.intel.com>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Link: https://patch.msgid.link/20260313015202.3660072-2-david.e.box@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Stable-dep-of: 348ccc754d89 ("platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -271,14 +271,13 @@ EXPORT_SYMBOL_NS_GPL(intel_vsec_add_aux,
 
 static int intel_vsec_add_dev(struct pci_dev *pdev, struct intel_vsec_header *header,
 			      struct intel_vsec_platform_info *info,
-			      unsigned long cap_id)
+			      unsigned long cap_id, u64 base_addr)
 {
 	struct intel_vsec_device __free(kfree) *intel_vsec_dev = NULL;
 	struct resource __free(kfree) *res = NULL;
 	struct resource *tmp;
 	struct device *parent;
 	unsigned long quirks = info->quirks;
-	u64 base_addr;
 	int i;
 
 	if (info->parent)
@@ -310,11 +309,6 @@ static int intel_vsec_add_dev(struct pci
 	if (quirks & VSEC_QUIRK_TABLE_SHIFT)
 		header->offset >>= TABLE_OFFSET_SHIFT;
 
-	if (info->base_addr)
-		base_addr = info->base_addr;
-	else
-		base_addr = pdev->resource[header->tbir].start;
-
 	/*
 	 * The DVSEC/VSEC contains the starting offset and count for a block of
 	 * discovery tables. Create a resource array of these tables to the
@@ -412,7 +406,8 @@ static int get_cap_id(u32 header_id, uns
 
 static int intel_vsec_register_device(struct pci_dev *pdev,
 				      struct intel_vsec_header *header,
-				      struct intel_vsec_platform_info *info)
+				      struct intel_vsec_platform_info *info,
+				      u64 base_addr)
 {
 	const struct vsec_feature_dependency *consumer_deps;
 	struct vsec_priv *priv;
@@ -428,7 +423,7 @@ static int intel_vsec_register_device(st
 	 * For others using the exported APIs, add the device directly.
 	 */
 	if (!pci_match_id(intel_vsec_pci_ids, pdev))
-		return intel_vsec_add_dev(pdev, header, info, cap_id);
+		return intel_vsec_add_dev(pdev, header, info, cap_id, base_addr);
 
 	priv = pci_get_drvdata(pdev);
 	if (priv->state[cap_id] == STATE_REGISTERED ||
@@ -444,7 +439,7 @@ static int intel_vsec_register_device(st
 
 	consumer_deps = get_consumer_dependencies(priv, cap_id);
 	if (!consumer_deps || suppliers_ready(priv, consumer_deps, cap_id)) {
-		ret = intel_vsec_add_dev(pdev, header, info, cap_id);
+		ret = intel_vsec_add_dev(pdev, header, info, cap_id, base_addr);
 		if (ret)
 			priv->state[cap_id] = STATE_SKIP;
 		else
@@ -464,7 +459,7 @@ static bool intel_vsec_walk_header(struc
 	int ret;
 
 	for ( ; *header; header++) {
-		ret = intel_vsec_register_device(pdev, *header, info);
+		ret = intel_vsec_register_device(pdev, *header, info, info->base_addr);
 		if (!ret)
 			have_devices = true;
 	}
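Review bot: intel_vsec_walk_header() now passes `info->base_addr` unconditionally, while intel_vsec_add_dev() has lost the `info->base_addr ? : pdev->resource[header->tbir].start` fallback; any platform info that previously left base_addr at 0 and relied on the BAR fallback would now register its devices at base 0. Please confirm every user of intel_vsec_walk_header() sets base_addr, or keep the fallback in this caller, given the commit claims no functional change.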
@@ -512,7 +507,8 @@ static bool intel_vsec_walk_dvsec(struct
 		pci_read_config_dword(pdev, pos + PCI_DVSEC_HEADER2, &hdr);
 		header.id = PCI_DVSEC_HEADER2_ID(hdr);
 
-		ret = intel_vsec_register_device(pdev, &header, info);
+		ret = intel_vsec_register_device(pdev, &header, info,
+						 pci_resource_start(pdev, header.tbir));
 		if (ret)
 			continue;
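Review bot: `pci_resource_start(pdev, header.tbir)` indexes pdev->resource[] with a value decoded from config space and no bounds check on `tbir` is visible in this hunk; the old `pdev->resource[header->tbir].start` had the same exposure, so this is not a regression, but since the refactor moves the lookup into the walker this is the natural place to reject `header.tbir >= PCI_STD_NUM_BARS` (or validate it where `header.tbir` is decoded) instead of silently reading a non-BAR resource. The same applies to the VSEC walker hunk below.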
 
@@ -557,7 +553,8 @@ static bool intel_vsec_walk_vsec(struct
 		header.tbir = INTEL_DVSEC_TABLE_BAR(table);
 		header.offset = INTEL_DVSEC_TABLE_OFFSET(table);
 
-		ret = intel_vsec_register_device(pdev, &header, info);
+		ret = intel_vsec_register_device(pdev, &header, info,
+						 pci_resource_start(pdev, header.tbir));
 		if (ret)
 			continue;
 




* [PATCH 6.12 272/307] Bluetooth: hci_qca: Convert timeout from jiffies to ms
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Menzel, Bartosz Golaszewski,
	Shuai Zhang, Luiz Augusto von Dentz, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>

[ Upstream commit 375ba7484132662a4a8c7547d088fb6275c00282 ]

Since the timer uses jiffies as its unit rather than ms, the timeout value
must be converted from ms to jiffies when configuring the timer. Otherwise,
the intended 8s timeout is incorrectly set to approximately 33s.

To improve readability, embed msecs_to_jiffies() directly in the macro
definitions and drop the _MS suffix from macros that now yield jiffies
values: MEMDUMP_TIMEOUT, FW_DOWNLOAD_TIMEOUT, IBS_DISABLE_SSR_TIMEOUT,
CMD_TRANS_TIMEOUT, and IBS_BTSOC_TX_IDLE_TIMEOUT.

IBS_WAKE_RETRANS_TIMEOUT_MS and IBS_HOST_TX_IDLE_TIMEOUT_MS are
intentionally left unchanged. Their values are stored in the struct fields
wake_retrans and tx_idle_delay, which hold ms values at runtime and can be
modified via debugfs. The msecs_to_jiffies() conversion happens at each
call site against the field value, so it cannot be embedded in the macro.

Wake timer depends on commit c347ca17d62a

Cc: stable@vger.kernel.org
Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |   33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -47,13 +47,12 @@
 #define HCI_MAX_IBS_SIZE	10
 
 #define IBS_WAKE_RETRANS_TIMEOUT_MS	100
-#define IBS_BTSOC_TX_IDLE_TIMEOUT_MS	200
+#define IBS_BTSOC_TX_IDLE_TIMEOUT	msecs_to_jiffies(200)
 #define IBS_HOST_TX_IDLE_TIMEOUT_MS	2000
-#define CMD_TRANS_TIMEOUT_MS		100
-#define MEMDUMP_TIMEOUT_MS		8000
-#define IBS_DISABLE_SSR_TIMEOUT_MS \
-	(MEMDUMP_TIMEOUT_MS + FW_DOWNLOAD_TIMEOUT_MS)
-#define FW_DOWNLOAD_TIMEOUT_MS		3000
+#define CMD_TRANS_TIMEOUT		msecs_to_jiffies(100)
+#define MEMDUMP_TIMEOUT			msecs_to_jiffies(8000)
+#define FW_DOWNLOAD_TIMEOUT		msecs_to_jiffies(3000)
+#define IBS_DISABLE_SSR_TIMEOUT		(MEMDUMP_TIMEOUT + FW_DOWNLOAD_TIMEOUT)
 
 /* susclk rate */
 #define SUSCLK_RATE_32KHZ	32768
@@ -1078,7 +1077,7 @@ static void qca_controller_memdump(struc
 
 			queue_delayed_work(qca->workqueue,
 					   &qca->ctrl_memdump_timeout,
-					   msecs_to_jiffies(MEMDUMP_TIMEOUT_MS));
+					   MEMDUMP_TIMEOUT);
 			skb_pull(skb, sizeof(qca_memdump->ram_dump_size));
 			qca_memdump->current_seq_no = 0;
 			qca_memdump->received_dump = 0;
@@ -1350,7 +1349,7 @@ static int qca_set_baudrate(struct hci_d
 
 	if (hu->serdev)
 		serdev_device_wait_until_sent(hu->serdev,
-		      msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+		      CMD_TRANS_TIMEOUT);
 
 	/* Give the controller time to process the request */
 	switch (qca_soc_type(hu)) {
@@ -1381,8 +1380,8 @@ static inline void host_set_baudrate(str
 
 static int qca_send_power_pulse(struct hci_uart *hu, bool on)
 {
+	int timeout = CMD_TRANS_TIMEOUT;
 	int ret;
-	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
 	u8 cmd = on ? QCA_WCN3990_POWERON_PULSE : QCA_WCN3990_POWEROFF_PULSE;
 
 	/* These power pulses are single byte command which are sent
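Review bot: `int timeout = CMD_TRANS_TIMEOUT;` stores an unsigned long jiffies value in an int, and the same line recurs in qca_serdev_shutdown() later in this patch; the qca_suspend() hunk changes `wait_timeout` to `unsigned long` for exactly this reason, so making these two `unsigned long` as well would keep the jiffies type uniform (harmless at 100 ms, but consistent).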
@@ -1584,7 +1583,7 @@ static void qca_wait_for_dump_collection
 	struct qca_data *qca = hu->priv;
 
 	wait_on_bit_timeout(&qca->flags, QCA_MEMDUMP_COLLECTION,
-			    TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT_MS);
+			    TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT);
 
 	clear_bit(QCA_MEMDUMP_COLLECTION, &qca->flags);
 }
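Review bot: this hunk is the behavioural part of the change rather than a rename: the removed line handed the raw millisecond count (8000) to wait_on_bit_timeout(), which takes jiffies, so with HZ=250 the dump-collection wait was 32 s instead of 8 s and only happened to be right at HZ=1000. The remaining hunks are equivalent rewrites, so it is worth singling this one out in the commit message.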
@@ -2519,7 +2518,7 @@ static void qca_serdev_remove(struct ser
 static void qca_serdev_shutdown(struct serdev_device *serdev)
 {
 	int ret;
-	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
+	int timeout = CMD_TRANS_TIMEOUT;
 	struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
 	struct hci_uart *hu = &qcadev->serdev_hu;
 	struct hci_dev *hdev = hu->hdev;
@@ -2576,7 +2575,7 @@ static int __maybe_unused qca_suspend(st
 	bool tx_pending = false;
 	int ret = 0;
 	u8 cmd;
-	u32 wait_timeout = 0;
+	unsigned long wait_timeout = 0;
 
 	set_bit(QCA_SUSPENDING, &qca->flags);
 
@@ -2597,15 +2596,15 @@ static int __maybe_unused qca_suspend(st
 	if (test_bit(QCA_IBS_DISABLED, &qca->flags) ||
 	    test_bit(QCA_SSR_TRIGGERED, &qca->flags)) {
 		wait_timeout = test_bit(QCA_SSR_TRIGGERED, &qca->flags) ?
-					IBS_DISABLE_SSR_TIMEOUT_MS :
-					FW_DOWNLOAD_TIMEOUT_MS;
+					IBS_DISABLE_SSR_TIMEOUT :
+					FW_DOWNLOAD_TIMEOUT;
 
 		/* QCA_IBS_DISABLED flag is set to true, During FW download
 		 * and during memory dump collection. It is reset to false,
 		 * After FW download complete.
 		 */
 		wait_on_bit_timeout(&qca->flags, QCA_IBS_DISABLED,
-			    TASK_UNINTERRUPTIBLE, msecs_to_jiffies(wait_timeout));
+			    TASK_UNINTERRUPTIBLE, wait_timeout);
 
 		if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
 			bt_dev_err(hu->hdev, "SSR or FW download time out");
@@ -2657,7 +2656,7 @@ static int __maybe_unused qca_suspend(st
 
 	if (tx_pending) {
 		serdev_device_wait_until_sent(hu->serdev,
-					      msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+					      CMD_TRANS_TIMEOUT);
 		serial_clock_vote(HCI_IBS_TX_VOTE_CLOCK_OFF, hu);
 	}
 
@@ -2666,7 +2665,7 @@ static int __maybe_unused qca_suspend(st
 	 */
 	ret = wait_event_interruptible_timeout(qca->suspend_wait_q,
 			qca->rx_ibs_state == HCI_IBS_RX_ASLEEP,
-			msecs_to_jiffies(IBS_BTSOC_TX_IDLE_TIMEOUT_MS));
+			IBS_BTSOC_TX_IDLE_TIMEOUT);
 	if (ret == 0) {
 		ret = -ETIMEDOUT;
 		goto error;



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 283/315] platform/x86/intel/vsec: Make driver_data info const
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (281 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 282/315] platform/x86/intel/vsec: Refactor base_addr handling Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 284/315] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David E. Box, Michael J. Ruhl,
	Ilpo Järvinen, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "David E. Box" <david.e.box@linux.intel.com>

[ Upstream commit 9577c74c96f88d807d1ba005adbf5952e7127e55 ]

Treat PCI id->driver_data (intel_vsec_platform_info) as read-only by making
vsec_priv->info a const pointer and updating all function signatures to
accept const intel_vsec_platform_info *.

This improves const-correctness and clarifies that the platform info data
from the driver_data table is not meant to be modified at runtime.

No functional changes intended.

Signed-off-by: David E. Box <david.e.box@linux.intel.com>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Link: https://patch.msgid.link/20260313015202.3660072-3-david.e.box@linux.intel.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Stable-dep-of: 348ccc754d89 ("platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   20 ++++++++++----------
 include/linux/intel_vsec.h        |    4 ++--
 2 files changed, 12 insertions(+), 12 deletions(-)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -42,7 +42,7 @@ enum vsec_device_state {
 };
 
 struct vsec_priv {
-	struct intel_vsec_platform_info *info;
+	const struct intel_vsec_platform_info *info;
 	struct device *suppliers[VSEC_FEATURE_COUNT];
 	struct oobmsm_plat_info plat_info;
 	enum vsec_device_state state[VSEC_FEATURE_COUNT];
@@ -270,7 +270,7 @@ cleanup_aux:
 EXPORT_SYMBOL_NS_GPL(intel_vsec_add_aux, "INTEL_VSEC");
 
 static int intel_vsec_add_dev(struct pci_dev *pdev, struct intel_vsec_header *header,
-			      struct intel_vsec_platform_info *info,
+			      const struct intel_vsec_platform_info *info,
 			      unsigned long cap_id, u64 base_addr)
 {
 	struct intel_vsec_device __free(kfree) *intel_vsec_dev = NULL;
@@ -406,7 +406,7 @@ static int get_cap_id(u32 header_id, uns
 
 static int intel_vsec_register_device(struct pci_dev *pdev,
 				      struct intel_vsec_header *header,
-				      struct intel_vsec_platform_info *info,
+				      const struct intel_vsec_platform_info *info,
 				      u64 base_addr)
 {
 	const struct vsec_feature_dependency *consumer_deps;
@@ -452,7 +452,7 @@ static int intel_vsec_register_device(st
 }
 
 static bool intel_vsec_walk_header(struct pci_dev *pdev,
-				   struct intel_vsec_platform_info *info)
+				   const struct intel_vsec_platform_info *info)
 {
 	struct intel_vsec_header **header = info->headers;
 	bool have_devices = false;
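Review bot: the const on `info` is shallow: `struct intel_vsec_header **header = info->headers;` still yields a non-const pointer into the header table, so the compiler only enforces read-only access to the top-level struct. If the header array is also meant to be immutable, the `headers` member type in intel_vsec_platform_info needs `const` too; otherwise the "not meant to be modified at runtime" statement in the commit text is only partly enforced.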
@@ -468,7 +468,7 @@ static bool intel_vsec_walk_header(struc
 }
 
 static bool intel_vsec_walk_dvsec(struct pci_dev *pdev,
-				  struct intel_vsec_platform_info *info)
+				  const struct intel_vsec_platform_info *info)
 {
 	bool have_devices = false;
 	int pos = 0;
@@ -519,7 +519,7 @@ static bool intel_vsec_walk_dvsec(struct
 }
 
 static bool intel_vsec_walk_vsec(struct pci_dev *pdev,
-				 struct intel_vsec_platform_info *info)
+				 const struct intel_vsec_platform_info *info)
 {
 	bool have_devices = false;
 	int pos = 0;
@@ -565,7 +565,7 @@ static bool intel_vsec_walk_vsec(struct
 }
 
 int intel_vsec_register(struct pci_dev *pdev,
-			 struct intel_vsec_platform_info *info)
+			const struct intel_vsec_platform_info *info)
 {
 	if (!pdev || !info || !info->headers)
 		return -EINVAL;
@@ -578,7 +578,7 @@ int intel_vsec_register(struct pci_dev *
 EXPORT_SYMBOL_NS_GPL(intel_vsec_register, "INTEL_VSEC");
 
 static bool intel_vsec_get_features(struct pci_dev *pdev,
-				    struct intel_vsec_platform_info *info)
+				    const struct intel_vsec_platform_info *info)
 {
 	bool found = false;
 
@@ -622,7 +622,7 @@ static void intel_vsec_skip_missing_depe
 
 static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 {
-	struct intel_vsec_platform_info *info;
+	const struct intel_vsec_platform_info *info;
 	struct vsec_priv *priv;
 	int num_caps, ret;
 	int run_once = 0;
@@ -633,7 +633,7 @@ static int intel_vsec_pci_probe(struct p
 		return ret;
 
 	pci_save_state(pdev);
-	info = (struct intel_vsec_platform_info *)id->driver_data;
+	info = (const struct intel_vsec_platform_info *)id->driver_data;
 	if (!info)
 		return -EINVAL;
 
--- a/include/linux/intel_vsec.h
+++ b/include/linux/intel_vsec.h
@@ -199,13 +199,13 @@ static inline struct intel_vsec_device *
 
 #if IS_ENABLED(CONFIG_INTEL_VSEC)
 int intel_vsec_register(struct pci_dev *pdev,
-			 struct intel_vsec_platform_info *info);
+			const struct intel_vsec_platform_info *info);
 int intel_vsec_set_mapping(struct oobmsm_plat_info *plat_info,
 			   struct intel_vsec_device *vsec_dev);
 struct oobmsm_plat_info *intel_vsec_get_mapping(struct pci_dev *pdev);
 #else
 static inline int intel_vsec_register(struct pci_dev *pdev,
-				       struct intel_vsec_platform_info *info)
+				      const struct intel_vsec_platform_info *info)
 {
 	return -ENODEV;
 }



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 273/307] ALSA: scarlett2: Return ENOSPC for out-of-bounds flash writes
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (268 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 272/307] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 274/307] ALSA: scarlett2: Allow flash writes ending at segment boundary Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Geoffrey D. Bennett" <g@b4.vu>

[ Upstream commit 74641bfcbf4e698b770b1b62a74e73934843e90e ]

When writing to flash, return ENOSPC instead of EINVAL if the requested
write would exceed the size of the flash segment.

Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/3a4af07b0329bed5ffb6994594e4f7bd202aad0f.1727971672.git.g@b4.vu
Stable-dep-of: a69b677e47a8 ("ALSA: scarlett2: Allow flash writes ending at segment boundary")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer_scarlett2.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -9550,7 +9550,7 @@ static long scarlett2_hwdep_write(struct
 		     SCARLETT2_FLASH_BLOCK_SIZE;
 
 	if (count < 0 || *offset < 0 || *offset + count >= flash_size)
-		return -EINVAL;
+		return -ENOSPC;
 
 	if (!count)
 		return 0;
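Review bot: changing only the errno leaves two problems in `*offset + count >= flash_size`: a write that ends exactly at the segment end (offset + count == flash_size) is still refused, and the sum is formed before any range check, so a large count can wrap it. The follow-up in this series ("Allow flash writes ending at segment boundary") addresses both; noting that dependency in the commit text would help whoever backports this one alone.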



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 284/315] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (282 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 283/315] platform/x86/intel/vsec: Make driver_data info const Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 285/315] x86/mm: Disable broadcast TLB flush when PCID is disabled Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Ilpo Järvinen,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

[ Upstream commit 348ccc754d8939e21ca5956ff45720b81d6e407f ]

After a PCIe Uncorrectable Error has been reported by a device with
Intel Vendor Specific Extended Capabilities and has been recovered
through a Secondary Bus Reset, its driver calls intel_vsec_pci_probe()
to rescan and reinitialize VSECs.

intel_vsec_pci_probe() invokes pcim_enable_device() and thereby adds
another devm action which calls pcim_disable_device() on driver unbind.

So once the driver unbinds, pcim_disable_device() will be called as many
times as an Uncorrectable Error occurred, plus one.  This will lead to
an enable_cnt imbalance on driver unbind.

Additionally, since commit dc957ab6aa05 ("platform/x86/intel/vsec: Add
private data for per-device data"), a devm_kzalloc() allocation is
leaked on every Uncorrectable Error.

Avoid by splitting the VSEC rescan out of intel_vsec_pci_probe() into a
separate helper and calling that on PCIe error recovery.

Fixes: 936874b77dd0 ("platform/x86/intel/vsec: Add PCI error recovery support to Intel PMT")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org  # v6.0+
Link: https://patch.msgid.link/bd594d09fa866dc51dddc9a447c3b23f9b1402cc.1778736835.git.lukas@wunner.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   54 +++++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 24 deletions(-)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -620,29 +620,13 @@ static void intel_vsec_skip_missing_depe
 	}
 }
 
-static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+static int intel_vsec_pci_init(struct pci_dev *pdev)
 {
-	const struct intel_vsec_platform_info *info;
-	struct vsec_priv *priv;
-	int num_caps, ret;
+	struct vsec_priv *priv = pci_get_drvdata(pdev);
+	const struct intel_vsec_platform_info *info = priv->info;
 	int run_once = 0;
 	bool found_any = false;
-
-	ret = pcim_enable_device(pdev);
-	if (ret)
-		return ret;
-
-	pci_save_state(pdev);
-	info = (const struct intel_vsec_platform_info *)id->driver_data;
-	if (!info)
-		return -EINVAL;
-
-	priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
-	if (!priv)
-		return -ENOMEM;
-
-	priv->info = info;
-	pci_set_drvdata(pdev, priv);
+	int num_caps;
 
 	num_caps = hweight_long(info->caps);
 	while (num_caps--) {
@@ -663,6 +647,31 @@ static int intel_vsec_pci_probe(struct p
 	return 0;
 }
 
+static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+{
+	const struct intel_vsec_platform_info *info;
+	struct vsec_priv *priv;
+	int ret;
+
+	ret = pcim_enable_device(pdev);
+	if (ret)
+		return ret;
+
+	pci_save_state(pdev);
+	info = (const struct intel_vsec_platform_info *)id->driver_data;
+	if (!info)
+		return -EINVAL;
+
+	priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+	if (!priv)
+		return -ENOMEM;
+
+	priv->info = info;
+	pci_set_drvdata(pdev, priv);
+
+	return intel_vsec_pci_init(pdev);
+}
+
 int intel_vsec_set_mapping(struct oobmsm_plat_info *plat_info,
 			   struct intel_vsec_device *vsec_dev)
 {
@@ -796,7 +805,6 @@ static pci_ers_result_t intel_vsec_pci_s
 {
 	struct intel_vsec_device *intel_vsec_dev;
 	pci_ers_result_t status = PCI_ERS_RESULT_DISCONNECT;
-	const struct pci_device_id *pci_dev_id;
 	unsigned long index;
 
 	dev_info(&pdev->dev, "Resetting PCI slot\n");
@@ -817,10 +825,8 @@ static pci_ers_result_t intel_vsec_pci_s
 		devm_release_action(&pdev->dev, intel_vsec_remove_aux,
 				    &intel_vsec_dev->auxdev);
 	}
-	pci_disable_device(pdev);
 	pci_restore_state(pdev);
-	pci_dev_id = pci_match_id(intel_vsec_pci_ids, pdev);
-	intel_vsec_pci_probe(pdev, pci_dev_id);
+	intel_vsec_pci_init(pdev);
 
 out:
 	return status;
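Review bot: the return value of intel_vsec_pci_init() is discarded, so a failed rescan during recovery still reports whatever `status` was set to above rather than PCI_ERS_RESULT_DISCONNECT. The old intel_vsec_pci_probe() call had the same gap, but now that init is a separate helper its result is easy to honour, e.g. `if (intel_vsec_pci_init(pdev)) status = PCI_ERS_RESULT_DISCONNECT;`. Dropping pci_disable_device() here is what balances enable_cnt, since the single pcim_enable_device() in probe now owns the enable.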



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 274/307] ALSA: scarlett2: Allow flash writes ending at segment boundary
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (269 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 273/307] ALSA: scarlett2: Return ENOSPC for out-of-bounds flash writes Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 275/307] mm/memory: fix spurious warning when unmapping device-private/exclusive pages Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Takashi Iwai,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit a69b677e47a80319ce148d61cc29a2b57006e78d ]

scarlett2_hwdep_write() rejects writes when offset + count is greater than
or equal to the selected flash segment size. That incorrectly treats a
write ending exactly at the end of the segment as out of space, although
the last byte written is still within the segment.

Split invalid argument checks from the segment-space check, keep
zero-length writes as no-ops, and compare count against the remaining
segment size. This permits exact-end writes and avoids relying on
offset + count before deciding whether the request is in bounds.

Fixes: 1abfbd3c9527 ("ALSA: scarlett2: Add support for uploading new firmware")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-alsa-scarlett2-flash-write-boundary-v1-1-b550480e92da@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer_scarlett2.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -9549,12 +9549,15 @@ static long scarlett2_hwdep_write(struct
 	flash_size = private->flash_segment_blocks[segment_id] *
 		     SCARLETT2_FLASH_BLOCK_SIZE;
 
-	if (count < 0 || *offset < 0 || *offset + count >= flash_size)
-		return -ENOSPC;
+	if (count < 0 || *offset < 0)
+		return -EINVAL;
 
 	if (!count)
 		return 0;
 
+	if (*offset >= flash_size || count > flash_size - *offset)
+		return -ENOSPC;
+
 	/* Limit the *req size to SCARLETT2_FLASH_RW_MAX */
 	if (count > max_data_size)
 		count = max_data_size;
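Review bot: reordering the checks means a zero-length write at an out-of-range offset now returns 0 rather than -ENOSPC; that matches the stated no-op intent but is a visible behaviour change worth one sentence in the commit text. The new space test `*offset >= flash_size || count > flash_size - *offset` accepts the exact-end case (offset + count == flash_size) and never forms `*offset + count`, so the wrap concern from the previous patch is gone.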



^ permalink raw reply	[flat|nested] 630+ messages in thread
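To make the boundary behaviour of the two scarlett2 patches above concrete, here is an added, constructed comparison of the pre-fix and post-fix checks (example code, not the driver's own); the segment size, the loff_t stand-in and the sample cases are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the kernel signature: the hwdep write callback
 * gets a long count and a loff_t *offset; loff_t is modelled as long long. */
typedef long long loff_sim_t;

/* Segment size used by the sample cases below (constructed value, not the
 * real SCARLETT2_FLASH_BLOCK_SIZE * flash_segment_blocks product). */
#define SAMPLE_FLASH_SIZE 4096L

/* Check as it stood after "Return ENOSPC for out-of-bounds flash writes":
 * one combined test using ">=", so a write ending exactly at flash_size is
 * refused, and offset + count is formed before any range check. */
static int flash_write_check_old(long count, loff_sim_t offset, long flash_size)
{
	if (count < 0 || offset < 0 || offset + count >= flash_size)
		return -ENOSPC;
	if (!count)
		return 0;
	return 0;          /* caller would go on to clamp and write */
}

/* Check as it stands after "Allow flash writes ending at segment boundary":
 * argument validity first, zero-length no-op, then a space check that
 * subtracts instead of adding, so it cannot wrap. */
static int flash_write_check_new(long count, loff_sim_t offset, long flash_size)
{
	if (count < 0 || offset < 0)
		return -EINVAL;
	if (!count)
		return 0;
	if (offset >= flash_size || count > flash_size - offset)
		return -ENOSPC;
	return 0;
}

static const char *errname(int rc)
{
	switch (rc) {
	case 0:       return "0 (accepted)";
	case -EINVAL: return "-EINVAL";
	case -ENOSPC: return "-ENOSPC";
	default:      return "?";
	}
}

int main(void)
{
	/* Constructed edge cases. The huge-count case is only fed to the
	 * new check: in the old one offset + count would overflow. */
	struct { long count; loff_sim_t offset; int run_old; } cases[] = {
		{ 1024, SAMPLE_FLASH_SIZE - 1024, 1 }, /* ends exactly at segment end */
		{ 1024, SAMPLE_FLASH_SIZE - 1023, 1 }, /* one byte past the end */
		{    0, SAMPLE_FLASH_SIZE,        1 }, /* zero-length at the end */
		{   -1, 0,                        1 }, /* negative count */
		{ LONG_MAX, 1,                    0 }, /* would wrap offset + count */
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		printf("count=%ld offset=%lld: old=%s new=%s\n",
		       cases[i].count, cases[i].offset,
		       cases[i].run_old
			   ? errname(flash_write_check_old(cases[i].count, cases[i].offset, SAMPLE_FLASH_SIZE))
			   : "(skipped, would overflow)",
		       errname(flash_write_check_new(cases[i].count, cases[i].offset, SAMPLE_FLASH_SIZE)));
	}
	return 0;
}
```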

* [PATCH 6.18 285/315] x86/mm: Disable broadcast TLB flush when PCID is disabled
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (283 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 284/315] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 286/315] rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dave Hansen, Tom Lendacky,
	Borislav Petkov (AMD), Rik van Riel, stable, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

[ Upstream commit 44126343d58c68adaa8343fbf1c07dd20078c35e ]

Booting with "nopcid" clears X86_FEATURE_PCID and keeps CR4.PCIDE from being
set to one. On AMD CPUs that support INVLPGB, broadcast TLB flushing remains
enabled.

There are two checks that decide whether the global ASID code runs,
mm_global_asid() and consider_global_asid(), that key off of the
X86_FEATURE_INVLPGB feature. Once an mm becomes active on more than three
CPUs, consider_global_asid() assigns it a global ASID, after which
flush_tlb_mm_range() takes the broadcast_tlb_flush() path using a non-zero
PCID. Issuing an INVLPGB with a non-zero PCID while CR4.PCIDE is not set
results in a #GP:

  Oops: general protection fault, kernel NULL pointer dereference 0x1: 0000 [#1] SMP NOPTI
  CPU: 158 UID: 0 PID: 3119 Comm: snap Not tainted 7.1.0-rc3 #1 PREEMPT(full)
  Hardware name: ...
  RIP: 0010:broadcast_tlb_flush
  Code: ... 89 da 48 83 c8 07 <0f> 01 fe eb 08 cc cc cc ...
  Call Trace:
   <TASK>
   flush_tlb_mm_range
   ptep_clear_flush
   wp_page_copy
   ? _raw_spin_unlock
   __handle_mm_fault
   handle_mm_fault
   do_user_addr_fault
   exc_page_fault
   asm_exc_page_fault

All processors that support broadcast TLB invalidation also have PCID support,
so it is only the "nopcid" scenario that is of concern. In this situation just
disable the broadcast TLB support using the CPUID dependency support by making
X86_FEATURE_INVLPGB dependent on X86_FEATURE_PCID.

  [ bp: Massage commit message. ]

Fixes: 4afeb0ed1753 ("x86/mm: Enable broadcast TLB invalidation for multi-threaded processes")
Suggested-by: Dave Hansen <dave.hansen@intel.com>
Assisted-by: Claude:claude-opus-4.7
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Rik van Riel <riel@surriel.com>
Cc: <stable@kernel.org>
Link: https://patch.msgid.link/b915acfd63e8b2a094fdeb8dc608738072518764.1779296450.git.thomas.lendacky@amd.com
[ adjusted insertion point to after X86_FEATURE_SPEC_CTRL_SSBD ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/cpuid-deps.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kernel/cpu/cpuid-deps.c
+++ b/arch/x86/kernel/cpu/cpuid-deps.c
@@ -89,6 +89,7 @@ static const struct cpuid_dep cpuid_deps
 	{ X86_FEATURE_SHSTK,			X86_FEATURE_XSAVES    },
 	{ X86_FEATURE_FRED,			X86_FEATURE_LKGS      },
 	{ X86_FEATURE_SPEC_CTRL_SSBD,		X86_FEATURE_SPEC_CTRL },
+	{ X86_FEATURE_INVLPGB,			X86_FEATURE_PCID      },
 	{}
 };
 



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.12 275/307] mm/memory: fix spurious warning when unmapping device-private/exclusive pages
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (270 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 274/307] ALSA: scarlett2: Allow flash writes ending at segment boundary Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 276/307] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alistair Popple,
	Arsen Arsenović, Balbir Singh, David Hildenbrand,
	Jason Gunthorpe, John Hubbard, Leon Romanovsky, Liam R. Howlett,
	Lorenzo Stoakes, Peter Xu, Matthew Brost, Michal Hocko,
	Mike Rapoport, Shuah Khan, Suren Baghdasaryan,
	Thomas Hellström, Vlastimil Babka, Andrew Morton,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alistair Popple <apopple@nvidia.com>

[ Upstream commit be3f38d05cc5a7c3f13e51994c5dd043ab604d28 ]

Device private and exclusive entries are only supported for anonymous
folios.  This condition is tested in __migrate_device_pages() and
make_device_exclusive() using folio_test_anon().  However the unmap path
tests this assumption using vma_is_anonymous().

This is wrong because, whilst anonymous VMAs can only contain folios where
folio_test_anon() is true, the opposite relation does not hold.  A folio
for which folio_test_anon() is true does not imply vma_is_anonymous() is
true.  Such a condition can occur if, for example, a folio is part of a
private filebacked mapping.

In this case vma_is_anonymous() is false as the mapping is filebacked, but
folio_test_anon() may be true, thus permitting devices to migrate the
folio to device private memory.  This can lead to the following spurious
warnings during process teardown:

[  772.737706] ------------[ cut here ]------------
[  772.739201] WARNING: mm/memory.c:1754 at unmap_page_range.cold+0x26/0x18a, CPU#17: hmm-tests/2041
[  772.742050] Modules linked in: test_hmm nvidia_uvm(O) nvidia(O)
[  772.743959] CPU: 17 UID: 0 PID: 2041 Comm: hmm-tests Tainted: G        W  O        7.0.0+ #387 PREEMPT(full)
[  772.747104] Tainted: [W]=WARN, [O]=OOT_MODULE
[  772.748509] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[  772.752117] RIP: 0010:unmap_page_range.cold+0x26/0x18a
[  772.753780] Code: 7e fe ff ff 48 89 4c 24 78 4c 89 44 24 38 e8 f2 ff b1 00 48 8b 4c 24 78 4c 8b 44 24 38 48 8b 44 24 18 48 83 78 48 00 74 04 90 <0f> 0b 90 48 89 ca b8 ff ff 37 00 48 c1 ea 03 48 c1 e0 2a 80 3c 02
[  772.759602] RSP: 0018:ffff888112607550 EFLAGS: 00010286
[  772.761310] RAX: ffff88811bbf4dc0 RBX: dffffc0000000000 RCX: ffffea03e9bfffd8
[  772.763583] RDX: 1ffff1102377e9c1 RSI: 0000000000000008 RDI: ffff88811bbf4e08
[  772.765914] RBP: 0000000000000006 R08: ffff8881059f7448 R09: ffffed10224c0e68
[  772.768184] R10: ffff888112607347 R11: 0000000000000001 R12: 0000000000000001
[  772.770461] R13: ffffea03e9bfffc0 R14: ffff888112607908 R15: ffffea03e9bfffc0
[  772.772782] FS:  00007f327caa2780(0000) GS:ffff888427b7d000(0000) knlGS:0000000000000000
[  772.775328] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  772.777187] CR2: 00007f327ca89000 CR3: 00000001994d5000 CR4: 00000000000006f0
[  772.779135] Call Trace:
[  772.779792]  <TASK>
[  772.780317]  ? dmirror_interval_invalidate+0x1a3/0x290 [test_hmm]
[  772.781873]  ? vm_normal_page_pud+0x2b0/0x2b0
[  772.782992]  ? __rwlock_init+0x150/0x150
[  772.784006]  ? lock_release+0x216/0x2b0
[  772.785008]  ? __mmu_notifier_invalidate_range_start+0x505/0x6e0
[  772.786522]  ? lock_release+0x216/0x2b0
[  772.787498]  ? unmap_single_vma+0xb6/0x210
[  772.788573]  unmap_vmas+0x27d/0x520
[  772.789506]  ? unmap_single_vma+0x210/0x210
[  772.790607]  ? mas_update_gap.part.0+0x620/0x620
[  772.791834]  unmap_region+0x19e/0x350
[  772.792769]  ? remove_vma+0x130/0x130
[  772.793684]  ? mas_alloc_nodes+0x1f2/0x300
[  772.794730]  vms_complete_munmap_vmas+0x8c1/0xe20
[  772.795926]  ? unmap_region+0x350/0x350
[  772.796917]  do_vmi_align_munmap+0x36a/0x4e0
[  772.798018]  ? lock_release+0x216/0x2b0
[  772.799024]  ? vma_shrink+0x620/0x620
[  772.799983]  do_vmi_munmap+0x150/0x2c0
[  772.800939]  __vm_munmap+0x161/0x2c0
[  772.801872]  ? expand_downwards+0xd60/0xd60
[  772.802948]  ? clockevents_program_event+0x1ef/0x540
[  772.804217]  ? lock_release+0x216/0x2b0
[  772.805158]  __x64_sys_munmap+0x59/0x80
[  772.805776]  do_syscall_64+0xfc/0x670
[  772.806336]  ? irqentry_exit+0xda/0x580
[  772.806976]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
[  772.807772] RIP: 0033:0x7f327cbb2717
[  772.808323] Code: 73 01 c3 48 8b 0d f9 76 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c9 76 0d 00 f7 d8 64 89 01 48
[  772.811337] RSP: 002b:00007ffde7f57d38 EFLAGS: 00000202 ORIG_RAX: 000000000000000b
[  772.812564] RAX: ffffffffffffffda RBX: 00007f327cc9c000 RCX: 00007f327cbb2717
[  772.813733] RDX: 0000000000000000 RSI: 0000000000400000 RDI: 00007f327c289000
[  772.814867] RBP: 0000000000421360 R08: 000000000000001a R09: 0000000000000000
[  772.815991] R10: 0000000000000003 R11: 0000000000000202 R12: 00007ffde7f57d74
[  772.817121] R13: 00007f327c689010 R14: 0000000000100000 R15: 00007f327c289000
[  772.818272]  </TASK>
[  772.818614] irq event stamp: 0
[  772.819159] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
[  772.820174] hardirqs last disabled at (0): [<ffffffff82a57ab3>] copy_process+0x19f3/0x6440
[  772.821511] softirqs last  enabled at (0): [<ffffffff82a57b00>] copy_process+0x1a40/0x6440
[  772.822869] softirqs last disabled at (0): [<0000000000000000>] 0x0
[  772.823871] ---[ end trace 0000000000000000 ]---

Fix this by using the same check for folio_test_anon() in
zap_nonpresent_ptes(). Also add a hmm-test case for this.

Link: https://lore.kernel.org/20260501065116.2057242-1-apopple@nvidia.com
Fixes: 999dad824c39 ("mm/shmem: persist uffd-wp bit across zapping for file-backed")
Signed-off-by: Alistair Popple <apopple@nvidia.com>
Reported-by: Arsen Arsenović <aarsenovic@baylibre.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Peter Xu <peterx@redhat.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ applied the change in `zap_pte_range()` instead of `zap_nonpresent_ptes()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory.c                            |    2 -
 tools/testing/selftests/mm/hmm-tests.c |   50 +++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1639,7 +1639,7 @@ static unsigned long zap_pte_range(struc
 			 * consider uffd-wp bit when zap. For more information,
 			 * see zap_install_uffd_wp_if_needed().
 			 */
-			WARN_ON_ONCE(!vma_is_anonymous(vma));
+			WARN_ON_ONCE(!folio_test_anon(folio));
 			rss[mm_counter(folio)]--;
 			if (is_device_private_entry(entry))
 				folio_remove_rmap_pte(folio, page, vma);
--- a/tools/testing/selftests/mm/hmm-tests.c
+++ b/tools/testing/selftests/mm/hmm-tests.c
@@ -999,6 +999,56 @@ TEST_F(hmm, migrate)
 }
 
 /*
+ * Migrate private file memory to device private memory.
+ */
+TEST_F(hmm, migrate_file_private)
+{
+	struct hmm_buffer *buffer;
+	unsigned long npages;
+	unsigned long size;
+	unsigned long i;
+	int *ptr;
+	int ret;
+	int fd;
+
+	npages = ALIGN(HMM_BUFFER_SIZE, self->page_size) >> self->page_shift;
+	ASSERT_NE(npages, 0);
+	size = npages << self->page_shift;
+
+	fd = hmm_create_file(size);
+	ASSERT_GE(fd, 0);
+
+	buffer = malloc(sizeof(*buffer));
+	ASSERT_NE(buffer, NULL);
+
+	buffer->fd = fd;
+	buffer->size = size;
+	buffer->mirror = malloc(size);
+	ASSERT_NE(buffer->mirror, NULL);
+
+	buffer->ptr = mmap(NULL, size,
+			   PROT_READ | PROT_WRITE,
+			   MAP_PRIVATE,
+			   buffer->fd, 0);
+	ASSERT_NE(buffer->ptr, MAP_FAILED);
+
+	/* Initialize buffer in system memory. */
+	for (i = 0, ptr = buffer->ptr; i < size / sizeof(*ptr); ++i)
+		ptr[i] = i;
+
+	/* Migrate memory to device. */
+	ret = hmm_migrate_sys_to_dev(self->fd, buffer, npages);
+	ASSERT_EQ(ret, 0);
+	ASSERT_EQ(buffer->cpages, npages);
+
+	/* Check what the device read. */
+	for (i = 0, ptr = buffer->mirror; i < size / sizeof(*ptr); ++i)
+		ASSERT_EQ(ptr[i], i);
+
+	hmm_buffer_free(buffer);
+}
+
+/*
  * Migrate anonymous memory to device private memory and fault some of it back
  * to system memory, then try migrating the resulting mix of system and device
  * private memory to the device.
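Review bot: the new test never unmaps the MAP_PRIVATE file mapping itself; the path the fix touches (zap of a device-private entry in a file-backed VMA) is only reached when hmm_buffer_free() or process exit tears the mapping down, so a comment after the migrate step saying that the teardown is the part that used to trip the WARN_ON_ONCE would make the test's purpose clear. Also, `ASSERT_EQ(ptr[i], i)` compares an int element with an unsigned long index; this mirrors the existing tests in the file but warns under -Wsign-compare.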



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 286/315] rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, David Howells,
	Simon Horman, Jiayuan Chen, linux-afs, Jeffrey Altman,
	Marc Dionne, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit d2bc90cf6c75cb96d2ce549be6c35efa3099d25b ]

This improves the fix for CVE-2026-43500.

Fix the pagecache corruption from in-place decryption of a DATA packet
transmitted locally by splice() by getting rid of the packet sharing in the
I/O thread and unconditionally extracting the packet content into a bounce
buffer in which the buffer is decrypted.  recvmsg() (or the kernel
equivalent) then copies the data from the bounce buffer to the destination
buffer.  The sk_buff then remains unmodified.

This has an additional advantage in that the packet is then arranged in the
buffer with the correct alignment required for the crypto algorithms to
process directly.  The performance of the crypto does seem to be a little
faster and, surprisingly, the unencrypted performance doesn't seem to
change much - possibly due to removing complexity from the I/O thread.

Yet another advantage is that the I/O thread doesn't have to copy packets
which would slow down packet distribution, ACK generation, etc.

The buffer belongs to the call and is allocated initially at 2K,
sufficiently large to hold a whole jumbo subpacket, but the buffer will be
increased in size if needed.  However, to take this work, MSG_PEEK may
cause a later packet to be decrypted into the buffer, in which case the
earlier one will need re-decrypting for a subsequent recvmsg().

Note that rx_pkt_offset may legitimately see 0 as a valid offset now, so
switch to using USHRT_MAX to indicate an invalid offset.

Note also that I would generally prefer to replace the buffers of the
current sk_buff with a new kmalloc'd buffer of the right size, ditching the
old data and frags as this makes the handling of MSG_PEEK easier and
removes the re-decryption issue, but this looks like quite a complicated
thing to achieve.  skb_morph() looks half way to what I want, but I don't
want to have to allocate a new sk_buff.

Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: linux-afs@lists.infradead.org
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
Link: https://patch.msgid.link/20260515230516.2718212-3-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 8bfab4b6ffc2 ("rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/ar-internal.h |    7 ++-
 net/rxrpc/call_event.c  |   22 ------------
 net/rxrpc/call_object.c |    2 +
 net/rxrpc/insecure.c    |    3 -
 net/rxrpc/recvmsg.c     |   68 ++++++++++++++++++++++++++++++-------
 net/rxrpc/rxgk.c        |   51 +++++++++++++---------------
 net/rxrpc/rxgk_common.h |   82 +++++++++++++++++++++++++++++++++++++++++++++
 net/rxrpc/rxkad.c       |   86 +++++++++++++++++-------------------------------
 8 files changed, 201 insertions(+), 120 deletions(-)

--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -213,8 +213,6 @@ struct rxrpc_skb_priv {
 		struct {
 			u16		offset;		/* Offset of data */
 			u16		len;		/* Length of data */
-			u8		flags;
-#define RXRPC_RX_VERIFIED	0x01
 		};
 		struct {
 			rxrpc_seq_t	first_ack;	/* First packet in acks table */
@@ -774,6 +772,11 @@ struct rxrpc_call {
 	struct sk_buff_head	recvmsg_queue;	/* Queue of packets ready for recvmsg() */
 	struct sk_buff_head	rx_queue;	/* Queue of packets for this call to receive */
 	struct sk_buff_head	rx_oos_queue;	/* Queue of out of sequence packets */
+	void			*rx_dec_buffer;	/* Decryption buffer */
+	unsigned short		rx_dec_bsize;	/* rx_dec_buffer size */
+	unsigned short		rx_dec_offset;	/* Decrypted packet data offset */
+	unsigned short		rx_dec_len;	/* Decrypted packet data len */
+	rxrpc_seq_t		rx_dec_seq;	/* Packet in decryption buffer */
 
 	rxrpc_seq_t		rx_highest_seq;	/* Higest sequence number received */
 	rxrpc_seq_t		rx_consumed;	/* Highest packet consumed */
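Review bot: rx_dec_seq gets no explicit initialisation in this diff and only recvmsg()'s extra `!call->rx_dec_buffer` test makes a freshly zeroed call safe, so a comment at the declaration saying that rx_dec_seq is meaningful only while rx_dec_buffer is non-NULL would make that invariant visible. Style nit: the adjacent context comment "Higest sequence number received" could be corrected to "Highest" while this block is being touched.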
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -332,27 +332,7 @@ bool rxrpc_input_call_event(struct rxrpc
 
 			saw_ack |= sp->hdr.type == RXRPC_PACKET_TYPE_ACK;
 
-			if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
-			    sp->hdr.securityIndex != 0 &&
-			    (skb_cloned(skb) ||
-			     skb_has_frag_list(skb) ||
-			     skb_has_shared_frag(skb))) {
-				/* Unshare the packet so that it can be
-				 * modified by in-place decryption.
-				 */
-				struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC);
-
-				if (nskb) {
-					rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-					rxrpc_input_call_packet(call, nskb);
-					rxrpc_free_skb(nskb, rxrpc_skb_put_call_rx);
-				} else {
-					/* OOM - Drop the packet. */
-					rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-				}
-			} else {
-				rxrpc_input_call_packet(call, skb);
-			}
+			rxrpc_input_call_packet(call, skb);
 			rxrpc_free_skb(skb, rxrpc_skb_put_call_rx);
 			did_receive = true;
 		}
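Review bot: with the unshare branch removed, rxrpc_skb_new_unshared and rxrpc_skb_see_unshare_nomem are no longer referenced from this path, and the follow-up patch (287/315) removes the only other users in conn_event.c; if nothing else references them, the trace enum entries and their name strings become dead and should be dropped in the same series.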
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -152,6 +152,7 @@ struct rxrpc_call *rxrpc_alloc_call(stru
 	spin_lock_init(&call->notify_lock);
 	refcount_set(&call->ref, 1);
 	call->debug_id		= debug_id;
+	call->rx_pkt_offset	= USHRT_MAX;
 	call->tx_total_len	= -1;
 	call->tx_jumbo_max	= 1;
 	call->next_rx_timo	= 20 * HZ;
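Review bot: the USHRT_MAX sentinel is only distinguishable from a real offset if rx_pkt_offset is at least 16 bits wide and a valid in-buffer offset can never reach 65535; the field's declaration is not in this diff, so that is worth confirming, and a comment at the declaration stating that USHRT_MAX means "no packet in progress" would document the convention introduced here.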
@@ -553,6 +554,7 @@ static void rxrpc_cleanup_rx_buffers(str
 	rxrpc_purge_queue(&call->recvmsg_queue);
 	rxrpc_purge_queue(&call->rx_queue);
 	rxrpc_purge_queue(&call->rx_oos_queue);
+	kfree(call->rx_dec_buffer);
 }
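Review bot: rx_dec_buffer holds the decrypted payload of the last packet read, so prefer kfree_sensitive() over kfree() here so the plaintext is scrubbed before the allocation is recycled. The pointer is also not cleared to NULL after the free, which is fine only if rxrpc_cleanup_rx_buffers() runs exactly once per call.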
 
 /*
--- a/net/rxrpc/insecure.c
+++ b/net/rxrpc/insecure.c
@@ -32,9 +32,6 @@ static int none_secure_packet(struct rxr
 
 static int none_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
 {
-	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-
-	sp->flags |= RXRPC_RX_VERIFIED;
 	return 0;
 }
 
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -147,15 +147,52 @@ static void rxrpc_rotate_rx_window(struc
 }
 
 /*
- * Decrypt and verify a DATA packet.
+ * Decrypt and verify a DATA packet.  The content of the packet is pulled out
+ * into a flat buffer rather than decrypting in place in the skbuff.  This also
+ * has the advantage of aligning the buffer correctly for the crypto routines.
+ *
+ * We keep track of the sequence number of the packet currently decrypted into
+ * the buffer in ->rx_dec_seq.  If MSG_PEEK is used and steps onto a new
+ * packet, subsequent recvmsg() calls will have to go back and re-decrypt the
+ * current packet.
  */
 static int rxrpc_verify_data(struct rxrpc_call *call, struct sk_buff *skb)
 {
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+	int ret;
 
-	if (sp->flags & RXRPC_RX_VERIFIED)
-		return 0;
-	return call->security->verify_packet(call, skb);
+	if (sp->len > call->rx_dec_bsize) {
+		/* Make sure we can hold a 1412-byte jumbo subpacket and make
+		 * sure that the buffer size is aligned to a crypto blocksize.
+		 */
+		size_t size = clamp(round_up(sp->len, 32), 2048, 65535);
+		void *buffer = krealloc(call->rx_dec_buffer, size, GFP_NOFS);
+
+		if (!buffer)
+			return -ENOMEM;
+		call->rx_dec_buffer = buffer;
+		call->rx_dec_bsize = size;
+	}
+
+	ret = -EFAULT;
+	if (skb_copy_bits(skb, sp->offset, call->rx_dec_buffer, sp->len) < 0)
+		goto err;
+
+	call->rx_dec_offset = 0;
+	call->rx_dec_len = sp->len;
+	call->rx_dec_seq = sp->hdr.seq;
+	ret = call->security->verify_packet(call, skb);
+	if (ret < 0)
+		goto err;
+	return 0;
+
+err:
+	kfree(call->rx_dec_buffer);
+	call->rx_dec_buffer = NULL;
+	call->rx_dec_bsize = 0;
+	call->rx_dec_offset = 0;
+	call->rx_dec_len = 0;
+	return ret;
 }
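Review bot: the `ret = -EFAULT;` before skb_copy_bits() misreports an internal inconsistency (sp->offset + sp->len extending past the skb) as a user-memory fault; -EPROTO, or an abort of the call, would be clearer for callers. Two smaller points: krealloc() copies the old contents that are about to be overwritten, so kfree() followed by kmalloc() is cheaper; and the err: path should use kfree_sensitive() since the buffer may still hold previously decrypted plaintext. The sizing `clamp(round_up(sp->len, 32), 2048, 65535)` is safe only because sp->len is a u16, so the upper clamp can never leave the buffer shorter than sp->len; a comment saying so would save the next reader the check.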
 
 /*
@@ -283,16 +320,21 @@ static int rxrpc_recvmsg_data(struct soc
 		if (msg)
 			sock_recv_timestamp(msg, sock->sk, skb);
 
-		if (rx_pkt_offset == 0) {
+		if (call->rx_dec_seq != sp->hdr.seq ||
+		    !call->rx_dec_buffer) {
 			ret2 = rxrpc_verify_data(call, skb);
 			trace_rxrpc_recvdata(call, rxrpc_recvmsg_next, seq,
-					     sp->offset, sp->len, ret2);
+					     call->rx_dec_offset,
+					     call->rx_dec_len, ret2);
 			if (ret2 < 0) {
 				ret = ret2;
 				goto out;
 			}
-			rx_pkt_offset = sp->offset;
-			rx_pkt_len = sp->len;
+		}
+
+		if (rx_pkt_offset == USHRT_MAX) {
+			rx_pkt_offset = call->rx_dec_offset;
+			rx_pkt_len = call->rx_dec_len;
 		} else {
 			trace_rxrpc_recvdata(call, rxrpc_recvmsg_cont, seq,
 					     rx_pkt_offset, rx_pkt_len, 0);
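Review bot: when a continuation (rx_pkt_offset != USHRT_MAX) follows a MSG_PEEK that decrypted a later packet, this branch re-decrypts the current packet and then keeps the previously saved rx_pkt_offset; that is correct only because verify_packet() recomputes rx_dec_offset deterministically for the same packet, which deserves a comment here. The trace_rxrpc_recvdata(rxrpc_recvmsg_next, ...) call also fires on that re-decrypt even though the read is a continuation, so the trace no longer distinguishes the two cases.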
@@ -304,10 +346,10 @@ static int rxrpc_recvmsg_data(struct soc
 		if (copy > remain)
 			copy = remain;
 		if (copy > 0) {
-			ret2 = skb_copy_datagram_iter(skb, rx_pkt_offset, iter,
-						      copy);
-			if (ret2 < 0) {
-				ret = ret2;
+			ret2 = copy_to_iter(call->rx_dec_buffer + rx_pkt_offset,
+					    copy, iter);
+			if (ret2 != copy) {
+				ret = -EFAULT;
 				goto out;
 			}
 
@@ -328,7 +370,7 @@ static int rxrpc_recvmsg_data(struct soc
 		/* The whole packet has been transferred. */
 		if (sp->hdr.flags & RXRPC_LAST_PACKET)
 			ret = 1;
-		rx_pkt_offset = 0;
+		rx_pkt_offset = USHRT_MAX;
 		rx_pkt_len = 0;
 
 		skb = skb_peek_next(skb, &call->recvmsg_queue);
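Review bot: this reset and the alloc-time initialisation are the only writes of USHRT_MAX to rx_pkt_offset in the diff; any other site that previously stored 0 to mean "no packet in progress" (for instance when the recvmsg queue is discarded on abort) must now store USHRT_MAX too, otherwise the next recvmsg() will treat it as a continuation at offset 0 without re-verifying the packet.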
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -473,8 +473,9 @@ static int rxgk_verify_packet_integrity(
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxgk_header *hdr;
 	struct krb5_buffer metadata;
-	unsigned int offset = sp->offset, len = sp->len;
+	unsigned int len = call->rx_dec_len;
 	size_t data_offset = 0, data_len = len;
+	void *data = call->rx_dec_buffer, *p = data;
 	u32 ac = 0;
 	int ret = -ENOMEM;
 
@@ -500,16 +501,15 @@ static int rxgk_verify_packet_integrity(
 
 	metadata.len = sizeof(*hdr);
 	metadata.data = hdr;
-	ret = rxgk_verify_mic_skb(gk->krb5, gk->rx_Kc, &metadata,
-				  skb, &offset, &len, &ac);
+	ret = rxgk_verify_mic(gk->krb5, gk->rx_Kc, &metadata, &p, &len, &ac);
 	kfree(hdr);
 	if (ret < 0) {
 		if (ret != -ENOMEM)
 			rxrpc_abort_eproto(call, skb, ac,
 					   rxgk_abort_1_verify_mic_eproto);
 	} else {
-		sp->offset = offset;
-		sp->len = len;
+		call->rx_dec_offset = p - data;
+		call->rx_dec_len = len;
 	}
 
 put_gk:
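Review bot: `call->rx_dec_offset = p - data;` narrows a ptrdiff_t into an unsigned short; it cannot exceed rx_dec_len here because rxgk_verify_mic() only advances p within the buffer, but an explicit cast or a one-line comment would make the narrowing intentional rather than accidental.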
@@ -526,56 +526,53 @@ static int rxgk_verify_packet_encrypted(
 					struct sk_buff *skb)
 {
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-	struct rxgk_header hdr;
-	unsigned int offset = sp->offset, len = sp->len;
+	struct rxgk_header *hdr;
+	unsigned int offset = 0, len = call->rx_dec_len;
+	void *data = call->rx_dec_buffer, *p = data;
 	int ret;
 	u32 ac = 0;
 
 	_enter("");
 
 	if (crypto_krb5_check_data_len(gk->krb5, KRB5_ENCRYPT_MODE,
-				       len, sizeof(hdr)) < 0) {
+				       len, sizeof(*hdr)) < 0) {
 		ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT,
 					 rxgk_abort_2_short_header);
 		goto error;
 	}
 
-	ret = rxgk_decrypt_skb(gk->krb5, gk->rx_enc, skb, &offset, &len, &ac);
+	ret = rxgk_decrypt(gk->krb5, gk->rx_enc, &p, &len, &ac);
 	if (ret < 0) {
 		if (ret != -ENOMEM)
 			rxrpc_abort_eproto(call, skb, ac, rxgk_abort_2_decrypt_eproto);
 		goto error;
 	}
+	offset = p - data;
 
-	if (len < sizeof(hdr)) {
+	if (len < sizeof(*hdr)) {
 		ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT,
 					 rxgk_abort_2_short_header);
 		goto error;
 	}
 
 	/* Extract the header from the skb */
-	ret = skb_copy_bits(skb, offset, &hdr, sizeof(hdr));
-	if (ret < 0) {
-		ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT,
-					 rxgk_abort_2_short_encdata);
-		goto error;
-	}
-	offset += sizeof(hdr);
-	len -= sizeof(hdr);
-
-	if (ntohl(hdr.epoch)		!= call->conn->proto.epoch ||
-	    ntohl(hdr.cid)		!= call->cid ||
-	    ntohl(hdr.call_number)	!= call->call_id ||
-	    ntohl(hdr.seq)		!= sp->hdr.seq ||
-	    ntohl(hdr.sec_index)	!= call->security_ix ||
-	    ntohl(hdr.data_len)		> len) {
+	hdr = data + offset;
+	offset += sizeof(*hdr);
+	len -= sizeof(*hdr);
+
+	if (ntohl(hdr->epoch)		!= call->conn->proto.epoch ||
+	    ntohl(hdr->cid)		!= call->cid ||
+	    ntohl(hdr->call_number)	!= call->call_id ||
+	    ntohl(hdr->seq)		!= sp->hdr.seq ||
+	    ntohl(hdr->sec_index)	!= call->security_ix ||
+	    ntohl(hdr->data_len)	> len) {
 		ret = rxrpc_abort_eproto(call, skb, RXGK_SEALEDINCON,
 					 rxgk_abort_2_short_data);
 		goto error;
 	}
 
-	sp->offset = offset;
-	sp->len = ntohl(hdr.data_len);
+	call->rx_dec_offset = offset;
+	call->rx_dec_len = ntohl(hdr->data_len);
 	ret = 0;
 error:
 	rxgk_put(gk);
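Review bot: `hdr = data + offset;` reads struct rxgk_header directly out of the decryption buffer, which is only safe because rxgk_decrypt() rejects an offset that is not a multiple of 4 and the buffer comes from krealloc(); a comment tying the alignment guarantee to that check would help. The rxgk_abort_2_short_encdata abort reason is no longer used by this function now that the skb_copy_bits() path is gone; drop it if nothing else references it.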
--- a/net/rxrpc/rxgk_common.h
+++ b/net/rxrpc/rxgk_common.h
@@ -106,6 +106,49 @@ int rxgk_decrypt_skb(const struct krb5_e
 }
 
 /*
+ * Apply decryption and checksumming functions a flat data buffer.  The data
+ * point and length are updated to reflect the actual content of the encrypted
+ * region.
+ */
+static inline int rxgk_decrypt(const struct krb5_enctype *krb5,
+			       struct crypto_aead *aead,
+			       void **_data, unsigned int *_len,
+			       int *_error_code)
+{
+	struct scatterlist sg[1];
+	size_t offset = 0, len = *_len;
+	int ret;
+
+	sg_init_one(sg, *_data, len);
+
+	ret = crypto_krb5_decrypt(krb5, aead, sg, 1, &offset, &len);
+	switch (ret) {
+	case 0:
+		if (offset & 3) {
+			*_error_code = RXGK_INCONSISTENCY;
+			ret = -EPROTO;
+			break;
+		}
+		*_data += offset;
+		*_len = len;
+		break;
+	case -EBADMSG: /* Checksum mismatch. */
+	case -EPROTO:
+		*_error_code = RXGK_SEALEDINCON;
+		break;
+	case -EMSGSIZE:
+		*_error_code = RXGK_PACKETSHORT;
+		break;
+	case -ENOPKG: /* Would prefer RXGK_BADETYPE, but not available for YFS. */
+	default:
+		*_error_code = RXGK_INCONSISTENCY;
+		break;
+	}
+
+	return ret;
+}
+
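Review bot: rxgk_decrypt() takes `int *_error_code` while rxgk_verify_mic() below takes `u32 *_error_code`, and the caller in rxgk_verify_packet_encrypted() passes `&ac` with `u32 ac`; make both u32 * for consistency. Comment nit: "Apply decryption and checksumming functions a flat data buffer. The data point and length" should read "to a flat data buffer. The data pointer and length".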
+/*
  * Check the MIC on a region of an skbuff.  The offset and length are updated
  * to reflect the actual content of the secure region.
  */
@@ -134,6 +177,45 @@ int rxgk_verify_mic_skb(const struct krb
 		*_len = len;
 		break;
 	case -EBADMSG: /* Checksum mismatch */
+	case -EPROTO:
+		*_error_code = RXGK_SEALEDINCON;
+		break;
+	case -EMSGSIZE:
+		*_error_code = RXGK_PACKETSHORT;
+		break;
+	case -ENOPKG: /* Would prefer RXGK_BADETYPE, but not available for YFS. */
+	default:
+		*_error_code = RXGK_INCONSISTENCY;
+		break;
+	}
+
+	return ret;
+}
+
+/*
+ * Check the MIC on a flat buffer.  The data pointer and length are updated to
+ * reflect the actual content of the secure region.
+ */
+static inline
+int rxgk_verify_mic(const struct krb5_enctype *krb5,
+		    struct crypto_shash *shash,
+		    const struct krb5_buffer *metadata,
+		    void **_data, unsigned int *_len,
+		    u32 *_error_code)
+{
+	struct scatterlist sg[1];
+	size_t offset = 0, len = *_len;
+	int ret;
+
+	sg_init_one(sg, *_data, len);
+
+	ret = crypto_krb5_verify_mic(krb5, shash, metadata, sg, 1, &offset, &len);
+	switch (ret) {
+	case 0:
+		*_data += offset;
+		*_len = len;
+		break;
+	case -EBADMSG: /* Checksum mismatch */
 	case -EPROTO:
 		*_error_code = RXGK_SEALEDINCON;
 		break;
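Review bot: unlike rxgk_decrypt(), the success case of rxgk_verify_mic() advances *_data without the `offset & 3` alignment check; that is acceptable for rxgk_verify_packet_integrity(), which hands the region to recvmsg() as opaque bytes, but a future caller that parses the region as XDR words would need the same RXGK_INCONSISTENCY check, so note the asymmetry in the function comment.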
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -430,27 +430,25 @@ static int rxkad_verify_packet_1(struct
 				 rxrpc_seq_t seq,
 				 struct skcipher_request *req)
 {
-	struct rxkad_level1_hdr sechdr;
+	struct rxkad_level1_hdr *sechdr;
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxrpc_crypt iv;
-	struct scatterlist sg[16];
-	u32 data_size, buf;
+	struct scatterlist sg[1];
+	void *data = call->rx_dec_buffer;
+	u32 len = sp->len, data_size, buf;
 	u16 check;
 	int ret;
 
 	_enter("");
 
-	if (sp->len < 8)
+	if (len < 8)
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_1_short_header);
 
 	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
 	 * directly into the target buffer.
 	 */
-	sg_init_table(sg, ARRAY_SIZE(sg));
-	ret = skb_to_sgvec(skb, sg, sp->offset, 8);
-	if (unlikely(ret < 0))
-		return ret;
+	sg_init_one(sg, data, len);
 
 	/* start the decryption afresh */
 	memset(&iv, 0, sizeof(iv));
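Review bot: the comment "Decrypt the skbuff in-place" is now stale because the decryption happens in call->rx_dec_buffer; rxkad_verify_packet_2() updated its comment, so this one should match. `sg_init_one(sg, data, len)` also maps the whole buffer where the old code mapped only the first 8 bytes (`skb_to_sgvec(skb, sg, sp->offset, 8)`), which is fine as long as the skcipher request length set below (not in this diff) is still 8. Finally, `u32 len = sp->len` here while rxgk reads call->rx_dec_len; the two are equal only because rxrpc_verify_data() stores rx_dec_len = sp->len before calling verify_packet(), so using call->rx_dec_len in both security classes would avoid depending on that ordering.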
@@ -464,13 +462,11 @@ static int rxkad_verify_packet_1(struct
 		return ret;
 
 	/* Extract the decrypted packet length */
-	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
-		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
-					  rxkad_abort_1_short_encdata);
-	sp->offset += sizeof(sechdr);
-	sp->len    -= sizeof(sechdr);
+	sechdr = data;
+	call->rx_dec_offset = sizeof(*sechdr);
+	len -= sizeof(*sechdr);
 
-	buf = ntohl(sechdr.data_size);
+	buf = ntohl(sechdr->data_size);
 	data_size = buf & 0xffff;
 
 	check = buf >> 16;
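Review bot: rxkad_abort_1_short_encdata is no longer used after the skb_copy_bits() failure path was removed (likewise rxkad_abort_2_short_len in rxkad_verify_packet_2() below); drop the abort reasons and their trace strings unless something else references them.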
@@ -479,10 +475,10 @@ static int rxkad_verify_packet_1(struct
 	if (check != 0)
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_1_short_check);
-	if (data_size > sp->len)
+	if (data_size > len)
 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 					  rxkad_abort_1_short_data);
-	sp->len = data_size;
+	call->rx_dec_len = data_size;
 
 	_leave(" = 0 [dlen=%x]", data_size);
 	return 0;
@@ -496,43 +492,28 @@ static int rxkad_verify_packet_2(struct
 				 struct skcipher_request *req)
 {
 	const struct rxrpc_key_token *token;
-	struct rxkad_level2_hdr sechdr;
+	struct rxkad_level2_hdr *sechdr;
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxrpc_crypt iv;
-	struct scatterlist _sg[4], *sg;
-	u32 data_size, buf;
+	struct scatterlist sg[1];
+	void *data = call->rx_dec_buffer;
+	u32 len = sp->len, data_size, buf;
 	u16 check;
-	int nsg, ret;
+	int ret;
 
-	_enter(",{%d}", sp->len);
+	_enter(",{%d}", len);
 
-	if (sp->len < 8)
+	if (len < 8)
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_2_short_header);
 
 	/* Don't let the crypto algo see a misaligned length. */
-	sp->len = round_down(sp->len, 8);
+	len = round_down(len, 8);
 
-	/* Decrypt the skbuff in-place.  TODO: We really want to decrypt
-	 * directly into the target buffer.
+	/* Decrypt in place in the call's decryption buffer.  TODO: We really
+	 * want to decrypt directly into the target buffer.
 	 */
-	sg = _sg;
-	nsg = skb_shinfo(skb)->nr_frags + 1;
-	if (nsg <= 4) {
-		nsg = 4;
-	} else {
-		sg = kmalloc_array(nsg, sizeof(*sg), GFP_NOIO);
-		if (!sg)
-			return -ENOMEM;
-	}
-
-	sg_init_table(sg, nsg);
-	ret = skb_to_sgvec(skb, sg, sp->offset, sp->len);
-	if (unlikely(ret < 0)) {
-		if (sg != _sg)
-			kfree(sg);
-		return ret;
-	}
+	sg_init_one(sg, data, len);
 
 	/* decrypt from the session key */
 	token = call->conn->key->payload.data[0];
@@ -540,11 +521,9 @@ static int rxkad_verify_packet_2(struct
 
 	skcipher_request_set_sync_tfm(req, call->conn->rxkad.cipher);
 	skcipher_request_set_callback(req, 0, NULL, NULL);
-	skcipher_request_set_crypt(req, sg, sg, sp->len, iv.x);
+	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 	ret = crypto_skcipher_decrypt(req);
 	skcipher_request_zero(req);
-	if (sg != _sg)
-		kfree(sg);
 	if (ret < 0) {
 		if (ret == -ENOMEM)
 			return ret;
@@ -553,13 +532,11 @@ static int rxkad_verify_packet_2(struct
 	}
 
 	/* Extract the decrypted packet length */
-	if (skb_copy_bits(skb, sp->offset, &sechdr, sizeof(sechdr)) < 0)
-		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
-					  rxkad_abort_2_short_len);
-	sp->offset += sizeof(sechdr);
-	sp->len    -= sizeof(sechdr);
+	sechdr = data;
+	call->rx_dec_offset = sizeof(*sechdr);
+	len -= sizeof(*sechdr);
 
-	buf = ntohl(sechdr.data_size);
+	buf = ntohl(sechdr->data_size);
 	data_size = buf & 0xffff;
 
 	check = buf >> 16;
@@ -569,17 +546,18 @@ static int rxkad_verify_packet_2(struct
 		return rxrpc_abort_eproto(call, skb, RXKADSEALEDINCON,
 					  rxkad_abort_2_short_check);
 
-	if (data_size > sp->len)
+	if (data_size > len)
 		return rxrpc_abort_eproto(call, skb, RXKADDATALEN,
 					  rxkad_abort_2_short_data);
 
-	sp->len = data_size;
+	call->rx_dec_len = data_size;
 	_leave(" = 0 [dlen=%x]", data_size);
 	return 0;
 }
 
 /*
- * Verify the security on a received packet and the subpackets therein.
+ * Verify the security on a received (sub)packet.  If the packet needs
+ * modifying (e.g. decrypting), it must be copied.
  */
 static int rxkad_verify_packet(struct rxrpc_call *call, struct sk_buff *skb)
 {
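Review bot: the new comment "If the packet needs modifying (e.g. decrypting), it must be copied" reads as an instruction to the security class, but the copy is already done unconditionally by rxrpc_verify_data(); saying instead that the skb is read-only and the data to verify lives in call->rx_dec_buffer would describe the contract the rxkad code above actually relies on.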




* [PATCH 6.12 276/307] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Ilpo Järvinen,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

[ Upstream commit 348ccc754d8939e21ca5956ff45720b81d6e407f ]

After a PCIe Uncorrectable Error has been reported by a device with
Intel Vendor Specific Extended Capabilities and has been recovered
through a Secondary Bus Reset, its driver calls intel_vsec_pci_probe()
to rescan and reinitialize VSECs.

intel_vsec_pci_probe() invokes pcim_enable_device() and thereby adds
another devm action which calls pcim_disable_device() on driver unbind.

So once the driver unbinds, pcim_disable_device() will be called as many
times as an Uncorrectable Error occurred, plus one.  This will lead to
an enable_cnt imbalance on driver unbind.

Additionally, since commit dc957ab6aa05 ("platform/x86/intel/vsec: Add
private data for per-device data"), a devm_kzalloc() allocation is
leaked on every Uncorrectable Error.

Avoid by splitting the VSEC rescan out of intel_vsec_pci_probe() into a
separate helper and calling that on PCIe error recovery.

Fixes: 936874b77dd0 ("platform/x86/intel/vsec: Add PCI error recovery support to Intel PMT")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org  # v6.0+
Link: https://patch.msgid.link/bd594d09fa866dc51dddc9a447c3b23f9b1402cc.1778736835.git.lukas@wunner.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/platform/x86/intel/vsec.c |   36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)

--- a/drivers/platform/x86/intel/vsec.c
+++ b/drivers/platform/x86/intel/vsec.c
@@ -348,20 +348,10 @@ void intel_vsec_register(struct pci_dev
 }
 EXPORT_SYMBOL_NS_GPL(intel_vsec_register, INTEL_VSEC);
 
-static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+static int intel_vsec_pci_init(struct pci_dev *pdev,
+			       struct intel_vsec_platform_info *info)
 {
-	struct intel_vsec_platform_info *info;
 	bool have_devices = false;
-	int ret;
-
-	ret = pcim_enable_device(pdev);
-	if (ret)
-		return ret;
-
-	pci_save_state(pdev);
-	info = (struct intel_vsec_platform_info *)id->driver_data;
-	if (!info)
-		return -EINVAL;
 
 	if (intel_vsec_walk_dvsec(pdev, info))
 		have_devices = true;
@@ -379,6 +369,23 @@ static int intel_vsec_pci_probe(struct p
 	return 0;
 }
 
+static int intel_vsec_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+{
+	struct intel_vsec_platform_info *info;
+	int ret;
+
+	ret = pcim_enable_device(pdev);
+	if (ret)
+		return ret;
+
+	pci_save_state(pdev);
+	info = (struct intel_vsec_platform_info *)id->driver_data;
+	if (!info)
+		return -EINVAL;
+
+	return intel_vsec_pci_init(pdev, info);
+}
+
 /* DG1 info */
 static struct intel_vsec_header dg1_header = {
 	.length = 0x10,
@@ -467,6 +474,7 @@ static pci_ers_result_t intel_vsec_pci_e
 static pci_ers_result_t intel_vsec_pci_slot_reset(struct pci_dev *pdev)
 {
 	struct intel_vsec_device *intel_vsec_dev;
+	struct intel_vsec_platform_info *info;
 	pci_ers_result_t status = PCI_ERS_RESULT_DISCONNECT;
 	const struct pci_device_id *pci_dev_id;
 	unsigned long index;
@@ -489,10 +497,10 @@ static pci_ers_result_t intel_vsec_pci_s
 		devm_release_action(&pdev->dev, intel_vsec_remove_aux,
 				    &intel_vsec_dev->auxdev);
 	}
-	pci_disable_device(pdev);
 	pci_restore_state(pdev);
 	pci_dev_id = pci_match_id(intel_vsec_pci_ids, pdev);
-	intel_vsec_pci_probe(pdev, pci_dev_id);
+	info = (struct intel_vsec_platform_info *)pci_dev_id->driver_data;
+	intel_vsec_pci_init(pdev, info);
 
 out:
 	return status;
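Review bot: the return value of intel_vsec_pci_init() is discarded, so a failed rescan after the reset does not change the status returned to the PCI error-recovery core; consider setting status = PCI_ERS_RESULT_DISCONNECT when it fails. pci_dev_id from pci_match_id() and its driver_data are also dereferenced without the NULL checks that intel_vsec_pci_probe() performs; both held at probe time so this is fine in practice, but reusing probe's `if (!info)` check (or a comment saying why it is unnecessary) would make that explicit.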




* [PATCH 6.18 287/315] rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, David Howells,
	Simon Horman, Jiayuan Chen, linux-afs, stable, Jeffrey Altman,
	Marc Dionne, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit 8bfab4b6ffc2fe92da86300728fc8c3c7ebffb56 ]

This improves the fix for CVE-2026-43500.

Fix the verification of RESPONSE packets to avoid the problem of
overwriting a RESPONSE packet sent via splice to a local address by
extracting the contents of the UDP packet into a kmalloc'd linear buffer
rather than decrypting the data in place in the sk_buff (which may corrupt
the original buffer).

Fixes: 24481a7f5733 ("rxrpc: Fix conn-level packet handling to unshare RESPONSE packets")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
Link: https://patch.msgid.link/20260515230516.2718212-4-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rxrpc/ar-internal.h |    7 ++-
 net/rxrpc/conn_event.c  |   30 ++++++---------
 net/rxrpc/insecure.c    |    5 +-
 net/rxrpc/rxgk.c        |   96 +++++++++++++++---------------------------------
 net/rxrpc/rxgk_app.c    |   46 +++++++++--------------
 net/rxrpc/rxgk_common.h |   92 +---------------------------------------------
 net/rxrpc/rxkad.c       |   29 +++++---------
 7 files changed, 81 insertions(+), 224 deletions(-)

--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -307,15 +307,16 @@ struct rxrpc_security {
 				    struct sk_buff *challenge);
 
 	/* verify a response */
-	int (*verify_response)(struct rxrpc_connection *,
-			       struct sk_buff *);
+	int (*verify_response)(struct rxrpc_connection *conn,
+			       struct sk_buff *response_skb,
+			       void *response, unsigned int len);
 
 	/* clear connection security */
 	void (*clear)(struct rxrpc_connection *);
 
 	/* Default ticket -> key decoder */
 	int (*default_decode_ticket)(struct rxrpc_connection *conn, struct sk_buff *skb,
-				     unsigned int ticket_offset, unsigned int ticket_len,
+				     void *ticket, unsigned int ticket_len,
 				     struct key **_key);
 };
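Review bot: the new verify_response() and default_decode_ticket() prototypes take both the sk_buff and a pointer into a linear copy; a comment stating that response_skb is passed only for abort and trace reporting and must not be read for payload would stop a future implementation from drifting back to in-place access on the packet.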
 
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -243,28 +243,22 @@ static void rxrpc_call_is_secure(struct
 static int rxrpc_verify_response(struct rxrpc_connection *conn,
 				 struct sk_buff *skb)
 {
+	unsigned int len = skb->len - sizeof(struct rxrpc_wire_header);
+	void *buffer;
 	int ret;
 
-	if (skb_cloned(skb) || skb_has_frag_list(skb) ||
-	    skb_has_shared_frag(skb)) {
-		/* Copy the packet if shared so that we can do in-place
-		 * decryption.
-		 */
-		struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
+	buffer = kmalloc(len, GFP_NOFS);
+	if (!buffer)
+		return -ENOMEM;
 
-		if (nskb) {
-			rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
-			ret = conn->security->verify_response(conn, nskb);
-			rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
-		} else {
-			/* OOM - Drop the packet. */
-			rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
-			ret = -ENOMEM;
-		}
-	} else {
-		ret = conn->security->verify_response(conn, skb);
-	}
+	ret = skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), buffer, len);
+	if (ret < 0)
+		goto out;
 
+	ret = conn->security->verify_response(conn, skb, buffer, len);
+
+out:
+	kfree(buffer);
 	return ret;
 }
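Review bot: `len = skb->len - sizeof(struct rxrpc_wire_header)` underflows if skb->len is smaller than the wire header, turning the kmalloc() into a huge request; if the input path already guarantees the header is present, say so in a comment, otherwise check it here. More importantly, verify_response() decrypts the RESPONSE's secured section and the ticket passed to default_decode_ticket() lives in this buffer, so the `kfree(buffer)` at `out:` should be kfree_sensitive(). A negative return from skb_copy_bits() (-EFAULT) is also propagated unchanged even though it indicates a malformed packet rather than a user-memory fault.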
 
--- a/net/rxrpc/insecure.c
+++ b/net/rxrpc/insecure.c
@@ -54,9 +54,10 @@ static int none_sendmsg_respond_to_chall
 }
 
 static int none_verify_response(struct rxrpc_connection *conn,
-				struct sk_buff *skb)
+				struct sk_buff *response_skb,
+				void *response, unsigned int len)
 {
-	return rxrpc_abort_conn(conn, skb, RX_PROTOCOL_ERROR, -EPROTO,
+	return rxrpc_abort_conn(conn, response_skb, RX_PROTOCOL_ERROR, -EPROTO,
 				rxrpc_eproto_rxnull_response);
 }
 
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1084,11 +1084,12 @@ static int rxgk_sendmsg_respond_to_chall
  *	unsigned int call_numbers<>;
  * };
  */
-static int rxgk_do_verify_authenticator(struct rxrpc_connection *conn,
-					const struct krb5_enctype *krb5,
-					struct sk_buff *skb,
-					__be32 *p, __be32 *end)
+static int rxgk_verify_authenticator(struct rxrpc_connection *conn,
+				     const struct krb5_enctype *krb5,
+				     struct sk_buff *skb,
+				     void *auth, unsigned int auth_len)
 {
+	__be32 *p = auth, *end = auth + auth_len;
 	u32 app_len, call_count, level, epoch, cid, i;
 
 	_enter("");
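Review bot: `end = auth + auth_len` is no longer rounded down to a whole word: the removed wrapper computed `p + auth_len / sizeof(*p)`, which excluded a trailing 1 to 3 bytes, whereas a bounds check of the form `p + n > end` against the new end accepts reading a partial last word. Either round auth_len down before computing end, or reject a length that is not a multiple of 4 since the XDR encoding requires word alignment.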
@@ -1152,37 +1153,6 @@ static int rxgk_do_verify_authenticator(
 }
 
 /*
- * Extract the authenticator and verify it.
- */
-static int rxgk_verify_authenticator(struct rxrpc_connection *conn,
-				     const struct krb5_enctype *krb5,
-				     struct sk_buff *skb,
-				     unsigned int auth_offset, unsigned int auth_len)
-{
-	void *auth;
-	__be32 *p;
-	int ret;
-
-	auth = kmalloc(auth_len, GFP_NOFS);
-	if (!auth)
-		return -ENOMEM;
-
-	ret = skb_copy_bits(skb, auth_offset, auth, auth_len);
-	if (ret < 0) {
-		ret = rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
-				       rxgk_abort_resp_short_auth);
-		goto error;
-	}
-
-	p = auth;
-	ret = rxgk_do_verify_authenticator(conn, krb5, skb, p,
-					   p + auth_len / sizeof(*p));
-error:
-	kfree(auth);
-	return ret;
-}
-
-/*
  * Verify a response.
  *
  * struct RXGK_Response {
@@ -1192,49 +1162,45 @@ error:
  * };
  */
 static int rxgk_verify_response(struct rxrpc_connection *conn,
-				struct sk_buff *skb)
+				struct sk_buff *skb,
+				void *buffer, unsigned int len)
 {
 	const struct krb5_enctype *krb5;
 	struct rxrpc_key_token *token;
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-	struct rxgk_response rhdr;
+	struct rxgk_response *rhdr;
 	struct rxgk_context *gk;
 	struct key *key = NULL;
-	unsigned int offset = sizeof(struct rxrpc_wire_header);
-	unsigned int len = skb->len - sizeof(struct rxrpc_wire_header);
-	unsigned int token_offset, token_len;
-	unsigned int auth_offset, auth_len;
+	unsigned int resp_token_len, auth_len;
+	void *resp_token, *auth;
 	__be32 xauth_len;
 	int ret, ec;
 
 	_enter("{%d}", conn->debug_id);
 
 	/* Parse the RXGK_Response object */
-	if (sizeof(rhdr) + sizeof(__be32) > len)
+	if (len < sizeof(*rhdr) + sizeof(__be32))
 		goto short_packet;
-
-	if (skb_copy_bits(skb, offset, &rhdr, sizeof(rhdr)) < 0)
-		goto short_packet;
-	offset	+= sizeof(rhdr);
-	len	-= sizeof(rhdr);
-
-	token_offset	= offset;
-	token_len	= ntohl(rhdr.token_len);
-	if (token_len > len ||
-	    xdr_round_up(token_len) + sizeof(__be32) > len)
+	rhdr = buffer;
+	buffer	+= sizeof(*rhdr);
+	len	-= sizeof(*rhdr);
+
+	resp_token	= buffer;
+	resp_token_len	= ntohl(rhdr->token_len);
+	if (resp_token_len > len ||
+	    xdr_round_up(resp_token_len) + sizeof(__be32) > len)
 		goto short_packet;
 
-	trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, token_len);
+	trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, resp_token_len);
 
-	offset	+= xdr_round_up(token_len);
-	len	-= xdr_round_up(token_len);
+	buffer	+= xdr_round_up(resp_token_len);
+	len	-= xdr_round_up(resp_token_len);
 
-	if (skb_copy_bits(skb, offset, &xauth_len, sizeof(xauth_len)) < 0)
-		goto short_packet;
-	offset	+= sizeof(xauth_len);
+	xauth_len = *(__be32 *)buffer;
+	buffer	+= sizeof(xauth_len);
 	len	-= sizeof(xauth_len);
 
-	auth_offset	= offset;
+	auth		= buffer;
 	auth_len	= ntohl(xauth_len);
 	if (auth_len > len)
 		goto short_packet;
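Review bot: the `xauth_len = *(__be32 *)buffer;` read is in bounds only because of the earlier `xdr_round_up(resp_token_len) + sizeof(__be32) > len` test; the first `len < sizeof(*rhdr) + sizeof(__be32)` test covers just the word immediately after the header, so a one-line comment tying this read to the token-padding check would stop a future reorder from reintroducing an overread. Also note the asymmetry that the token is bounded with its XDR padding while the authenticator is bounded only by `auth_len > len`; if rxgk_decrypt() consumes whole cipher blocks, that bound needs the same xdr_round_up treatment.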
@@ -1249,7 +1215,7 @@ static int rxgk_verify_response(struct r
 	 * to the app to deal with - which might mean a round trip to
 	 * userspace.
 	 */
-	ret = rxgk_extract_token(conn, skb, token_offset, token_len, &key);
+	ret = rxgk_extract_token(conn, skb, resp_token, resp_token_len, &key);
 	if (ret < 0)
 		goto out;
 
@@ -1263,7 +1229,7 @@ static int rxgk_verify_response(struct r
 	 */
 	token = key->payload.data[0];
 	conn->security_level = token->rxgk->level;
-	conn->rxgk.start_time = __be64_to_cpu(rhdr.start_time);
+	conn->rxgk.start_time = __be64_to_cpu(rhdr->start_time);
 
 	gk = rxgk_generate_transport_key(conn, token->rxgk, sp->hdr.cksum, GFP_NOFS);
 	if (IS_ERR(gk)) {
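Review bot: `__be64_to_cpu(rhdr->start_time)` now reads a 64-bit field straight out of the linear buffer instead of a stack copy, so its alignment is whatever the caller's allocation provides. A kmalloc'd buffer is fine, but if `buffer` can be an offset into a larger allocation, use `get_unaligned_be64(&rhdr->start_time)` or state the alignment guarantee at the top of the function.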
@@ -1273,18 +1239,18 @@ static int rxgk_verify_response(struct r
 
 	krb5 = gk->krb5;
 
-	trace_rxrpc_rx_response(conn, sp->hdr.serial, krb5->etype, sp->hdr.cksum, token_len);
+	trace_rxrpc_rx_response(conn, sp->hdr.serial, krb5->etype, sp->hdr.cksum,
+				resp_token_len);
 
 	/* Decrypt, parse and verify the authenticator. */
-	ret = rxgk_decrypt_skb(krb5, gk->resp_enc, skb,
-			       &auth_offset, &auth_len, &ec);
+	ret = rxgk_decrypt(krb5, gk->resp_enc, &auth, &auth_len, &ec);
 	if (ret < 0) {
 		rxrpc_abort_conn(conn, skb, RXGK_SEALEDINCON, ret,
 				 rxgk_abort_resp_auth_dec);
 		goto out_gk;
 	}
 
-	ret = rxgk_verify_authenticator(conn, krb5, skb, auth_offset, auth_len);
+	ret = rxgk_verify_authenticator(conn, krb5, skb, auth, auth_len);
 	if (ret < 0)
 		goto out_gk;
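Review bot: `ec` is filled in by rxgk_decrypt() with RXGK_SEALEDINCON, RXGK_PACKETSHORT or RXGK_INCONSISTENCY (see the switch left in rxgk_common.h), yet the abort on the next line hardcodes RXGK_SEALEDINCON. The old rxgk_decrypt_skb() call had the same problem, but since the call is being rewritten anyway, pass `ec` so a short packet is reported as RXGK_PACKETSHORT rather than as a failed seal.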
 
--- a/net/rxrpc/rxgk_app.c
+++ b/net/rxrpc/rxgk_app.c
@@ -40,7 +40,7 @@
  * };
  */
 int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
-			   unsigned int ticket_offset, unsigned int ticket_len,
+			   void *buffer, unsigned int ticket_len,
 			   struct key **_key)
 {
 	struct rxrpc_key_token *token;
@@ -49,7 +49,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_
 	size_t pre_ticket_len, payload_len;
 	unsigned int klen, enctype;
 	void *payload, *ticket;
-	__be32 *t, *p, *q, tmp[2];
+	__be32 *t, *p, *q, *tmp;
 	int ret;
 
 	_enter("");
@@ -59,10 +59,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_
 					rxgk_abort_resp_short_yfs_tkt);
 
 	/* Get the session key length */
-	ret = skb_copy_bits(skb, ticket_offset, tmp, sizeof(tmp));
-	if (ret < 0)
-		return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
-					rxgk_abort_resp_short_yfs_klen);
+	tmp = buffer;
 	enctype = ntohl(tmp[0]);
 	klen = ntohl(tmp[1]);
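Review bot: with the skb_copy_bits gone, the 8-byte `tmp[0]`/`tmp[1]` read now depends entirely on the ticket_len minimum enforced by the abort just above (rxgk_abort_resp_short_yfs_tkt); confirm that minimum is at least `2 * sizeof(__be32)`. `rxgk_abort_resp_short_yfs_klen` is no longer raised on this path, so drop it from the trace enum if nothing else uses it.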
 
@@ -84,12 +81,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_
 	 * it.
 	 */
 	ticket = payload + pre_ticket_len;
-	ret = skb_copy_bits(skb, ticket_offset, ticket, ticket_len);
-	if (ret < 0) {
-		ret = rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO,
-				       rxgk_abort_resp_short_yfs_tkt);
-		goto error;
-	}
+	memcpy(ticket, buffer, ticket_len);
 
 	/* Fill out the form header. */
 	p = payload;
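Review bot: `memcpy(ticket, buffer, ticket_len)` copies exactly ticket_len bytes, but the later `q += xdr_round_up(ticket_len) / 4` counts the XDR padding as part of payload_len; if `payload` comes from kmalloc rather than kzalloc, those up-to-3 padding bytes are uninitialised heap that ends up in the key payload. The old skb_copy_bits had the same shape, so either confirm the allocation is zeroed or memset the tail after the memcpy.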
@@ -131,7 +123,7 @@ int rxgk_yfs_decode_ticket(struct rxrpc_
 		goto error;
 	}
 
-	/* Ticket read in with skb_copy_bits above */
+	/* Ticket appended above. */
 	q += xdr_round_up(ticket_len) / 4;
 	if (WARN_ON((unsigned long)q - (unsigned long)payload != payload_len)) {
 		ret = -EIO;
@@ -182,14 +174,15 @@ error:
  * [tools.ietf.org/html/draft-wilkinson-afs3-rxgk-afs-08 sec 6.1]
  */
 int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
-		       unsigned int token_offset, unsigned int token_len,
+		       void *token, unsigned int token_len,
 		       struct key **_key)
 {
 	const struct krb5_enctype *krb5;
 	const struct krb5_buffer *server_secret;
 	struct crypto_aead *token_enc = NULL;
 	struct key *server_key;
-	unsigned int ticket_offset, ticket_len;
+	unsigned int ticket_len;
+	void *ticket;
 	u32 kvno, enctype;
 	int ret, ec = 0;
 
@@ -197,24 +190,23 @@ int rxgk_extract_token(struct rxrpc_conn
 		__be32 kvno;
 		__be32 enctype;
 		__be32 token_len;
-	} container;
+	} *container;
 
-	if (token_len < sizeof(container))
+	if (token_len < sizeof(*container))
 		goto short_packet;
 
 	/* Decode the RXGK_TokenContainer object.  This tells us which server
 	 * key we should be using.  We can then fetch the key, get the secret
 	 * and set up the crypto to extract the token.
 	 */
-	if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0)
-		goto short_packet;
+	container = token;
+	token += sizeof(*container);
 
-	kvno		= ntohl(container.kvno);
-	enctype		= ntohl(container.enctype);
-	ticket_len	= ntohl(container.token_len);
-	ticket_offset	= token_offset + sizeof(container);
+	kvno		= ntohl(container->kvno);
+	enctype		= ntohl(container->enctype);
+	ticket_len	= ntohl(container->token_len);
 
-	if (ticket_len > xdr_round_down(token_len - sizeof(container)))
+	if (ticket_len > xdr_round_down(token_len - sizeof(*container)))
 		goto short_packet;
 
 	_debug("KVNO %u", kvno);
@@ -237,8 +229,8 @@ int rxgk_extract_token(struct rxrpc_conn
 	 * gain access to K0, from which we can derive the transport key and
 	 * thence decode the authenticator.
 	 */
-	ret = rxgk_decrypt_skb(krb5, token_enc, skb,
-			       &ticket_offset, &ticket_len, &ec);
+	ticket = token;
+	ret = rxgk_decrypt(krb5, token_enc, &ticket, &ticket_len, &ec);
 	crypto_free_aead(token_enc);
 	token_enc = NULL;
 	if (ret < 0) {
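Review bot: `rxgk_decrypt(krb5, token_enc, &ticket, &ticket_len, &ec)` decrypts in place, so after this call the token region of the caller's `buffer` holds plaintext (the session key material inside the ticket) rather than the wire bytes. That is fine for the flow shown, but the buffer's owner should zero it before freeing, and nothing after this point may re-parse `token` expecting ciphertext; a comment at the call site would make that contract explicit.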
@@ -248,7 +240,7 @@ int rxgk_extract_token(struct rxrpc_conn
 		return ret;
 	}
 
-	ret = conn->security->default_decode_ticket(conn, skb, ticket_offset,
+	ret = conn->security->default_decode_ticket(conn, skb, ticket,
 						    ticket_len, _key);
 	if (ret < 0)
 		goto cant_get_token;
--- a/net/rxrpc/rxgk_common.h
+++ b/net/rxrpc/rxgk_common.h
@@ -41,10 +41,10 @@ struct rxgk_context {
  * rxgk_app.c
  */
 int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb,
-			   unsigned int ticket_offset, unsigned int ticket_len,
+			   void *ticket, unsigned int ticket_len,
 			   struct key **_key);
 int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb,
-		       unsigned int token_offset, unsigned int token_len,
+		       void *token, unsigned int token_len,
 		       struct key **_key);
 
 /*
@@ -62,50 +62,6 @@ int rxgk_set_up_token_cipher(const struc
 			     gfp_t gfp);
 
 /*
- * Apply decryption and checksumming functions to part of an skbuff.  The
- * offset and length are updated to reflect the actual content of the encrypted
- * region.
- */
-static inline
-int rxgk_decrypt_skb(const struct krb5_enctype *krb5,
-		     struct crypto_aead *aead,
-		     struct sk_buff *skb,
-		     unsigned int *_offset, unsigned int *_len,
-		     int *_error_code)
-{
-	struct scatterlist sg[16];
-	size_t offset = 0, len = *_len;
-	int nr_sg, ret;
-
-	sg_init_table(sg, ARRAY_SIZE(sg));
-	nr_sg = skb_to_sgvec(skb, sg, *_offset, len);
-	if (unlikely(nr_sg < 0))
-		return nr_sg;
-
-	ret = crypto_krb5_decrypt(krb5, aead, sg, nr_sg,
-				  &offset, &len);
-	switch (ret) {
-	case 0:
-		*_offset += offset;
-		*_len = len;
-		break;
-	case -EBADMSG: /* Checksum mismatch. */
-	case -EPROTO:
-		*_error_code = RXGK_SEALEDINCON;
-		break;
-	case -EMSGSIZE:
-		*_error_code = RXGK_PACKETSHORT;
-		break;
-	case -ENOPKG: /* Would prefer RXGK_BADETYPE, but not available for YFS. */
-	default:
-		*_error_code = RXGK_INCONSISTENCY;
-		break;
-	}
-
-	return ret;
-}
-
-/*
  * Apply decryption and checksumming functions a flat data buffer.  The data
  * point and length are updated to reflect the actual content of the encrypted
  * region.
@@ -136,50 +92,6 @@ static inline int rxgk_decrypt(const str
 	case -EPROTO:
 		*_error_code = RXGK_SEALEDINCON;
 		break;
-	case -EMSGSIZE:
-		*_error_code = RXGK_PACKETSHORT;
-		break;
-	case -ENOPKG: /* Would prefer RXGK_BADETYPE, but not available for YFS. */
-	default:
-		*_error_code = RXGK_INCONSISTENCY;
-		break;
-	}
-
-	return ret;
-}
-
-/*
- * Check the MIC on a region of an skbuff.  The offset and length are updated
- * to reflect the actual content of the secure region.
- */
-static inline
-int rxgk_verify_mic_skb(const struct krb5_enctype *krb5,
-			struct crypto_shash *shash,
-			const struct krb5_buffer *metadata,
-			struct sk_buff *skb,
-			unsigned int *_offset, unsigned int *_len,
-			u32 *_error_code)
-{
-	struct scatterlist sg[16];
-	size_t offset = 0, len = *_len;
-	int nr_sg, ret;
-
-	sg_init_table(sg, ARRAY_SIZE(sg));
-	nr_sg = skb_to_sgvec(skb, sg, *_offset, len);
-	if (unlikely(nr_sg < 0))
-		return nr_sg;
-
-	ret = crypto_krb5_verify_mic(krb5, shash, metadata, sg, nr_sg,
-				     &offset, &len);
-	switch (ret) {
-	case 0:
-		*_offset += offset;
-		*_len = len;
-		break;
-	case -EBADMSG: /* Checksum mismatch */
-	case -EPROTO:
-		*_error_code = RXGK_SEALEDINCON;
-		break;
 	case -EMSGSIZE:
 		*_error_code = RXGK_PACKETSHORT;
 		break;
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -963,7 +963,6 @@ static int rxkad_decrypt_ticket(struct r
 	*_expiry = 0;
 
 	ASSERT(server_key->payload.data[0] != NULL);
-	ASSERTCMP((unsigned long) ticket & 7UL, ==, 0);
 
 	memcpy(&iv, &server_key->payload.data[2], sizeof(iv));
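Review bot: dropping `ASSERTCMP((unsigned long) ticket & 7UL, ==, 0)` is forced by `ticket` now pointing at `buffer + sizeof(*response)` instead of a fresh kmalloc, but the assert existed for a reason. Check that rxkad_decrypt_ticket() only touches the ticket through scatterlists and memcpy and never reads 64-bit words from it directly; otherwise the response struct needs padding to keep the ticket 8-byte aligned.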
 
@@ -1112,14 +1111,15 @@ unlock:
  * verify a response
  */
 static int rxkad_verify_response(struct rxrpc_connection *conn,
-				 struct sk_buff *skb)
+				 struct sk_buff *skb,
+				 void *buffer, unsigned int len)
 {
 	struct rxkad_response *response;
 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
 	struct rxrpc_crypt session_key;
 	struct key *server_key;
 	time64_t expiry;
-	void *ticket = NULL;
+	void *ticket;
 	u32 version, kvno, ticket_len, level;
 	__be32 csum;
 	int ret, i;
@@ -1142,13 +1142,8 @@ static int rxkad_verify_response(struct
 		}
 	}
 
-	ret = -ENOMEM;
-	response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS);
-	if (!response)
-		goto error;
-
-	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
-			  response, sizeof(*response)) < 0) {
+	response = buffer;
+	if (len < sizeof(*response)) {
 		ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
 				       rxkad_abort_resp_short);
 		goto error;
@@ -1160,6 +1155,9 @@ static int rxkad_verify_response(struct
 
 	trace_rxrpc_rx_response(conn, sp->hdr.serial, version, kvno, ticket_len);
 
+	buffer	+= sizeof(*response);
+	len	-= sizeof(*response);
+
 	if (version != RXKAD_VERSION) {
 		ret = rxrpc_abort_conn(conn, skb, RXKADINCONSISTENCY, -EPROTO,
 				       rxkad_abort_resp_version);
@@ -1179,13 +1177,8 @@ static int rxkad_verify_response(struct
 	}
 
 	/* extract the kerberos ticket and decrypt and decode it */
-	ret = -ENOMEM;
-	ticket = kmalloc(ticket_len, GFP_NOFS);
-	if (!ticket)
-		goto error;
-
-	if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header) + sizeof(*response),
-			  ticket, ticket_len) < 0) {
+	ticket = buffer;
+	if (ticket_len > len) {
 		ret = rxrpc_abort_conn(conn, skb, RXKADPACKETSHORT, -EPROTO,
 				       rxkad_abort_resp_short_tkt);
 		goto error;
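Review bot: `if (ticket_len > len)` is a stricter and more explicit check than the old kmalloc + skb_copy_bits pair (which only failed when the skb ran out), and using the packet-relative `len` left after the response header is the right bound. Note, though, that `ticket_len` is taken from the wire and the kmalloc that used to implicitly cap absurd sizes is gone; the packet length is now the only upper bound, so any later per-ticket loop should also be checked against a sane rxkad maximum if one exists.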
@@ -1265,8 +1258,6 @@ static int rxkad_verify_response(struct
 	ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno);
 
 error:
-	kfree(ticket);
-	kfree(response);
 	key_put(server_key);
 	_leave(" = %d", ret);
 	return ret;




* [PATCH 6.12 277/307] net: hsr: defer node table free until after RCU readers
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (272 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 276/307] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 278/307] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit aaec7096f9961eb223b5b149abe9495525c205d9 ]

HSR node-list and node-status generic-netlink operations run under
rcu_read_lock(). They walk hsr->node_db through hsr_get_next_node() and
hsr_get_node_data(), but RTM_DELLINK teardown removes the same node table
with plain list_del() and frees each node immediately.

That lets a generic-netlink reader hold a struct hsr_node pointer across
hsr_dellink(). In a KASAN build, widening the reader window after
hsr_get_next_node() obtains the node reproduces a slab-use-after-free
when the reader copies node->macaddress_A; the freeing stack is
hsr_del_nodes() from hsr_dellink().

Use list_del_rcu() and defer the free through the existing
hsr_free_node_rcu() callback. This matches the lifetime rule used by the
HSR prune paths, which already delete nodes with list_del_rcu() and
call_rcu().

Fixes: b9a1e627405d ("hsr: implement dellink to clean up resources")
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260513233838.3064715-2-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ replaced `list_del`+`call_rcu(hsr_free_node_rcu)` with `list_del_rcu`+`kfree_rcu(node, rcu_head)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/hsr/hsr_framereg.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -131,8 +131,10 @@ void hsr_del_nodes(struct list_head *nod
 	struct hsr_node *node;
 	struct hsr_node *tmp;
 
-	list_for_each_entry_safe(node, tmp, node_db, mac_list)
-		kfree(node);
+	list_for_each_entry_safe(node, tmp, node_db, mac_list) {
+		list_del_rcu(&node->mac_list);
+		kfree_rcu(node, rcu_head);
+	}
 }
 
 void prp_handle_san_frame(bool san, enum hsr_port_type port,
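Review bot: the backport substitutes `kfree_rcu(node, rcu_head)` for upstream's `call_rcu(... hsr_free_node_rcu)`, which is only equivalent if the node needs nothing beyond kfree in 6.12. The commit message says the prune paths in this tree already use list_del_rcu + call_rcu, so the safest check is to free nodes here exactly the way hsr_prune_nodes() does in this tree rather than introducing a second idiom. Also, list_del_rcu only protects readers; the caller (hsr_dellink under rtnl) must still provide the writer-side serialisation, which is worth a comment on hsr_del_nodes().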




* [PATCH 6.12 278/307] selftests: mptcp: drop nanoseconds width specifier
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (273 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 277/307] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 279/307] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), Paolo Abeni,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit 01ff78e4b3d98689184c52d97f9575dfbdc3b10f ]

Using the format specifier +%s%3N with GNU date is honoured, and only
prints 3 digits of the nanoseconds portion of the seconds since epoch,
which corresponds to the milliseconds.

The uutils implementation of date currently does not honour this, and
always prints all 9 digits. This is a known issue [1], but can be worked
around by adapting this test to use nanoseconds instead of microseconds,
and then divide it by 1e6.

This fix is similar to what has been done on systemd side [2], and it is
needed to run the selftests on Ubuntu 26.04, containing uutils 0.8.0.

Note that the Fixes tag is there even if this patch doesn't fix an issue
in the kernel selftests, but it is useful for those using uutils 0.8.0.

Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
Cc: stable@vger.kernel.org
Link: https://github.com/uutils/coreutils/issues/11658 [1]
Link: https://github.com/systemd/systemd/pull/41627 [2]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-6-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ kept `timeout ${timeout_test}` wrapper in do_transfer() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/net/mptcp/mptcp_connect.sh |    6 +++---
 tools/testing/selftests/net/mptcp/mptcp_lib.sh     |   10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
@@ -412,7 +412,7 @@ do_transfer()
 	mptcp_lib_wait_local_port_listen "${listener_ns}" "${port}"
 
 	local start
-	start=$(date +%s%3N)
+	start=$(date +%s%N)
 	timeout ${timeout_test} \
 		ip netns exec ${connector_ns} \
 			./mptcp_connect -t ${timeout_poll} -p $port -s ${cl_proto} \
@@ -425,7 +425,7 @@ do_transfer()
 	local rets=$?
 
 	local stop
-	stop=$(date +%s%3N)
+	stop=$(date +%s%N)
 
 	if $capture; then
 		sleep 1
@@ -441,7 +441,7 @@ do_transfer()
 	fi
 
 	local duration
-	duration=$((stop-start))
+	duration=$(((stop-start) / 1000000))
 	printf "(duration %05sms) " "${duration}"
 	if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then
 		mptcp_lib_pr_fail "client exit code $retc, server $rets"
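Review bot: `$(((stop-start) / 1000000))` is fine in bash's 64-bit arithmetic (epoch nanoseconds are about 1.7e18, well under 2^63), but the unchanged `printf "(duration %05sms) "` on the next line zero-pads a `%s` conversion, which the printf utility leaves undefined; since the value is now a computed integer, `%05d` would be the portable form.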
--- a/tools/testing/selftests/net/mptcp/mptcp_lib.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_lib.sh
@@ -29,7 +29,7 @@ declare -rx MPTCP_LIB_AF_INET6=10
 MPTCP_LIB_SUBTESTS=()
 MPTCP_LIB_SUBTESTS_DUPLICATED=0
 MPTCP_LIB_SUBTEST_FLAKY=0
-MPTCP_LIB_SUBTESTS_LAST_TS_MS=
+MPTCP_LIB_SUBTESTS_LAST_TS_NS=
 MPTCP_LIB_TEST_COUNTER=0
 MPTCP_LIB_TEST_FORMAT="%02u %-50s"
 MPTCP_LIB_IP_MPTCP=0
@@ -207,7 +207,7 @@ mptcp_lib_kversion_ge() {
 }
 
 mptcp_lib_subtests_last_ts_reset() {
-	MPTCP_LIB_SUBTESTS_LAST_TS_MS="$(date +%s%3N)"
+	MPTCP_LIB_SUBTESTS_LAST_TS_NS="$(date +%s%N)"
 }
 mptcp_lib_subtests_last_ts_reset
 
@@ -226,7 +226,7 @@ __mptcp_lib_result_check_duplicated() {
 __mptcp_lib_result_add() {
 	local result="${1}"
 	local time="time="
-	local ts_prev_ms
+	local ts_prev_ns
 	shift
 
 	local id=$((${#MPTCP_LIB_SUBTESTS[@]} + 1))
@@ -236,9 +236,9 @@ __mptcp_lib_result_add() {
 	# not to add two '#'
 	[[ "${*}" != *"#"* ]] && time="# ${time}"
 
-	ts_prev_ms="${MPTCP_LIB_SUBTESTS_LAST_TS_MS}"
+	ts_prev_ns="${MPTCP_LIB_SUBTESTS_LAST_TS_NS}"
 	mptcp_lib_subtests_last_ts_reset
-	time+="$((MPTCP_LIB_SUBTESTS_LAST_TS_MS - ts_prev_ms))ms"
+	time+="$(((MPTCP_LIB_SUBTESTS_LAST_TS_NS - ts_prev_ns) / 1000000))ms"
 
 	MPTCP_LIB_SUBTESTS+=("${result} ${id} - ${KSFT_TEST}: ${*} ${time}")
 }
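Review bot: if `date` does not support `%N` at all, `$(((MPTCP_LIB_SUBTESTS_LAST_TS_NS - ts_prev_ns) / 1000000))` fails with a bash arithmetic error on every subtest report, exactly as the old `%3N` path did. Behaviour is unchanged, but since the commit message now enumerates the supported implementations, mptcp_lib_subtests_last_ts_reset() could validate the value once (for example `[[ ${MPTCP_LIB_SUBTESTS_LAST_TS_NS} =~ ^[0-9]+$ ]]`) and omit `time=` instead of aborting.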




* [PATCH 6.18 288/315] serdev: Provide a bustype shutdown function
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (286 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 287/315] rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 289/315] Bluetooth: hci_qca: Migrate to serdev specific " Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>

[ Upstream commit 6d71c62b13c33ea858ab298fe20beaec5736edc7 ]

To prepare serdev drivers to migrate away from struct device_driver::shutdown
(and then eventually remove that callback), create a serdev driver shutdown
callback and migration code to keep the existing behaviour. Note this
introduces a warning for each driver at register time that isn't converted
yet to that callback.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/ab518883e3ed0976a19cb5b5b5faf42bd3a655b7.1765526117.git.u.kleine-koenig@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 375ba7484132 ("Bluetooth: hci_qca: Convert timeout from jiffies to ms")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serdev/core.c |   21 +++++++++++++++++++++
 include/linux/serdev.h    |    1 +
 2 files changed, 22 insertions(+)

--- a/drivers/tty/serdev/core.c
+++ b/drivers/tty/serdev/core.c
@@ -414,11 +414,21 @@ static void serdev_drv_remove(struct dev
 		sdrv->remove(to_serdev_device(dev));
 }
 
+static void serdev_drv_shutdown(struct device *dev)
+{
+	const struct serdev_device_driver *sdrv =
+		to_serdev_device_driver(dev->driver);
+
+	if (dev->driver && sdrv->shutdown)
+		sdrv->shutdown(to_serdev_device(dev));
+}
+
 static const struct bus_type serdev_bus_type = {
 	.name		= "serial",
 	.match		= serdev_device_match,
 	.probe		= serdev_drv_probe,
 	.remove		= serdev_drv_remove,
+	.shutdown	= serdev_drv_shutdown,
 };
 
 /**
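Review bot: in serdev_drv_shutdown(), `to_serdev_device_driver(dev->driver)` is evaluated before the `dev->driver` check; it is a container_of, so with a NULL driver it yields an out-of-object pointer that is never dereferenced only because `&&` short-circuits. Move the container_of inside the `if (dev->driver)` so the code does not depend on the offset of `driver` within struct serdev_device_driver.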
@@ -814,6 +824,14 @@ void serdev_controller_remove(struct ser
 }
 EXPORT_SYMBOL_GPL(serdev_controller_remove);
 
+static void serdev_legacy_shutdown(struct serdev_device *serdev)
+{
+	struct device *dev = &serdev->dev;
+	struct device_driver *driver = dev->driver;
+
+	driver->shutdown(dev);
+}
+
 /**
  * __serdev_device_driver_register() - Register client driver with serdev core
  * @sdrv:	client driver to be associated with client-device.
@@ -830,6 +848,9 @@ int __serdev_device_driver_register(stru
 	/* force drivers to async probe so I/O is possible in probe */
         sdrv->driver.probe_type = PROBE_PREFER_ASYNCHRONOUS;
 
+	if (!sdrv->shutdown && sdrv->driver.shutdown)
+		sdrv->shutdown = serdev_legacy_shutdown;
+
 	return driver_register(&sdrv->driver);
 }
 EXPORT_SYMBOL_GPL(__serdev_device_driver_register);
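Review bot: the commit message says registering a driver that still sets `driver.shutdown` now emits a warning, but this hunk only silently installs `serdev_legacy_shutdown`; either the warning (a pr_warn naming `sdrv->driver.name`, say) was dropped in the backport or the description is ahead of the code. Since serdev_legacy_shutdown() calls `driver->shutdown(dev)` unconditionally, the `sdrv->driver.shutdown` test here is the only thing that makes that call safe, and a comment should say so.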
--- a/include/linux/serdev.h
+++ b/include/linux/serdev.h
@@ -65,6 +65,7 @@ struct serdev_device_driver {
 	struct device_driver driver;
 	int	(*probe)(struct serdev_device *);
 	void	(*remove)(struct serdev_device *);
+	void	(*shutdown)(struct serdev_device *);
 };
 
 static inline struct serdev_device_driver *to_serdev_device_driver(struct device_driver *d)




* [PATCH 6.18 289/315] Bluetooth: hci_qca: Migrate to serdev specific shutdown function
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (287 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 288/315] serdev: Provide a bustype shutdown function Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 290/315] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>

[ Upstream commit 12a6a5726c515455935982429ac35dee2307233d ]

This saves a cast in the driver. The motivation is to stop using the callback
.shutdown in qca_serdev_driver.driver to make it possible to drop that.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://patch.msgid.link/261a3384e25c4837d4efee87958805f15d7d4e3c.1765526117.git.u.kleine-koenig@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 375ba7484132 ("Bluetooth: hci_qca: Convert timeout from jiffies to ms")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -2567,11 +2567,10 @@ static void qca_serdev_remove(struct ser
 	hci_uart_unregister_device(&qcadev->serdev_hu);
 }
 
-static void qca_serdev_shutdown(struct device *dev)
+static void qca_serdev_shutdown(struct serdev_device *serdev)
 {
 	int ret;
 	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
-	struct serdev_device *serdev = to_serdev_device(dev);
 	struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
 	struct hci_uart *hu = &qcadev->serdev_hu;
 	struct hci_dev *hdev = hu->hdev;
@@ -2793,11 +2792,11 @@ static void hciqca_coredump(struct devic
 static struct serdev_device_driver qca_serdev_driver = {
 	.probe = qca_serdev_probe,
 	.remove = qca_serdev_remove,
+	.shutdown = qca_serdev_shutdown,
 	.driver = {
 		.name = "hci_uart_qca",
 		.of_match_table = of_match_ptr(qca_bluetooth_of_match),
 		.acpi_match_table = ACPI_PTR(qca_bluetooth_acpi_match),
-		.shutdown = qca_serdev_shutdown,
 		.pm = &qca_pm_ops,
 #ifdef CONFIG_DEV_COREDUMP
 		.coredump = hciqca_coredump,




* [PATCH 6.12 279/307] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (274 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 278/307] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 280/307] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Li Xiasong, Matthieu Baerts (NGI0),
	Paolo Abeni, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Li Xiasong <lixiasong1@huawei.com>

[ Upstream commit 51e398a3b8961b26a8c0a4ba9a777c5339791707 ]

When TCP option space is insufficient (e.g., when sending ADD_ADDR with an
IPv6 address and port while tcp_timestamps is enabled), the original code
jumped to out_unlock without clearing the addr_signal flag. This caused
mptcp_pm_add_timer to keep rescheduling indefinitely, not sending ADD_ADDR,
preventing subsequent addresses in the endpoint list from being announced.

Handle this case by clearing the ADD_ADDR signal and skipping the matching
ADD_ADDR retransmission entry. The skip path cancels the matching timer
(with id check) and advances PM state progression, preserving forward
progress to subsequent PM work.

This cancellation is inherently best-effort. A concurrent add_timer
callback may already be running and may acquire pm.lock before the
cancel path updates entry state. In that case, one final ADD_ADDR
transmit attempt can still be executed.

Once the cancel path sets entry->retrans_times to ADD_ADDR_RETRANS_MAX,
the callback-side retrans_times check suppresses further ADD_ADDR
retransmissions.

Note that when an ADD_ADDR is being prepared, a pure-ACK is queued. On
the output side, it means that it is fine to skip non-pure-ACK packets,
when drop_other_suboptions is set: a pure-ACK will be processed soon
after.

Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-2-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/pm.c         |   40 +++++++++++++++++++++++++++++++++-------
 net/mptcp/pm_netlink.c |   16 +++++++++++++---
 2 files changed, 46 insertions(+), 10 deletions(-)

--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -334,6 +334,7 @@ bool mptcp_pm_add_addr_signal(struct mpt
 			      struct mptcp_addr_info *addr, bool *echo,
 			      bool *drop_other_suboptions)
 {
+	bool skip_add_addr = false;
 	int ret = false;
 	u8 add_addr;
 	u8 family;
@@ -355,24 +356,49 @@ bool mptcp_pm_add_addr_signal(struct mpt
 	}
 
 	*echo = mptcp_pm_should_add_signal_echo(msk);
-	port = !!(*echo ? msk->pm.remote.port : msk->pm.local.port);
-
-	family = *echo ? msk->pm.remote.family : msk->pm.local.family;
-	if (remaining < mptcp_add_addr_len(family, *echo, port))
-		goto out_unlock;
-
 	if (*echo) {
 		*addr = msk->pm.remote;
 		add_addr = msk->pm.addr_signal & ~BIT(MPTCP_ADD_ADDR_ECHO);
+		port = !!msk->pm.remote.port;
+		family = msk->pm.remote.family;
 	} else {
 		*addr = msk->pm.local;
 		add_addr = msk->pm.addr_signal & ~BIT(MPTCP_ADD_ADDR_SIGNAL);
+		port = !!msk->pm.local.port;
+		family = msk->pm.local.family;
 	}
-	WRITE_ONCE(msk->pm.addr_signal, add_addr);
+
+	if (remaining < mptcp_add_addr_len(family, *echo, port)) {
+		struct net *net = sock_net((struct sock *)msk);
+
+		if (!*drop_other_suboptions)
+			goto out_unlock;
+
+		if (*echo) {
+			MPTCP_INC_STATS(net, MPTCP_MIB_ECHOADDTXDROP);
+		} else {
+			skip_add_addr = true;
+			MPTCP_INC_STATS(net, MPTCP_MIB_ADDADDRTXDROP);
+		}
+		goto drop_signal_mark;
+	}
+
 	ret = true;
 
+drop_signal_mark:
+	WRITE_ONCE(msk->pm.addr_signal, add_addr);
+
 out_unlock:
 	spin_unlock_bh(&msk->pm.lock);
+
+	/* On pure-ACK option-space exhaustion, stop retrying this ADD_ADDR:
+	 * clear the signal bit, cancel the matching retransmission timer, and
+	 * let the PM state machine progress.
+	 */
+	if (skip_add_addr) {
+		mptcp_pm_del_add_timer(msk, addr, true);
+		mptcp_pm_subflow_established(msk);
+	}
 	return ret;
 }
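Review bot: the `if (!*drop_other_suboptions) goto out_unlock;` branch deliberately leaves the signal bit set (per the commit message, a pure-ACK is queued whenever an ADD_ADDR is prepared, so the option is retried on that packet), but the only comment in the function describes the opposite, skip case; a one-line comment on the goto would stop the next reader from turning it into a drop. Also, `mptcp_pm_del_add_timer(msk, addr, true)` and `mptcp_pm_subflow_established(msk)` are placed after `spin_unlock_bh(&msk->pm.lock)` with `addr` being the caller's copy filled under the lock, which is the right order if both take pm.lock internally; say so, since moving them above the unlock would deadlock.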
 
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -320,7 +320,13 @@ static void mptcp_pm_add_timer(struct ti
 
 	spin_lock_bh(&msk->pm.lock);
 
-	if (!mptcp_pm_should_add_signal_addr(msk)) {
+	/* The cancel path (mptcp_pm_del_add_timer()) can race with this
+	 * callback. Once cancel updates retrans_times to MAX, suppress further
+	 * retransmissions here. If this callback acquires pm.lock first, one
+	 * final transmit attempt is still possible.
+	 */
+	if (entry->retrans_times < ADD_ADDR_RETRANS_MAX &&
+	    !mptcp_pm_should_add_signal_addr(msk)) {
 		pr_debug("retransmit ADD_ADDR id=%d\n", entry->addr.id);
 		mptcp_pm_announce_addr(msk, &entry->addr, false);
 		mptcp_pm_add_addr_send_ack(msk);
@@ -368,8 +374,12 @@ mptcp_pm_del_add_timer(struct mptcp_sock
 	/* Note: entry might have been removed by another thread.
 	 * We hold rcu_read_lock() to ensure it is not freed under us.
 	 */
-	if (stop_timer)
-		sk_stop_timer_sync(sk, &entry->add_timer);
+	if (stop_timer) {
+		if (check_id)
+			sk_stop_timer(sk, &entry->add_timer);
+		else
+			sk_stop_timer_sync(sk, &entry->add_timer);
+	}
 
 	rcu_read_unlock();
 	return entry;
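Review bot: choosing `sk_stop_timer()` over `sk_stop_timer_sync()` on `check_id` needs a comment. With the non-sync variant the callback in `mptcp_pm_add_timer()` may still be executing when this function returns, so a `check_id` caller (the first hunk calls with `true` right after dropping `pm.lock`) must neither free `entry` nor assume the timer is quiescent, and relies on the `retrans_times` guard added above to suppress further retransmissions. Tying a cancellation-context decision to a parameter named `check_id` also hides the intent; a separate `bool sync` argument, or a comment stating that the `check_id` callers run in a context where a synchronous cancel is not allowed, would make it explicit.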



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 290/315] Bluetooth: hci_qca: Convert timeout from jiffies to ms
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul Menzel, Bartosz Golaszewski,
	Shuai Zhang, Luiz Augusto von Dentz, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>

[ Upstream commit 375ba7484132662a4a8c7547d088fb6275c00282 ]

Since the timer uses jiffies as its unit rather than ms, the timeout value
must be converted from ms to jiffies when configuring the timer. Otherwise,
the intended 8s timeout is incorrectly set to approximately 33s.

To improve readability, embed msecs_to_jiffies() directly in the macro
definitions and drop the _MS suffix from macros that now yield jiffies
values: MEMDUMP_TIMEOUT, FW_DOWNLOAD_TIMEOUT, IBS_DISABLE_SSR_TIMEOUT,
CMD_TRANS_TIMEOUT, and IBS_BTSOC_TX_IDLE_TIMEOUT.

IBS_WAKE_RETRANS_TIMEOUT_MS and IBS_HOST_TX_IDLE_TIMEOUT_MS are
intentionally left unchanged. Their values are stored in the struct fields
wake_retrans and tx_idle_delay, which hold ms values at runtime and can be
modified via debugfs. The msecs_to_jiffies() conversion happens at each
call site against the field value, so it cannot be embedded in the macro.

Wake timer depends on commit c347ca17d62a

Cc: stable@vger.kernel.org
Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |   33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -48,13 +48,12 @@
 #define HCI_MAX_IBS_SIZE	10
 
 #define IBS_WAKE_RETRANS_TIMEOUT_MS	100
-#define IBS_BTSOC_TX_IDLE_TIMEOUT_MS	200
+#define IBS_BTSOC_TX_IDLE_TIMEOUT	msecs_to_jiffies(200)
 #define IBS_HOST_TX_IDLE_TIMEOUT_MS	2000
-#define CMD_TRANS_TIMEOUT_MS		100
-#define MEMDUMP_TIMEOUT_MS		8000
-#define IBS_DISABLE_SSR_TIMEOUT_MS \
-	(MEMDUMP_TIMEOUT_MS + FW_DOWNLOAD_TIMEOUT_MS)
-#define FW_DOWNLOAD_TIMEOUT_MS		3000
+#define CMD_TRANS_TIMEOUT		msecs_to_jiffies(100)
+#define MEMDUMP_TIMEOUT			msecs_to_jiffies(8000)
+#define FW_DOWNLOAD_TIMEOUT		msecs_to_jiffies(3000)
+#define IBS_DISABLE_SSR_TIMEOUT		(MEMDUMP_TIMEOUT + FW_DOWNLOAD_TIMEOUT)
 
 /* susclk rate */
 #define SUSCLK_RATE_32KHZ	32768
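Review bot: with `msecs_to_jiffies()` embedded, these macros are no longer integer constant expressions (the helper is an inline function), so they cannot be used in static initialisers, `case` labels or array bounds; the current call sites are all runtime, but a one-line comment next to the definitions would stop someone from trying. `IBS_DISABLE_SSR_TIMEOUT` now adds two separately rounded conversions instead of converting 11000 ms once; the difference is at most one jiffy and harmless, but worth knowing when the value is compared against a log timestamp.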
@@ -1091,7 +1090,7 @@ static void qca_controller_memdump(struc
 
 			queue_delayed_work(qca->workqueue,
 					   &qca->ctrl_memdump_timeout,
-					   msecs_to_jiffies(MEMDUMP_TIMEOUT_MS));
+					   MEMDUMP_TIMEOUT);
 			skb_pull(skb, sizeof(qca_memdump->ram_dump_size));
 			qca_memdump->current_seq_no = 0;
 			qca_memdump->received_dump = 0;
@@ -1364,7 +1363,7 @@ static int qca_set_baudrate(struct hci_d
 
 	if (hu->serdev)
 		serdev_device_wait_until_sent(hu->serdev,
-		      msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+		      CMD_TRANS_TIMEOUT);
 
 	/* Give the controller time to process the request */
 	switch (qca_soc_type(hu)) {
@@ -1396,8 +1395,8 @@ static inline void host_set_baudrate(str
 
 static int qca_send_power_pulse(struct hci_uart *hu, bool on)
 {
+	int timeout = CMD_TRANS_TIMEOUT;
 	int ret;
-	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
 	u8 cmd = on ? QCA_WCN3990_POWERON_PULSE : QCA_WCN3990_POWEROFF_PULSE;
 
 	/* These power pulses are single byte command which are sent
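Review bot: `int timeout = CMD_TRANS_TIMEOUT;` stores the `unsigned long` returned by `msecs_to_jiffies()` in an `int`; harmless for 100 ms, but this same patch changes `wait_timeout` in `qca_suspend()` to `unsigned long` for exactly that reason, so do the same here and in `qca_serdev_shutdown()` below for consistency.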
@@ -1602,7 +1601,7 @@ static void qca_wait_for_dump_collection
 	struct qca_data *qca = hu->priv;
 
 	wait_on_bit_timeout(&qca->flags, QCA_MEMDUMP_COLLECTION,
-			    TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT_MS);
+			    TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT);
 
 	clear_bit(QCA_MEMDUMP_COLLECTION, &qca->flags);
 }
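Review bot: this is the only functional change in the patch: the old code passed `MEMDUMP_TIMEOUT_MS` (8000) straight to `wait_on_bit_timeout()`, which takes jiffies, producing the ~33 s wait the commit message describes, while every other call site already wrapped its value in `msecs_to_jiffies()`. Consider splitting this one-liner from the mechanical renames so the bug fix is trivially backportable and the `Fixes:` tag attaches to it alone.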
@@ -2570,7 +2569,7 @@ static void qca_serdev_remove(struct ser
 static void qca_serdev_shutdown(struct serdev_device *serdev)
 {
 	int ret;
-	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
+	int timeout = CMD_TRANS_TIMEOUT;
 	struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
 	struct hci_uart *hu = &qcadev->serdev_hu;
 	struct hci_dev *hdev = hu->hdev;
@@ -2627,7 +2626,7 @@ static int __maybe_unused qca_suspend(st
 	bool tx_pending = false;
 	int ret = 0;
 	u8 cmd;
-	u32 wait_timeout = 0;
+	unsigned long wait_timeout = 0;
 
 	set_bit(QCA_SUSPENDING, &qca->flags);
 
@@ -2648,15 +2647,15 @@ static int __maybe_unused qca_suspend(st
 	if (test_bit(QCA_IBS_DISABLED, &qca->flags) ||
 	    test_bit(QCA_SSR_TRIGGERED, &qca->flags)) {
 		wait_timeout = test_bit(QCA_SSR_TRIGGERED, &qca->flags) ?
-					IBS_DISABLE_SSR_TIMEOUT_MS :
-					FW_DOWNLOAD_TIMEOUT_MS;
+					IBS_DISABLE_SSR_TIMEOUT :
+					FW_DOWNLOAD_TIMEOUT;
 
 		/* QCA_IBS_DISABLED flag is set to true, During FW download
 		 * and during memory dump collection. It is reset to false,
 		 * After FW download complete.
 		 */
 		wait_on_bit_timeout(&qca->flags, QCA_IBS_DISABLED,
-			    TASK_UNINTERRUPTIBLE, msecs_to_jiffies(wait_timeout));
+			    TASK_UNINTERRUPTIBLE, wait_timeout);
 
 		if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
 			bt_dev_err(hu->hdev, "SSR or FW download time out");
@@ -2708,7 +2707,7 @@ static int __maybe_unused qca_suspend(st
 
 	if (tx_pending) {
 		serdev_device_wait_until_sent(hu->serdev,
-					      msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+					      CMD_TRANS_TIMEOUT);
 		serial_clock_vote(HCI_IBS_TX_VOTE_CLOCK_OFF, hu);
 	}
 
@@ -2717,7 +2716,7 @@ static int __maybe_unused qca_suspend(st
 	 */
 	ret = wait_event_interruptible_timeout(qca->suspend_wait_q,
 			qca->rx_ibs_state == HCI_IBS_RX_ASLEEP,
-			msecs_to_jiffies(IBS_BTSOC_TX_IDLE_TIMEOUT_MS));
+			IBS_BTSOC_TX_IDLE_TIMEOUT);
 	if (ret == 0) {
 		ret = -ETIMEDOUT;
 		goto error;




* [PATCH 6.12 280/307] ice: fix VF queue configuration with low MTU values
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jose Ignacio Tornos Martinez,
	Jacob Keller, Michal Swiatkowski, Paul Menzel, Rafal Romanowski,
	Tony Nguyen, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>

[ Upstream commit 3ba4dd024d26372733d1c02e13e076c6016e3320 ]

The ice driver's VF queue configuration validation rejects
databuffer_size values below 1024 bytes, which prevents VFs from
using MTU values below 871 bytes.

The iavf driver calculates databuffer_size based on the MTU using:
  databuffer_size = ALIGN(MTU + LIBETH_RX_LL_LEN, 128)

where LIBETH_RX_LL_LEN = 26 (ETH_HLEN + 2*VLAN_HLEN + ETH_FCS_LEN).

For MTU values below 871:
  MTU 870: 870 + 26 = 896, aligned to 128 = 896 (< 1024, rejected)
  MTU 871: 871 + 26 = 897, aligned to 128 = 1024 (>= 1024, accepted)

The 1024-byte minimum seems unnecessarily restrictive, because the hardware
supports databuffer_size as low as 128 bytes (the alignment boundary),
which should allow MTU values down to the standard minimum of 68 bytes.

I haven't found the reason why the limit was configured in the commit
9c7dd7566d18 ("ice: add validation in OP_CONFIG_VSI_QUEUES VF message"), so
with no more information and since it is working, change the minimum
databuffer_size validation from 1024 to 128 bytes to allow standard low
MTU values while still preventing invalid configurations.

Fixes: 9c7dd7566d18 ("ice: add validation in OP_CONFIG_VSI_QUEUES VF message")
cc: stable@vger.kernel.org
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-3-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied the change to ice_virtchnl.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/intel/ice/ice_virtchnl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
@@ -1746,7 +1746,7 @@ static int ice_vc_cfg_qs_msg(struct ice_
 
 			if (qpi->rxq.databuffer_size != 0 &&
 			    (qpi->rxq.databuffer_size > ((16 * 1024) - 128) ||
-			     qpi->rxq.databuffer_size < 1024))
+			     qpi->rxq.databuffer_size < 128))
 				goto error_param;
 			ring->rx_buf_len = qpi->rxq.databuffer_size;
 			if (qpi->rxq.max_pkt_size > max_frame_size ||
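Review bot: the new lower bound accepts any value from 128 upwards, but the commit message says 128 is the hardware alignment granularity and that iavf always sends `ALIGN(..., 128)` values; a request of, say, 200 bytes still passes this check. If the hardware really requires 128-byte multiples, add `!IS_ALIGNED(qpi->rxq.databuffer_size, 128)` to the rejection condition; if it does not, the commit message should say the minimum, not the alignment, is what the hardware constrains.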




* [PATCH 6.12 281/307] ring-buffer: Flush and stop persistent ring buffer on panic
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, Mathieu Desnoyers,
	Ian Rogers, Masami Hiramatsu (Google), Catalin Marinas,
	Geert Uytterhoeven, Steven Rostedt, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>

[ Upstream commit a494d3c8d5392bcdff83c2a593df0c160ff9f322 ]

On real hardware, panic and machine reboot may not flush hardware cache
to memory. This means the persistent ring buffer, which relies on a
coherent state of memory, may not have its events written to the buffer
and they may be lost. Moreover, there may be inconsistency with the
counters which are used for validation of the integrity of the
persistent ring buffer which may cause all data to be discarded.

To avoid this issue, stop recording of the ring buffer on panic and
flush the cache of the ring buffer's memory.

Fixes: e645535a954a ("tracing: Add option to use memmapped memory for trace boot instance")
Cc: stable@vger.kernel.org
Cc: Will Deacon <will@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Ian Rogers <irogers@google.com>
Link: https://patch.msgid.link/177751969602.2136606.12031934362587643488.stgit@mhiramat.tok.corp.google.com
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/alpha/include/asm/Kbuild        |    1 +
 arch/arc/include/asm/Kbuild          |    1 +
 arch/arm/include/asm/Kbuild          |    1 +
 arch/arm64/include/asm/ring_buffer.h |   10 ++++++++++
 arch/csky/include/asm/Kbuild         |    1 +
 arch/hexagon/include/asm/Kbuild      |    1 +
 arch/loongarch/include/asm/Kbuild    |    1 +
 arch/m68k/include/asm/Kbuild         |    1 +
 arch/microblaze/include/asm/Kbuild   |    1 +
 arch/mips/include/asm/Kbuild         |    1 +
 arch/nios2/include/asm/Kbuild        |    1 +
 arch/openrisc/include/asm/Kbuild     |    1 +
 arch/parisc/include/asm/Kbuild       |    1 +
 arch/powerpc/include/asm/Kbuild      |    1 +
 arch/riscv/include/asm/Kbuild        |    1 +
 arch/s390/include/asm/Kbuild         |    1 +
 arch/sh/include/asm/Kbuild           |    1 +
 arch/sparc/include/asm/Kbuild        |    1 +
 arch/um/include/asm/Kbuild           |    1 +
 arch/x86/include/asm/Kbuild          |    1 +
 arch/xtensa/include/asm/Kbuild       |    1 +
 include/asm-generic/ring_buffer.h    |   13 +++++++++++++
 kernel/trace/ring_buffer.c           |   22 ++++++++++++++++++++++
 23 files changed, 65 insertions(+)
 create mode 100644 arch/arm64/include/asm/ring_buffer.h
 create mode 100644 include/asm-generic/ring_buffer.h

--- a/arch/alpha/include/asm/Kbuild
+++ b/arch/alpha/include/asm/Kbuild
@@ -5,3 +5,4 @@ generic-y += agp.h
 generic-y += asm-offsets.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
+generic-y += ring_buffer.h
--- a/arch/arc/include/asm/Kbuild
+++ b/arch/arc/include/asm/Kbuild
@@ -5,4 +5,5 @@ generic-y += extable.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
 generic-y += parport.h
+generic-y += ring_buffer.h
 generic-y += user.h
--- a/arch/arm/include/asm/Kbuild
+++ b/arch/arm/include/asm/Kbuild
@@ -3,6 +3,7 @@ generic-y += early_ioremap.h
 generic-y += extable.h
 generic-y += flat.h
 generic-y += parport.h
+generic-y += ring_buffer.h
 
 generated-y += mach-types.h
 generated-y += unistd-nr.h
--- /dev/null
+++ b/arch/arm64/include/asm/ring_buffer.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+#ifndef _ASM_ARM64_RING_BUFFER_H
+#define _ASM_ARM64_RING_BUFFER_H
+
+#include <asm/cacheflush.h>
+
+/* Flush D-cache on persistent ring buffer */
+#define arch_ring_buffer_flush_range(start, end)	dcache_clean_pop(start, end)
+
+#endif /* _ASM_ARM64_RING_BUFFER_H */
--- a/arch/csky/include/asm/Kbuild
+++ b/arch/csky/include/asm/Kbuild
@@ -9,5 +9,6 @@ generic-y += qrwlock.h
 generic-y += qrwlock_types.h
 generic-y += qspinlock.h
 generic-y += parport.h
+generic-y += ring_buffer.h
 generic-y += user.h
 generic-y += vmlinux.lds.h
--- a/arch/hexagon/include/asm/Kbuild
+++ b/arch/hexagon/include/asm/Kbuild
@@ -5,3 +5,4 @@ generic-y += extable.h
 generic-y += iomap.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
+generic-y += ring_buffer.h
--- a/arch/loongarch/include/asm/Kbuild
+++ b/arch/loongarch/include/asm/Kbuild
@@ -9,5 +9,6 @@ generic-y += qrwlock.h
 generic-y += user.h
 generic-y += ioctl.h
 generic-y += mmzone.h
+generic-y += ring_buffer.h
 generic-y += statfs.h
 generic-y += param.h
--- a/arch/m68k/include/asm/Kbuild
+++ b/arch/m68k/include/asm/Kbuild
@@ -3,4 +3,5 @@ generated-y += syscall_table.h
 generic-y += extable.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
+generic-y += ring_buffer.h
 generic-y += spinlock.h
--- a/arch/microblaze/include/asm/Kbuild
+++ b/arch/microblaze/include/asm/Kbuild
@@ -5,6 +5,7 @@ generic-y += extable.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
 generic-y += parport.h
+generic-y += ring_buffer.h
 generic-y += syscalls.h
 generic-y += tlb.h
 generic-y += user.h
--- a/arch/mips/include/asm/Kbuild
+++ b/arch/mips/include/asm/Kbuild
@@ -12,4 +12,5 @@ generic-y += mcs_spinlock.h
 generic-y += parport.h
 generic-y += qrwlock.h
 generic-y += qspinlock.h
+generic-y += ring_buffer.h
 generic-y += user.h
--- a/arch/nios2/include/asm/Kbuild
+++ b/arch/nios2/include/asm/Kbuild
@@ -5,5 +5,6 @@ generic-y += cmpxchg.h
 generic-y += extable.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
+generic-y += ring_buffer.h
 generic-y += spinlock.h
 generic-y += user.h
--- a/arch/openrisc/include/asm/Kbuild
+++ b/arch/openrisc/include/asm/Kbuild
@@ -8,4 +8,5 @@ generic-y += spinlock_types.h
 generic-y += spinlock.h
 generic-y += qrwlock_types.h
 generic-y += qrwlock.h
+generic-y += ring_buffer.h
 generic-y += user.h
--- a/arch/parisc/include/asm/Kbuild
+++ b/arch/parisc/include/asm/Kbuild
@@ -4,4 +4,5 @@ generated-y += syscall_table_64.h
 generic-y += agp.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
+generic-y += ring_buffer.h
 generic-y += user.h
--- a/arch/powerpc/include/asm/Kbuild
+++ b/arch/powerpc/include/asm/Kbuild
@@ -6,4 +6,5 @@ generic-y += agp.h
 generic-y += kvm_types.h
 generic-y += mcs_spinlock.h
 generic-y += qrwlock.h
+generic-y += ring_buffer.h
 generic-y += early_ioremap.h
--- a/arch/riscv/include/asm/Kbuild
+++ b/arch/riscv/include/asm/Kbuild
@@ -11,5 +11,6 @@ generic-y += spinlock.h
 generic-y += spinlock_types.h
 generic-y += qrwlock.h
 generic-y += qrwlock_types.h
+generic-y += ring_buffer.h
 generic-y += user.h
 generic-y += vmlinux.lds.h
--- a/arch/s390/include/asm/Kbuild
+++ b/arch/s390/include/asm/Kbuild
@@ -8,3 +8,4 @@ generic-y += asm-offsets.h
 generic-y += kvm_types.h
 generic-y += mcs_spinlock.h
 generic-y += mmzone.h
+generic-y += ring_buffer.h
--- a/arch/sh/include/asm/Kbuild
+++ b/arch/sh/include/asm/Kbuild
@@ -3,3 +3,4 @@ generated-y += syscall_table.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
 generic-y += parport.h
+generic-y += ring_buffer.h
--- a/arch/sparc/include/asm/Kbuild
+++ b/arch/sparc/include/asm/Kbuild
@@ -4,3 +4,4 @@ generated-y += syscall_table_64.h
 generic-y += agp.h
 generic-y += kvm_para.h
 generic-y += mcs_spinlock.h
+generic-y += ring_buffer.h
--- a/arch/um/include/asm/Kbuild
+++ b/arch/um/include/asm/Kbuild
@@ -19,6 +19,7 @@ generic-y += param.h
 generic-y += parport.h
 generic-y += percpu.h
 generic-y += preempt.h
+generic-y += ring_buffer.h
 generic-y += runtime-const.h
 generic-y += softirq_stack.h
 generic-y += switch_to.h
--- a/arch/x86/include/asm/Kbuild
+++ b/arch/x86/include/asm/Kbuild
@@ -12,3 +12,4 @@ generated-y += xen-hypercalls.h
 generic-y += early_ioremap.h
 generic-y += mcs_spinlock.h
 generic-y += mmzone.h
+generic-y += ring_buffer.h
--- a/arch/xtensa/include/asm/Kbuild
+++ b/arch/xtensa/include/asm/Kbuild
@@ -7,4 +7,5 @@ generic-y += param.h
 generic-y += parport.h
 generic-y += qrwlock.h
 generic-y += qspinlock.h
+generic-y += ring_buffer.h
 generic-y += user.h
--- /dev/null
+++ b/include/asm-generic/ring_buffer.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Generic arch dependent ring_buffer macros.
+ */
+#ifndef __ASM_GENERIC_RING_BUFFER_H__
+#define __ASM_GENERIC_RING_BUFFER_H__
+
+#include <linux/cacheflush.h>
+
+/* Flush cache on ring buffer range if needed. Do nothing by default. */
+#define arch_ring_buffer_flush_range(start, end)	do { } while (0)
+
+#endif /* __ASM_GENERIC_RING_BUFFER_H__ */
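Review bot: `#include <linux/cacheflush.h>` is not used by the no-op default; either drop it or add a comment saying it is kept so that arch overrides modelled on this header have the cache-maintenance helpers available. The `do { } while (0)` form never evaluates `start` and `end`; that is fine today because the only caller passes struct members, but `do { (void)(start); (void)(end); } while (0)` would avoid unused-variable warnings if a future caller computes the bounds into locals.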
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5,6 +5,7 @@
  * Copyright (C) 2008 Steven Rostedt <srostedt@redhat.com>
  */
 #include <linux/trace_recursion.h>
+#include <linux/panic_notifier.h>
 #include <linux/trace_events.h>
 #include <linux/ring_buffer.h>
 #include <linux/trace_clock.h>
@@ -29,6 +30,7 @@
 #include <linux/oom.h>
 #include <linux/mm.h>
 
+#include <asm/ring_buffer.h>
 #include <asm/local64.h>
 #include <asm/local.h>
 
@@ -549,6 +551,7 @@ struct trace_buffer {
 
 	unsigned long			range_addr_start;
 	unsigned long			range_addr_end;
+	struct notifier_block		flush_nb;
 
 	long				last_text_delta;
 	long				last_data_delta;
@@ -2316,6 +2319,16 @@ static void rb_free_cpu_buffer(struct ri
 	kfree(cpu_buffer);
 }
 
+/* Stop recording on a persistent buffer and flush cache if needed. */
+static int rb_flush_buffer_cb(struct notifier_block *nb, unsigned long event, void *data)
+{
+	struct trace_buffer *buffer = container_of(nb, struct trace_buffer, flush_nb);
+
+	ring_buffer_record_off(buffer);
+	arch_ring_buffer_flush_range(buffer->range_addr_start, buffer->range_addr_end);
+	return NOTIFY_DONE;
+}
+
 static struct trace_buffer *alloc_buffer(unsigned long size, unsigned flags,
 					 int order, unsigned long start,
 					 unsigned long end,
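Review bot: `ring_buffer_record_off()` only blocks new writers; a CPU that was stopped mid-commit leaves a partially written event behind, and the flush then persists exactly that state. That is the best a panic notifier can do, but the comment above the callback should say so, since the commit message motivates the change with keeping the validation counters consistent, and a reader may otherwise assume the buffer is guaranteed clean after this runs.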
@@ -2421,6 +2434,12 @@ static struct trace_buffer *alloc_buffer
 
 	mutex_init(&buffer->mutex);
 
+	/* Persistent ring buffer needs to flush cache before reboot. */
+	if (start && end) {
+		buffer->flush_nb.notifier_call = rb_flush_buffer_cb;
+		atomic_notifier_chain_register(&panic_notifier_list, &buffer->flush_nb);
+	}
+
 	return buffer;
 
  fail_free_buffers:
@@ -2512,6 +2531,9 @@ ring_buffer_free(struct trace_buffer *bu
 {
 	int cpu;
 
+	if (buffer->range_addr_start && buffer->range_addr_end)
+		atomic_notifier_chain_unregister(&panic_notifier_list, &buffer->flush_nb);
+
 	cpuhp_state_remove_instance(CPUHP_TRACE_RB_PREPARE, &buffer->node);
 
 	irq_work_sync(&buffer->irq_work.work);
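Review bot: unregistration is keyed on `buffer->range_addr_start && buffer->range_addr_end`, whereas registration in `alloc_buffer()` above is keyed on `start && end`; the two agree only if those fields are assigned unconditionally from `start`/`end` earlier in `alloc_buffer()`, which is outside the hunks. Use the same predicate in both places (or test `buffer->flush_nb.notifier_call`), otherwise a mismatch leaves a notifier on `panic_notifier_list` pointing into freed memory.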




* [PATCH 6.18 291/315] selftests: mptcp: drop nanoseconds width specifier
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), Paolo Abeni,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

[ Upstream commit 01ff78e4b3d98689184c52d97f9575dfbdc3b10f ]

The format specifier +%s%3N is honoured by GNU date, and only prints 3
digits of the nanoseconds portion of the seconds since epoch, which
corresponds to the milliseconds.

The uutils implementation of date currently does not honour this, and
always prints all 9 digits. This is a known issue [1], but can be worked
around by adapting this test to use nanoseconds instead of microseconds,
and then divide it by 1e6.

This fix is similar to what has been done on systemd side [2], and it is
needed to run the selftests on Ubuntu 26.04, containing uutils 0.8.0.

Note that the Fixes tag is there even if this patch doesn't fix an issue
in the kernel selftests, but it is useful for those using uutils 0.8.0.

Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
Cc: stable@vger.kernel.org
Link: https://github.com/uutils/coreutils/issues/11658 [1]
Link: https://github.com/systemd/systemd/pull/41627 [2]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-6-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ kept `timeout ${timeout_test}` wrapper in do_transfer() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/net/mptcp/mptcp_connect.sh |    6 +++---
 tools/testing/selftests/net/mptcp/mptcp_lib.sh     |   10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
@@ -415,7 +415,7 @@ do_transfer()
 	mptcp_lib_wait_local_port_listen "${listener_ns}" "${port}"
 
 	local start
-	start=$(date +%s%3N)
+	start=$(date +%s%N)
 	timeout ${timeout_test} \
 		ip netns exec ${connector_ns} \
 			./mptcp_connect -t ${timeout_poll} -p $port -s ${cl_proto} \
@@ -428,7 +428,7 @@ do_transfer()
 	local rets=$?
 
 	local stop
-	stop=$(date +%s%3N)
+	stop=$(date +%s%N)
 
 	if $capture; then
 		sleep 1
@@ -444,7 +444,7 @@ do_transfer()
 	fi
 
 	local duration
-	duration=$((stop-start))
+	duration=$(((stop-start) / 1000000))
 	printf "(duration %05sms) " "${duration}"
 	if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then
 		mptcp_lib_pr_fail "client exit code $retc, server $rets"
--- a/tools/testing/selftests/net/mptcp/mptcp_lib.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_lib.sh
@@ -28,7 +28,7 @@ declare -rx MPTCP_LIB_AF_INET6=10
 MPTCP_LIB_SUBTESTS=()
 MPTCP_LIB_SUBTESTS_DUPLICATED=0
 MPTCP_LIB_SUBTEST_FLAKY=0
-MPTCP_LIB_SUBTESTS_LAST_TS_MS=
+MPTCP_LIB_SUBTESTS_LAST_TS_NS=
 MPTCP_LIB_TEST_COUNTER=0
 MPTCP_LIB_TEST_FORMAT="%02u %-50s"
 MPTCP_LIB_IP_MPTCP=0
@@ -227,7 +227,7 @@ mptcp_lib_kversion_ge() {
 }
 
 mptcp_lib_subtests_last_ts_reset() {
-	MPTCP_LIB_SUBTESTS_LAST_TS_MS="$(date +%s%3N)"
+	MPTCP_LIB_SUBTESTS_LAST_TS_NS="$(date +%s%N)"
 }
 mptcp_lib_subtests_last_ts_reset
 
@@ -246,7 +246,7 @@ __mptcp_lib_result_check_duplicated() {
 __mptcp_lib_result_add() {
 	local result="${1}"
 	local time="time="
-	local ts_prev_ms
+	local ts_prev_ns
 	shift
 
 	local id=$((${#MPTCP_LIB_SUBTESTS[@]} + 1))
@@ -256,9 +256,9 @@ __mptcp_lib_result_add() {
 	# not to add two '#'
 	[[ "${*}" != *"#"* ]] && time="# ${time}"
 
-	ts_prev_ms="${MPTCP_LIB_SUBTESTS_LAST_TS_MS}"
+	ts_prev_ns="${MPTCP_LIB_SUBTESTS_LAST_TS_NS}"
 	mptcp_lib_subtests_last_ts_reset
-	time+="$((MPTCP_LIB_SUBTESTS_LAST_TS_MS - ts_prev_ms))ms"
+	time+="$(((MPTCP_LIB_SUBTESTS_LAST_TS_NS - ts_prev_ns) / 1000000))ms"
 
 	MPTCP_LIB_SUBTESTS+=("${result} ${id} - ${KSFT_TEST}: ${*} ${time}")
 }
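Review bot: the ns-to-ms divisor `1000000` now appears as a bare literal both here and in `mptcp_connect.sh`'s `duration=$(((stop-start) / 1000000))`; a small helper in `mptcp_lib.sh` that takes two `%s%N` stamps and prints the difference in ms would keep the two conversions in sync and give the `_MS` to `_NS` rename a single place to document. Integer division truncates, so sub-millisecond gaps print as 0ms, which matches what the old `%3N` output did.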




* [PATCH 6.18 292/315] net: devmem: reject dma-buf bind with non-page-aligned size or SG length
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Carlier, Bobby Eshleman,
	Stanislav Fomichev, Mina Almasry, Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Carlier <devnexen@gmail.com>

[ Upstream commit 4eb82ba543421e9e38cc14e4e82058b78850df50 ]

net_devmem_bind_dmabuf() trusts dmabuf->size and sg_dma_len() to be
PAGE_SIZE multiples without checking:

  - tx_vec is sized dmabuf->size / PAGE_SIZE, and
    net_devmem_get_niov_at() only bounds-checks virt_addr < dmabuf->size
    before indexing tx_vec[virt_addr / PAGE_SIZE]. With size =
    N*PAGE_SIZE + r (1 <= r < PAGE_SIZE), sendmsg() at iov_base =
    N*PAGE_SIZE passes the bound check and reads tx_vec[N] -- one past.

  - owner->area.num_niovs = len / PAGE_SIZE while gen_pool_add_owner()
    covers the full byte len, so a non-page-multiple non-final sg
    desyncs num_niovs from the gen_pool region for every later sg, on
    both RX and TX.

dma-buf does not require page-aligned sizes, so the bind path has to
enforce what its own indexing assumes. Reject both with -EINVAL.

The size check is TX-only (only tx_vec is sized off dmabuf->size); the
SG-length check covers both directions.

Fixes: bd61848900bf ("net: devmem: Implement TX path")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Bobby Eshleman <bobbyeshleman@meta.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Link: https://patch.msgid.link/20260519203530.66310-1-devnexen@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/devmem.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/net/core/devmem.c
+++ b/net/core/devmem.c
@@ -232,6 +232,11 @@ net_devmem_bind_dmabuf(struct net_device
 	}
 
 	if (direction == DMA_TO_DEVICE) {
+		if (!IS_ALIGNED(dmabuf->size, PAGE_SIZE)) {
+			err = -EINVAL;
+			NL_SET_ERR_MSG(extack, "TX dma-buf size must be a multiple of PAGE_SIZE");
+			goto err_unmap;
+		}
 		binding->tx_vec = kvmalloc_array(dmabuf->size / PAGE_SIZE,
 						 sizeof(struct net_iov *),
 						 GFP_KERNEL);
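Review bot: the rejection message is static; since dma-buf exporters legitimately produce non-page-multiple sizes, operators will hit this and want the offending value, and `NL_SET_ERR_MSG_FMT(extack, "TX dma-buf size %zu is not a multiple of PAGE_SIZE", dmabuf->size)` makes the -EINVAL self-explaining at no cost. The TX-only placement matches the commit message (only `tx_vec` is sized from `dmabuf->size`), but a comment at the `if` saying so would stop the next reader from "fixing" it for RX.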
@@ -259,6 +264,12 @@ net_devmem_bind_dmabuf(struct net_device
 		size_t len = sg_dma_len(sg);
 		struct net_iov *niov;
 
+		if (!IS_ALIGNED(len, PAGE_SIZE)) {
+			err = -EINVAL;
+			NL_SET_ERR_MSG(extack, "dma-buf SG length must be PAGE_SIZE aligned");
+			goto err_free_chunks;
+		}
+
 		owner = kzalloc_node(sizeof(*owner), GFP_KERNEL,
 				     dev_to_node(&dev->dev));
 		if (!owner) {
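Review bot: the alignment check sits inside the per-SG loop, after earlier chunks have already been registered, so a bad entry late in the table triggers the `err_free_chunks` unwind of everything built so far. A pre-pass over the sgtable that validates every `sg_dma_len()` before any allocation would fail fast with nothing to undo and keep this loop body on the happy path; if the in-loop check is kept, note in a comment that `err_free_chunks` is responsible for the partially populated chunk list.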




* [PATCH 6.12 282/307] mptcp: cleanup fallback dummy mapping generation
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Geliang Tang,
	Mat Martineau, Matthieu Baerts (NGI0), Jakub Kicinski,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 2834f8edd74d5dda368087a654c0e52b141e9893 ]

MPTCP currently accesses ack_seq outside the msk socket lock scope to
generate the dummy mapping for fallback sockets. Soon we are going
to introduce backlog usage, and even for fallback sockets the ack_seq
value will be significantly off outside of the msk socket lock scope.

Avoid relying on ack_seq for dummy mapping generation, using instead
the subflow sequence number. Note that in case of disconnect() and
(re)connect() we must ensure that any previous state is reset.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Geliang Tang <geliang@kernel.org>
Tested-by: Geliang Tang <geliang@kernel.org>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251121-net-next-mptcp-memcg-backlog-imp-v1-6-1f34b6c1e0b1@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0981f90e1a05 ("mptcp: reset rcv wnd on disconnect")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    3 +++
 net/mptcp/subflow.c  |    8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3369,6 +3369,9 @@ static int mptcp_disconnect(struct sock
 	msk->rcvspace_init = 0;
 	msk->fastclosing = 0;
 
+	/* for fallback's sake */
+	WRITE_ONCE(msk->ack_seq, 0);
+
 	WRITE_ONCE(sk->sk_shutdown, 0);
 	sk_error_report(sk);
 	return 0;
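Review bot: the `/* for fallback's sake */` comment above `WRITE_ONCE(msk->ack_seq, 0);` does not say which consumer the reset serves; since the message ties it to the dummy-mapping path, spell it out, e.g. `/* reset the fallback dummy mapping base, see subflow_set_remote_key() */`. It is also worth confirming that subflow->map_seq is re-seeded for a subflow that falls back before subflow_set_remote_key() ever runs, because the subflow.c change only re-seeds map_seq from that function.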
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -490,6 +490,9 @@ static void subflow_set_remote_key(struc
 	mptcp_crypto_key_sha(subflow->remote_key, NULL, &subflow->iasn);
 	subflow->iasn++;
 
+	/* for fallback's sake */
+	subflow->map_seq = subflow->iasn;
+
 	WRITE_ONCE(msk->remote_key, subflow->remote_key);
 	WRITE_ONCE(msk->ack_seq, subflow->iasn);
 	WRITE_ONCE(msk->can_ack, true);
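Review bot: the new `subflow->map_seq = subflow->iasn;` is the seed that __mptcp_expand_seq() later expands against in the fallback path, yet the comment again says only `for fallback's sake`; name the consumer here so the dependency between this function and the dummy-mapping code is visible from both sides.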
@@ -1415,9 +1418,12 @@ reset:
 
 	skb = skb_peek(&ssk->sk_receive_queue);
 	subflow->map_valid = 1;
-	subflow->map_seq = READ_ONCE(msk->ack_seq);
 	subflow->map_data_len = skb->len;
 	subflow->map_subflow_seq = tcp_sk(ssk)->copied_seq - subflow->ssn_offset;
+	subflow->map_seq = __mptcp_expand_seq(subflow->map_seq,
+					      subflow->iasn +
+					      TCP_SKB_CB(skb)->seq -
+					      subflow->ssn_offset - 1);
 	WRITE_ONCE(subflow->data_avail, true);
 	return true;
 }
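Review bot: the `- 1` in `subflow->iasn + TCP_SKB_CB(skb)->seq - subflow->ssn_offset - 1` deserves a comment: iasn was post-incremented in subflow_set_remote_key(), and `seq - ssn_offset` is 1 for the first data byte because the SYN consumed a sequence number, so the two offsets cancel and the first byte maps to the initial data sequence. Also note the mixed widths: iasn is u64 while seq and ssn_offset are u32, so the expression is evaluated in 64 bits and relies on __mptcp_expand_seq() treating only the low 32 bits of its second argument relative to the stored map_seq.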




* [PATCH 6.18 293/315] mptcp: handle first subflow closing consistently
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 0eeb372deebce6c25b9afc09e35d6c75a744299a ]

Currently, as soon as the PM closes a subflow, the msk stops accepting
data from it, even if the TCP socket could be still formally open in the
incoming direction, with the notable exception of the first subflow.

The root cause of such behavior is that the code currently piggy-backs two
separate semantics on the subflow->disposable bit: that the subflow context
must be released and that the subflow must stop accepting incoming
data.

The first subflow is never disposed, so it also never stops accepting
incoming data. Use a separate bit to mark the latter status and set such
bit in __mptcp_close_ssk() for all subflows.

Beyond making per-subflow behaviour more consistent, this will also
simplify the next patch.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251121-net-next-mptcp-memcg-backlog-imp-v1-11-1f34b6c1e0b1@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 50c2d91c5dfa ("mptcp: do not drop partial packets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |   14 +++++++++-----
 net/mptcp/protocol.h |    3 ++-
 2 files changed, 11 insertions(+), 6 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -854,10 +854,10 @@ void mptcp_data_ready(struct sock *sk, s
 	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
 
 	/* The peer can send data while we are shutting down this
-	 * subflow at msk destruction time, but we must avoid enqueuing
+	 * subflow at subflow destruction time, but we must avoid enqueuing
 	 * more data to the msk receive queue
 	 */
-	if (unlikely(subflow->disposable))
+	if (unlikely(subflow->closing))
 		return;
 
 	mptcp_data_lock(sk);
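Review bot: `subflow->closing` is read here without the msk data lock and written in __mptcp_close_ssk() after lock_sock_nested(ssk); since `closing` shares a bitfield word with `disposable`, `stale` and the other flags, every writer of any of those bits must hold the ssk lock or the read-modify-write can lose a flag. A one-line comment that the ssk lock serializes this bitfield would make the rule explicit; the comment fix (msk to subflow destruction time) is correct.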
@@ -2455,6 +2455,13 @@ static void __mptcp_close_ssk(struct soc
 	struct mptcp_sock *msk = mptcp_sk(sk);
 	bool dispose_it, need_push = false;
 
+	/* Do not pass RX data to the msk, even if the subflow socket is not
+	 * going to be freed (i.e. even for the first subflow on graceful
+	 * subflow close.
+	 */
+	lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
+	subflow->closing = 1;
+
 	/* If the first subflow moved to a close state before accept, e.g. due
 	 * to an incoming reset or listener shutdown, the subflow socket is
 	 * already deleted by inet_child_forget() and the mptcp socket can't
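Review bot: the new comment is missing its closing parenthesis: `(i.e. even for the first subflow on graceful subflow close.` should end with `close).`. Hoisting lock_sock_nested(ssk, SINGLE_DEPTH_NESTING) above `subflow->closing = 1;` is right, since mptcp_data_ready() tests the bit under the ssk lock, and the two later removals of the same call balance it; the side effect is that the `inet_child_forget()` early path and `list_del(&subflow->node)` now run with the ssk lock held, which is fine with the msk lock already held by the caller but is a lock-scope change worth a sentence in the message.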
@@ -2465,7 +2472,6 @@ static void __mptcp_close_ssk(struct soc
 		/* ensure later check in mptcp_worker() will dispose the msk */
 		sock_set_flag(sk, SOCK_DEAD);
 		mptcp_set_close_tout(sk, tcp_jiffies32 - (mptcp_close_timeout(sk) + 1));
-		lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
 		mptcp_subflow_drop_ctx(ssk);
 		goto out_release;
 	}
@@ -2474,8 +2480,6 @@ static void __mptcp_close_ssk(struct soc
 	if (dispose_it)
 		list_del(&subflow->node);
 
-	lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
-
 	if (subflow->send_fastclose && ssk->sk_state != TCP_CLOSE)
 		tcp_set_state(ssk, TCP_CLOSE);
 
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -537,12 +537,13 @@ struct mptcp_subflow_context {
 		send_infinite_map : 1,
 		remote_key_valid : 1,        /* received the peer key from */
 		disposable : 1,	    /* ctx can be free at ulp release time */
+		closing : 1,	    /* must not pass rx data to msk anymore */
 		stale : 1,	    /* unable to snd/rcv data, do not use for xmit */
 		valid_csum_seen : 1,        /* at least one csum validated */
 		is_mptfo : 1,	    /* subflow is doing TFO */
 		close_event_done : 1,       /* has done the post-closed part */
 		mpc_drop : 1,	    /* the MPC option has been dropped in a rtx */
-		__unused : 9;
+		__unused : 8;
 	bool	data_avail;
 	bool	scheduled;
 	bool	pm_listener;	    /* a listener managed by the kernel PM? */
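Review bot: the `closing : 1, /* must not pass rx data to msk anymore */` comment is good; consider also pointing the `disposable` comment at it, since this patch splits one flag into two and a reader of the struct should see which of the two a call site is expected to test. The `__unused : 9` to `__unused : 8` adjustment keeps the bitfield width unchanged.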




* [PATCH 6.12 283/307] mptcp: reset rcv wnd on disconnect
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 0981f90e1a05773a4c29c6e720f5ea1e3c8f1876 ]

If the MPTCP socket falls back to TCP before the MP handshake completion,
the IASN remains 0, and the rcv_wnd_sent field is not explicitly
initialized, just incremented over time with the data transfer.

At disconnect time such value is not cleared. If the next connection falls
back to TCP before the MP handshake completion, the data transfer will
keep incrementing the receive window end sequence starting from the last
value used in the previous connection: the announced window will be
unrelated to the actual receiver buffer size and likely too big.

Address the issue by zeroing the field at disconnect time.

Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-4-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3371,6 +3371,7 @@ static int mptcp_disconnect(struct sock
 
 	/* for fallback's sake */
 	WRITE_ONCE(msk->ack_seq, 0);
+	atomic64_set(&msk->rcv_wnd_sent, 0);
 
 	WRITE_ONCE(sk->sk_shutdown, 0);
 	sk_error_report(sk);
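Review bot: with `atomic64_set(&msk->rcv_wnd_sent, 0);` the `/* for fallback's sake */` comment now covers two resets; expand it to say that for a connection that falls back before the MP handshake both ack_seq and rcv_wnd_sent are only ever incremented, never initialized, so a stale value would carry over to the next connect(). A plain atomic64_set() is consistent with the WRITE_ONCE() above it, given that mptcp_disconnect() runs with the msk socket locked.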




* [PATCH 6.18 294/315] mptcp: borrow forward memory from subflow
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 9db5b3cec4ec1c0cd3239689f5c8653d691a1754 ]

In the MPTCP receive path, we release the subflow-allocated fwd
memory just to allocate it again shortly after for the msk.

That could increase the chances of failure, especially once we
add backlog processing, where other actions could consume the just
released memory before the msk socket has a chance to do the
rcv allocation.

Replace the skb_orphan() call with an open-coded variant that
explicitly borrows the fwd memory from the subflow socket instead
of releasing it.

The borrowed memory does not have PAGE_SIZE granularity; rounding to
the page size will make the fwd allocated memory higher than what is
strictly required and could make the incoming subflow fwd mem
consistently negative. Instead, keep track of the accumulated frag and
borrow the full page at subflow close time.

This allows removing the last drop in the TCP to MPTCP transition and
the associated, now unused, MIB.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251121-net-next-mptcp-memcg-backlog-imp-v1-12-1f34b6c1e0b1@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 50c2d91c5dfa ("mptcp: do not drop partial packets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/fastopen.c |    4 +++-
 net/mptcp/mib.c      |    1 -
 net/mptcp/mib.h      |    1 -
 net/mptcp/protocol.c |   23 +++++++++++++++--------
 net/mptcp/protocol.h |   28 ++++++++++++++++++++++++++++
 5 files changed, 46 insertions(+), 11 deletions(-)

--- a/net/mptcp/fastopen.c
+++ b/net/mptcp/fastopen.c
@@ -33,7 +33,8 @@ void mptcp_fastopen_subflow_synack_set_p
 	/* dequeue the skb from sk receive queue */
 	__skb_unlink(skb, &ssk->sk_receive_queue);
 	skb_ext_reset(skb);
-	skb_orphan(skb);
+
+	mptcp_subflow_lend_fwdmem(subflow, skb);
 
 	/* We copy the fastopen data, but that don't belong to the mptcp sequence
 	 * space, need to offset it in the subflow sequence, see mptcp_subflow_get_map_offset()
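Review bot: skb_orphan() cleared skb->sk and ran the destructor, releasing ssk->sk_rmem_alloc immediately; `mptcp_subflow_lend_fwdmem(subflow, skb)` only clears the destructor and leaves skb->sk pointing at the subflow. Any path between this call and mptcp_borrow_fwdmem() that frees the skb, or tests skb->sk, will now leave ssk->sk_rmem_alloc charged, so the lend/borrow pair has to be treated as a critical section; a comment saying so at the lend site would help.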
@@ -52,6 +53,7 @@ void mptcp_fastopen_subflow_synack_set_p
 	mptcp_data_lock(sk);
 	DEBUG_NET_WARN_ON_ONCE(sock_owned_by_user_nocheck(sk));
 
+	mptcp_borrow_fwdmem(sk, skb);
 	skb_set_owner_r(skb, sk);
 	__skb_queue_tail(&sk->sk_receive_queue, skb);
 	mptcp_sk(sk)->bytes_received += skb->len;
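Review bot: keep `mptcp_borrow_fwdmem(sk, skb);` immediately before `skb_set_owner_r(skb, sk);`: the borrow helper warns on a non-NULL destructor and reads skb->sk as the subflow, while skb_set_owner_r() sets both, so swapping the two lines would trip the DEBUG_NET_WARN_ON_ONCE() and charge the wrong socket. A short comment pinning that order would protect it.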
--- a/net/mptcp/mib.c
+++ b/net/mptcp/mib.c
@@ -71,7 +71,6 @@ static const struct snmp_mib mptcp_snmp_
 	SNMP_MIB_ITEM("MPFastcloseRx", MPTCP_MIB_MPFASTCLOSERX),
 	SNMP_MIB_ITEM("MPRstTx", MPTCP_MIB_MPRSTTX),
 	SNMP_MIB_ITEM("MPRstRx", MPTCP_MIB_MPRSTRX),
-	SNMP_MIB_ITEM("RcvPruned", MPTCP_MIB_RCVPRUNED),
 	SNMP_MIB_ITEM("SubflowStale", MPTCP_MIB_SUBFLOWSTALE),
 	SNMP_MIB_ITEM("SubflowRecover", MPTCP_MIB_SUBFLOWRECOVER),
 	SNMP_MIB_ITEM("SndWndShared", MPTCP_MIB_SNDWNDSHARED),
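Review bot: dropping `SNMP_MIB_ITEM("RcvPruned", MPTCP_MIB_RCVPRUNED)` changes the MPTcpExt line in /proc/net/netstat; anything in the selftests or user-space tooling that greps for that counter needs updating in the same series, and the mib.h enum removal must land together with this hunk so the table and the enum stay in sync.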
--- a/net/mptcp/mib.h
+++ b/net/mptcp/mib.h
@@ -70,7 +70,6 @@ enum linux_mptcp_mib_field {
 	MPTCP_MIB_MPFASTCLOSERX,	/* Received a MP_FASTCLOSE */
 	MPTCP_MIB_MPRSTTX,		/* Transmit a MP_RST */
 	MPTCP_MIB_MPRSTRX,		/* Received a MP_RST */
-	MPTCP_MIB_RCVPRUNED,		/* Incoming packet dropped due to memory limit */
 	MPTCP_MIB_SUBFLOWSTALE,		/* Subflows entered 'stale' status */
 	MPTCP_MIB_SUBFLOWRECOVER,	/* Subflows returned to active status after being stale */
 	MPTCP_MIB_SNDWNDSHARED,		/* Subflow snd wnd is overridden by msk's one */
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -352,7 +352,7 @@ end:
 static void mptcp_init_skb(struct sock *ssk, struct sk_buff *skb, int offset,
 			   int copy_len)
 {
-	const struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
+	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
 	bool has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
 
 	/* the skb map_seq accounts for the skb offset:
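Review bot: dropping `const` from `subflow` in mptcp_init_skb() is not justified by anything in this hunk, which shows no write through the pointer; if the mptcp_subflow_lend_fwdmem() call is made from the caller rather than from this function (as the __mptcp_move_skbs_from_subflow() hunk suggests), the const can stay.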
@@ -377,11 +377,7 @@ static bool __mptcp_move_skb(struct sock
 	struct mptcp_sock *msk = mptcp_sk(sk);
 	struct sk_buff *tail;
 
-	/* try to fetch required memory from subflow */
-	if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
-		MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_RCVPRUNED);
-		goto drop;
-	}
+	mptcp_borrow_fwdmem(sk, skb);
 
 	if (MPTCP_SKB_CB(skb)->map_seq == msk->ack_seq) {
 		/* in sequence */
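Review bot: replacing the sk_rmem_schedule() check with `mptcp_borrow_fwdmem(sk, skb);` means __mptcp_move_skb() can no longer fail for memory and the skb is always accepted, in sequence or not; that is consistent with the borrow model, since the truesize was already charged to the subflow, but a comment that the memory arrives pre-charged via mptcp_subflow_lend_fwdmem() would explain why no schedule step is needed. On the DUPDATA drop path below, the fwd memory just borrowed stays with the msk, which is fine for accounting but worth noting.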
@@ -403,7 +399,6 @@ static bool __mptcp_move_skb(struct sock
 	 * will retransmit as needed, if needed.
 	 */
 	MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
-drop:
 	mptcp_drop(sk, skb);
 	return false;
 }
@@ -704,7 +699,7 @@ static bool __mptcp_move_skbs_from_subfl
 			size_t len = skb->len - offset;
 
 			mptcp_init_skb(ssk, skb, offset, len);
-			skb_orphan(skb);
+			mptcp_subflow_lend_fwdmem(subflow, skb);
 			ret = __mptcp_move_skb(sk, skb) || ret;
 			seq += len;
 
@@ -2454,6 +2449,7 @@ static void __mptcp_close_ssk(struct soc
 {
 	struct mptcp_sock *msk = mptcp_sk(sk);
 	bool dispose_it, need_push = false;
+	int fwd_remaining;
 
 	/* Do not pass RX data to the msk, even if the subflow socket is not
 	 * going to be freed (i.e. even for the first subflow on graceful
@@ -2462,6 +2458,17 @@ static void __mptcp_close_ssk(struct soc
 	lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
 	subflow->closing = 1;
 
+	/* Borrow the fwd allocated page left-over; fwd memory for the subflow
+	 * could be negative at this point, but will be reach zero soon - when
+	 * the data allocated using such fragment will be freed.
+	 */
+	if (subflow->lent_mem_frag) {
+		fwd_remaining = PAGE_SIZE - subflow->lent_mem_frag;
+		sk_forward_alloc_add(sk, fwd_remaining);
+		sk_forward_alloc_add(ssk, -fwd_remaining);
+		subflow->lent_mem_frag = 0;
+	}
+
 	/* If the first subflow moved to a close state before accept, e.g. due
 	 * to an incoming reset or listener shutdown, the subflow socket is
 	 * already deleted by inet_child_forget() and the mptcp socket can't
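Review bot: grammar in the new comment: `will be reach zero soon` should read `will reach zero soon`. The page-remainder transfer `sk_forward_alloc_add(sk, fwd_remaining);` writes the msk's sk_forward_alloc, which is not atomic, so it relies on the caller of __mptcp_close_ssk() holding the msk lock; stating that assumption in the comment (or adding a lockdep assert) would protect it.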
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -548,6 +548,7 @@ struct mptcp_subflow_context {
 	bool	scheduled;
 	bool	pm_listener;	    /* a listener managed by the kernel PM? */
 	bool	fully_established;  /* path validated */
+	u32	lent_mem_frag;
 	u32	remote_nonce;
 	u64	thmac;
 	u32	local_nonce;
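Review bot: `u32 lent_mem_frag;` is the only field in this group without a comment; document it, e.g. `/* bytes of the current page lent to the msk, mod PAGE_SIZE */`, since the name alone does not say it is a page-modulo remainder.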
@@ -647,6 +648,33 @@ mptcp_send_active_reset_reason(struct so
 	tcp_send_active_reset(sk, GFP_ATOMIC, reason);
 }
 
+/* Made the fwd mem carried by the given skb available to the msk,
+ * To be paired with a previous mptcp_subflow_lend_fwdmem() before freeing
+ * the skb or setting the skb ownership.
+ */
+static inline void mptcp_borrow_fwdmem(struct sock *sk, struct sk_buff *skb)
+{
+	struct sock *ssk = skb->sk;
+
+	/* The subflow just lend the skb fwd memory, and we know that the skb
+	 * is only accounted on the incoming subflow rcvbuf.
+	 */
+	DEBUG_NET_WARN_ON_ONCE(skb->destructor);
+	skb->sk = NULL;
+	sk_forward_alloc_add(sk, skb->truesize);
+	atomic_sub(skb->truesize, &ssk->sk_rmem_alloc);
+}
+
+static inline void
+mptcp_subflow_lend_fwdmem(struct mptcp_subflow_context *subflow,
+			  struct sk_buff *skb)
+{
+	int frag = (subflow->lent_mem_frag + skb->truesize) & (PAGE_SIZE - 1);
+
+	skb->destructor = NULL;
+	subflow->lent_mem_frag = frag;
+}
+
 static inline u64
 mptcp_subflow_get_map_offset(const struct mptcp_subflow_context *subflow)
 {
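Review bot: two comment fixes in the new helpers: `Made the fwd mem carried by the given skb available` should read `Make ...`, and `The subflow just lend the skb fwd memory` should read `just lent`. In mptcp_subflow_lend_fwdmem(), `& (PAGE_SIZE - 1)` assumes a power-of-two page size, which holds, but say so; and a one-line comment that skb->sk is deliberately left pointing at the subflow (only the destructor is cleared) would stop a future reader from re-adding skb_orphan().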




* [PATCH 6.12 284/307] arm64: tlb: Flush walk cache when unsharing PMD tables
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zeng Heng, Catalin Marinas,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zeng Heng <zengheng4@huawei.com>

[ Upstream commit c2ff4764e03e7a8d758352f4aceb8fe1be6ac971 ]

When huge_pmd_unshare() is called to unshare a PMD table, the
tlb_unshare_pmd_ptdesc() function sets tlb->unshared_tables=true
but the aarch64 tlb_flush() only checked tlb->freed_tables to
determine whether to use TLBF_NONE (vae1is, invalidates walk
cache) or TLBF_NOWALKCACHE (vale1is, leaf-only).

This caused the stale PMD page table entry to remain in the walk cache
after unshare, potentially leading to incorrect page table walks.

Fix by including unshared_tables in the check, so that when
unsharing tables, TLBF_NONE is used and the walk cache is properly
invalidated.

Here is the detailed distinction between vae1is and vale1is:

| Instruction Combination  | Actual Invalidation Scope                         |
| ------------------------ | --------------------------------------------------|
| `VAE1IS`  + TTL=`0`      | All entries at all levels (full invalidation)     |
| `VAE1IS`  + TTL=`2` (L2) | Non-leaf at Level 0/1 + leaf at Level 2           |
| `VALE1IS` + TTL=`0`      | Leaf entries at all levels (non-leaf not cleared) |
| `VALE1IS` + TTL=`2` (L2) | Leaf entry at Level 2 only                        |

Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Fixes: 8ce720d5bd91 ("mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather")
Cc: <stable@vger.kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/tlb.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/tlb.h
+++ b/arch/arm64/include/asm/tlb.h
@@ -58,7 +58,7 @@ static inline int tlb_get_level(struct m
 static inline void tlb_flush(struct mmu_gather *tlb)
 {
 	struct vm_area_struct vma = TLB_FLUSH_VMA(tlb->mm, 0);
-	bool last_level = !tlb->freed_tables;
+	bool last_level = !(tlb->freed_tables || tlb->unshared_tables);
 	unsigned long stride = tlb_get_unmap_size(tlb);
 	int tlb_level = tlb_get_level(tlb);
 
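Review bot: `bool last_level = !(tlb->freed_tables || tlb->unshared_tables);` selects the walk-cache-invalidating vae1is variant whenever either flag is set, which matches the description; since the variable name inverts the sense of both flags, a comment such as `/* a leaf-only flush is only safe when no table was freed or unshared */` would make the fix self-explanatory.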




* [PATCH 6.18 295/315] mptcp: do not drop partial packets
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shardul Bankar, Paolo Abeni,
	Matthieu Baerts (NGI0), Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shardul Bankar <shardul.b@mpiricsoftware.com>

[ Upstream commit 50c2d91c5dfa0e465826ec1f8dbad9cdc254bd85 ]

When a packet arrives with map_seq < ack_seq < end_seq, the beginning
of the packet has already been acknowledged but the end contains new
data. Currently the entire packet is dropped as "old data," forcing
the sender to retransmit.

Instead, skip the already-acked bytes by adjusting the skb offset and
enqueue only the new portion. Update bytes_received and ack_seq to
reflect the new data consumed.

A previous attempt at this fix has been sent by Paolo Abeni [1], but had
issues [2]: it also added a zero-window check and changed rcv_wnd_sent
initialization, which caused test regressions. This version addresses
only the partial packet handling without modifying receive window
accounting.

Fixes: ab174ad8ef76 ("mptcp: move ooo skbs into msk out of order queue.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/c9b426a4e163aa3c4fe8b80c79f1a610f47ae7d8.1763075056.git.pabeni@redhat.com [1]
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/600 [2]
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
[pabeni@redhat.com: update map]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-1-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |   24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -395,12 +395,26 @@ static bool __mptcp_move_skb(struct sock
 		return false;
 	}
 
-	/* old data, keep it simple and drop the whole pkt, sender
-	 * will retransmit as needed, if needed.
+	/* Completely old data? */
+	if (!after64(MPTCP_SKB_CB(skb)->end_seq, msk->ack_seq)) {
+		MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
+		mptcp_drop(sk, skb);
+		return false;
+	}
+
+	/* Partial packet: map_seq < ack_seq < end_seq.
+	 * Skip the already-acked bytes and enqueue the new data.
 	 */
-	MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
-	mptcp_drop(sk, skb);
-	return false;
+	copy_len = MPTCP_SKB_CB(skb)->end_seq - msk->ack_seq;
+	MPTCP_SKB_CB(skb)->offset += msk->ack_seq - MPTCP_SKB_CB(skb)->map_seq;
+	MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq -
+				      MPTCP_SKB_CB(skb)->map_seq;
+	msk->bytes_received += copy_len;
+	WRITE_ONCE(msk->ack_seq, msk->ack_seq + copy_len);
+
+	skb_set_owner_r(skb, sk);
+	__skb_queue_tail(&sk->sk_receive_queue, skb);
+	return true;
 }
 
 static void mptcp_stop_rtx_timer(struct sock *sk)
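Review bot: `MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq - MPTCP_SKB_CB(skb)->map_seq;` is just `map_seq = msk->ack_seq` and reads more clearly written that way (it must stay before the WRITE_ONCE() that advances ack_seq, which it does). The partial path also queues via skb_set_owner_r() and __skb_queue_tail() directly rather than through the in-sequence coalescing above, so a partially-acked skb is never merged into `tail`; if that is intended it deserves a comment, and `copy_len` is reassigned here, which relies on it being a plain local in this function.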




* [PATCH 6.12 285/307] octeontx2-pf: avoid double free of pool->stack on AQ init failure
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng, Simon Horman,
	Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dawei Feng <dawei.feng@seu.edu.cn>

[ Upstream commit 9b244c242bec48b37e82b89787afd6a4c43457e1 ]

otx2_pool_aq_init() frees pool->stack when mailbox sync or retry
allocation fails, but leaves the pointer unchanged. Later,
otx2_sq_aura_pool_init() unwinds the partial setup through
otx2_aura_pool_free(), which frees pool->stack again. The CN20K-specific
cn20k_pool_aq_init() implementation has the same bug in
its corresponding error path.

Set pool->stack to NULL immediately after the local free so the shared
cleanup path does not free the same stack again while cleaning up
partially initialized pool state.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc3.

Runtime validation was not performed because reproducing this path
requires OcteonTX2/CN20K hardware.

Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
Fixes: d322fbd17203 ("octeontx2-pf: Initialize cn20k specific aura and pool contexts")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260515151826.1005397-1-dawei.feng@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
@@ -1386,11 +1386,13 @@ int otx2_pool_init(struct otx2_nic *pfvf
 		err = otx2_sync_mbox_msg(&pfvf->mbox);
 		if (err) {
 			qmem_free(pfvf->dev, pool->stack);
+			pool->stack = NULL;
 			return err;
 		}
 		aq = otx2_mbox_alloc_msg_npa_aq_enq(&pfvf->mbox);
 		if (!aq) {
 			qmem_free(pfvf->dev, pool->stack);
+			pool->stack = NULL;
 			return -ENOMEM;
 		}
 	}
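Review bot: the message says cn20k_pool_aq_init() has the same bug, but the diffstat touches only otx2_common.c and the hunk header names otx2_pool_init(), not otx2_pool_aq_init(); if the 6.12 tree has no CN20K path the backport should say so, otherwise the second fix is missing. Both `pool->stack = NULL;` insertions are the right pattern after qmem_free() given the shared otx2_aura_pool_free() cleanup, assuming that cleanup skips a NULL stack rather than passing it on.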




* [PATCH 6.18 296/315] arm64: tlb: Flush walk cache when unsharing PMD tables
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zeng Heng, Catalin Marinas,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zeng Heng <zengheng4@huawei.com>

[ Upstream commit c2ff4764e03e7a8d758352f4aceb8fe1be6ac971 ]

When huge_pmd_unshare() is called to unshare a PMD table, the
tlb_unshare_pmd_ptdesc() function sets tlb->unshared_tables=true
but the aarch64 tlb_flush() only checked tlb->freed_tables to
determine whether to use TLBF_NONE (vae1is, invalidates walk
cache) or TLBF_NOWALKCACHE (vale1is, leaf-only).

This caused the stale PMD page table entry to remain in the walk cache
after unshare, potentially leading to incorrect page table walks.

Fix by including unshared_tables in the check, so that when
unsharing tables, TLBF_NONE is used and the walk cache is properly
invalidated.

Here is the detailed distinction between vae1is and vale1is:

| Instruction Combination  | Actual Invalidation Scope                         |
| ------------------------ | --------------------------------------------------|
| `VAE1IS`  + TTL=`0`      | All entries at all levels (full invalidation)     |
| `VAE1IS`  + TTL=`2` (L2) | Non-leaf at Level 0/1 + leaf at Level 2           |
| `VALE1IS` + TTL=`0`      | Leaf entries at all levels (non-leaf not cleared) |
| `VALE1IS` + TTL=`2` (L2) | Leaf entry at Level 2 only                        |

Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Fixes: 8ce720d5bd91 ("mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather")
Cc: <stable@vger.kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/tlb.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/include/asm/tlb.h
+++ b/arch/arm64/include/asm/tlb.h
@@ -53,7 +53,7 @@ static inline int tlb_get_level(struct m
 static inline void tlb_flush(struct mmu_gather *tlb)
 {
 	struct vm_area_struct vma = TLB_FLUSH_VMA(tlb->mm, 0);
-	bool last_level = !tlb->freed_tables;
+	bool last_level = !(tlb->freed_tables || tlb->unshared_tables);
 	unsigned long stride = tlb_get_unmap_size(tlb);
 	int tlb_level = tlb_get_level(tlb);
 
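Review bot: this is the same one-line change as the 6.12 backport, differing only in the hunk offset (`@@ -53,7` here versus `@@ -58,7` there), so the context is the expected one for this branch; the Fixes: tag names the mmu_gather PMD-unsharing change that the message credits with setting `unshared_tables`, so the stable dependency is the right one.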




* [PATCH 6.12 286/307] mptcp: introduce the mptcp_init_skb helper
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), Paolo Abeni,
	Geliang Tang, Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 9a0afe0db46720ce1a009c7dac168aa0584bd732 ]

Factor out all the skb initialization steps into a new helper and
use it. Note that this change moves the MPTCP CB initialization
earlier: we can do that step as soon as the skb leaves the
subflow socket receive queues.

Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Geliang Tang <geliang@kernel.org>
Tested-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250927-net-next-mptcp-rcv-path-imp-v1-4-5da266aa9c1a@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 50c2d91c5dfa ("mptcp: do not drop partial packets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |   50 +++++++++++++++++++++++++++-----------------------
 1 file changed, 27 insertions(+), 23 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -321,7 +321,7 @@ end:
 	mptcp_set_owner_r(skb, sk);
 }
 
-static bool mptcp_rmem_schedule(struct sock *sk, struct sock *ssk, int size)
+static bool mptcp_rmem_schedule(struct sock *sk, int size)
 {
 	struct mptcp_sock *msk = mptcp_sk(sk);
 	int amt, amount;
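Review bot: dropping the unused `ssk` parameter from mptcp_rmem_schedule() is fine; the only caller visible in this patch, the new __mptcp_move_skb(), is updated, but please confirm no other caller in this tree still passes three arguments.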
@@ -339,27 +339,11 @@ static bool mptcp_rmem_schedule(struct s
 	return true;
 }
 
-static bool __mptcp_move_skb(struct mptcp_sock *msk, struct sock *ssk,
-			     struct sk_buff *skb, unsigned int offset,
-			     size_t copy_len)
+static void mptcp_init_skb(struct sock *ssk, struct sk_buff *skb, int offset,
+			   int copy_len)
 {
-	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
-	struct sock *sk = (struct sock *)msk;
-	struct sk_buff *tail;
-	bool has_rxtstamp;
-
-	__skb_unlink(skb, &ssk->sk_receive_queue);
-
-	skb_ext_reset(skb);
-	skb_orphan(skb);
-
-	/* try to fetch required memory from subflow */
-	if (!mptcp_rmem_schedule(sk, ssk, skb->truesize)) {
-		MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_RCVPRUNED);
-		goto drop;
-	}
-
-	has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
+	const struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
+	bool has_rxtstamp = TCP_SKB_CB(skb)->has_rxtstamp;
 
 	/* the skb map_seq accounts for the skb offset:
 	 * mptcp_subflow_get_mapped_dsn() is based on the current tp->copied_seq
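Review bot: the new mptcp_init_skb() narrows the parameter types from `unsigned int offset, size_t copy_len` to `int offset, int copy_len`, which the commit message does not mention; if the narrowing is intentional (the caller's `len` always fits in an int), say so in the message, otherwise keep the original types.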
@@ -371,6 +355,25 @@ static bool __mptcp_move_skb(struct mptc
 	MPTCP_SKB_CB(skb)->has_rxtstamp = has_rxtstamp;
 	MPTCP_SKB_CB(skb)->cant_coalesce = 0;
 
+	__skb_unlink(skb, &ssk->sk_receive_queue);
+
+	skb_ext_reset(skb);
+	skb_dst_drop(skb);
+}
+
+static bool __mptcp_move_skb(struct sock *sk, struct sk_buff *skb)
+{
+	u64 copy_len = MPTCP_SKB_CB(skb)->end_seq - MPTCP_SKB_CB(skb)->map_seq;
+	struct mptcp_sock *msk = mptcp_sk(sk);
+	struct sk_buff *tail;
+
+	/* try to fetch required memory from subflow */
+	if (!mptcp_rmem_schedule(sk, skb->truesize)) {
+		MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_RCVPRUNED);
+		mptcp_drop(sk, skb);
+		return false;
+	}
+
 	if (MPTCP_SKB_CB(skb)->map_seq == msk->ack_seq) {
 		/* in sequence */
 		msk->bytes_received += copy_len;
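Review bot: `skb_dst_drop(skb)` in the tail of mptcp_init_skb() has no counterpart in the removed code (the old path did skb_ext_reset() and skb_orphan() only) and is not mentioned in the commit message; either explain why the dst must be dropped here or leave it out of a pure refactor. Also, __mptcp_move_skb() now derives `copy_len` from `MPTCP_SKB_CB(skb)->end_seq - MPTCP_SKB_CB(skb)->map_seq`, so it is only correct after mptcp_init_skb() has filled the CB; a comment on the function stating that ordering requirement would help.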
@@ -391,7 +394,6 @@ static bool __mptcp_move_skb(struct mptc
 	 * will retransmit as needed, if needed.
 	 */
 	MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
-drop:
 	mptcp_drop(sk, skb);
 	return false;
 }
@@ -720,7 +722,9 @@ static bool __mptcp_move_skbs_from_subfl
 			if (tp->urg_data)
 				done = true;
 
-			if (__mptcp_move_skb(msk, ssk, skb, offset, len))
+			mptcp_init_skb(ssk, skb, offset, len);
+			skb_orphan(skb);
+			if (__mptcp_move_skb(sk, skb))
 				moved += len;
 			seq += len;
 


t t;
 
-	if (!chan || !chan->cl)
+	if (!chan || !chan->cl || mssg == MBOX_NO_MSG)
 		return -EINVAL;
 
 	t = add_to_rbuf(chan, mssg);
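Review bot: rejecting `mssg == MBOX_NO_MSG` with -EINVAL is required once `(void *)-1` is reserved as the idle sentinel, but the kerneldoc of mbox_send_message() should state that this value is reserved, since a client passing an arbitrary opaque pointer could otherwise hit a surprising -EINVAL.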
@@ -319,7 +319,7 @@ static int __mbox_bind_client(struct mbo
 	scoped_guard(spinlock_irqsave, &chan->lock) {
 		chan->msg_free = 0;
 		chan->msg_count = 0;
-		chan->active_req = NULL;
+		chan->active_req = MBOX_NO_MSG;
 		chan->cl = cl;
 		init_completion(&chan->tx_complete);
 
@@ -477,7 +477,7 @@ void mbox_free_channel(struct mbox_chan
 	/* The queued TX requests are simply aborted, no callbacks are made */
 	scoped_guard(spinlock_irqsave, &chan->lock) {
 		chan->cl = NULL;
-		chan->active_req = NULL;
+		chan->active_req = MBOX_NO_MSG;
 		if (chan->txdone_method == TXDONE_BY_ACK)
 			chan->txdone_method = TXDONE_BY_POLL;
 	}
@@ -531,6 +531,7 @@ int mbox_controller_register(struct mbox
 
 		chan->cl = NULL;
 		chan->mbox = mbox;
+		chan->active_req = MBOX_NO_MSG;
 		chan->txdone_method = txdone;
 		spin_lock_init(&chan->lock);
 	}
--- a/drivers/mailbox/tegra-hsp.c
+++ b/drivers/mailbox/tegra-hsp.c
@@ -497,7 +497,7 @@ static int tegra_hsp_mailbox_flush(struc
 			mbox_chan_txdone(chan, 0);
 
 			/* Wait until channel is empty */
-			if (chan->active_req != NULL)
+			if (chan->active_req != MBOX_NO_MSG)
 				continue;
 
 			return 0;
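Review bot: this is the only controller driver converted to the new sentinel in this diff; any other controller that still compares `chan->active_req` against NULL (for example in a flush or txdone path) would now treat an idle channel as busy, so the change should confirm that no such comparison remains under drivers/mailbox.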
--- a/include/linux/mailbox_controller.h
+++ b/include/linux/mailbox_controller.h
@@ -11,6 +11,9 @@
 
 struct mbox_chan;
 
+/* Sentinel value distinguishing "no active request" from "NULL message data" */
+#define MBOX_NO_MSG	((void *)-1)
+
 /**
  * struct mbox_chan_ops - methods to control mailbox channels
  * @send_data:	The API asks the MBOX controller driver, in atomic
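Review bot: the kerneldoc for the `active_req` member of struct mbox_chan should be updated to say it holds MBOX_NO_MSG when the channel is idle, and the comment on the define could note that `(void *)-1` is used because it can never be a valid message pointer, which is why NULL message data is now distinguishable from "no request".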



^ permalink raw reply	[flat|nested] 630+ messages in thread

* [PATCH 6.18 297/315] octeontx2-pf: avoid double free of pool->stack on AQ init failure
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng, Simon Horman,
	Jakub Kicinski, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dawei Feng <dawei.feng@seu.edu.cn>

[ Upstream commit 9b244c242bec48b37e82b89787afd6a4c43457e1 ]

otx2_pool_aq_init() frees pool->stack when mailbox sync or retry
allocation fails, but leaves the pointer unchanged. Later,
otx2_sq_aura_pool_init() unwinds the partial setup through
otx2_aura_pool_free(), which frees pool->stack again. The CN20K-specific
cn20k_pool_aq_init() implementation has the same bug in
its corresponding error path.

Set pool->stack to NULL immediately after the local free so the shared
cleanup path does not free the same stack again while cleaning up
partially initialized pool state.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc3.

Runtime validation was not performed because reproducing this path
requires OcteonTX2/CN20K hardware.

Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
Fixes: d322fbd17203 ("octeontx2-pf: Initialize cn20k specific aura and pool contexts")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260515151826.1005397-1-dawei.feng@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
@@ -1468,11 +1468,13 @@ int otx2_pool_init(struct otx2_nic *pfvf
 		err = otx2_sync_mbox_msg(&pfvf->mbox);
 		if (err) {
 			qmem_free(pfvf->dev, pool->stack);
+			pool->stack = NULL;
 			return err;
 		}
 		aq = otx2_mbox_alloc_msg_npa_aq_enq(&pfvf->mbox);
 		if (!aq) {
 			qmem_free(pfvf->dev, pool->stack);
+			pool->stack = NULL;
 			return -ENOMEM;
 		}
 	}
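Review bot: the hunk context shows the patched function as otx2_pool_init(), while the commit message names otx2_pool_aq_init(); please align the message with the function actually changed. The message also states that cn20k_pool_aq_init() has the same bug, yet the diffstat touches only otx2_common.c, so either the CN20K path is absent from this tree or it remains unfixed; the backport should say which. Finally, the fix relies on qmem_free() tolerating `pool->stack == NULL` when otx2_aura_pool_free() runs later; that assumption is worth stating explicitly.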




* [PATCH 6.12 287/307] mptcp: handle first subflow closing consistently
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
	Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 0eeb372deebce6c25b9afc09e35d6c75a744299a ]

Currently, as soon as the PM closes a subflow, the msk stops accepting
data from it, even if the TCP socket could be still formally open in the
incoming direction, with the notable exception of the first subflow.

The root cause of such behavior is that the code currently piggy-backs two
separate semantics on the subflow->disposable bit: that the subflow context
must be released and that the subflow must stop accepting incoming
data.

The first subflow is never disposed, so it also never stops accepting
incoming data. Use a separate bit to mark the latter status and set such
bit in __mptcp_close_ssk() for all subflows.

Beyond making per subflow behaviour more consistent this will also
simplify the next patch.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251121-net-next-mptcp-memcg-backlog-imp-v1-11-1f34b6c1e0b1@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 50c2d91c5dfa ("mptcp: do not drop partial packets")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |   14 +++++++++-----
 net/mptcp/protocol.h |    3 ++-
 2 files changed, 11 insertions(+), 6 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -877,10 +877,10 @@ void mptcp_data_ready(struct sock *sk, s
 	int sk_rbuf, ssk_rbuf;
 
 	/* The peer can send data while we are shutting down this
-	 * subflow at msk destruction time, but we must avoid enqueuing
+	 * subflow at subflow destruction time, but we must avoid enqueuing
 	 * more data to the msk receive queue
 	 */
-	if (unlikely(subflow->disposable))
+	if (unlikely(subflow->closing))
 		return;
 
 	ssk_rbuf = READ_ONCE(ssk->sk_rcvbuf);
@@ -2514,6 +2514,13 @@ static void __mptcp_close_ssk(struct soc
 	struct mptcp_sock *msk = mptcp_sk(sk);
 	bool dispose_it, need_push = false;
 
+	/* Do not pass RX data to the msk, even if the subflow socket is not
+	 * going to be freed (i.e. even for the first subflow on graceful
+	 * subflow close.
+	 */
+	lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
+	subflow->closing = 1;
+
 	/* If the first subflow moved to a close state before accept, e.g. due
 	 * to an incoming reset or listener shutdown, the subflow socket is
 	 * already deleted by inet_child_forget() and the mptcp socket can't
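Review bot: the new comment has an unbalanced parenthesis: `(i.e. even for the first subflow on graceful subflow close.` never closes. Setting `subflow->closing` under the ssk lock is the right ordering, since mptcp_data_ready() reads the bit while holding that lock; the two later hunks correctly drop the original lock_sock_nested() calls so the lock is not taken twice on either the early-exit or the normal path.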
@@ -2524,7 +2531,6 @@ static void __mptcp_close_ssk(struct soc
 		/* ensure later check in mptcp_worker() will dispose the msk */
 		sock_set_flag(sk, SOCK_DEAD);
 		mptcp_set_close_tout(sk, tcp_jiffies32 - (mptcp_close_timeout(sk) + 1));
-		lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
 		mptcp_subflow_drop_ctx(ssk);
 		goto out_release;
 	}
@@ -2533,8 +2539,6 @@ static void __mptcp_close_ssk(struct soc
 	if (dispose_it)
 		list_del(&subflow->node);
 
-	lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
-
 	if (subflow->send_fastclose && ssk->sk_state != TCP_CLOSE)
 		tcp_set_state(ssk, TCP_CLOSE);
 
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -537,12 +537,13 @@ struct mptcp_subflow_context {
 		send_infinite_map : 1,
 		remote_key_valid : 1,        /* received the peer key from */
 		disposable : 1,	    /* ctx can be free at ulp release time */
+		closing : 1,	    /* must not pass rx data to msk anymore */
 		stale : 1,	    /* unable to snd/rcv data, do not use for xmit */
 		valid_csum_seen : 1,        /* at least one csum validated */
 		is_mptfo : 1,	    /* subflow is doing TFO */
 		close_event_done : 1,       /* has done the post-closed part */
 		mpc_drop : 1,	    /* the MPC option has been dropped in a rtx */
-		__unused : 9;
+		__unused : 8;
 	bool	data_avail;
 	bool	scheduled;
 	bool	pm_listener;	    /* a listener managed by the kernel PM? */




* [PATCH 6.18 298/315] mptcp: cleanup fallback dummy mapping generation
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Geliang Tang,
	Mat Martineau, Matthieu Baerts (NGI0), Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 2834f8edd74d5dda368087a654c0e52b141e9893 ]

MPTCP currently accesses ack_seq outside the msk socket lock scope to
generate the dummy mapping for fallback sockets. Soon we are going
to introduce backlog usage, and even for fallback sockets the ack_seq
value will be significantly off outside of the msk socket lock scope.

Avoid relying on ack_seq for dummy mapping generation, using instead
the subflow sequence number. Note that in case of disconnect() and
(re)connect() we must ensure that any previous state is re-set.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Geliang Tang <geliang@kernel.org>
Tested-by: Geliang Tang <geliang@kernel.org>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251121-net-next-mptcp-memcg-backlog-imp-v1-6-1f34b6c1e0b1@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 0981f90e1a05 ("mptcp: reset rcv wnd on disconnect")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    3 +++
 net/mptcp/subflow.c  |    8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3333,6 +3333,9 @@ static int mptcp_disconnect(struct sock
 	msk->rcvspace_init = 0;
 	msk->fastclosing = 0;
 
+	/* for fallback's sake */
+	WRITE_ONCE(msk->ack_seq, 0);
+
 	WRITE_ONCE(sk->sk_shutdown, 0);
 	sk_error_report(sk);
 	return 0;
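Review bot: `/* for fallback's sake */` says what is reset but not why; a one-line comment noting that a connection that falls back before the MP handshake never sets ack_seq, so a stale value from the previous connection would leak into the next one, would help the next reader.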
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -491,6 +491,9 @@ static void subflow_set_remote_key(struc
 	mptcp_crypto_key_sha(subflow->remote_key, NULL, &subflow->iasn);
 	subflow->iasn++;
 
+	/* for fallback's sake */
+	subflow->map_seq = subflow->iasn;
+
 	WRITE_ONCE(msk->remote_key, subflow->remote_key);
 	WRITE_ONCE(msk->ack_seq, subflow->iasn);
 	WRITE_ONCE(msk->can_ack, true);
@@ -1435,9 +1438,12 @@ reset:
 
 	skb = skb_peek(&ssk->sk_receive_queue);
 	subflow->map_valid = 1;
-	subflow->map_seq = READ_ONCE(msk->ack_seq);
 	subflow->map_data_len = skb->len;
 	subflow->map_subflow_seq = tcp_sk(ssk)->copied_seq - subflow->ssn_offset;
+	subflow->map_seq = __mptcp_expand_seq(subflow->map_seq,
+					      subflow->iasn +
+					      TCP_SKB_CB(skb)->seq -
+					      subflow->ssn_offset - 1);
 	WRITE_ONCE(subflow->data_avail, true);
 	return true;
 }
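Review bot: the `- 1` in the new map_seq computation deserves a comment: the first data byte carries relative subflow sequence number 1 (ssn_offset points at the SYN), so `iasn + ssn - 1` maps the first byte to `iasn`, consistent with the `subflow->map_seq = subflow->iasn` initialization in the previous hunk. Note also that __mptcp_expand_seq() takes the old `subflow->map_seq` as its 64-bit reference, so that initialization in subflow_set_remote_key() is required for correctness, not only for tidiness.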




* [PATCH 6.12 288/307] mptcp: do not drop partial packets
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shardul Bankar, Paolo Abeni,
	Matthieu Baerts (NGI0), Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shardul Bankar <shardul.b@mpiricsoftware.com>

[ Upstream commit 50c2d91c5dfa0e465826ec1f8dbad9cdc254bd85 ]

When a packet arrives with map_seq < ack_seq < end_seq, the beginning
of the packet has already been acknowledged but the end contains new
data. Currently the entire packet is dropped as "old data," forcing
the sender to retransmit.

Instead, skip the already-acked bytes by adjusting the skb offset and
enqueue only the new portion. Update bytes_received and ack_seq to
reflect the new data consumed.

A previous attempt at this fix has been sent by Paolo Abeni [1], but had
issues [2]: it also added a zero-window check and changed rcv_wnd_sent
initialization, which caused test regressions. This version addresses
only the partial packet handling without modifying receive window
accounting.

Fixes: ab174ad8ef76 ("mptcp: move ooo skbs into msk out of order queue.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/c9b426a4e163aa3c4fe8b80c79f1a610f47ae7d8.1763075056.git.pabeni@redhat.com [1]
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/600 [2]
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
[pabeni@redhat.com: update map]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-1-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |   24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -390,12 +390,26 @@ static bool __mptcp_move_skb(struct sock
 		return false;
 	}
 
-	/* old data, keep it simple and drop the whole pkt, sender
-	 * will retransmit as needed, if needed.
+	/* Completely old data? */
+	if (!after64(MPTCP_SKB_CB(skb)->end_seq, msk->ack_seq)) {
+		MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
+		mptcp_drop(sk, skb);
+		return false;
+	}
+
+	/* Partial packet: map_seq < ack_seq < end_seq.
+	 * Skip the already-acked bytes and enqueue the new data.
 	 */
-	MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
-	mptcp_drop(sk, skb);
-	return false;
+	copy_len = MPTCP_SKB_CB(skb)->end_seq - msk->ack_seq;
+	MPTCP_SKB_CB(skb)->offset += msk->ack_seq - MPTCP_SKB_CB(skb)->map_seq;
+	MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq -
+				      MPTCP_SKB_CB(skb)->map_seq;
+	msk->bytes_received += copy_len;
+	WRITE_ONCE(msk->ack_seq, msk->ack_seq + copy_len);
+
+	skb_set_owner_r(skb, sk);
+	__skb_queue_tail(&sk->sk_receive_queue, skb);
+	return true;
 }
 
 static void mptcp_stop_rtx_timer(struct sock *sk)
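Review bot: `MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq - MPTCP_SKB_CB(skb)->map_seq;` is simply `MPTCP_SKB_CB(skb)->map_seq = msk->ack_seq;` and should be written that way. The partial-packet path also uses skb_set_owner_r() and a bare __skb_queue_tail(), whereas the in-sequence path in this file goes through mptcp_set_owner_r() and tries to coalesce with the receive-queue tail; once offset and map_seq are adjusted the skb is an in-sequence skb, so either route it through that branch or explain why the partial case must bypass coalescing and the MPTCP-specific owner accounting.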




* [PATCH 6.18 299/315] mptcp: reset rcv wnd on disconnect
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 0981f90e1a05773a4c29c6e720f5ea1e3c8f1876 ]

If the MPTCP socket falls back to TCP before the MP handshake completion,
the IASN remains 0, and the rcv_wnd_sent field is not explicitly
initialized, just incremented over time with the data transfer.

At disconnect time such value is not cleared. If the next connection falls
back to TCP before the MP handshake completion, the data transfer will
keep incrementing the receive window end sequence starting from the last
value used in the previous connection: the announced window will be
unrelated to the actual receiver buffer size and likely too big.

Address the issue zeroing the field at disconnect time.

Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-4-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mptcp/protocol.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3335,6 +3335,7 @@ static int mptcp_disconnect(struct sock
 
 	/* for fallback's sake */
 	WRITE_ONCE(msk->ack_seq, 0);
+	atomic64_set(&msk->rcv_wnd_sent, 0);
 
 	WRITE_ONCE(sk->sk_shutdown, 0);
 	sk_error_report(sk);
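Review bot: the `/* for fallback's sake */` comment above now covers two resets; extend it to say that rcv_wnd_sent is zeroed because a pre-handshake fallback never initializes it and would otherwise keep counting from the previous connection's value, as the commit message explains.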




* [PATCH 6.12 289/307] mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, SeongJae Park, Andrew Morton,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: SeongJae Park <sj@kernel.org>

[ Upstream commit 441f92f7d386b85bad16de49db95a307cba048a2 ]

DAMON sysfs maintains the DAMOS tried region directory objects via a
linked list.  When the user requests refresh of the directories, DAMON
sysfs removes all the region directories first, and then generates updated
region directories in the empty space.  The removal function
(damon_sysfs_scheme_regions_rm_dirs()) only puts the kobj objects.
Deletion of the container region object from the linked list is done
inside the kobj release callback function.

If somehow the callback invocation is delayed, the list will contain
regions that are going to be freed.  If the updated region directories
creation is started in this situation, the list can be corrupted and
use-after-free can happen.

Because the kobj objects are managed only by DAMON sysfs, the issue cannot
happen in normal situations.  But such delays can be made on kernels
built with CONFIG_DEBUG_KOBJECT_RELEASE.  On such a kernel, the issue can
indeed be reproduced like below.

    # damo start --damos_action stat
    # cd /sys/kernel/mm/damon/admin/kdamonds/0/
    # for i in {1..10}; do echo update_schemes_tried_regions > state; done
    # dmesg | grep underflow
    [   89.296152] refcount_t: underflow; use-after-free.

Fix the issue by removing the region object from the list when
decrementing the reference count.

Also update damos_sysfs_populate_region_dir() to add the region object to
the list only after kobject_init_and_add() succeeds, so that a failure of
kobject_init_and_add() does not leave the deallocated object on the list.

The issue was discovered [1] by Sashiko.

Link: https://lore.kernel.org/20260518152559.93038-1-sj@kernel.org
Link: https://lore.kernel.org/20260513011920.119183-1-sj@kernel.org [1]
Fixes: 9277d0367ba1 ("mm/damon/sysfs-schemes: implement scheme region directory")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org> # 6.2.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/damon/sysfs-schemes.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -79,7 +79,6 @@ static void damon_sysfs_scheme_region_re
 	struct damon_sysfs_scheme_region *region = container_of(kobj,
 			struct damon_sysfs_scheme_region, kobj);
 
-	list_del(&region->list);
 	kfree(region);
 }
 
@@ -197,7 +196,7 @@ static void damon_sysfs_scheme_regions_r
 	struct damon_sysfs_scheme_region *r, *next;
 
 	list_for_each_entry_safe(r, next, &regions->regions_list, list) {
-		/* release function deletes it from the list */
+		list_del(&r->list);
 		kobject_put(&r->kobj);
 		regions->nr_regions--;
 	}
@@ -2186,14 +2185,15 @@ static int damon_sysfs_before_damos_appl
 	region = damon_sysfs_scheme_region_alloc(r);
 	if (!region)
 		return 0;
-	list_add_tail(&region->list, &sysfs_regions->regions_list);
-	sysfs_regions->nr_regions++;
 	if (kobject_init_and_add(&region->kobj,
 				&damon_sysfs_scheme_region_ktype,
 				&sysfs_regions->kobj, "%d",
 				damon_sysfs_schemes_region_idx++)) {
 		kobject_put(&region->kobj);
+		return 0;
 	}
+	list_add_tail(&region->list, &sysfs_regions->regions_list);
+	sysfs_regions->nr_regions++;
 	return 0;
 }
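Review bot: on kobject_init_and_add() failure the function still returns 0 and silently drops the region, and `damon_sysfs_schemes_region_idx` has already been incremented, leaving a gap in the directory numbering; if returning 0 is intentional because this before-apply callback must not abort DAMOS, a comment saying so would help. With list_del() moved out of the release callback, every kobject_put() on a region must now be preceded by list_del() unless the region was never added; this hunk and the rm_dirs hunk satisfy that, and any future put site must as well.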
 




* [PATCH 6.18 300/315] cpufreq: intel_pstate: Add and use hybrid_get_cpu_type()
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

[ Upstream commit 528dde6619677ac6dc26d9dda1e3c9014b4a08c8 ]

Introduce a function for identifying the type of a given CPU in a
hybrid system, called hybrid_get_cpu_type(), and use it for hybrid
scaling factor determination in hwp_get_cpu_scaling().

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/1954386.tdWV9SEqCh@rafael.j.wysocki
Stable-dep-of: 0e7c710478b3 ("cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/intel_pstate.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -909,6 +909,11 @@ static struct freq_attr *hwp_cpufreq_att
 	[HWP_CPUFREQ_ATTR_COUNT] = NULL,
 };
 
+static u8 hybrid_get_cpu_type(unsigned int cpu)
+{
+	return cpu_data(cpu).topo.intel_type;
+}
+
 static bool no_cas __ro_after_init;
 
 static struct cpudata *hybrid_max_perf_cpu __read_mostly;
@@ -2299,18 +2304,14 @@ static int knl_get_turbo_pstate(int cpu)
 static int hwp_get_cpu_scaling(int cpu)
 {
 	if (hybrid_scaling_factor) {
-		struct cpuinfo_x86 *c = &cpu_data(cpu);
-		u8 cpu_type = c->topo.intel_type;
-
 		/*
 		 * Return the hybrid scaling factor for P-cores and use the
 		 * default core scaling for E-cores.
 		 */
-		if (cpu_type == INTEL_CPU_TYPE_CORE)
+		if (hybrid_get_cpu_type(cpu) == INTEL_CPU_TYPE_CORE)
 			return hybrid_scaling_factor;
 
-		if (cpu_type == INTEL_CPU_TYPE_ATOM)
-			return core_get_scaling();
+		return core_get_scaling();
 	}
 
 	/* Use core scaling on non-hybrid systems. */
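Review bot: this hunk also changes behaviour for a CPU type that is neither INTEL_CPU_TYPE_CORE nor INTEL_CPU_TYPE_ATOM: before, such a CPU fell through to the non-hybrid path below; now hwp_get_cpu_scaling() returns core_get_scaling() directly inside the `if (hybrid_scaling_factor)` block. That is only equivalent if the non-hybrid path returns core_get_scaling() as well; since the commit message presents the patch as a pure helper introduction, either state that equivalence or keep the explicit ATOM check.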




* [PATCH 6.12 290/307] iio: chemical: scd30: Use guard(mutex) to allow early returns
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Lechner, Tomasz Duszynski,
	Jonathan Cameron, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

[ Upstream commit 5feb5532870fbced5d6f450b8061a33f461b88ca ]

Auto cleanup based release of the lock allows for simpler code flow in a
few functions with large multiplexing style switch statements and no
common operations following the switch.

Suggested-by: David Lechner <dlechner@baylibre.com>
Cc: Tomasz Duszynski <tomasz.duszynski@octakon.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250209180624.701140-3-jic23@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 5aba4f94b225 ("iio: chemical: scd30: fix division by zero in write_raw")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/chemical/scd30_core.c |   63 ++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 35 deletions(-)

--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -5,6 +5,7 @@
  * Copyright (c) 2020 Tomasz Duszynski <tomasz.duszynski@octakon.com>
  */
 #include <linux/bits.h>
+#include <linux/cleanup.h>
 #include <linux/completion.h>
 #include <linux/delay.h>
 #include <linux/device.h>
@@ -198,112 +199,104 @@ static int scd30_read_raw(struct iio_dev
 			  int *val, int *val2, long mask)
 {
 	struct scd30_state *state = iio_priv(indio_dev);
-	int ret = -EINVAL;
+	int ret;
 	u16 tmp;
 
-	mutex_lock(&state->lock);
+	guard(mutex)(&state->lock);
 	switch (mask) {
 	case IIO_CHAN_INFO_RAW:
 	case IIO_CHAN_INFO_PROCESSED:
 		if (chan->output) {
 			*val = state->pressure_comp;
-			ret = IIO_VAL_INT;
-			break;
+			return IIO_VAL_INT;
 		}
 
 		ret = iio_device_claim_direct_mode(indio_dev);
 		if (ret)
-			break;
+			return ret;
 
 		ret = scd30_read(state);
 		if (ret) {
 			iio_device_release_direct_mode(indio_dev);
-			break;
+			return ret;
 		}
 
 		*val = state->meas[chan->address];
 		iio_device_release_direct_mode(indio_dev);
-		ret = IIO_VAL_INT;
-		break;
+		return IIO_VAL_INT;
 	case IIO_CHAN_INFO_SCALE:
 		*val = 0;
 		*val2 = 1;
-		ret = IIO_VAL_INT_PLUS_MICRO;
-		break;
+		return IIO_VAL_INT_PLUS_MICRO;
 	case IIO_CHAN_INFO_SAMP_FREQ:
 		ret = scd30_command_read(state, CMD_MEAS_INTERVAL, &tmp);
 		if (ret)
-			break;
+			return ret;
 
 		*val = 0;
 		*val2 = 1000000000 / tmp;
-		ret = IIO_VAL_INT_PLUS_NANO;
-		break;
+		return IIO_VAL_INT_PLUS_NANO;
 	case IIO_CHAN_INFO_CALIBBIAS:
 		ret = scd30_command_read(state, CMD_TEMP_OFFSET, &tmp);
 		if (ret)
-			break;
+			return ret;
 
 		*val = tmp;
-		ret = IIO_VAL_INT;
-		break;
+		return IIO_VAL_INT;
+	default:
+		return -EINVAL;
 	}
-	mutex_unlock(&state->lock);
-
-	return ret;
 }
 
 static int scd30_write_raw(struct iio_dev *indio_dev, struct iio_chan_spec const *chan,
 			   int val, int val2, long mask)
 {
 	struct scd30_state *state = iio_priv(indio_dev);
-	int ret = -EINVAL;
+	int ret;
 
-	mutex_lock(&state->lock);
+	guard(mutex)(&state->lock);
 	switch (mask) {
 	case IIO_CHAN_INFO_SAMP_FREQ:
 		if (val)
-			break;
+			return -EINVAL;
 
 		val = 1000000000 / val2;
 		if (val < SCD30_MEAS_INTERVAL_MIN_S || val > SCD30_MEAS_INTERVAL_MAX_S)
-			break;
+			return -EINVAL;
 
 		ret = scd30_command_write(state, CMD_MEAS_INTERVAL, val);
 		if (ret)
-			break;
+			return ret;
 
 		state->meas_interval = val;
-		break;
+		return 0;
 	case IIO_CHAN_INFO_RAW:
 		switch (chan->type) {
 		case IIO_PRESSURE:
 			if (val < SCD30_PRESSURE_COMP_MIN_MBAR ||
 			    val > SCD30_PRESSURE_COMP_MAX_MBAR)
-				break;
+				return -EINVAL;
 
 			ret = scd30_command_write(state, CMD_START_MEAS, val);
 			if (ret)
-				break;
+				return ret;
 
 			state->pressure_comp = val;
-			break;
+			return 0;
 		default:
-			break;
+			return -EINVAL;
 		}
-		break;
 	case IIO_CHAN_INFO_CALIBBIAS:
 		if (val < 0 || val > SCD30_TEMP_OFFSET_MAX)
-			break;
+			return -EINVAL;
 		/*
 		 * Manufacturer does not explicitly specify min/max sensible
 		 * values hence check is omitted for simplicity.
 		 */
-		ret = scd30_command_write(state, CMD_TEMP_OFFSET / 10, val);
+		return scd30_command_write(state, CMD_TEMP_OFFSET / 10, val);
+	default:
+		return -EINVAL;
 	}
-	mutex_unlock(&state->lock);
-
-	return ret;
 }
 
 static int scd30_write_raw_get_fmt(struct iio_dev *indio_dev, struct iio_chan_spec const *chan,
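Review bot: the IIO_CHAN_INFO_SAMP_FREQ write path still does `val = 1000000000 / val2;` with no check that val2 is non-zero, so a sysfs write of `0` (val == 0, val2 == 0) passes the `if (val)` test and divides by zero in the kernel; the guard() conversion preserves that, and the test should read `if (val || !val2) return -EINVAL;`. The read side has the mirror problem: `*val2 = 1000000000 / tmp;` trusts the interval the sensor returns for CMD_MEAS_INTERVAL, so a device reporting 0 traps the kernel; reject `tmp == 0` with -EIO before dividing. Unrelated to this change but in the context: `scd30_command_write(state, CMD_TEMP_OFFSET / 10, val)` divides the command code rather than the value, which looks like an argument mix-up worth checking against the datasheet.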




* [PATCH 6.18 301/315] cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (299 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 300/315] cpufreq: intel_pstate: Add and use hybrid_get_cpu_type() Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 302/315] xfrm: iptfs: reset runtime state when cloning SAs Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Henry Tseng, Rafael J. Wysocki,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

[ Upstream commit 0e7c710478b3089cdfe8669347f77b163e836c4f ]

Raptor Lake-E has the same processor ID as Raptor Lake-S, so there is
an entry in intel_hybrid_scaling_factor[] for it.  It does not contain
E-cores though and hybrid_get_cpu_type() returns 0 for its P-cores, so
they get the default "core" scaling factor.  However, the original
Raptor Lake scaling factor for P-cores still needs to be used for
mapping the HWP performance levels of the P-cores in Raptor Lake-E to
frequency, as though they were part of a real hybrid system.

To address this, update hwp_get_cpu_scaling() to return
hybrid_scaling_factor, which is the P-core scaling factor
retrieved from intel_hybrid_scaling_factor[], for all CPUs
that are not enumerated as E-cores.

Fixes: 9b18d536b124 ("cpufreq: intel_pstate: Use CPPC to get scaling factors")
Link: https://lore.kernel.org/all/20260511235328.2018458-1-srinivas.pandruvada@linux.intel.com/
Reported-by: Henry Tseng <henrytseng@qnap.com>
Closes: https://lore.kernel.org/linux-pm/20260508063032.3248602-1-henrytseng@qnap.com/
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: All applicable <stable@vger.kernel.org>
Link: https://patch.msgid.link/4523296.ejJDZkT8p0@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/intel_pstate.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -2308,7 +2308,7 @@ static int hwp_get_cpu_scaling(int cpu)
 		 * Return the hybrid scaling factor for P-cores and use the
 		 * default core scaling for E-cores.
 		 */
-		if (hybrid_get_cpu_type(cpu) == INTEL_CPU_TYPE_CORE)
+		if (hybrid_get_cpu_type(cpu) != INTEL_CPU_TYPE_ATOM)
 			return hybrid_scaling_factor;
 
 		return core_get_scaling();
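Review bot: the comment above the test (`Return the hybrid scaling factor for P-cores and use the default core scaling for E-cores`) no longer matches the code: with `!= INTEL_CPU_TYPE_ATOM`, every CPU whose type is not enumerated as Atom, including the type-0 case the commit message describes for Raptor Lake-E, now gets hybrid_scaling_factor. Update it to say that only enumerated E-cores get core_get_scaling() and that unknown types are deliberately treated as P-cores.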




* [PATCH 6.12 291/307] iio: chemical: scd30: fix division by zero in write_raw
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (286 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 290/307] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 292/307] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
	Jonathan Cameron, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Antoniu Miclaus <antoniu.miclaus@analog.com>

[ Upstream commit 5aba4f94b225617a55fed442a70329b2ee19c0a5 ]

Add a zero check for val2 before using it as a divisor when setting the
sampling frequency. A user writing a zero fractional part to the
sampling_frequency sysfs attribute triggers a division by zero in the
kernel.

Fixes: 64b3d8b1b0f5 ("iio: chemical: scd30: add core driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/chemical/scd30_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -257,7 +257,7 @@ static int scd30_write_raw(struct iio_de
 	guard(mutex)(&state->lock);
 	switch (mask) {
 	case IIO_CHAN_INFO_SAMP_FREQ:
-		if (val)
+		if (val || !val2)
 			return -EINVAL;
 
 		val = 1000000000 / val2;
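Review bot: `if (val || !val2)` closes the user-controlled divide, and a negative val2 is harmless because the quotient then fails the `SCD30_MEAS_INTERVAL_MIN_S` range check that follows, so the fix is complete for scd30_write_raw(). The read path in the same file (`*val2 = 1000000000 / tmp;` in scd30_read_raw(), IIO_CHAN_INFO_SAMP_FREQ) still divides by the interval reported by the sensor without checking for zero; that deserves a follow-up of the same shape, returning -EIO when tmp is 0.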




* [PATCH 6.18 302/315] xfrm: iptfs: reset runtime state when cloning SAs
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (300 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 301/315] cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 303/315] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shaomin Chen, Steffen Klassert,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaomin Chen <eeesssooo020@gmail.com>

[ Upstream commit 7f83d174073234839aea176f265e517e0d50a1d2 ]

iptfs_clone_state() clones the IPTFS mode data with kmemdup(). This
copies runtime objects which must not be shared with the original SA,
including the embedded sk_buff_head, hrtimers, spinlock, and in-flight
reassembly/reorder state.

If xfrm_state_migrate() fails after clone_state() but before the later
init_state() call has reinitialized those fields, the cloned state can be
destroyed by xfrm_state_gc_task() with list and timer state copied from the
original SA. With queued packets this lets the clone splice and free skbs
owned by the original IPTFS queue, leading to use-after-free and
double-free reports in iptfs_destroy_state() and skb release paths.

Reinitialize the clone's runtime state before publishing it through
x->mode_data. Because clone_state() now publishes a destroyable mode_data
object before init_state(), take the mode callback module reference there.
Avoid taking it again from __iptfs_init_state() for the same object.

Fixes: 0e4fbf013fa5 ("xfrm: iptfs: add user packet (tunnel ingress) handling")
Cc: stable@vger.kernel.org
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_iptfs.c |   29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

--- a/net/xfrm/xfrm_iptfs.c
+++ b/net/xfrm/xfrm_iptfs.c
@@ -2650,7 +2650,8 @@ static void __iptfs_init_state(struct xf
 	x->props.enc_hdr_len = sizeof(struct ip_iptfs_hdr);
 
 	/* Always keep a module reference when x->mode_data is set */
-	__module_get(x->mode_cbs->owner);
+	if (x->mode_data != xtfs)
+		__module_get(x->mode_cbs->owner);
 
 	x->mode_data = xtfs;
 	xtfs->x = x;
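Review bot: the comment `Always keep a module reference when x->mode_data is set` now contradicts the conditional beneath it. Say why the reference is skipped: when x->mode_data already points at this xtfs, the object came from iptfs_clone_state(), which took the reference when it published it. Correctness now also depends on x->mode_data being NULL (not stale) for every non-clone caller of __iptfs_init_state(); a one-line comment saying so will stop someone later dropping the clone-side __module_get() and silently leaking or underflowing the module refcount.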
@@ -2658,22 +2659,40 @@ static void __iptfs_init_state(struct xf
 
 static int iptfs_clone_state(struct xfrm_state *x, struct xfrm_state *orig)
 {
+	struct skb_wseq *w_saved = NULL;
 	struct xfrm_iptfs_data *xtfs;
 
 	xtfs = kmemdup(orig->mode_data, sizeof(*xtfs), GFP_KERNEL);
 	if (!xtfs)
 		return -ENOMEM;
 
-	xtfs->ra_newskb = NULL;
 	if (xtfs->cfg.reorder_win_size) {
-		xtfs->w_saved = kcalloc(xtfs->cfg.reorder_win_size,
-					sizeof(*xtfs->w_saved), GFP_KERNEL);
-		if (!xtfs->w_saved) {
+		w_saved = kcalloc(xtfs->cfg.reorder_win_size,
+				  sizeof(*w_saved), GFP_KERNEL);
+		if (!w_saved) {
 			kfree_sensitive(xtfs);
 			return -ENOMEM;
 		}
 	}
+	xtfs->w_saved = w_saved;
 
+	__skb_queue_head_init(&xtfs->queue);
+	xtfs->queue_size = 0;
+	hrtimer_setup(&xtfs->iptfs_timer, iptfs_delay_timer, CLOCK_MONOTONIC,
+		      IPTFS_HRTIMER_MODE);
+
+	spin_lock_init(&xtfs->drop_lock);
+	hrtimer_setup(&xtfs->drop_timer, iptfs_drop_timer, CLOCK_MONOTONIC,
+		      IPTFS_HRTIMER_MODE);
+
+	xtfs->w_seq_set = false;
+	xtfs->w_wantseq = 0;
+	xtfs->w_savedlen = 0;
+	xtfs->ra_newskb = NULL;
+	xtfs->ra_wantseq = 0;
+	xtfs->ra_runtlen = 0;
+
+	__module_get(x->mode_cbs->owner);
 	x->mode_data = xtfs;
 	xtfs->x = x;
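Review bot: the field-by-field reinitialisation here (queue, queue_size, both hrtimers, drop_lock, the w_* and ra_* state) duplicates what __iptfs_init_state() sets up, so a runtime field added to struct xfrm_iptfs_data later will again be copied from the original SA by kmemdup() unless someone remembers both places. Suggest factoring the runtime setup into one helper called from both init and clone, leaving clone_state() to copy cfg and allocate w_saved. One behavioural change worth stating in the commit message: with reorder_win_size == 0, `xtfs->w_saved = w_saved;` now clears the pointer copied from orig, where before the clone kept a pointer to the original SA's w_saved array.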
 




* [PATCH 6.12 292/307] iio: dac: ad5686: fix ref bit initialization for single-channel parts
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (287 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 291/307] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 293/307] ALSA: firewire-motu: Protect register DSP event queue positions Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
	Stable, Jonathan Cameron, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rodrigo Alencar <rodrigo.alencar@analog.com>

[ Upstream commit ecae2ae606d493cf11457946436335bd0e726663 ]

The reference bit position was ignored when writing the register at the
probe() function (!!val was used). When such bit is 1, internal voltage
reference is disabled so that an external one can be used. For
multi-channel devices, bit 0 of the Internal Reference Setup command
behaves the same way, so AD5686_REF_BIT_MSK is created. The issue exists
since support for single-channel devices was first introduced.

Fixes: be1b24d24541 ("iio:dac:ad5686: Add AD5691R/AD5692R/AD5693/AD5693R support")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[ adapted `has_external_vref` to the in-tree equivalent `voltage_uv` variable in the `val =` computation ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/dac/ad5686.c |    6 +++---
 drivers/iio/dac/ad5686.h |    1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -528,7 +528,7 @@ int ad5686_probe(struct device *dev,
 		break;
 	case AD5686_REGMAP:
 		cmd = AD5686_CMD_INTERNAL_REFER_SETUP;
-		ref_bit_msk = 0;
+		ref_bit_msk = AD5686_REF_BIT_MSK;
 		break;
 	case AD5693_REGMAP:
 		cmd = AD5686_CMD_CONTROL_REG;
@@ -540,9 +540,9 @@ int ad5686_probe(struct device *dev,
 		goto error_disable_reg;
 	}
 
-	val = (voltage_uv | ref_bit_msk);
+	val = voltage_uv ? ref_bit_msk : 0;
 
-	ret = st->write(st, cmd, 0, !!val);
+	ret = st->write(st, cmd, 0, val);
 	if (ret)
 		goto error_disable_reg;
 
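Review bot: `val = voltage_uv ? ref_bit_msk : 0;` makes the external-reference decision hinge on voltage_uv being exactly zero when no external reference is wired, whereas upstream keyed it on a has_external_vref flag; please confirm how voltage_uv is initialised in this tree when the regulator is absent (and that a present regulator cannot legitimately report 0 uV), because getting the default wrong here silently disables the internal reference and yields wrong DAC output rather than an error. A short comment next to the assignment stating that assumption would help the next backport.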
--- a/drivers/iio/dac/ad5686.h
+++ b/drivers/iio/dac/ad5686.h
@@ -46,6 +46,7 @@
 
 #define AD5310_REF_BIT_MSK			BIT(8)
 #define AD5683_REF_BIT_MSK			BIT(12)
+#define AD5686_REF_BIT_MSK			BIT(0)
 #define AD5693_REF_BIT_MSK			BIT(12)
 
 /**




* [PATCH 6.18 303/315] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (301 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 302/315] xfrm: iptfs: reset runtime state when cloning SAs Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 304/315] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Radhey Shyam Pandey,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>

[ Upstream commit c1a0ecbf32c4b397353204e2ec94c5bb9f3300ed ]

Fix error handling and resource cleanup, i.e. remove invalid
phy_exit() after failed phy_init(), route failures through
proper cleanup paths and return 0 explicitly on success.

Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Link: https://patch.msgid.link/20260519115529.2980421-1-radhey.shyam.pandey@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/dwc3-xilinx.c |   27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/drivers/usb/dwc3/dwc3-xilinx.c
+++ b/drivers/usb/dwc3/dwc3-xilinx.c
@@ -190,15 +190,13 @@ static int dwc3_xlnx_init_zynqmp(struct
 	}
 
 	ret = phy_init(priv_data->usb3_phy);
-	if (ret < 0) {
-		phy_exit(priv_data->usb3_phy);
+	if (ret < 0)
 		goto err;
-	}
 
 	ret = reset_control_deassert(apbrst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release APB reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	/* Set PIPE Power Present signal in FPD Power Present Register*/
@@ -210,27 +208,25 @@ static int dwc3_xlnx_init_zynqmp(struct
 	ret = reset_control_deassert(crst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release core reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	ret = reset_control_deassert(hibrst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release hibernation reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	ret = phy_power_on(priv_data->usb3_phy);
-	if (ret < 0) {
-		phy_exit(priv_data->usb3_phy);
-		goto err;
-	}
+	if (ret < 0)
+		goto err_phy_exit;
 
 skip_usb3_phy:
 	/* ulpi reset via gpio-modepin or gpio-framework driver */
 	reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH);
 	if (IS_ERR(reset_gpio)) {
-		return dev_err_probe(dev, PTR_ERR(reset_gpio),
-				     "Failed to request reset GPIO\n");
+		ret = PTR_ERR(reset_gpio);
+		goto err_phy_power_off;
 	}
 
 	if (reset_gpio) {
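Review bot: replacing `return dev_err_probe(...)` with `ret = PTR_ERR(reset_gpio); goto err_phy_power_off;` drops both the diagnostic and the deferred-probe reason that dev_err_probe() records for -EPROBE_DEFER. Keep it as `ret = dev_err_probe(dev, PTR_ERR(reset_gpio), "Failed to request reset GPIO\n");` followed by the goto, so the unwinding is gained without losing the message.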
@@ -240,6 +236,13 @@ skip_usb3_phy:
 	}
 
 	dwc3_xlnx_set_coherency(priv_data, XLNX_USB_TRAFFIC_ROUTE_CONFIG);
+
+	return 0;
+
+err_phy_power_off:
+	phy_power_off(priv_data->usb3_phy);
+err_phy_exit:
+	phy_exit(priv_data->usb3_phy);
 err:
 	return ret;
 }
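Review bot: with the new labels, `err:` is reduced to a bare `return ret;`, so the only remaining `goto err` (after phy_init() fails) can return directly and the label can go; that leaves the cleanup ladder with just the two labels that actually undo something.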




* [PATCH 6.12 293/307] ALSA: firewire-motu: Protect register DSP event queue positions
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (288 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 292/307] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 294/307] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cássio Gabriel,
	Takashi Sakamoto, Takashi Iwai, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Cássio Gabriel <cassiogabrielcontato@gmail.com>

[ Upstream commit 98fb1c1bb11e29eb609b7200a25e136e05aa4498 ]

The register DSP event queue is updated under parser->lock, but
snd_motu_register_dsp_message_parser_count_event() reads pull_pos and
push_pos without the lock.
snd_motu_register_dsp_message_parser_copy_event() also reads both queue
positions before taking the lock.

Protect these accesses with parser->lock as well. This keeps the hwdep
poll/read path consistent with the producer side and with the cached
meter/parameter accessors.

Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20260521-alsa-firewire-motu-event-locking-v1-1-708e1c2b5e56@gmail.com
[ converted copy_event() from manual spin_lock_irqsave/spin_unlock_irqrestore to guard(spinlock_irqsave) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/firewire/motu/motu-register-dsp-message-parser.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/sound/firewire/motu/motu-register-dsp-message-parser.c
+++ b/sound/firewire/motu/motu-register-dsp-message-parser.c
@@ -393,6 +393,8 @@ unsigned int snd_motu_register_dsp_messa
 {
 	struct msg_parser *parser = motu->message_parser;
 
+	guard(spinlock_irqsave)(&parser->lock);
+
 	if (parser->pull_pos > parser->push_pos)
 		return EVENT_QUEUE_SIZE - parser->pull_pos + parser->push_pos;
 	else
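Review bot: the count returned here is a snapshot taken under parser->lock and may be stale by the time the caller acts on it; that is acceptable for poll(), but a one-line comment saying the value is advisory would stop a reader from assuming it is exact. Style nit: the `else` after the `return` in the if-branch is redundant (checkpatch flags it); drop it and return the non-wrapped case unconditionally.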
@@ -402,14 +404,14 @@ unsigned int snd_motu_register_dsp_messa
 bool snd_motu_register_dsp_message_parser_copy_event(struct snd_motu *motu, u32 *event)
 {
 	struct msg_parser *parser = motu->message_parser;
-	unsigned int pos = parser->pull_pos;
-	unsigned long flags;
+	unsigned int pos;
 
-	if (pos == parser->push_pos)
-		return false;
+	guard(spinlock_irqsave)(&parser->lock);
 
-	spin_lock_irqsave(&parser->lock, flags);
+	if (parser->pull_pos == parser->push_pos)
+		return false;
 
+	pos = parser->pull_pos;
 	*event = parser->event_queue[pos];
 
 	++pos;
@@ -417,7 +419,5 @@ bool snd_motu_register_dsp_message_parse
 		pos = 0;
 	parser->pull_pos = pos;
 
-	spin_unlock_irqrestore(&parser->lock, flags);
-
 	return true;
 }




* [PATCH 6.18 304/315] USB: serial: cypress_m8: fix memory corruption with small endpoint
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (302 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 303/315] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 305/315] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit e1a9d791fd66ab2431b9e6f6f835823809869047 upstream.

Make sure that the interrupt-out endpoint max packet size is at least
eight bytes to avoid user-controlled slab corruption or NULL-pointer
dereference should a malicious device report a smaller size.

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org	# 2.6.26
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
[ johan: adjust context for 6.18 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

This one should apply to 6.18 and earlier trees that lack kzalloc_obj().

Johan


 drivers/usb/serial/cypress_m8.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -445,6 +445,14 @@ static int cypress_generic_port_probe(st
 		return -ENODEV;
 	}
 
+	/*
+	 * The buffer must be large enough for the one or two-byte header (and
+	 * following data), but assume anything smaller than eight bytes is
+	 * broken.
+	 */
+	if (port->interrupt_out_size < 8)
+		return -EINVAL;
+
 	priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
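Review bot: the minimum is hard-coded as 8 in both the comment and the test; a named constant defined beside the header sizes it protects (the one- or two-byte header plus data) would tie the check to the format it guards. Also, the preceding missing-endpoint check returns -ENODEV while an undersized endpoint returns -EINVAL; both are malformed-device conditions, so either use -ENODEV here too or add a dev_err() so a rejected device shows up in the log instead of failing probe silently.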




* [PATCH 6.12 294/307] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (289 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 293/307] ALSA: firewire-motu: Protect register DSP event queue positions Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 295/307] usb: musb: omap2430: Fix use-after-free in omap2430_probe() Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Radhey Shyam Pandey,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>

[ Upstream commit c1a0ecbf32c4b397353204e2ec94c5bb9f3300ed ]

Fix error handling and resource cleanup, i.e. remove invalid
phy_exit() after failed phy_init(), route failures through
proper cleanup paths and return 0 explicitly on success.

Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Link: https://patch.msgid.link/20260519115529.2980421-1-radhey.shyam.pandey@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/dwc3-xilinx.c |   26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

--- a/drivers/usb/dwc3/dwc3-xilinx.c
+++ b/drivers/usb/dwc3/dwc3-xilinx.c
@@ -170,15 +170,13 @@ static int dwc3_xlnx_init_zynqmp(struct
 	}
 
 	ret = phy_init(priv_data->usb3_phy);
-	if (ret < 0) {
-		phy_exit(priv_data->usb3_phy);
+	if (ret < 0)
 		goto err;
-	}
 
 	ret = reset_control_deassert(apbrst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release APB reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	/* Set PIPE Power Present signal in FPD Power Present Register*/
@@ -190,27 +188,25 @@ static int dwc3_xlnx_init_zynqmp(struct
 	ret = reset_control_deassert(crst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release core reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	ret = reset_control_deassert(hibrst);
 	if (ret < 0) {
 		dev_err(dev, "Failed to release hibernation reset\n");
-		goto err;
+		goto err_phy_exit;
 	}
 
 	ret = phy_power_on(priv_data->usb3_phy);
-	if (ret < 0) {
-		phy_exit(priv_data->usb3_phy);
-		goto err;
-	}
+	if (ret < 0)
+		goto err_phy_exit;
 
 skip_usb3_phy:
 	/* ulpi reset via gpio-modepin or gpio-framework driver */
 	reset_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH);
 	if (IS_ERR(reset_gpio)) {
-		return dev_err_probe(dev, PTR_ERR(reset_gpio),
-				     "Failed to request reset GPIO\n");
+		ret = PTR_ERR(reset_gpio);
+		goto err_phy_power_off;
 	}
 
 	if (reset_gpio) {
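Review bot: the new `goto err_phy_power_off` after the `skip_usb3_phy:` label is reached on platforms that never initialised or powered the USB3 PHY, so it relies on priv_data->usb3_phy being NULL there and on phy_power_off()/phy_exit() returning early for a NULL phy. That holds for the PHY framework, but the dependency is invisible in this function; a comment at the label (or a separate return for the skip path) would keep someone from later breaking it by storing an ERR_PTR in usb3_phy for the no-PHY case.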
@@ -230,6 +226,12 @@ skip_usb3_phy:
 		writel(reg, priv_data->regs + XLNX_USB_TRAFFIC_ROUTE_CONFIG);
 	}
 
+	return 0;
+
+err_phy_power_off:
+	phy_power_off(priv_data->usb3_phy);
+err_phy_exit:
+	phy_exit(priv_data->usb3_phy);
 err:
 	return ret;
 }




* [PATCH 6.18 305/315] USB: serial: digi_acceleport: fix memory corruption with small endpoints
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (303 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 304/315] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 306/315] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit cb3560e8eab1dfa1cac1ed52631adf8ec6ff2cd5 upstream.

Add the missing bulk-out buffer size sanity checks to avoid
out-of-bounds memory accesses or slab corruption should a malicious
device report smaller buffers than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

Should apply also to older trees without kzalloc_obj().

Johan


 drivers/usb/serial/digi_acceleport.c |   23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1229,15 +1229,34 @@ static int digi_port_init(struct usb_ser
 static int digi_startup(struct usb_serial *serial)
 {
 	struct digi_serial *serial_priv;
+	int oob_port_num;
 	int ret;
+	int i;
+
+	/*
+	 * The port bulk-out buffers must be large enough for header and
+	 * buffered data.
+	 */
+	for (i = 0; i < serial->type->num_ports; i++) {
+		if (serial->port[i]->bulk_out_size < DIGI_OUT_BUF_SIZE + 2)
+			return -EINVAL;
+	}
+
+	/*
+	 * The OOB port bulk-out buffer must be large enough for the two
+	 * commands in digi_set_modem_signals().
+	 */
+	oob_port_num = serial->type->num_ports;
+	if (serial->port[oob_port_num]->bulk_out_size < 8)
+		return -EINVAL;
 
 	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
 	if (!serial_priv)
 		return -ENOMEM;
 
 	spin_lock_init(&serial_priv->ds_serial_lock);
-	serial_priv->ds_oob_port_num = serial->type->num_ports;
-	serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
+	serial_priv->ds_oob_port_num = oob_port_num;
+	serial_priv->ds_oob_port = serial->port[oob_port_num];
 
 	ret = digi_port_init(serial_priv->ds_oob_port,
 						serial_priv->ds_oob_port_num);
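Review bot: the OOB check indexes `serial->port[oob_port_num]` with `oob_port_num = serial->type->num_ports`, so it depends on the core having allocated num_ports + 1 ports for this driver; the original `serial_priv->ds_oob_port_num` assignment already assumed that, but since the check now runs before anything else, a comment (or an explicit `serial->num_ports > oob_port_num` test) would make the assumption visible. The `+ 2` header allowance and the `8` for the two modem-signal commands are magic numbers; naming them where the command formats are defined, and logging a dev_err() before the -EINVAL, would make a rejected device diagnosable.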




* [PATCH 6.12 295/307] usb: musb: omap2430: Fix use-after-free in omap2430_probe()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (290 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 294/307] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 296/307] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wentao Liang, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wentao Liang <vulab@iscas.ac.cn>

[ Upstream commit e194ce048f5a6c549b3a23a8c568c6470f40f772 ]

In omap2430_probe(), of_node_put(np) is called prematurely before the
last access to np, leading to a use-after-free if the node's reference
count drops to zero. Move the of_node_put() calls after the last use of
np in both the success and error paths.

Fixes: ffbe2feac59b ("usb: musb: omap2430: Fix probe regression for missing resources")
Cc: stable <stable@kernel.org>
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409101104.480623-1-vulab@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/musb/omap2430.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/musb/omap2430.c
+++ b/drivers/usb/musb/omap2430.c
@@ -340,7 +340,6 @@ static int omap2430_probe(struct platfor
 	} else {
 		device_set_of_node_from_dev(&musb->dev, &pdev->dev);
 	}
-	of_node_put(np);
 
 	glue->dev			= &pdev->dev;
 	glue->musb			= musb;
@@ -458,6 +457,7 @@ static int omap2430_probe(struct platfor
 		dev_err(&pdev->dev, "failed to register musb device\n");
 		goto err3;
 	}
+	of_node_put(np);
 
 	return 0;
 
@@ -467,6 +467,7 @@ err_put_control_otghs:
 	if (!IS_ERR(glue->control_otghs))
 		put_device(glue->control_otghs);
 err2:
+	of_node_put(np);
 	platform_device_put(musb);
 
 err0:
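Review bot: moving the of_node_put() to the success path and to `err2:` covers every error that unwinds through err2, but `err0:` sits after it, so any `goto err0` or direct return taken after the original put location now leaks the node reference where the old early put did not; please check the paths between the removed put and `err2:` for that. If this tree has the scoped `__free(device_node)` cleanup for struct device_node, declaring np with it removes the question entirely.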




* [PATCH 6.18 306/315] USB: serial: mct_u232: fix memory corruption with small endpoint
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (304 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 305/315] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 307/315] hwmon: (pmbus) Add support for guarded PMBus lock Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.

The driver overrides the maximum transfer size for a specific device
which only accepts 16 byte packets for its 32 byte bulk-out endpoint.

Make sure to never increase the maximum transfer size to prevent slab
corruption should a malicious device report a smaller endpoint max
packet size than expected.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/mct_u232.c |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct us
 {
 	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv;
+	u16 pid;
 
 	/* check first to simplify error handling */
 	if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct us
 		return -ENODEV;
 	}
 
+	/*
+	 * Compensate for a hardware bug: although the Sitecom U232-P25
+	 * device reports a maximum output packet size of 32 bytes,
+	 * it seems to be able to accept only 16 bytes (and that's what
+	 * SniffUSB says too...)
+	 */
+	pid = le16_to_cpu(serial->dev->descriptor.idProduct);
+	if (pid == MCT_U232_SITECOM_PID)
+		port->bulk_out_size = min(16, port->bulk_out_size);
+
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
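Review bot: the quirk now runs once at port probe and uses min(), which is what keeps bulk_out_size from ever growing past the endpoint-derived value the write buffers were sized from; the comment above it still only describes the hardware quirk. Add a sentence saying the min() is deliberate and must not be simplified back to an assignment, since an unconditional `= 16` is exactly the slab overflow this patch closes.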
@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct
 
 static int  mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
-	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv = usb_get_serial_port_data(port);
 	int retval = 0;
 	unsigned int control_state;
@@ -418,15 +428,6 @@ static int  mct_u232_open(struct tty_str
 	unsigned char last_lcr;
 	unsigned char last_msr;
 
-	/* Compensate for a hardware bug: although the Sitecom U232-P25
-	 * device reports a maximum output packet size of 32 bytes,
-	 * it seems to be able to accept only 16 bytes (and that's what
-	 * SniffUSB says too...)
-	 */
-	if (le16_to_cpu(serial->dev->descriptor.idProduct)
-						== MCT_U232_SITECOM_PID)
-		port->bulk_out_size = 16;
-
 	/* Do a defined restart: the normal serial device seems to
 	 * always turn on DTR and RTS here, so do the same. I'm not
 	 * sure if this is really necessary. But it should not harm
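Review bot: this is the removed overwrite: it ran on every open() and set bulk_out_size to 16 regardless of what the device advertised, so a device whose bulk-out endpoint reported fewer than 16 bytes had transfers larger than the buffers allocated from that size. Removing it is correct; the one thing I'd ask is that the commit message say the old code ran per open(), so backporters understand the clamp is now probe-time only and cannot be re-applied later.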




* [PATCH 6.12 296/307] usb: typec: ucsi: Check if power role change actually happened before handling
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (291 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 295/307] usb: musb: omap2430: Fix use-after-free in omap2430_probe() Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 297/307] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
	Heikki Krogerus, Sasha Levin, Sergey Senozhatsky

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>

[ Upstream commit b80e7d34c7ea6a564525119d6138fbb577a23dba ]

The CrOS EC may send a connector status change event with the power
direction changed flag set even if the power direction hasn't actually
changed after initiating a SET_PDR command internally [1]. In practice
this happens on every system suspend due to other changes performed by
the EC [2][3][4], causing suspend to fail.

Fix this by checking if the power role change actually happened before
handling it.

[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=1689;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[2]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=3923;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[3]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=5094;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[4]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=2229;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794

Cc: stable <stable@kernel.org>
Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-1-6f1239535187@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1201,7 +1201,7 @@ static void ucsi_handle_connector_change
 	struct ucsi_connector *con = container_of(work, struct ucsi_connector,
 						  work);
 	struct ucsi *ucsi = con->ucsi;
-	enum typec_role role;
+	enum typec_role role, prev_role;
 	u64 command;
 	int ret;
 
@@ -1211,6 +1211,8 @@ static void ucsi_handle_connector_change
 		dev_err_once(ucsi->dev, "%s entered without EVENT_PENDING\n",
 			     __func__);
 
+	prev_role = !!(con->status.flags & UCSI_CONSTAT_PWR_DIR);
+
 	command = UCSI_GET_CONNECTOR_STATUS | UCSI_CONNECTOR_NUMBER(con->num);
 
 	ret = ucsi_send_command_common(ucsi, command, &con->status,
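Review bot: prev_role has to be sampled before ucsi_send_command_common() overwrites con->status with the GET_CONNECTOR_STATUS result, and that is where it sits, but a short comment would make the ordering requirement explicit for the next edit. Also, `!!(flags & UCSI_CONSTAT_PWR_DIR)` stores 0 or 1 into an enum typec_role, which relies on TYPEC_SINK being 0 and TYPEC_SOURCE being 1; the existing `role` assignment further down does the same, so this is consistent, just worth knowing.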
@@ -1229,7 +1231,7 @@ static void ucsi_handle_connector_change
 
 	role = !!(con->status.flags & UCSI_CONSTAT_PWR_DIR);
 
-	if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+	if ((con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) && role != prev_role) {
 		typec_set_pwr_role(con->port, role);
 		ucsi_port_psy_changed(con);
 
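Review bot: with `role != prev_role` added, the whole block is skipped when the EC sets POWER_DIR_CHANGE without an actual role change. If that block also completes a pending power role swap (the rest of the block is not shown here), a SET_PDR that legitimately results in no change would leave its waiter to time out; the commit message should say whether that case can occur and how it is handled.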




* [PATCH 6.18 307/315] hwmon: (pmbus) Add support for guarded PMBus lock
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (305 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 306/315] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 308/315] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sanman Pradhan, Guenter Roeck,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

[ Upstream commit 1814f4d3ff358277a5b6957e7f133c2812dc80ec ]

Add support for guard(pmbus_lock)() and scoped_guard(pmbus_lock)()
to be able to simplify the PMBus code.

Also introduce pmbus_lock() as pre-requisite for supporting
guard().

Reviewed-by: Sanman Pradhan <psanman@juniper.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Stable-dep-of: 4e4af55aaca7 ("hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/pmbus/pmbus.h      |    5 +++++
 drivers/hwmon/pmbus/pmbus_core.c |    8 ++++++++
 2 files changed, 13 insertions(+)

--- a/drivers/hwmon/pmbus/pmbus.h
+++ b/drivers/hwmon/pmbus/pmbus.h
@@ -10,6 +10,7 @@
 #define PMBUS_H
 
 #include <linux/bitops.h>
+#include <linux/cleanup.h>
 #include <linux/regulator/driver.h>
 
 /*
@@ -563,7 +564,11 @@ int pmbus_get_fan_rate_device(struct i2c
 int pmbus_get_fan_rate_cached(struct i2c_client *client, int page, int id,
 			      enum pmbus_fan_mode mode);
 int pmbus_lock_interruptible(struct i2c_client *client);
+void pmbus_lock(struct i2c_client *client);
 void pmbus_unlock(struct i2c_client *client);
+
+DEFINE_GUARD(pmbus_lock, struct i2c_client *, pmbus_lock(_T), pmbus_unlock(_T))
+
 int pmbus_update_fan(struct i2c_client *client, int page, int id,
 		     u8 config, u8 mask, u16 command);
 struct dentry *pmbus_get_debugfs_dir(struct i2c_client *client);
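Review bot: DEFINE_GUARD(pmbus_lock, ...) wraps the uninterruptible pmbus_lock(), so any driver that today uses pmbus_lock_interruptible() silently loses the interruptible semantics if it is converted to guard() mechanically. Consider adding a DEFINE_GUARD_COND variant (as cleanup.h does for mutex_intr) so scoped_cond_guard() can be used where the interruptible form matters, or say in the header comment that guard(pmbus_lock) is only for paths that cannot be interrupted anyway.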
--- a/drivers/hwmon/pmbus/pmbus_core.c
+++ b/drivers/hwmon/pmbus/pmbus_core.c
@@ -3871,6 +3871,14 @@ struct dentry *pmbus_get_debugfs_dir(str
 }
 EXPORT_SYMBOL_NS_GPL(pmbus_get_debugfs_dir, "PMBUS");
 
+void pmbus_lock(struct i2c_client *client)
+{
+	struct pmbus_data *data = i2c_get_clientdata(client);
+
+	mutex_lock(&data->update_lock);
+}
+EXPORT_SYMBOL_NS_GPL(pmbus_lock, "PMBUS");
+
 int pmbus_lock_interruptible(struct i2c_client *client)
 {
 	struct pmbus_data *data = i2c_get_clientdata(client);
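Review bot: pmbus_lock() is exported without a kernel-doc comment; since update_lock is a plain mutex, a line stating that it must be paired with pmbus_unlock() and is not re-entrant would save a future caller from nesting it under pmbus_lock_interruptible() or under a pmbus_core callback that already holds the lock.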




* [PATCH 6.12 297/307] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (292 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 296/307] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 298/307] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 928abe19fbf0127003abcb1ea69cabc1c897d0ab ]

A DIRECTORY entry's value field is used as the dir_offset for a
recursive call into __tb_property_parse_dir() with no depth counter.
A crafted peer that chains DIRECTORY entries into a back-reference
loop drives the parser until the kernel stack is exhausted and the
guard page fires.  Any untrusted XDomain peer (cable, dock, in-line
inspector, adjacent host) that reaches the PROPERTIES_REQUEST
control-plane exchange can trigger this without authentication.

Thread a depth counter through tb_property_parse() and
__tb_property_parse_dir(), and reject blocks that exceed
TB_PROPERTY_MAX_DEPTH = 8.  That is comfortably larger than any
observed legitimate XDomain layout.

Operators who do not need XDomain host-to-host discovery can disable
the path entirely with thunderbolt.xdomain=0 on the kernel command
line.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -35,10 +35,11 @@ struct tb_property_dir_entry {
 };
 
 #define TB_PROPERTY_ROOTDIR_MAGIC	0x55584401
+#define TB_PROPERTY_MAX_DEPTH		8
 
 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
 	size_t block_len, unsigned int dir_offset, size_t dir_len,
-	bool is_root);
+	bool is_root, unsigned int depth);
 
 static inline void parse_dwdata(void *dst, const void *src, size_t dwords)
 {
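Review bot: TB_PROPERTY_MAX_DEPTH carries no comment; the reasoning from the commit message (larger than any observed legitimate XDomain layout, small enough to bound stack use from a recursive parse of peer-supplied data) belongs next to the define so nobody raises it to accommodate a device later without seeing the trade-off.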
@@ -97,7 +98,8 @@ tb_property_alloc(const char *key, enum
 }
 
 static struct tb_property *tb_property_parse(const u32 *block, size_t block_len,
-					const struct tb_property_entry *entry)
+					const struct tb_property_entry *entry,
+					unsigned int depth)
 {
 	char key[TB_PROPERTY_KEY_SIZE + 1];
 	struct tb_property *property;
@@ -118,7 +120,7 @@ static struct tb_property *tb_property_p
 	switch (property->type) {
 	case TB_PROPERTY_TYPE_DIRECTORY:
 		dir = __tb_property_parse_dir(block, block_len, entry->value,
-					      entry->length, false);
+					      entry->length, false, depth + 1);
 		if (!dir) {
 			kfree(property);
 			return NULL;
@@ -163,13 +165,17 @@ static struct tb_property *tb_property_p
 }
 
 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
-	size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root)
+	size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root,
+	unsigned int depth)
 {
 	const struct tb_property_entry *entries;
 	size_t i, content_len, nentries;
 	unsigned int content_offset;
 	struct tb_property_dir *dir;
 
+	if (depth > TB_PROPERTY_MAX_DEPTH)
+		return NULL;
+
 	dir = kzalloc(sizeof(*dir), GFP_KERNEL);
 	if (!dir)
 		return NULL;
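Review bot: the depth check sits before the kzalloc(), so nothing leaks on rejection, and the caller's existing !dir handling turns it into a failed parse; good. The silent NULL, though, is indistinguishable from an allocation failure for anyone debugging a rejected XDomain peer: a pr_debug()-level message naming the depth and offset would make a malformed or hostile peer visible in the logs, which matters given the commit message notes this is reachable before authentication.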
@@ -200,7 +206,7 @@ static struct tb_property_dir *__tb_prop
 	for (i = 0; i < nentries; i++) {
 		struct tb_property *property;
 
-		property = tb_property_parse(block, block_len, &entries[i]);
+		property = tb_property_parse(block, block_len, &entries[i], depth);
 		if (!property) {
 			tb_property_free_dir(dir);
 			return NULL;
@@ -237,7 +243,7 @@ struct tb_property_dir *tb_property_pars
 		return NULL;
 
 	return __tb_property_parse_dir(block, block_len, 0, rootdir->length,
-				       true);
+				       true, 0);
 }
 
 /**



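The depth cap from the thunderbolt patch above, shown on a constructed directory format so it can be run in user space. This is an added illustration, not the kernel's code: the four-dword `struct entry`, `parse_dir`, `put_entry` and the `demo_*` functions are all hypothetical stand-ins for the kernel's `struct tb_property_entry` and `__tb_property_parse_dir()`, and the back-reference loop in `demo_loop` is the input shape the commit message describes. The cap value is the patch's `TB_PROPERTY_MAX_DEPTH = 8`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified property format (NOT the kernel's layout): one
 * entry is four dwords. A DIRECTORY entry's value is the dword offset of
 * its own entry table and length is its entry count, which is the
 * recursion the kernel parser performs on peer-supplied data. */
#define TYPE_VALUE      0x56u   /* 'V' */
#define TYPE_DIRECTORY  0x44u   /* 'D' */
#define ENTRY_DWORDS    4u

struct entry {
	uint32_t key;       /* packed ASCII key, informational only here */
	uint32_t type;
	uint32_t length;
	uint32_t value;
};

/* Same cap the patch adds: depth > TB_PROPERTY_MAX_DEPTH is rejected. */
#define TB_PROPERTY_MAX_DEPTH 8u

/* Parse one directory. Returns the number of leaf VALUE entries reached, or
 * -1 on out-of-bounds offsets, unknown types or excessive nesting. */
static int parse_dir(const uint32_t *block, size_t block_len,
		     unsigned int dir_offset, size_t nentries,
		     unsigned int depth)
{
	struct entry e;
	int total = 0;

	if (depth > TB_PROPERTY_MAX_DEPTH)
		return -1;   /* a back-reference loop stops here, not on the guard page */

	/* Every entry must lie inside the peer-supplied block. */
	if (dir_offset > block_len ||
	    nentries > (block_len - dir_offset) / ENTRY_DWORDS)
		return -1;

	for (size_t i = 0; i < nentries; i++) {
		memcpy(&e, block + dir_offset + i * ENTRY_DWORDS, sizeof(e));
		switch (e.type) {
		case TYPE_VALUE:
			total++;
			break;
		case TYPE_DIRECTORY: {
			/* Recurse with depth + 1, as tb_property_parse() now does. */
			int sub = parse_dir(block, block_len, e.value, e.length,
					    depth + 1);
			if (sub < 0)
				return -1;
			total += sub;
			break;
		}
		default:
			return -1;
		}
	}
	return total;
}

/* Write one entry at dword offset 'off' (constructed helper). */
static void put_entry(uint32_t *block, size_t off, uint32_t type,
		      uint32_t length, uint32_t value)
{
	struct entry e = { .key = 0x4b455900u, .type = type,
			   .length = length, .value = value };
	memcpy(block + off, &e, sizeof(e));
}

/* A legitimate two-level layout: root = { VALUE, DIRECTORY -> { VALUE } }. */
int demo_nested(void)
{
	uint32_t block[12];

	put_entry(block, 0, TYPE_VALUE, 1, 7);
	put_entry(block, 4, TYPE_DIRECTORY, 1, 8);   /* subdir table at dword 8 */
	put_entry(block, 8, TYPE_VALUE, 1, 9);
	return parse_dir(block, 12, 0, 2, 0);        /* two leaves */
}

/* The failure mode from the commit message: a DIRECTORY entry whose value
 * points back at its own table. Without the cap this never returns. */
int demo_loop(void)
{
	uint32_t block[4];

	put_entry(block, 0, TYPE_DIRECTORY, 1, 0);
	return parse_dir(block, 4, 0, 1, 0);         /* -1 once depth passes 8 */
}

/* A chain of n nested directories ending in one VALUE: accepted while the
 * innermost directory is parsed at depth <= 8, rejected beyond that. */
int demo_chain(unsigned int n)
{
	uint32_t block[4 * 16];
	unsigned int i;

	if (n > 15)
		return -1;
	for (i = 0; i < n; i++)
		put_entry(block, 4 * i, TYPE_DIRECTORY, 1, 4 * (i + 1));
	put_entry(block, 4 * n, TYPE_VALUE, 1, 42);
	return parse_dir(block, 4 * (n + 1), 0, 1, 0);
}
```

`demo_chain(8)` still parses (the innermost directory is reached at depth 8, which the `>` comparison allows) while `demo_chain(9)` is rejected, which is the boundary a reviewer should check against real device layouts before trusting the constant.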

* [PATCH 6.18 308/315] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (306 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 307/315] hwmon: (pmbus) Add support for guarded PMBus lock Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 309/315] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses " Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit 4e4af55aaca7f6d7673d5f9889ad0529db86a048 ]

adm1266_state_read() backs the sequencer_state debugfs entry and
issues an i2c_smbus_read_word_data(client, ADM1266_READ_STATE)
against the device without taking pmbus_lock.  pmbus_core holds
pmbus_lock around its own multi-transaction sequences (notably the
"set PAGE, then read paged register" pattern used by hwmon
attributes), so an unlocked debugfs reader can land between a PAGE
write and the subsequent paged read in another thread.  READ_STATE
itself is not paged, so it cannot corrupt PAGE in flight, but the
same defensive serialisation that applies to the GPIO accessors
applies here: any direct device access from outside pmbus_core
should be ordered with respect to pmbus_core's own.

Take pmbus_lock at the top of adm1266_state_read() via the
scope-based guard().

Fixes: ed1ff457e187 ("hwmon: (pmbus/adm1266) add debugfs for states")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-8-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/pmbus/adm1266.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -328,6 +328,7 @@ static int adm1266_state_read(struct seq
 	struct i2c_client *client = to_i2c_client(dev);
 	int ret;
 
+	guard(pmbus_lock)(client);
 	ret = i2c_smbus_read_word_data(client, ADM1266_READ_STATE);
 	if (ret < 0)
 		return ret;
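Review bot: guard(pmbus_lock)(client) covers both the error return and the normal path, which is the point of using the scope guard instead of an explicit pmbus_unlock(). Two small things: pmbus_lock() is the uninterruptible variant, so a debugfs reader that lands behind a long hwmon transaction sleeps uninterruptibly for that time, acceptable for a debugfs file but worth a word in the message; and a blank line after the guard, as the GPIO accessors patched elsewhere in this series have, would keep the style uniform.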




* [PATCH 6.12 298/307] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (293 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 297/307] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 299/307] usb: typec: ucsi: Dont update power_supply on power role change if not connected Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
	Martin K. Petersen, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 778c2ab142c625a8a8afa570e0f9b7873f445d99 ]

Two latent bugs in the Text-phase handler, both present since the
original LIO integration in commit e48354ce078c ("iscsi-target: Add
iSCSI fabric support for target v4.1"):

1) DataDigest CRC buffer overread (4 bytes past text_in).

   text_in is kzalloc()'d at ALIGN(payload_length, 4).  rx_size is then
   incremented by ISCSI_CRC_LEN to make room for the received DataDigest
   in the iovec, but the same (now-bumped) rx_size is passed as the
   buffer length to iscsit_crc_buf():

       if (conn->conn_ops->DataDigest) {
               ...
               rx_size += ISCSI_CRC_LEN;
       }
       ...
       if (conn->conn_ops->DataDigest) {
               data_crc = iscsit_crc_buf(text_in, rx_size, 0, NULL);

   iscsit_crc_buf() walks rx_size bytes of text_in with crc32c(), so
   when DataDigest is negotiated it reads 4 bytes past the end of the
   text_in allocation.  KASAN reproduces this directly on the unpatched
   mainline tree as slab-out-of-bounds in crc32c() called from the Text
   PDU path.  The OOB bytes feed crc32c() and are then compared against
   the initiator-supplied checksum, so the value does not flow back to
   the attacker, but the kernel does read past the buffer on every Text
   PDU with DataDigest=CRC32C.

   Fix by passing the actual padded payload length
   (ALIGN(payload_length, 4)) that was used for the kzalloc().

2) Stale cmd->text_in_ptr re-free (double-free) on ERL>0 bad DataDigest
   drop.

   On DataDigest mismatch with ErrorRecoveryLevel > 0 the handler
   silently drops the PDU and lets the initiator plug the CmdSN gap:

               kfree(text_in);
               return 0;

   cmd->text_in_ptr still points at the freed buffer.  The next Text
   Request on the same ITT re-enters iscsit_setup_text_cmd(), which
   unconditionally does

       kfree(cmd->text_in_ptr);
       cmd->text_in_ptr = NULL;

   freeing the same pointer a second time.  Session teardown via
   iscsit_release_cmd() has the same shape and hits the same double-free
   if the connection is dropped before a second Text Request arrives.

   On an unmodified mainline tree the bug-1 CRC overread fires first on
   the initial valid Text Request and perturbs the subsequent state, so
   #4 was isolated by building a kernel with only the bug-1 hunk of this
   patch applied plus temporary printk() observability around the three
   relevant kfree() sites.  The observability prints are not part of
   this patch.  On that build, a three-PDU Text Request sequence after
   login produces two back-to-back splats:

       BUG: KASAN: double-free in iscsit_setup_text_cmd+0x??
       BUG: KASAN: double-free in iscsit_release_cmd+0x??

   showing the same pointer freed in the ERL>0 drop path and again in
   iscsit_setup_text_cmd() (next Text Request on the same ITT) and once
   more in iscsit_release_cmd() (session teardown).  On distro kernels
   with CONFIG_SLAB_FREELIST_HARDENED=y (default) the double-free
   becomes a remote kernel BUG(); on non-hardened kernels it corrupts
   the slab freelist.

   Fix by clearing cmd->text_in_ptr after the kfree() in the ERL>0 drop
   path.  With both hunks applied #4 is directly observable on the stock
   tree without observability printks; fixing bug-1 alone would mask #4
   less, not more, so the hunks are submitted together.

Both fixes are one-liners.  The Text PDU state machine is unchanged and
the wire protocol is unaffected.

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/target/iscsi/iscsi_target.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2329,8 +2329,9 @@ iscsit_handle_text_cmd(struct iscsit_con
 
 		if (conn->conn_ops->DataDigest) {
 			iscsit_do_crypto_hash_buf(conn->conn_rx_hash,
-						  text_in, rx_size, 0, NULL,
-						  &data_crc);
+						  text_in,
+						  ALIGN(payload_length, 4),
+						  0, NULL, &data_crc);
 
 			if (checksum != data_crc) {
 				pr_err("Text data CRC32C DataDigest"
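Review bot: ALIGN(payload_length, 4) is now computed here and must match the length used for the kzalloc() of text_in, which is outside this hunk; hoisting it into a local such as `padded_len` used at both sites would stop the two from drifting apart in a later edit. Note also that this 6.12 tree still goes through iscsit_do_crypto_hash_buf() rather than the iscsit_crc_buf() the commit message quotes, so the message describes mainline rather than this exact hunk; fine for a backport, but worth knowing when matching it against the KASAN report.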
@@ -2350,6 +2351,7 @@ iscsit_handle_text_cmd(struct iscsit_con
 					" Command CmdSN: 0x%08x due to"
 					" DataCRC error.\n", hdr->cmdsn);
 					kfree(text_in);
+					cmd->text_in_ptr = NULL;
 					return 0;
 				}
 			} else {
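Review bot: clearing cmd->text_in_ptr after the kfree() fixes the ERL>0 drop path; the `else` branch that follows (ERL == 0, connection reset) is not shown, so confirm it does not also free text_in, since any path that frees the buffer without nulling the pointer leaves the same double-free at iscsit_setup_text_cmd()/iscsit_release_cmd(). Separately, the commit message's references to "#4" in the second item do not match the two bugs it numbers, which will confuse anyone reading it from the stable tree.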



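Both bugs in the iSCSI Text PDU patch above, modelled in user space as an added example that is not the target code: `handle_text`, `release_text`, `build_wire`, `run_scenario` and `struct text_cmd` are constructed stand-ins for `iscsit_handle_text_cmd()`, the unconditional free in `iscsit_setup_text_cmd()`/`iscsit_release_cmd()` and `cmd->text_in_ptr`; the `crc32c()` is the standard CRC32C that DataDigest uses, written bitwise so the example needs no library. The `fixed` flag switches the ERL>0 drop path between the old (dangling pointer) and patched (pointer cleared) behaviour, and the digest is hashed over `ALIGN(payload_length, 4)` bytes, never over the digest-inclusive `rx_size`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ISCSI_CRC_LEN 4u
#define ALIGN4(x) (((x) + 3u) & ~3u)

/* Outcomes of the constructed handler. */
#define TEXT_OK       0   /* payload accepted */
#define TEXT_DROPPED  1   /* ERL > 0: bad digest, PDU silently dropped */
#define TEXT_ERR     -1   /* ERL == 0 or short PDU: connection reset */

/* Standard CRC32C (Castagnoli, reflected polynomial 0x82F63B78). */
uint32_t crc32c(const uint8_t *buf, size_t len)
{
	uint32_t crc = 0xFFFFFFFFu;

	for (size_t i = 0; i < len; i++) {
		crc ^= buf[i];
		for (int k = 0; k < 8; k++)
			crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
	}
	return ~crc;
}

struct text_cmd {
	uint8_t *text_in_ptr;   /* stands in for cmd->text_in_ptr */
};

/* Instrumentation (constructed): remember the last buffer freed so a
 * caller can tell a dangling pointer from a live one. */
static uint8_t *last_freed;

static void free_text(uint8_t *p)
{
	last_freed = p;
	free(p);
}

/* Model of the receive path. 'wire' carries the padded payload followed by
 * the 4-byte DataDigest, all peer-controlled; 'fixed' selects the patched
 * behaviour on the ERL > 0 drop path. */
int handle_text(struct text_cmd *cmd, const uint8_t *wire, size_t wire_len,
		uint32_t payload_length, bool data_digest, int erl, bool fixed)
{
	uint32_t padded = ALIGN4(payload_length);  /* the kzalloc() size */
	size_t rx_size = padded;
	uint8_t *text_in;

	if (data_digest)
		rx_size += ISCSI_CRC_LEN;   /* iovec room for the digest, not buffer size */
	if (wire_len < rx_size)
		return TEXT_ERR;

	text_in = calloc(padded ? padded : 1, 1);
	if (!text_in)
		return TEXT_ERR;
	cmd->text_in_ptr = text_in;
	memcpy(text_in, wire, padded);

	if (data_digest) {
		uint32_t checksum, data_crc;

		memcpy(&checksum, wire + padded, ISCSI_CRC_LEN);
		/* Bug 1 hashed rx_size bytes, i.e. 4 past the end of text_in.
		 * Hash exactly what was allocated and copied. */
		data_crc = crc32c(text_in, padded);
		if (checksum != data_crc) {
			if (erl > 0) {
				free_text(text_in);
				if (fixed)
					cmd->text_in_ptr = NULL;   /* bug 2 fix */
				return TEXT_DROPPED;
			}
			return TEXT_ERR;   /* buffer stays owned by cmd until release */
		}
	}
	return TEXT_OK;
}

/* The unconditional free in iscsit_setup_text_cmd()/iscsit_release_cmd(). */
void release_text(struct text_cmd *cmd)
{
	free_text(cmd->text_in_ptr);   /* free(NULL) is a no-op */
	cmd->text_in_ptr = NULL;
}

/* Constructed wire image: payload, zero padding, then the digest. */
static size_t build_wire(uint8_t *out, const char *payload, bool corrupt_digest)
{
	uint32_t len = (uint32_t)strlen(payload), padded = ALIGN4(len), crc;

	memset(out, 0, padded);
	memcpy(out, payload, len);
	crc = crc32c(out, padded);
	if (corrupt_digest)
		crc ^= 1u;
	memcpy(out + padded, &crc, ISCSI_CRC_LEN);
	return padded + ISCSI_CRC_LEN;
}

/* One Text Request through the handler. Returns the handler result and sets
 * *dangling when cmd still points at memory the handler already freed. */
static int run_scenario(bool corrupt_digest, int erl, bool fixed, int *dangling)
{
	struct text_cmd cmd = { 0 };
	uint8_t wire[64];
	size_t n = build_wire(wire, "SendTargets=All", corrupt_digest);
	int ret;

	last_freed = NULL;
	ret = handle_text(&cmd, wire, n, 15, true, erl, fixed);
	*dangling = cmd.text_in_ptr != NULL && cmd.text_in_ptr == last_freed;
	if (!*dangling)
		release_text(&cmd);   /* with a dangling pointer this is the double-free */
	return ret;
}

int scenario_result(bool corrupt_digest, int erl, bool fixed)
{
	int d;
	return run_scenario(corrupt_digest, erl, fixed, &d);
}

int scenario_dangling(bool corrupt_digest, int erl, bool fixed)
{
	int d;
	run_scenario(corrupt_digest, erl, fixed, &d);
	return d;
}
```

With `fixed` false the ERL>0 scenario leaves `text_in_ptr` equal to the freed buffer, which is the state the later `release_text()` would double-free; with `fixed` true the pointer is NULL and the release is a no-op, matching the patched kernel path. Under ASan the unfixed path can be made to fault by removing the `!*dangling` check.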

* [PATCH 6.18 309/315] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (307 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 308/315] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 310/315] mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache() Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
	Bartosz Golaszewski, Guenter Roeck, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit bab8c6fb5af8df7e753d196c1262cb78e92ca872 ]

adm1266_gpio_get(), adm1266_gpio_get_multiple(), and
adm1266_gpio_dbg_show() all issue PMBus reads against the device but
none of them take pmbus_lock.  The pmbus_core framework holds
pmbus_lock around its own multi-transaction sequences (notably the
"set PAGE, then read paged register" pattern used by hwmon
attributes), so an unlocked GPIO accessor can land between a PAGE
write and the subsequent paged read in another thread and corrupt
either side's view of the device state machine.

Take pmbus_lock at the top of each of the three accessors via the
scope-based guard().  The lock is uncontended in the common case and
adds only a single mutex round-trip per call.

Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-6-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/pmbus/adm1266.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -173,6 +173,8 @@ static int adm1266_gpio_get(struct gpio_
 	else
 		pmbus_cmd = ADM1266_PDIO_STATUS;
 
+	guard(pmbus_lock)(data->client);
+
 	ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf);
 	if (ret < 0)
 		return ret;
@@ -195,6 +197,8 @@ static int adm1266_gpio_get_multiple(str
 	unsigned int gpio_nr;
 	int ret;
 
+	guard(pmbus_lock)(data->client);
+
 	ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf);
 	if (ret < 0)
 		return ret;
@@ -236,6 +240,8 @@ static void adm1266_gpio_dbg_show(struct
 	int ret;
 	int i;
 
+	guard(pmbus_lock)(data->client);
+
 	for (i = 0; i < ADM1266_GPIO_NR; i++) {
 		write_cmd = adm1266_gpio_mapping[i][1];
 		ret = adm1266_pmbus_block_xfer(data, ADM1266_GPIO_CONFIG, 1, &write_cmd, read_buf);



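The scope-based locking that the three PMBus patches above rely on (DEFINE_GUARD(pmbus_lock, ...) in 307/315, and guard(pmbus_lock)(client) in the adm1266 debugfs and GPIO accessors in 308/315 and 309/315), shown as an added user-space analogue rather than the kernel's `<linux/cleanup.h>`. The `struct mutex`, `struct pmbus_data`, `struct i2c_client`, `DEFINE_GUARD`/`guard` macros and the `adm1266_state_read`, `lock_is_free`, `held_inside_guard` and `demo` functions are constructed for this example; the mechanism is the GCC/Clang `cleanup` attribute, which is also what the kernel macros build on, so the unlock runs on every exit from the scope, early returns included.

```c
#include <stdlib.h>

/* Constructed stand-ins for the kernel types involved. */
struct mutex {
	int locked;
};

static void mutex_lock(struct mutex *m)
{
	if (m->locked)
		abort();   /* a plain mutex is not re-entrant: nested lock is a bug */
	m->locked = 1;
}

static void mutex_unlock(struct mutex *m)
{
	m->locked = 0;
}

struct pmbus_data {
	struct mutex update_lock;
};

struct i2c_client {
	struct pmbus_data *data;
};

/* Same shape as the pmbus_core.c hunk in 307/315. */
void pmbus_lock(struct i2c_client *client)
{
	mutex_lock(&client->data->update_lock);
}

void pmbus_unlock(struct i2c_client *client)
{
	mutex_unlock(&client->data->update_lock);
}

/*
 * User-space analogue of <linux/cleanup.h>. DEFINE_GUARD() creates a guard
 * type whose acquire runs 'lock' and whose cleanup destructor runs 'unlock';
 * guard(name)(arg) declares a variable of that type, so the unlock runs when
 * the enclosing scope ends, whichever way it ends. The argument is visible
 * to both expressions as _T, which is why the patch writes pmbus_lock(_T)
 * and pmbus_unlock(_T).
 */
#define DEFINE_GUARD(name, type, lock, unlock)					\
	typedef type guard_##name##_t;						\
	static inline void guard_##name##_release(guard_##name##_t *p)		\
	{ guard_##name##_t _T = *p; unlock; }					\
	static inline guard_##name##_t guard_##name##_acquire(guard_##name##_t _T) \
	{ lock; return _T; }

#define GUARD_CAT_(a, b) a##b
#define GUARD_CAT(a, b) GUARD_CAT_(a, b)
#define guard(name)								\
	guard_##name##_t __attribute__((cleanup(guard_##name##_release)))	\
		GUARD_CAT(guard_var_, __COUNTER__) = guard_##name##_acquire

/* The line the patch adds to pmbus.h, unchanged. */
DEFINE_GUARD(pmbus_lock, struct i2c_client *, pmbus_lock(_T), pmbus_unlock(_T))

/* Constructed analogue of adm1266_state_read(): 'raw' stands in for the
 * return value of i2c_smbus_read_word_data(), negative meaning an I2C error. */
int adm1266_state_read(struct i2c_client *client, int raw)
{
	guard(pmbus_lock)(client);
	if (raw < 0)
		return raw;        /* early return: the guard still unlocks */
	return raw & 0xff;     /* the sequencer state byte */
}

/* 1 if update_lock is currently free. */
int lock_is_free(struct i2c_client *client)
{
	return !client->data->update_lock.locked;
}

/* Observed from inside a guarded scope: the lock is held until the brace. */
int held_inside_guard(struct i2c_client *client)
{
	guard(pmbus_lock)(client);
	return lock_is_free(client);   /* 0 while the guard is live */
}

static struct pmbus_data demo_data;
static struct i2c_client demo_client = { .data = &demo_data };

/* A shared client for callers and tests. */
struct i2c_client *demo(void)
{
	return &demo_client;
}
```

The reason the patches take the lock at the very top of each accessor is visible here: once the guard is declared, no later return path can forget the unlock, and the abort() in the toy `mutex_lock` is the stand-in for what a real nested `pmbus_lock()` under an already-held update_lock would do, which is deadlock.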

* [PATCH 6.12 299/307] usb: typec: ucsi: Dont update power_supply on power role change if not connected
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (294 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 298/307] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 300/307] x86/alternatives: Rename apply_relocation() to text_poke_apply_relocation() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
	Sasha Levin, Sergey Senozhatsky

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>

[ Upstream commit d98d413ca65d0790a8f3695d0a5845538958ab84 ]

We only need to update the power_supply on power role change if the port
is connected, because otherwise the online status should be the same for
both cases.

Cc: stable <stable@kernel.org>
Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-2-6f1239535187@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ This is documentation for an already-completed backport. The change is described clearly.

"translated upstream `UCSI_CONSTAT(con, CONNECTED)` accessor macro to in-tree idiom `con->status.flags & UCSI_CONSTAT_CONNECTED`" ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/ucsi/ucsi.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1233,7 +1233,12 @@ static void ucsi_handle_connector_change
 
 	if ((con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) && role != prev_role) {
 		typec_set_pwr_role(con->port, role);
-		ucsi_port_psy_changed(con);
+
+		/* Some power_supply properties vary depending on the power direction when
+		 * connected
+		 */
+		if (con->status.flags & UCSI_CONSTAT_CONNECTED)
+			ucsi_port_psy_changed(con);
 
 		/* Complete pending power role swap */
 		if (!completion_done(&con->complete))
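Review bot: the new comment opens with text on the `/*` line, which the kernel coding style reserves for net/; the usual form is `/*` on its own line, the text, then ` */` on its own line. Logic-wise, skipping ucsi_port_psy_changed() when not connected is fine since both roles report the same offline state, as the message says, and the completion below still fires, so a pending swap waiter is unaffected.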




* [PATCH 6.18 310/315] mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (308 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.18 309/315] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses " Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.18 311/315] net: phy: micrel: fix LAN8814 QSGMII soft reset Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  316 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Qing Wang, Vlastimil Babka (SUSE),
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qing Wang <wangqing7171@gmail.com>

[ Upstream commit 67ea9d353d0ba12bdbc9183ff568dead9e949b80 ]

flush_rcu_sheaves_on_cache() calls queue_work_on() in a
for_each_online_cpu() loop, which requires the cpu to stay online.
But cpus_read_lock() is not held in kvfree_rcu_barrier_on_cache() and the
set of "online cpus" is subject to change.

There are two paths that call flush_rcu_sheaves_on_cache():

  // has cpus_read_lock()
  flush_all_rcu_sheaves()
    -> flush_rcu_sheaves_on_cache()

  // no cpus_read_lock()
  kvfree_rcu_barrier_on_cache()
    -> flush_rcu_sheaves_on_cache()

Fix this by holding cpus_read_lock() in kvfree_rcu_barrier_on_cache().

Why not move cpus_read_lock() from flush_all_rcu_sheaves() into
flush_rcu_sheaves_on_cache()? The reason is it would introduce a new lock
order (slab_mutex -> cpu_hotplug_lock). The reverse order
(cpu_hotplug_lock -> slab_mutex) is established by

- cpuhp_setup_state_nocalls(..., slub_cpu_setup, ...)
- kmem_cache_destroy()

The two orders together would form an AB-BA deadlock.

Finally, add lockdep_assert_cpus_held() in flush_rcu_sheaves_on_cache()
to catch the same problem in the future.

Fixes: 0f35040de593 ("mm/slab: introduce kvfree_rcu_barrier_on_cache() for cache destruction")
Cc: <stable@vger.kernel.org>
Signed-off-by: Qing Wang <wangqing7171@gmail.com>
Link: https://patch.msgid.link/20260512035035.762317-1-wangqing7171@gmail.com
Signed-off-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/slab_common.c |    2 ++
 mm/slub.c        |    1 +
 2 files changed, 3 insertions(+)

--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -2135,7 +2135,9 @@ EXPORT_SYMBOL_GPL(kvfree_rcu_barrier);
 void kvfree_rcu_barrier_on_cache(struct kmem_cache *s)
 {
 	if (s->cpu_sheaves) {
+		cpus_read_lock();
 		flush_rcu_sheaves_on_cache(s);
+		cpus_read_unlock();
 		rcu_barrier();
 	}
 
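Review bot: taking cpus_read_lock() only around flush_rcu_sheaves_on_cache() is the minimal change, but whether it is safe depends on what the caller holds: the commit message says kmem_cache_destroy() establishes cpu_hotplug_lock -> slab_mutex, so if kvfree_rcu_barrier_on_cache() were ever reached with slab_mutex held this would create exactly the reverse order the message warns about. A sentence stating that kvfree_rcu_barrier_on_cache() runs before slab_mutex is taken in kmem_cache_destroy() would close that question for backporters.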
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -4203,6 +4203,7 @@ void flush_rcu_sheaves_on_cache(struct k
 	struct slub_flush_work *sfw;
 	unsigned int cpu;
 
+	lockdep_assert_cpus_held();
 	mutex_lock(&flush_lock);
 
 	for_each_online_cpu(cpu) {




* [PATCH 6.12 300/307] x86/alternatives: Rename apply_relocation() to text_poke_apply_relocation()
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (295 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 299/307] usb: typec: ucsi: Dont update power_supply on power role change if not connected Greg Kroah-Hartman
@ 2026-06-07 10:01 ` Greg Kroah-Hartman
  2026-06-07 10:01 ` [PATCH 6.12 301/307] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  306 siblings, 0 replies; 630+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Juergen Gross,
	H . Peter Anvin, Linus Torvalds, Peter Zijlstra, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ingo Molnar <mingo@kernel.org>

[ Upstream commit 023f42dd59203be8ad2fc0574af32d3b4ad041ec ]

Join the text_poke_*() API namespace.

Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Juergen Gross <jgross@suse.com>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250411054105.2341982-52-mingo@kernel.org
Stable-dep-of: a17dc12bfed8 ("x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/text-patching.h |    2 +-
 arch/x86/kernel/alternative.c        |    6 +++---
 arch/x86/kernel/callthunks.c         |    6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

--- a/arch/x86/include/asm/text-patching.h
+++ b/arch/x86/include/asm/text-patching.h
@@ -15,7 +15,7 @@
 
 extern void text_poke_early(void *addr, const void *opcode, size_t len);
 
-extern void apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len);
+extern void text_poke_apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len);
 
 /*
  * Clear and restore the kernel write-protection flag on the local CPU.
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -502,7 +502,7 @@ static void __apply_relocation(u8 *buf,
 	}
 }
 
-void apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len)
+void text_poke_apply_relocation(u8 *buf, const u8 * const instr, size_t instrlen, u8 *repl, size_t repl_len)
 {
 	__apply_relocation(buf, instr, instrlen, repl, repl_len);
 	optimize_nops(instr, buf, instrlen);
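Review bot: The exported function joins the text_poke_*() namespace but the static helper it wraps keeps the old name (`__apply_relocation(buf, instr, instrlen, repl, repl_len);`, and `static void __apply_relocation(u8 *buf,` in the hunk header), so the pair now reads as two unrelated routines; either rename the helper to `__text_poke_apply_relocation()` in the same patch or say in the commit message that it is deliberately left alone.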
@@ -658,7 +658,7 @@ void __init_or_module noinline apply_alt
 		for (; insn_buff_sz < a->instrlen; insn_buff_sz++)
 			insn_buff[insn_buff_sz] = 0x90;
 
-		apply_relocation(insn_buff, instr, a->instrlen, replacement, a->replacementlen);
+		text_poke_apply_relocation(insn_buff, instr, a->instrlen, replacement, a->replacementlen);
 
 		DUMP_BYTES(ALT, instr, a->instrlen, "%px:   old_insn: ", instr);
 		DUMP_BYTES(ALT, replacement, a->replacementlen, "%px:   rpl_insn: ", replacement);
@@ -1865,7 +1865,7 @@ __visible noinline void __init __alt_rel
 static noinline void __init alt_reloc_selftest(void)
 {
 	/*
-	 * Tests apply_relocation().
+	 * Tests text_poke_apply_relocation().
 	 *
 	 * This has a relative immediate (CALL) in a place other than the first
 	 * instruction and additionally on x86_64 we get a RIP-relative LEA:
--- a/arch/x86/kernel/callthunks.c
+++ b/arch/x86/kernel/callthunks.c
@@ -180,7 +180,7 @@ static void *patch_dest(void *dest, bool
 	u8 *pad = dest - tsize;
 
 	memcpy(insn_buff, skl_call_thunk_template, tsize);
-	apply_relocation(insn_buff, pad, tsize, skl_call_thunk_template, tsize);
+	text_poke_apply_relocation(insn_buff, pad, tsize, skl_call_thunk_template, tsize);
 
 	/* Already patched? */
 	if (!bcmp(pad, insn_buff, tsize))
@@ -302,7 +302,7 @@ static bool is_callthunk(void *addr)
 	pad = (void *)(dest - tmpl_size);
 
 	memcpy(insn_buff, skl_call_thunk_template, tmpl_size);
-	apply_relocation(insn_buff, pad, tmpl_size, skl_call_thunk_template, tmpl_size);
+	text_poke_apply_relocation(insn_buff, pad, tmpl_size, skl_call_thunk_template, tmpl_size);
 
 	return !bcmp(pad, insn_buff, tmpl_size);
 }
@@ -320,7 +320,7 @@ int x86_call_depth_emit_accounting(u8 **
 		return 0;
 
 	memcpy(insn_buff, skl_call_thunk_template, tmpl_size);
-	apply_relocation(insn_buff, ip, tmpl_size, skl_call_thunk_template, tmpl_size);
+	text_poke_apply_relocation(insn_buff, ip, tmpl_size, skl_call_thunk_template, tmpl_size);
 
 	memcpy(*pprog, insn_buff, tmpl_size);
 	*pprog += tmpl_size;


* [PATCH 6.18 311/315] net: phy: micrel: fix LAN8814 QSGMII soft reset
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Robert Marko, Jakub Kicinski,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Marko <robert.marko@sartura.hr>

[ Upstream commit e027c218c482c6a0ae1948129ccda3b0a2033368 ]

LAN8814 QSGMII soft reset was moved into the probe function to avoid
triggering it for each of 4 PHY-s in the package.

However, that broke QSGMII link between the MAC and PHY on most LAN8814
PHY-s, specifically for us on the Microchip LAN969x switch.
Reading the QSGMII status registers it was visible that lanes were only
partially synced.

It looks like the reset timing is crucial, so let's move the reset back
into the .config_init function but guard it with phy_package_init_once()
to avoid it being triggered on each of 4 PHY-s in the package.
Change the probe function to use phy_package_probe_once() for coma and PtP
setup.

Fixes: 96a9178a29a6 ("net: phy: micrel: lan8814 fix reset of the QSGMII interface")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Link: https://patch.msgid.link/20260428134138.1741253-1-robert.marko@sartura.hr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/micrel.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
index bc19880107ae42..e6f00aa9a99010 100644
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -4389,6 +4389,13 @@ static int lan8814_config_init(struct phy_device *phydev)
 {
 	struct kszphy_priv *lan8814 = phydev->priv;
 
+	if (phy_package_init_once(phydev))
+		/* Reset the PHY */
+		lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS,
+				       LAN8814_QSGMII_SOFT_RESET,
+				       LAN8814_QSGMII_SOFT_RESET_BIT,
+				       LAN8814_QSGMII_SOFT_RESET_BIT);
+
 	/* Disable ANEG with QSGMII PCS Host side */
 	lanphy_modify_page_reg(phydev, LAN8814_PAGE_PORT_REGS,
 			       LAN8814_QSGMII_PCS1G_ANEG_CONFIG,
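Review bot: The body of the phy_package_init_once() branch is a single statement spread over four lines plus a comment; braces would make its extent unambiguous. The return value of lanphy_modify_page_reg() is also still discarded, exactly as in the probe-time version being removed below, so a failed soft reset goes unnoticed even though the commit message says the reset is what brings the QSGMII lanes up; checking it and returning the error from .config_init would surface that.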
@@ -4473,13 +4480,7 @@ static int lan8814_probe(struct phy_device *phydev)
 	devm_phy_package_join(&phydev->mdio.dev, phydev,
 			      addr, sizeof(struct lan8814_shared_priv));
 
-	if (phy_package_init_once(phydev)) {
-		/* Reset the PHY */
-		lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS,
-				       LAN8814_QSGMII_SOFT_RESET,
-				       LAN8814_QSGMII_SOFT_RESET_BIT,
-				       LAN8814_QSGMII_SOFT_RESET_BIT);
-
+	if (phy_package_probe_once(phydev)) {
 		err = lan8814_release_coma_mode(phydev);
 		if (err)
 			return err;
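Review bot: The return value of devm_phy_package_join() in the context just above this change is still not checked, and phy_package_probe_once() is now the first thing that depends on the join having succeeded; checking that return value would give a clean probe failure instead of continuing with a PHY that never joined the package.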
-- 
2.53.0



* [PATCH 6.12 301/307] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexis Lothoré,
	Borislav Petkov (AMD), Peter Zijlstra (Intel), Steven Rostedt,
	stable, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

[ Upstream commit a17dc12bfed8868e6a86f3b45c16065a70641acb ]

With CONFIG_CALL_DEPTH_TRACKING enabled on an x86 retbleed-affected platform
(eg: Skylake), with retbleed=stuff, registering a dynamic ftrace trampoline
crashes on the first call into the traced function:

  BUG: unable to handle page fault for address: ffff88817ae18880
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 4b53067 P4D 4b53067 PUD 0
  Oops: Oops: 0002 [#1] SMP PTI
  CPU: 3 UID: 0 PID: 187 Comm: usleep Not tainted 7.0.10 #243 PREEMPT(full)
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
  Code: 24 78 00 00 00 00 48 89 ea 48 89 54 24 20 48 8b b4 24 b8 00 00 00 48 8b bc 24 b0 00 00 00 48 89 bc 24 80 00 00 00 48 83 ef 05 <65> 48 c1 3d 1f a8 b6 02 05 48 8b 15 f6 00 00 00 4c 89 3c 24 4c 89
  Call Trace:
   <TASK>
   ? find_held_lock
   ? exc_page_fault
   ? lock_release
   ? __x64_sys_clock_nanosleep
   ? lockdep_hardirqs_on_prepare
   ? trace_hardirqs_on
   __x64_sys_clock_nanosleep
   do_syscall_64
   ? exc_page_fault
   ? call_depth_return_thunk
   entry_SYSCALL_64_after_hwframe
  ...
  Kernel panic - not syncing: Fatal exception

This small reproducer makes it easy to trigger the crash:

  # echo 'p __x64_sys_clock_nanosleep' > /sys/kernel/tracing/kprobe_events
  # echo 1 > /sys/kernel/tracing/events/kprobes/p___x64_sys_clock_nanosleep_0/enable
  # usleep 1

Monitoring the crash under GDB points to the exact instruction in charge of
incrementing the call depth:

  sarq $5, %gs:__x86_call_depth(%rip)

This instruction matches the one inserted by the ftrace_regs_caller from
ftrace_64.S. This emitted code was likely working fine until the introduction
of

  59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()"):

it has made the call depth accounting addressing relative to $rip, instead of
being based on an absolute address.

As this code's exact location depends on where the trampoline lives in memory,
the corresponding displacement needs to be adjusted at runtime to actually
correctly find the per-cpu __x86_call_depth value, otherwise the targeted
address is wrong, leading to the page fault seen above.

Fix the %rip-relative displacement of the copied CALL_DEPTH_ACCOUNT
instruction (from ftrace_regs_caller) by calling text_poke_apply_relocation(),
as it is done for example by the x86 BPF JIT compiler through
x86_call_depth_emit_accounting(). This corrects both CALL_DEPTH_ACCOUNT slots,
in ftrace_caller and ftrace_regs_caller.

  [ bp: Massage. ]

Fixes: 59bec00ace28 ("x86/percpu: Introduce %rip-relative addressing to PER_CPU_VAR()")
Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: <stable@kernel.org>
Link: https://patch.msgid.link/20260527-fix_call_depth_in_trampoline-v1-1-1c1abc8ae310@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/ftrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/kernel/ftrace.c
+++ b/arch/x86/kernel/ftrace.c
@@ -371,6 +371,13 @@ create_trampoline(struct ftrace_ops *ops
 	}
 
 	/*
+	 * Generated trampoline may contain rIP-relative addressing which
+	 * displacement needs to be fixed.
+	 */
+	text_poke_apply_relocation(trampoline, trampoline, size,
+				   (void *)start_offset, size);
+
+	/*
 	 * The address of the ftrace_ops that is used for this trampoline
 	 * is stored at the end of the trampoline. This will be used to
 	 * load the third parameter for the callback. Basically, that
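Review bot: The new comment reads "rIP-relative addressing which displacement needs to be fixed"; "whose displacement" is the intended grammar. It is also worth saying there that the call passes the trampoline as both `buf` and `instr`, so the relocation is applied in place at the copy's final address, and that text_poke_apply_relocation() runs optimize_nops() over the same `size` bytes as a side effect (see its definition in the preceding rename patch of this series), not only the displacement fix-up the comment mentions.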


* [PATCH 6.18 312/315] xhci: tegra: Fix ghost USB device on dual-role port unplug
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Wei-Cheng Chen, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wei-Cheng Chen <weichengc@nvidia.com>

[ Upstream commit 5a4c828b8b29b47534814ade26d9aee09d5101fc ]

When a USB device is unplugged from the dual-role port, the device-mode
path in tegra_xhci_id_work() explicitly clears both SS and HS port power
via direct hub_control ClearPortFeature(POWER) calls. This preempts the
xHCI controller's normal disconnect processing -- PORT_CSC is never
generated, the USB core never sees the disconnect, and the device remains
in its internal tree as a ghost visible in lsusb.

Add an otg_set_port_power flag to control whether the dual-role switch
path performs explicit port power management. SoCs that need it
(Tegra124 / Tegra210 / Tegra186) set the flag; later SoCs (Tegra194 and
beyond) rely on the PHY mode change to handle disconnect naturally and
skip all port power calls.

Within the port power path, otg_reset_sspi additionally gates the SSPI
reset sequence on host-mode entry for SoCs that require it.

Flags set per SoC:
  Tegra124, Tegra186  -> otg_set_port_power
  Tegra210            -> otg_set_port_power, otg_reset_sspi
  Tegra194 and later  -> (none)

[ Backport to 6.18.y: keep the host-mode snapshot in the existing
  tegra->lock section, retain pm_runtime_mark_last_busy() in the host
  port-power path, preserve str_on_off(), and resolve context around the
  SoC ops/Tegra234 entries. ]

Fixes: f836e7843036 ("usb: xhci-tegra: Add OTG support")
Cc: stable@vger.kernel.org
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Link: https://patch.msgid.link/20260505112630.217704-1-weichengc@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/xhci-tegra.c | 79 ++++++++++++++++++++---------------
 1 file changed, 45 insertions(+), 34 deletions(-)

diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
index 83b1766ff1521b..b0dcdede1fc8e6 100644
--- a/drivers/usb/host/xhci-tegra.c
+++ b/drivers/usb/host/xhci-tegra.c
@@ -247,6 +247,7 @@ struct tegra_xusb_soc {
 	bool has_ipfs;
 	bool lpm_support;
 	bool otg_reset_sspi;
+	bool otg_set_port_power;
 
 	bool has_bar2;
 };
@@ -1352,14 +1353,17 @@ static void tegra_xhci_id_work(struct work_struct *work)
 	struct tegra_xusb_mbox_msg msg;
 	struct phy *phy = tegra_xusb_get_phy(tegra, "usb2",
 						    tegra->otg_usb2_port);
+	bool host_mode;
 	u32 status;
 	int ret;
 
-	dev_dbg(tegra->dev, "host mode %s\n", str_on_off(tegra->host_mode));
-
 	mutex_lock(&tegra->lock);
 
-	if (tegra->host_mode)
+	host_mode = tegra->host_mode;
+
+	dev_dbg(tegra->dev, "host mode %s\n", str_on_off(host_mode));
+
+	if (host_mode)
 		phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_HOST);
 	else
 		phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_NONE);
@@ -1370,42 +1374,44 @@ static void tegra_xhci_id_work(struct work_struct *work)
 								    tegra->otg_usb2_port);
 
 	pm_runtime_get_sync(tegra->dev);
-	if (tegra->host_mode) {
-		/* switch to host mode */
-		if (tegra->otg_usb3_port >= 0) {
-			if (tegra->soc->otg_reset_sspi) {
-				/* set PP=0 */
-				tegra_xhci_hc_driver.hub_control(
-					xhci->shared_hcd, GetPortStatus,
-					0, tegra->otg_usb3_port+1,
-					(char *) &status, sizeof(status));
-				if (status & USB_SS_PORT_STAT_POWER)
-					tegra_xhci_set_port_power(tegra, false,
-								  false);
-
-				/* reset OTG port SSPI */
-				msg.cmd = MBOX_CMD_RESET_SSPI;
-				msg.data = tegra->otg_usb3_port+1;
-
-				ret = tegra_xusb_mbox_send(tegra, &msg);
-				if (ret < 0) {
-					dev_info(tegra->dev,
-						"failed to RESET_SSPI %d\n",
-						ret);
+	if (tegra->soc->otg_set_port_power) {
+		if (host_mode) {
+			/* switch to host mode */
+			if (tegra->otg_usb3_port >= 0) {
+				if (tegra->soc->otg_reset_sspi) {
+					/* set PP=0 */
+					tegra_xhci_hc_driver.hub_control(
+						xhci->shared_hcd, GetPortStatus,
+						0, tegra->otg_usb3_port+1,
+						(char *) &status, sizeof(status));
+					if (status & USB_SS_PORT_STAT_POWER)
+						tegra_xhci_set_port_power(tegra, false,
+									  false);
+
+					/* reset OTG port SSPI */
+					msg.cmd = MBOX_CMD_RESET_SSPI;
+					msg.data = tegra->otg_usb3_port+1;
+
+					ret = tegra_xusb_mbox_send(tegra, &msg);
+					if (ret < 0) {
+						dev_info(tegra->dev,
+							"failed to RESET_SSPI %d\n",
+							ret);
+					}
 				}
-			}
 
-			tegra_xhci_set_port_power(tegra, false, true);
-		}
+				tegra_xhci_set_port_power(tegra, false, true);
+			}
 
-		tegra_xhci_set_port_power(tegra, true, true);
-		pm_runtime_mark_last_busy(tegra->dev);
+			tegra_xhci_set_port_power(tegra, true, true);
+			pm_runtime_mark_last_busy(tegra->dev);
 
-	} else {
-		if (tegra->otg_usb3_port >= 0)
-			tegra_xhci_set_port_power(tegra, false, false);
+		} else {
+			if (tegra->otg_usb3_port >= 0)
+				tegra_xhci_set_port_power(tegra, false, false);
 
-		tegra_xhci_set_port_power(tegra, true, false);
+			tegra_xhci_set_port_power(tegra, true, false);
+		}
 	}
 	pm_runtime_put_autosuspend(tegra->dev);
 }
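Review bot: With otg_set_port_power clear, the function still brackets an empty body with pm_runtime_get_sync()/pm_runtime_put_autosuspend(), so Tegra194 and later now pay for a runtime resume that does nothing; moving that pair inside the new `if (tegra->soc->otg_set_port_power)` block avoids it. The hub_control(GetPortStatus) return value is also still unchecked before `status & USB_SS_PORT_STAT_POWER` is tested, which is pre-existing, but this reindent of the whole block is the natural moment to fix it.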
@@ -2558,6 +2564,7 @@ static const struct tegra_xusb_soc tegra124_soc = {
 	.scale_ss_clock = true,
 	.has_ipfs = true,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = true,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0xe4,
@@ -2596,6 +2603,7 @@ static const struct tegra_xusb_soc tegra210_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = true,
 	.otg_reset_sspi = true,
+	.otg_set_port_power = true,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0xe4,
@@ -2639,6 +2647,7 @@ static const struct tegra_xusb_soc tegra186_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = true,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0xe4,
@@ -2672,6 +2681,7 @@ static const struct tegra_xusb_soc tegra194_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = false,
 	.ops = &tegra124_ops,
 	.mbox = {
 		.cmd = 0x68,
@@ -2705,6 +2715,7 @@ static const struct tegra_xusb_soc tegra234_soc = {
 	.scale_ss_clock = false,
 	.has_ipfs = false,
 	.otg_reset_sspi = false,
+	.otg_set_port_power = false,
 	.ops = &tegra234_ops,
 	.mbox = {
 		.cmd = XUSB_BAR2_ARU_MBOX_CMD,
-- 
2.53.0



* [PATCH 6.12 302/307] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit 4e4af55aaca7f6d7673d5f9889ad0529db86a048 ]

adm1266_state_read() backs the sequencer_state debugfs entry and
issues an i2c_smbus_read_word_data(client, ADM1266_READ_STATE)
against the device without taking pmbus_lock.  pmbus_core holds
pmbus_lock around its own multi-transaction sequences (notably the
"set PAGE, then read paged register" pattern used by hwmon
attributes), so an unlocked debugfs reader can land between a PAGE
write and the subsequent paged read in another thread.  READ_STATE
itself is not paged, so it cannot corrupt PAGE in flight, but the
same defensive serialisation that applies to the GPIO accessors
applies here: any direct device access from outside pmbus_core
should be ordered with respect to pmbus_core's own.

Take pmbus_lock at the top of adm1266_state_read() via the
scope-based guard().

Fixes: ed1ff457e187 ("hwmon: (pmbus/adm1266) add debugfs for states")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-8-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ replaced `guard(pmbus_lock)(client)` with manual `pmbus_lock_interruptible()`/`pmbus_unlock()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/pmbus/adm1266.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -328,7 +328,12 @@ static int adm1266_state_read(struct seq
 	struct i2c_client *client = to_i2c_client(dev);
 	int ret;
 
+	ret = pmbus_lock_interruptible(client);
+	if (ret)
+		return ret;
+
 	ret = i2c_smbus_read_word_data(client, ADM1266_READ_STATE);
+	pmbus_unlock(client);
 	if (ret < 0)
 		return ret;
 
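Review bot: The scope is right, since pmbus_unlock() follows the SMBus read immediately and before `ret` is tested, leaving a single exit path under the lock. A one-line comment that READ_STATE is not paged but is serialised for ordering against pmbus_core's PAGE sequences (as the commit message explains) would stop a later reader from removing the lock as unnecessary.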


* [PATCH 6.12 303/307] hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain, Guenter Roeck,
	Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit 9f1dd8f9491eb840cbea7ffdf4cad031e25f8ae0 ]

adm1266_nvmem_read() is the reg_read callback the NVMEM core invokes
when userspace reads /sys/bus/nvmem/devices/.../nvmem on this chip.
On the first byte of every read it does a memset of data->dev_mem,
walks the device blackbox through adm1266_nvmem_read_blackbox()
(which issues a chain of PMBus block transactions), and then memcpys
the refreshed buffer out to userspace.  None of that runs under
pmbus_lock today.

Two consequences:

  - The PMBus traffic the refresh issues is not serialised against
    pmbus_core's own multi-step PAGE+register sequences.  A paged
    hwmon attribute read from another thread can land between a
    PAGE write and the paged read in either direction and corrupt
    one side's view of the device state machine.

  - The NVMEM core does not serialise concurrent reg_read calls, so
    two userspace readers racing at offset 0 can interleave the
    memset of data->dev_mem with another reader's
    adm1266_nvmem_read_blackbox() refill or memcpy out, returning
    torn data to userspace.

Take pmbus_lock at the top of adm1266_nvmem_read() via the
scope-based guard().  Patch 5 of this series moves
adm1266_config_nvmem() past pmbus_do_probe() so the lock is
guaranteed to be live before the callback is reachable from
userspace.

Fixes: 15609d189302 ("hwmon: (pmbus/adm1266) read blackbox")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-7-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ changed `guard(pmbus_lock)(data->client)` to explicit `pmbus_lock_interruptible()`/`pmbus_unlock()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/pmbus/adm1266.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -398,18 +398,25 @@ static int adm1266_nvmem_read(void *priv
 	if (offset + bytes > data->nvmem_config.size)
 		return -EINVAL;
 
+	ret = pmbus_lock_interruptible(data->client);
+	if (ret)
+		return ret;
+
 	if (offset == 0) {
 		memset(data->dev_mem, 0, data->nvmem_config.size);
 
 		ret = adm1266_nvmem_read_blackbox(data, data->dev_mem);
 		if (ret) {
 			dev_err(&data->client->dev, "Could not read blackbox!");
+			pmbus_unlock(data->client);
 			return ret;
 		}
 	}
 
 	memcpy(val, data->dev_mem + offset, bytes);
 
+	pmbus_unlock(data->client);
+
 	return 0;
 }
 
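Review bot: The commit message says the lock is only guaranteed to be live before this callback is reachable because patch 5 of the upstream series moves adm1266_config_nvmem() past pmbus_do_probe(); that patch does not appear in this 6.12 backport as far as this series shows, so please confirm it is already in 6.12.y or queued ahead of this one, otherwise pmbus_lock_interruptible(data->client) can run against a lock that has not been set up yet. Separately, the open-coded unlock now sits on two exit paths (after the blackbox failure and before `return 0`); an `out:` label with a single pmbus_unlock() would keep a future early return from skipping it.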


* [PATCH 6.18 314/315] drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jouni Högander,
	Michał Grzelak, Tvrtko Ursulin, Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Högander <jouni.hogander@intel.com>

[ Upstream commit 3549a9649dc7c5fc586ab12f675279283cdcb2a7 ]

We are observing the following warnings:

*ERROR* power well DC_off state mismatch (refcount 0/enabled 1)

gen9_dc_off_power_well_enabled is considering target state DC_STATE_DISABLE
as DC_OFF power well being enabled. Fix this by using wakeref for the
purpose.

To achieve this we need to modify the notification code as well. Currently it
is possible that PSR gets notified of vblank enable/disable twice with the same
status. This is currently not a problem as it just triggers a call to
intel_display_power_set_target_dc_state with the same target state as a
parameter. When using a wakeref this becomes a problem due to reference
counting. Fix this by storing the vblank status of the last notification and using
that to ensure there is no more than one notification with the same vblank status.

v2: ensure there are no subsequent notifications with the same status

Fixes: aa451abcffb5 ("drm/i915/display: Prevent DC6 while vblank is enabled for Panel Replay")
Cc: <stable@vger.kernel.org> # v6.13+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Michał Grzelak <michal.grzelak@intel.com>
Link: https://patch.msgid.link/20260520104944.239797-2-jouni.hogander@intel.com
(cherry picked from commit 35485ac56d878192a3829a58cb26503125ec7104)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/display/intel_display_core.h  |    1 
 drivers/gpu/drm/i915/display/intel_display_irq.c   |    8 +++++--
 drivers/gpu/drm/i915/display/intel_display_types.h |    2 +
 drivers/gpu/drm/i915/display/intel_psr.c           |   24 +++++++--------------
 4 files changed, 18 insertions(+), 17 deletions(-)

--- a/drivers/gpu/drm/i915/display/intel_display_core.h
+++ b/drivers/gpu/drm/i915/display/intel_display_core.h
@@ -472,6 +472,7 @@ struct intel_display {
 		u8 vblank_enabled;
 
 		int vblank_enable_count;
+		bool vblank_status_last_notified;
 
 		struct work_struct vblank_notify_work;
 
--- a/drivers/gpu/drm/i915/display/intel_display_irq.c
+++ b/drivers/gpu/drm/i915/display/intel_display_irq.c
@@ -1707,8 +1707,12 @@ static void intel_display_vblank_notify_
 	struct intel_display *display =
 		container_of(work, typeof(*display), irq.vblank_notify_work);
 	int vblank_enable_count = READ_ONCE(display->irq.vblank_enable_count);
+	bool vblank_status = !!vblank_enable_count;
 
-	intel_psr_notify_vblank_enable_disable(display, vblank_enable_count);
+	if (display->irq.vblank_status_last_notified != vblank_status) {
+		intel_psr_notify_vblank_enable_disable(display, vblank_status);
+		display->irq.vblank_status_last_notified = vblank_status;
+	}
 }
 
 int bdw_enable_vblank(struct drm_crtc *_crtc)
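Review bot: vblank_status_last_notified starts out false in the zero-initialised struct, so the first notification is only sent once the count becomes non-zero, and an enable followed by a disable before the work runs now produces no PSR notification at all; that coalescing is the intended fix for the double-notification problem, but it deserves a comment here, since the old code forwarded the raw count on every run of the work.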
@@ -1721,10 +1725,10 @@ int bdw_enable_vblank(struct drm_crtc *_
 	if (gen11_dsi_configure_te(crtc, true))
 		return 0;
 
+	spin_lock_irqsave(&display->irq.lock, irqflags);
 	if (crtc->vblank_psr_notify && display->irq.vblank_enable_count++ == 0)
 		schedule_work(&display->irq.vblank_notify_work);
 
-	spin_lock_irqsave(&display->irq.lock, irqflags);
 	bdw_enable_pipe_irq(display, pipe, GEN8_PIPE_VBLANK);
 	spin_unlock_irqrestore(&display->irq.lock, irqflags);
 
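Review bot: Moving spin_lock_irqsave() above the `display->irq.vblank_enable_count++` makes the increment and the schedule_work() decision atomic under display->irq.lock, but only bdw_enable_vblank() is in this diff; for the count to be reliable the matching decrement on the disable side must be covered by the same lock, so please confirm the disable path (not shown here) already takes display->irq.lock around its decrement.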
--- a/drivers/gpu/drm/i915/display/intel_display_types.h
+++ b/drivers/gpu/drm/i915/display/intel_display_types.h
@@ -1690,6 +1690,8 @@ struct intel_psr {
 	bool pkg_c_latency_used;
 
 	u8 active_non_psr_pipes;
+
+	struct ref_tracker *vblank_wakeref;
 };
 
 struct intel_dp {
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -3982,14 +3982,20 @@ void intel_psr_notify_vblank_enable_disa
 					    bool enable)
 {
 	struct intel_encoder *encoder;
-	bool block_dc_states = false;
 
 	for_each_intel_encoder_with_psr(display->drm, encoder) {
 		struct intel_dp *intel_dp = enc_to_intel_dp(encoder);
 
 		mutex_lock(&intel_dp->psr.lock);
-		if (CAN_PANEL_REPLAY(intel_dp))
-			block_dc_states = true;
+		if (CAN_PANEL_REPLAY(intel_dp)) {
+			if (enable)
+				intel_dp->psr.vblank_wakeref =
+					intel_display_power_get(display,
+								POWER_DOMAIN_DC_OFF);
+			else
+				intel_display_power_put(display, POWER_DOMAIN_DC_OFF,
+							intel_dp->psr.vblank_wakeref);
+		}
 
 		if (intel_dp->psr.enabled && !intel_dp->psr.panel_replay_enabled &&
 		    intel_dp->psr.pkg_c_latency_used)
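Review bot: intel_display_power_put() leaves the stale pointer in intel_dp->psr.vblank_wakeref; setting it to NULL after the put (and warning if a get finds it already non-NULL) would make an unbalanced get/put visible instead of silently double-putting. The balance also assumes CAN_PANEL_REPLAY(intel_dp) evaluates the same at the enable notification and at the later disable one; if that can change in between, a wakeref is either leaked or put without a matching get.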
@@ -3997,18 +4003,6 @@ void intel_psr_notify_vblank_enable_disa
 
 		mutex_unlock(&intel_dp->psr.lock);
 	}
-
-	/*
-	 * NOTE: intel_display_power_set_target_dc_state is used
-	 * only by PSR code for DC3CO handling. DC3CO target
-	 * state is currently disabled in * PSR code. If DC3CO
-	 * is taken into use we need take that into account here
-	 * as well.
-	 */
-	if (block_dc_states)
-		intel_display_power_set_target_dc_state(display, enable ?
-							DC_STATE_DISABLE :
-							DC_STATE_EN_UPTO_DC6);
 }
 
 static void


* [PATCH 6.12 304/307] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Abdurrahman Hussain,
	Bartosz Golaszewski, Guenter Roeck, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Abdurrahman Hussain <abdurrahman@nexthop.ai>

[ Upstream commit bab8c6fb5af8df7e753d196c1262cb78e92ca872 ]

adm1266_gpio_get(), adm1266_gpio_get_multiple(), and
adm1266_gpio_dbg_show() all issue PMBus reads against the device but
none of them take pmbus_lock.  The pmbus_core framework holds
pmbus_lock around its own multi-transaction sequences (notably the
"set PAGE, then read paged register" pattern used by hwmon
attributes), so an unlocked GPIO accessor can land between a PAGE
write and the subsequent paged read in another thread and corrupt
either side's view of the device state machine.

Take pmbus_lock at the top of each of the three accessors via the
scope-based guard().  The lock is uncontended in the common case and
adds only a single mutex round-trip per call.

Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-6-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ open-coded each `guard(pmbus_lock)(data->client)` as explicit `pmbus_lock_interruptible()`/`pmbus_unlock()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwmon/pmbus/adm1266.c |   40 ++++++++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 6 deletions(-)

--- a/drivers/hwmon/pmbus/adm1266.c
+++ b/drivers/hwmon/pmbus/adm1266.c
@@ -173,7 +173,12 @@ static int adm1266_gpio_get(struct gpio_
 	else
 		pmbus_cmd = ADM1266_PDIO_STATUS;
 
+	ret = pmbus_lock_interruptible(data->client);
+	if (ret)
+		return ret;
+
 	ret = i2c_smbus_read_block_data(data->client, pmbus_cmd, read_buf);
+	pmbus_unlock(data->client);
 	if (ret < 0)
 		return ret;
 	if (ret < 2)
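
Review bot: the backport note says each `guard(pmbus_lock)(data->client)` was open-coded as `pmbus_lock_interruptible()`/`pmbus_unlock()`; the interruptible variant means a pending signal now makes this accessor return the lock's error to gpio_chip->get() callers instead of waiting for the lock. That is a behaviour change relative to the described upstream guard, so the backport note should state that it is intended (or use a non-interruptible acquisition if the 6.12 pmbus core offers one).
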
@@ -195,11 +200,19 @@ static int adm1266_gpio_get_multiple(str
 	unsigned int gpio_nr;
 	int ret;
 
+	ret = pmbus_lock_interruptible(data->client);
+	if (ret)
+		return ret;
+
 	ret = i2c_smbus_read_block_data(data->client, ADM1266_GPIO_STATUS, read_buf);
-	if (ret < 0)
+	if (ret < 0) {
+		pmbus_unlock(data->client);
 		return ret;
-	if (ret < 2)
+	}
+	if (ret < 2) {
+		pmbus_unlock(data->client);
 		return -EIO;
+	}
 
 	status = read_buf[0] + (read_buf[1] << 8);
 
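
Review bot: the three error returns in adm1266_gpio_get_multiple() (two in this hunk, and the same pair again in the next hunk) each open-code `pmbus_unlock(data->client);` before `return`, which is how the next missed-unlock bug gets introduced. Since the function already has a single exit, an `out_unlock:` label with `pmbus_unlock(data->client); return ret;` and `ret = -EIO; goto out_unlock;` in the short-read cases would keep the lock handling in one place, matching the simpler lock/read/unlock shape used in adm1266_gpio_get() above.
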
@@ -210,10 +223,14 @@ static int adm1266_gpio_get_multiple(str
 	}
 
 	ret = i2c_smbus_read_block_data(data->client, ADM1266_PDIO_STATUS, read_buf);
-	if (ret < 0)
+	if (ret < 0) {
+		pmbus_unlock(data->client);
 		return ret;
-	if (ret < 2)
+	}
+	if (ret < 2) {
+		pmbus_unlock(data->client);
 		return -EIO;
+	}
 
 	status = read_buf[0] + (read_buf[1] << 8);
 
@@ -222,6 +239,8 @@ static int adm1266_gpio_get_multiple(str
 			set_bit(gpio_nr, bits);
 	}
 
+	pmbus_unlock(data->client);
+
 	return 0;
 }
 
@@ -236,11 +255,16 @@ static void adm1266_gpio_dbg_show(struct
 	int ret;
 	int i;
 
+	if (pmbus_lock_interruptible(data->client))
+		return;
+
 	for (i = 0; i < ADM1266_GPIO_NR; i++) {
 		write_cmd = adm1266_gpio_mapping[i][1];
 		ret = adm1266_pmbus_block_xfer(data, ADM1266_GPIO_CONFIG, 1, &write_cmd, read_buf);
-		if (ret != 2)
+		if (ret != 2) {
+			pmbus_unlock(data->client);
 			return;
+		}
 
 		gpio_config = read_buf[0];
 		seq_puts(s, adm1266_names[i]);
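
Review bot: `if (pmbus_lock_interruptible(data->client)) return;` makes a signal during the lock wait produce an empty debugfs dump with no hint why. adm1266_gpio_dbg_show() returns void, so no errno can be propagated, but a `seq_puts(s, "<lock interrupted>\n")` before the return would keep the output from being silently truncated; the same applies to the `ret != 2` early return added below it, where the dump stops mid-list without a marker.
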
@@ -262,8 +286,10 @@ static void adm1266_gpio_dbg_show(struct
 
 	write_cmd = 0xFF;
 	ret = adm1266_pmbus_block_xfer(data, ADM1266_PDIO_CONFIG, 1, &write_cmd, read_buf);
-	if (ret != 32)
+	if (ret != 32) {
+		pmbus_unlock(data->client);
 		return;
+	}
 
 	for (i = 0; i < ADM1266_PDIO_NR; i++) {
 		seq_puts(s, adm1266_names[ADM1266_GPIO_NR + i]);
@@ -286,6 +312,8 @@ static void adm1266_gpio_dbg_show(struct
 
 		seq_puts(s, ")\n");
 	}
+
+	pmbus_unlock(data->client);
 }
 
 static int adm1266_config_gpio(struct adm1266_data *data)




* [PATCH 6.12 305/307] mm: perform all memfd seal checks in a single place
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Isaac J. Manjarres,
	Hugh Dickins, Jann Horn, Kalesh Singh, Liam R. Howlett,
	Muchun Song, Vlastimil Babka, Jeff Xu, Andrew Morton, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>

[ Upstream commit fa00b8ef1803fe133b4897c25227aa0d298dd093 ]

We no longer actually need to perform these checks in the f_op->mmap()
hook.

We already moved the operation which clears VM_MAYWRITE on a read-only
mapping of a write-sealed memfd in order to work around the restrictions
imposed by commit 5de195060b2e ("mm: resolve faulty mmap_region() error
path behaviour").

There is no reason for us not to simply go ahead and additionally check to
see if any pre-existing seals are in place here rather than defer this to
the f_op->mmap() hook.

By doing this we remove more logic from shmem_mmap() which doesn't belong
there, as well as doing the same for hugetlbfs_file_mmap().  We also
remove dubious shared logic in mm.h which simply does not belong there
either.

It makes sense to do these checks at the earliest opportunity; we know
these are shmem (or hugetlbfs) mappings whose relevant VMA flags will not
change from the invoking do_mmap(), so there is simply no need to wait.

This also means the implementation of further memfd seal flags can be done
within mm/memfd.c and also have the opportunity to modify VMA flags as
necessary early in the mapping logic.

[lorenzo.stoakes@oracle.com: fix typos in !memfd inline stub]
  Link: https://lkml.kernel.org/r/7dee6c5d-480b-4c24-b98e-6fa47dbd8a23@lucifer.local
Link: https://lkml.kernel.org/r/20241206212846.210835-1-lorenzo.stoakes@oracle.com
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Tested-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jann Horn <jannh@google.com>
Cc: Kalesh Singh <kaleshsingh@google.com>
Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Jeff Xu <jeffxu@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 3b041514cb6e ("memfd: deny writeable mappings when implying SEAL_WRITE")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hugetlbfs/inode.c  |    5 ----
 include/linux/memfd.h |   23 ++++++++++----------
 include/linux/mm.h    |   55 --------------------------------------------------
 mm/memfd.c            |   44 +++++++++++++++++++++++++++++++++++++++-
 mm/mmap.c             |   12 ++++++++--
 mm/shmem.c            |    6 -----
 6 files changed, 63 insertions(+), 82 deletions(-)

--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -96,7 +96,6 @@ static const struct fs_parameter_spec hu
 static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
 {
 	struct inode *inode = file_inode(file);
-	struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 	loff_t len, vma_len;
 	int ret;
 	struct hstate *h = hstate_file(file);
@@ -113,10 +112,6 @@ static int hugetlbfs_file_mmap(struct fi
 	vm_flags_set(vma, VM_HUGETLB | VM_DONTEXPAND);
 	vma->vm_ops = &hugetlb_vm_ops;
 
-	ret = seal_check_write(info->seals, vma);
-	if (ret)
-		return ret;
-
 	/*
 	 * page based offset in vm_pgoff could be sufficiently large to
 	 * overflow a loff_t when converted to byte offset.  This can
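
Review bot: dropping seal_check_write() from hugetlbfs_file_mmap() is only equivalent if the new memfd_check_seals_mmap() call in do_mmap() still reaches hugetlbfs-backed memfds. That depends on memfd_file_seals_ptr() (made static in mm/memfd.c below) returning the hugetlbfs inode's seals pointer; only its `shmem_file()` branch is visible in this series, so the hugetlb branch should be confirmed and the commit message should say that MFD_HUGETLB files remain covered.
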
--- a/include/linux/memfd.h
+++ b/include/linux/memfd.h
@@ -7,7 +7,14 @@
 #ifdef CONFIG_MEMFD_CREATE
 extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned int arg);
 struct folio *memfd_alloc_folio(struct file *memfd, pgoff_t idx);
-unsigned int *memfd_file_seals_ptr(struct file *file);
+/*
+ * Check for any existing seals on mmap, return an error if access is denied due
+ * to sealing, or 0 otherwise.
+ *
+ * We also update VMA flags if appropriate by manipulating the VMA flags pointed
+ * to by vm_flags_ptr.
+ */
+int memfd_check_seals_mmap(struct file *file, unsigned long *vm_flags_ptr);
 #else
 static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned int a)
 {
@@ -17,19 +24,11 @@ static inline struct folio *memfd_alloc_
 {
 	return ERR_PTR(-EINVAL);
 }
-
-static inline unsigned int *memfd_file_seals_ptr(struct file *file)
+static inline int memfd_check_seals_mmap(struct file *file,
+					 unsigned long *vm_flags_ptr)
 {
-	return NULL;
+	return 0;
 }
 #endif
 
-/* Retrieve memfd seals associated with the file, if any. */
-static inline unsigned int memfd_file_seals(struct file *file)
-{
-	unsigned int *sealsp = memfd_file_seals_ptr(file);
-
-	return sealsp ? *sealsp : 0;
-}
-
 #endif /* __LINUX_MEMFD_H */
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -4140,61 +4140,6 @@ void mem_dump_obj(void *object);
 static inline void mem_dump_obj(void *object) {}
 #endif
 
-static inline bool is_write_sealed(int seals)
-{
-	return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
-}
-
-/**
- * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
- *                      in which case writes should be disallowing moving
- *                      forwards.
- * @seals: the seals to check
- * @vm_flags: the VMA flags to check
- *
- * Returns whether readonly sealed, in which case writess should be disallowed
- * going forward.
- */
-static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
-{
-	/*
-	 * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
-	 * MAP_SHARED and read-only, take care to not allow mprotect to
-	 * revert protections on such mappings. Do this only for shared
-	 * mappings. For private mappings, don't need to mask
-	 * VM_MAYWRITE as we still want them to be COW-writable.
-	 */
-	if (is_write_sealed(seals) &&
-	    ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
-		return true;
-
-	return false;
-}
-
-/**
- * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
- *                    handle them.
- * @seals: the seals to check
- * @vma: the vma to operate on
- *
- * Check whether F_SEAL_WRITE or F_SEAL_FUTURE_WRITE are set; if so, do proper
- * check/handling on the vma flags.  Return 0 if check pass, or <0 for errors.
- */
-static inline int seal_check_write(int seals, struct vm_area_struct *vma)
-{
-	if (!is_write_sealed(seals))
-		return 0;
-
-	/*
-	 * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
-	 * write seals are active.
-	 */
-	if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
-		return -EPERM;
-
-	return 0;
-}
-
 #ifdef CONFIG_ANON_VMA_NAME
 int madvise_set_anon_name(struct mm_struct *mm, unsigned long start,
 			  unsigned long len_in,
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -197,7 +197,7 @@ static int memfd_wait_for_pins(struct ad
 	return error;
 }
 
-unsigned int *memfd_file_seals_ptr(struct file *file)
+static unsigned int *memfd_file_seals_ptr(struct file *file)
 {
 	if (shmem_file(file))
 		return &SHMEM_I(file_inode(file))->seals;
@@ -354,6 +354,48 @@ static int check_sysctl_memfd_noexec(uns
 	return 0;
 }
 
+static inline bool is_write_sealed(unsigned int seals)
+{
+	return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+}
+
+static int check_write_seal(unsigned long *vm_flags_ptr)
+{
+	unsigned long vm_flags = *vm_flags_ptr;
+	unsigned long mask = vm_flags & (VM_SHARED | VM_WRITE);
+
+	/* If a private matting then writability is irrelevant. */
+	if (!(mask & VM_SHARED))
+		return 0;
+
+	/*
+	 * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+	 * write seals are active.
+	 */
+	if (mask & VM_WRITE)
+		return -EPERM;
+
+	/*
+	 * This is a read-only mapping, disallow mprotect() from making a
+	 * write-sealed mapping writable in future.
+	 */
+	*vm_flags_ptr &= ~VM_MAYWRITE;
+
+	return 0;
+}
+
+int memfd_check_seals_mmap(struct file *file, unsigned long *vm_flags_ptr)
+{
+	int err = 0;
+	unsigned int *seals_ptr = memfd_file_seals_ptr(file);
+	unsigned int seals = seals_ptr ? *seals_ptr : 0;
+
+	if (is_write_sealed(seals))
+		err = check_write_seal(vm_flags_ptr);
+
+	return err;
+}
+
 SYSCALL_DEFINE2(memfd_create,
 		const char __user *, uname,
 		unsigned int, flags)
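
Review bot: typo in the new comment `/* If a private matting then writability is irrelevant. */`: "matting" should be "mapping". Otherwise check_write_seal() faithfully reproduces the removed is_readonly_sealed()/seal_check_write() pair: shared+write returns -EPERM, shared read-only clears VM_MAYWRITE, private is left alone so COW stays writable. A one-line comment on memfd_check_seals_mmap() noting that non-memfd files get `seals == 0` (NULL from memfd_file_seals_ptr()) and are a no-op would help readers of do_mmap(), which now calls it for every file-backed mapping.
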
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -369,8 +369,8 @@ unsigned long do_mmap(struct file *file,
 
 	if (file) {
 		struct inode *inode = file_inode(file);
-		unsigned int seals = memfd_file_seals(file);
 		unsigned long flags_mask;
+		int err;
 
 		if (!file_mmap_ok(file, inode, pgoff, len))
 			return -EOVERFLOW;
@@ -410,8 +410,6 @@ unsigned long do_mmap(struct file *file,
 			vm_flags |= VM_SHARED | VM_MAYSHARE;
 			if (!(file->f_mode & FMODE_WRITE))
 				vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
-			else if (is_readonly_sealed(seals, vm_flags))
-				vm_flags &= ~VM_MAYWRITE;
 			fallthrough;
 		case MAP_PRIVATE:
 			if (!(file->f_mode & FMODE_READ))
@@ -431,6 +429,14 @@ unsigned long do_mmap(struct file *file,
 		default:
 			return -EINVAL;
 		}
+
+		/*
+		 * Check to see if we are violating any seals and update VMA
+		 * flags if necessary to avoid future seal violations.
+		 */
+		err = memfd_check_seals_mmap(file, &vm_flags);
+		if (err)
+			return (unsigned long)err;
 	} else {
 		switch (flags & MAP_TYPE) {
 		case MAP_SHARED:
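
Review bot: ordering check for the new call site: in the MAP_SHARED case a read-only fd has already had `VM_MAYWRITE | VM_SHARED` cleared before memfd_check_seals_mmap() runs, so check_write_seal() sees no VM_SHARED and returns early; that matches the removed `else if (is_readonly_sealed(...))`, which also only ran on the FMODE_WRITE branch, so behaviour is preserved. The `return (unsigned long)err;` follows the existing `return -EOVERFLOW;` convention of encoding a negative errno in the unsigned long result, which is fine; a short note in the commit message that the check now executes for all file-backed mappings (non-memfd files are a no-op) would make that cost visible to reviewers.
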
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2820,12 +2820,6 @@ out_nomem:
 static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
 {
 	struct inode *inode = file_inode(file);
-	struct shmem_inode_info *info = SHMEM_I(inode);
-	int ret;
-
-	ret = seal_check_write(info->seals, vma);
-	if (ret)
-		return ret;
 
 	file_accessed(file);
 	/* This is anonymous shared memory if it is unlinked at the time of mmap */




* [PATCH 6.18 315/315] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg,
	Sasha Levin

6.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Bommarito <michael.bommarito@gmail.com>

[ Upstream commit 928abe19fbf0127003abcb1ea69cabc1c897d0ab ]

A DIRECTORY entry's value field is used as the dir_offset for a
recursive call into __tb_property_parse_dir() with no depth counter.
A crafted peer that chains DIRECTORY entries into a back-reference
loop drives the parser until the kernel stack is exhausted and the
guard page fires.  Any untrusted XDomain peer (cable, dock, in-line
inspector, adjacent host) that reaches the PROPERTIES_REQUEST
control-plane exchange can trigger this without authentication.

Thread a depth counter through tb_property_parse() and
__tb_property_parse_dir(), and reject blocks that exceed
TB_PROPERTY_MAX_DEPTH = 8.  That is comfortably larger than any
observed legitimate XDomain layout.

Operators who do not need XDomain host-to-host discovery can disable
the path entirely with thunderbolt.xdomain=0 on the kernel command
line.

Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/property.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -35,10 +35,11 @@ struct tb_property_dir_entry {
 };
 
 #define TB_PROPERTY_ROOTDIR_MAGIC	0x55584401
+#define TB_PROPERTY_MAX_DEPTH		8
 
 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
 	size_t block_len, unsigned int dir_offset, size_t dir_len,
-	bool is_root);
+	bool is_root, unsigned int depth);
 
 static inline void parse_dwdata(void *dst, const void *src, size_t dwords)
 {
@@ -97,7 +98,8 @@ tb_property_alloc(const char *key, enum
 }
 
 static struct tb_property *tb_property_parse(const u32 *block, size_t block_len,
-					const struct tb_property_entry *entry)
+					const struct tb_property_entry *entry,
+					unsigned int depth)
 {
 	char key[TB_PROPERTY_KEY_SIZE + 1];
 	struct tb_property *property;
@@ -118,7 +120,7 @@ static struct tb_property *tb_property_p
 	switch (property->type) {
 	case TB_PROPERTY_TYPE_DIRECTORY:
 		dir = __tb_property_parse_dir(block, block_len, entry->value,
-					      entry->length, false);
+					      entry->length, false, depth + 1);
 		if (!dir) {
 			kfree(property);
 			return NULL;
@@ -163,13 +165,17 @@ static struct tb_property *tb_property_p
 }
 
 static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
-	size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root)
+	size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root,
+	unsigned int depth)
 {
 	const struct tb_property_entry *entries;
 	size_t i, content_len, nentries;
 	unsigned int content_offset;
 	struct tb_property_dir *dir;
 
+	if (depth > TB_PROPERTY_MAX_DEPTH)
+		return NULL;
+
 	dir = kzalloc(sizeof(*dir), GFP_KERNEL);
 	if (!dir)
 		return NULL;
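
Review bot: placing `if (depth > TB_PROPERTY_MAX_DEPTH) return NULL;` ahead of kzalloc() means a rejected block leaks nothing, but it returns NULL exactly like an allocation failure, and tb_property_parse() in the previous hunk also collapses that into NULL. Nothing distinguishes "peer sent a looping or over-nested DIRECTORY layout" from ENOMEM, so consider a rate-limited debug message at this return so an operator investigating a misbehaving XDomain peer gets a signal. Note also that with the root parsed at depth 0 and a `>` comparison, up to nine nested directory levels are accepted, which is consistent with the commit message's "exceed".
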
@@ -200,7 +206,7 @@ static struct tb_property_dir *__tb_prop
 	for (i = 0; i < nentries; i++) {
 		struct tb_property *property;
 
-		property = tb_property_parse(block, block_len, &entries[i]);
+		property = tb_property_parse(block, block_len, &entries[i], depth);
 		if (!property) {
 			tb_property_free_dir(dir);
 			return NULL;
@@ -239,7 +245,7 @@ struct tb_property_dir *tb_property_pars
 		return NULL;
 
 	return __tb_property_parse_dir(block, block_len, 0, rootdir->length,
-				       true);
+				       true, 0);
 }
 
 /**



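The recursion the patch above bounds is easy to reproduce in a standalone model. The following is an added example, not code from the patch or from drivers/thunderbolt/property.c: it uses an invented three-word entry layout (type, value, length) rather than the real XDomain property format, a MAX_DEPTH of 8 mirroring TB_PROPERTY_MAX_DEPTH, and two constructed blocks, a well-formed one and one whose single DIRECTORY entry points back at the root directory. The parser also bounds-checks every offset and entry count against block_len, which the depth cap does not replace.

```c
/*
 * Added example (not from the patch): a toy block of 32-bit words holding
 * directories of three-word entries.  A DIRECTORY entry's value is the word
 * offset of a child directory and its length is that child's entry count.
 * The layout is invented for this example and is NOT the Thunderbolt XDomain
 * property format; what it reproduces is the hazard the patch closes: a child
 * offset that points back at an ancestor recurses until the stack is gone
 * unless the parser carries a depth counter.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 8			/* mirrors TB_PROPERTY_MAX_DEPTH */
#define ENTRY_WORDS 3

enum { TYPE_VALUE = 1, TYPE_DIRECTORY = 2 };

/*
 * Walk the directory whose entries start at word `off`.  Returns the number
 * of entries visited including nested directories, or -1 if an offset or
 * entry count runs past block_len, an entry type is unknown, or the nesting
 * exceeds MAX_DEPTH.
 */
long parse_dir(const uint32_t *block, size_t block_len, size_t off,
	       size_t nentries, unsigned int depth)
{
	if (depth > MAX_DEPTH)
		return -1;				/* the check the patch adds */
	/* First test guarantees nentries * ENTRY_WORDS <= block_len, so no underflow below. */
	if (nentries > block_len / ENTRY_WORDS ||
	    off > block_len - nentries * ENTRY_WORDS)
		return -1;				/* entries would run past the block */

	long total = 0;
	for (size_t i = 0; i < nentries; i++) {
		const uint32_t *e = &block[off + i * ENTRY_WORDS];
		uint32_t type = e[0], value = e[1], length = e[2];

		total++;
		if (type == TYPE_DIRECTORY) {
			long n = parse_dir(block, block_len, value, length, depth + 1);
			if (n < 0)
				return -1;
			total += n;
		} else if (type != TYPE_VALUE) {
			return -1;
		}
	}
	return total;
}

/* Constructed well-formed block: root at word 0 with two entries, the second a child dir at word 6. */
long parse_good_block(void)
{
	static const uint32_t block[] = {
		TYPE_VALUE, 42, 0,		/* root entry 0 */
		TYPE_DIRECTORY, 6, 1,		/* root entry 1: child at word 6 with 1 entry */
		TYPE_VALUE, 7, 0,		/* child entry 0 */
	};
	return parse_dir(block, sizeof(block) / sizeof(block[0]), 0, 2, 0);
}

/* Constructed hostile block: the root's only entry is a DIRECTORY whose offset is the root itself. */
long parse_looping_block(void)
{
	static const uint32_t block[] = { TYPE_DIRECTORY, 0, 1 };
	return parse_dir(block, sizeof(block) / sizeof(block[0]), 0, 1, 0);
}

int main(void)
{
	printf("well-formed block: %ld entries\n", parse_good_block());	/* 3 */
	printf("looping block: %ld (rejected once depth exceeds %d)\n",
	       parse_looping_block(), MAX_DEPTH);				/* -1 */
	return 0;
}
```

Two design points carry over from the patch: the depth test runs before anything is allocated, so a rejected block costs nothing to unwind, and the depth is threaded as a parameter rather than kept in a global, so concurrent parses of different blocks cannot interfere.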

* [PATCH 6.12 306/307] mm/memfd: fix spelling and grammatical issues
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Ye, Andrew Morton, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Liu Ye <liuye@kylinos.cn>

[ Upstream commit 33c9b01ed2fcbc101cdfeb497f4581e981e7c1e7 ]

The comment "If a private mapping then writability is irrelevant" contains
a typo.  It should be "If a private mapping then writability is
irrelevant".  The comment "SEAL_EXEC implys SEAL_WRITE, making W^X from
the start." contains a typo.  It should be "SEAL_EXEC implies SEAL_WRITE,
making W^X from the start."

Link: https://lkml.kernel.org/r/20250206060958.98010-1-liuye@kylinos.cn
Signed-off-by: Liu Ye <liuye@kylinos.cn>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 3b041514cb6e ("memfd: deny writeable mappings when implying SEAL_WRITE")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memfd.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -286,7 +286,7 @@ static int memfd_add_seals(struct file *
 	}
 
 	/*
-	 * SEAL_EXEC implys SEAL_WRITE, making W^X from the start.
+	 * SEAL_EXEC implies SEAL_WRITE, making W^X from the start.
 	 */
 	if (seals & F_SEAL_EXEC && inode->i_mode & 0111)
 		seals |= F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE;
@@ -364,7 +364,7 @@ static int check_write_seal(unsigned lon
 	unsigned long vm_flags = *vm_flags_ptr;
 	unsigned long mask = vm_flags & (VM_SHARED | VM_WRITE);
 
-	/* If a private matting then writability is irrelevant. */
+	/* If a private mapping then writability is irrelevant. */
 	if (!(mask & VM_SHARED))
 		return 0;
 
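
Review bot: the commit message quotes the "before" text of this comment as already reading "private mapping", which describes a no-op; the hunk shows the actual typo was "private matting". The message should quote the real before/after strings so the change is reviewable from the log alone.
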




* [PATCH 6.12 307/307] memfd: deny writeable mappings when implying SEAL_WRITE
From: Greg Kroah-Hartman @ 2026-06-07 10:01 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pratyush Yadav (Google),
	Pasha Tatashin, Jeff Xu, Baolin Wang, Brendan Jackman,
	Greg Thelen, Hugh Dickins, Kees Cook, David Hildenbrand (Arm),
	Andrew Morton, Sasha Levin

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Pratyush Yadav (Google)" <pratyush@kernel.org>

[ Upstream commit 3b041514cb6eae45869b020f743c14d983363222 ]

When SEAL_EXEC is added, SEAL_WRITE is implied to make W^X.  But the
implied seal is set after the check that makes sure the memfd can not have
any writable mappings.  This means one can use SEAL_EXEC to apply
SEAL_WRITE while having writeable mappings.

This breaks the contract that SEAL_WRITE provides and can be used by an
attacker to pass a memfd that appears to be write sealed but can still be
modified arbitrarily.

Fix this by adding the implied seals before the call for
mapping_deny_writable() is done.

Link: https://lore.kernel.org/20260505133922.797635-1-pratyush@kernel.org
Fixes: c4f75bc8bd6b ("mm/memfd: add write seals when apply SEAL_EXEC to executable memfd")
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
Acked-by: Jeff Xu <jeffxu@google.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memfd.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -273,6 +273,12 @@ static int memfd_add_seals(struct file *
 		goto unlock;
 	}
 
+	/*
+	 * SEAL_EXEC implies SEAL_WRITE, making W^X from the start.
+	 */
+	if (seals & F_SEAL_EXEC && inode->i_mode & 0111)
+		seals |= F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE;
+
 	if ((seals & F_SEAL_WRITE) && !(*file_seals & F_SEAL_WRITE)) {
 		error = mapping_deny_writable(file->f_mapping);
 		if (error)
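
Review bot: moving the implied-seal block ahead of `if ((seals & F_SEAL_WRITE) && !(*file_seals & F_SEAL_WRITE))` means an F_SEAL_EXEC request on an executable memfd now takes the mapping_deny_writable() path and fails the same way an explicit F_SEAL_WRITE does while a writable mapping exists, which is the stated intent. Since the line is being relocated anyway, writing it as `if ((seals & F_SEAL_EXEC) && (inode->i_mode & 0111))` would make the precedence explicit at no cost.
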
@@ -285,12 +291,6 @@ static int memfd_add_seals(struct file *
 		}
 	}
 
-	/*
-	 * SEAL_EXEC implies SEAL_WRITE, making W^X from the start.
-	 */
-	if (seals & F_SEAL_EXEC && inode->i_mode & 0111)
-		seals |= F_SEAL_SHRINK|F_SEAL_GROW|F_SEAL_WRITE|F_SEAL_FUTURE_WRITE;
-
 	*file_seals |= seals;
 	error = 0;
 



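The two memfd patches above (305/307, which moves the seal checks into do_mmap(), and 307/307, which orders the implied SEAL_WRITE ahead of mapping_deny_writable()) describe a contract that can be verified from user space. The following is an added regression check, not code from either patch or from the kernel tree; it assumes a Linux libc that exports memfd_create() (glibc 2.27 or newer, or musl) and supplies the F_SEAL_*/MFD_* constants with their kernel uapi values where the installed headers lack them. The second check returns 1 on a kernel with 307/307 applied, 0 on an unpatched kernel, and -1 where MFD_EXEC/F_SEAL_EXEC are unavailable.

```c
/*
 * Added example, not from the patches or the kernel tree: a user-space
 * regression check for the memfd write-seal contract enforced from do_mmap()
 * and for the SEAL_EXEC ordering fix.  Assumes Linux with memfd_create() in
 * libc (glibc >= 2.27 or musl).  Build: cc -o sealcheck sealcheck.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Fallbacks for older libc headers; values are from the kernel uapi headers. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_WRITE 0x0008
#endif
#ifndef F_SEAL_FUTURE_WRITE
#define F_SEAL_FUTURE_WRITE 0x0010
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef MFD_EXEC
#define MFD_EXEC 0x0010U
#endif
#define LEN 4096UL

int memfd_create(const char *name, unsigned int flags);	/* libc symbol; prototype repeated */

/*
 * Check 1: with F_SEAL_WRITE|F_SEAL_FUTURE_WRITE set, MAP_SHARED|PROT_WRITE
 * must fail with EPERM, and a read-only shared mapping must have lost
 * VM_MAYWRITE so mprotect() cannot upgrade it (EACCES).  0 = both hold.
 */
int check_write_seal_contract(void)
{
	int fd = memfd_create("sealcheck", MFD_CLOEXEC | MFD_ALLOW_SEALING);

	if (fd < 0 || ftruncate(fd, LEN) < 0)
		return 1;					/* no usable memfd here */
	if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_FUTURE_WRITE) < 0) { close(fd); return 2; }

	void *rw = mmap(NULL, LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	int err = errno;
	if (rw != MAP_FAILED)
		munmap(rw, LEN);
	if (rw != MAP_FAILED || err != EPERM) { close(fd); return 3; }	/* not refused with EPERM */

	void *ro = mmap(NULL, LEN, PROT_READ, MAP_SHARED, fd, 0);
	if (ro == MAP_FAILED) { close(fd); return 4; }		/* read-only shared must still work */
	int rc = mprotect(ro, LEN, PROT_READ | PROT_WRITE);	/* VM_MAYWRITE was cleared at mmap */
	err = errno;
	munmap(ro, LEN);
	close(fd);
	return (rc < 0 && err == EACCES) ? 0 : 5;
}

/*
 * Check 2: the ordering bug fixed by "memfd: deny writeable mappings when
 * implying SEAL_WRITE".  With a writable shared mapping live, F_SEAL_EXEC on
 * an executable memfd implies F_SEAL_WRITE: a fixed kernel refuses with EBUSY,
 * an unfixed one reports the file write-sealed while the mapping stays
 * writable.  1 = fixed, 0 = not fixed, -1 = MFD_EXEC/F_SEAL_EXEC unavailable
 * (pre-6.3 kernel or vm.memfd_noexec=2), -2 = unexpected failure.
 */
int check_seal_exec_ordering(void)
{
	/* MFD_EXEC keeps the inode mode executable even under vm.memfd_noexec=1 */
	int fd = memfd_create("sealexec", MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_EXEC);

	if (fd < 0)
		return (errno == EINVAL || errno == EACCES) ? -1 : -2;
	void *rw = ftruncate(fd, LEN) < 0 ? MAP_FAILED :
		   mmap(NULL, LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (rw == MAP_FAILED) { close(fd); return -2; }

	int rc = fcntl(fd, F_ADD_SEALS, F_SEAL_EXEC);
	int err = errno;
	int seals = fcntl(fd, F_GET_SEALS);
	munmap(rw, LEN);
	close(fd);
	if (rc == 0)
		return (seals & F_SEAL_WRITE) ? 0 : -2;	/* write-sealed under a live writable mapping */
	return err == EBUSY ? 1 : -2;
}

int main(void)
{
	int w = check_write_seal_contract(), x = check_seal_exec_ordering();

	printf("write-seal contract: %s (code %d)\n", w ? "NOT enforced" : "enforced", w);
	printf("SEAL_EXEC ordering: %s\n", x == 1 ? "fixed" : x == 0 ? "NOT fixed" :
	       x == -1 ? "not testable on this kernel" : "check failed");
	return (w == 0 && x != 0) ? 0 : 1;
}
```

No capabilities are needed; run it as an unprivileged user. With vm.memfd_noexec set to 2 the second check reports -1 because executable memfds are refused outright, which is the administratively intended state rather than a failure of the check.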

* Re: [PATCH 6.18 000/315] 6.18.35-rc1 review
From: Pavel Machek @ 2026-06-07 16:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr


Hi!

> This is the start of the stable review cycle for the 6.18.35 release.
> There are 315 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

We see a build problem here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/jobs/14732223960
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/2582906697

Best regards,
										Pavel



arch/arm64/kvm/nested.c: In function 'kvm_init_nv_sysregs':
arch/arm64/kvm/nested.c:1776:9: error: 'resx' undeclared (first use in this function); did you mean 'res1'?
 1776 |         resx.res0 = ZCR_ELx_RES0 | GENMASK_ULL(8, 4);
      |         ^~~~
      |         res1
arch/arm64/kvm/nested.c:1776:9: note: each undeclared identifier is reported only once for each function it appears in
arch/arm64/kvm/nested.c:1778:9: error: too few arguments to function 'set_sysreg_masks'
 1778 |         set_sysreg_masks(kvm, ZCR_EL2, resx);
      |         ^~~~~~~~~~~~~~~~
arch/arm64/kvm/nested.c:1641:29: note: declared here
 1641 | static __always_inline void set_sysreg_masks(struct kvm *kvm, int sr, u64 res0, u64 res1)
      |                             ^~~~~~~~~~~~~~~~
  CC      block/holder.o
  CC      drivers/irqchip/irq-ls-scfg-msi.o
make[4]: *** [scripts/Makefile.build:287: arch/arm64/kvm/nested.o] Error 1

> 
> thanks,
> 
> greg k-h
> 
> -------------
> Pseudo-Shortlog of commits:
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     Linux 6.18.35-rc1
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
> 
> Jouni Högander <jouni.hogander@intel.com>
>     drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable
> 
> Jassi Brar <jassisinghbrar@gmail.com>
>     mailbox: Fix NULL message support in mbox_send_message()
> 
> Wei-Cheng Chen <weichengc@nvidia.com>
>     xhci: tegra: Fix ghost USB device on dual-role port unplug
> 
> Robert Marko <robert.marko@sartura.hr>
>     net: phy: micrel: fix LAN8814 QSGMII soft reset
> 
> Qing Wang <wangqing7171@gmail.com>
>     mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()
> 
> Abdurrahman Hussain <abdurrahman@nexthop.ai>
>     hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
> 
> Abdurrahman Hussain <abdurrahman@nexthop.ai>
>     hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock
> 
> Guenter Roeck <linux@roeck-us.net>
>     hwmon: (pmbus) Add support for guarded PMBus lock
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: mct_u232: fix memory corruption with small endpoint
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: digi_acceleport: fix memory corruption with small endpoints
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: cypress_m8: fix memory corruption with small endpoint
> 
> Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
>     usb: dwc3: xilinx: fix error handling in zynqmp init error paths
> 
> Shaomin Chen <eeesssooo020@gmail.com>
>     xfrm: iptfs: reset runtime state when cloning SAs
> 
> Rafael J. Wysocki <rafael.j.wysocki@intel.com>
>     cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E
> 
> Rafael J. Wysocki <rafael.j.wysocki@intel.com>
>     cpufreq: intel_pstate: Add and use hybrid_get_cpu_type()
> 
> Paolo Abeni <pabeni@redhat.com>
>     mptcp: reset rcv wnd on disconnect
> 
> Paolo Abeni <pabeni@redhat.com>
>     mptcp: cleanup fallback dummy mapping generation
> 
> Dawei Feng <dawei.feng@seu.edu.cn>
>     octeontx2-pf: avoid double free of pool->stack on AQ init failure
> 
> Zeng Heng <zengheng4@huawei.com>
>     arm64: tlb: Flush walk cache when unsharing PMD tables
> 
> Shardul Bankar <shardul.b@mpiricsoftware.com>
>     mptcp: do not drop partial packets
> 
> Paolo Abeni <pabeni@redhat.com>
>     mptcp: borrow forward memory from subflow
> 
> Paolo Abeni <pabeni@redhat.com>
>     mptcp: handle first subflow closing consistently
> 
> David Carlier <devnexen@gmail.com>
>     net: devmem: reject dma-buf bind with non-page-aligned size or SG length
> 
> Matthieu Baerts (NGI0) <matttbe@kernel.org>
>     selftests: mptcp: drop nanoseconds width specifier
> 
> Shuai Zhang <shuai.zhang@oss.qualcomm.com>
>     Bluetooth: hci_qca: Convert timeout from jiffies to ms
> 
> Uwe Kleine-König <u.kleine-koenig@baylibre.com>
>     Bluetooth: hci_qca: Migrate to serdev specific shutdown function
> 
> Uwe Kleine-König <u.kleine-koenig@baylibre.com>
>     serdev: Provide a bustype shutdown function
> 
> David Howells <dhowells@redhat.com>
>     rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
> 
> David Howells <dhowells@redhat.com>
>     rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
> 
> Tom Lendacky <thomas.lendacky@amd.com>
>     x86/mm: Disable broadcast TLB flush when PCID is disabled
> 
> Lukas Wunner <lukas@wunner.de>
>     platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery
> 
> David E. Box <david.e.box@linux.intel.com>
>     platform/x86/intel/vsec: Make driver_data info const
> 
> David E. Box <david.e.box@linux.intel.com>
>     platform/x86/intel/vsec: Refactor base_addr handling
> 
> Jacques Nilo <jnilo@free.fr>
>     serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()
> 
> Jacques Nilo <jnilo@free.fr>
>     serial: 8250: dispatch SysRq character in serial8250_handle_irq()
> 
> Jacques Nilo <jnilo@free.fr>
>     serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)
> 
> Maciej W. Rozycki <macro@orcam.me.uk>
>     serial: zs: Convert to use a platform device
> 
> Maciej W. Rozycki <macro@orcam.me.uk>
>     serial: zs: Switch to using channel reset
> 
> Maciej W. Rozycki <macro@orcam.me.uk>
>     serial: zs: Fix bootconsole handover lockup
> 
> Maciej W. Rozycki <macro@orcam.me.uk>
>     serial: dz: Convert to use a platform device
> 
> Maciej W. Rozycki <macro@orcam.me.uk>
>     serial: dz: Fix bootconsole handover lockup
> 
> Maciej W. Rozycki <macro@orcam.me.uk>
>     serial: dz: Fix bootconsole message clobbering at chip reset
> 
> Ziyi Guo <n7l8m4@u.northwestern.edu>
>     drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO
> 
> Christian König <christian.koenig@amd.com>
>     drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO
> 
> David Francis <David.Francis@amd.com>
>     drm/amdkfd: Check for pdd drm file first in CRIU restore path
> 
> Eric Huang <jinhuieric.huang@amd.com>
>     drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger
> 
> Eric Huang <jinhuieric.huang@amd.com>
>     drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
> 
> Shitalkumar Gandhi <shital.gandhi45@gmail.com>
>     serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
> 
> Maciej W. Rozycki <macro@orcam.me.uk>
>     serial: zs: Fix swapped RI/DSR modem line transition counting
> 
> Hongling Zeng <zenghongling@kylinos.cn>
>     serial: sh-sci: fix memory region release in error path
> 
> Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
>     serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ
> 
> Prasanna S <prasanna.s@oss.qualcomm.com>
>     serial: qcom-geni: fix UART_RX_PAR_EN bit position
> 
> Myeonghun Pak <mhun512@gmail.com>
>     serial: altera_jtaguart: handle uart_add_one_port() failures
> 
> Timur Kristóf <timur.kristof@gmail.com>
>     drm/amd/pm/si: Disregard vblank time when no displays are connected
> 
> Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
>     drm/i915: Fix potential UAF in TTM object purge
> 
> Jouni Högander <jouni.hogander@intel.com>
>     drm/i915/psr: Block DC states on vblank enable when Panel Replay supported
> 
> Zhenghang Xiao <kipreyyy@gmail.com>
>     drm/gem: fix race between change_handle and handle_delete
> 
> Berkant Koc <me@berkoc.com>
>     drm/hyperv: validate VMBus packet size in receive callback
> 
> Berkant Koc <me@berkoc.com>
>     drm/hyperv: validate resolution_count and fix WIN8 fallback
> 
> Alexandru Hossu <hossu.alexandru@gmail.com>
>     scsi: target: iscsi: Validate CHAP_R length before base64 decode
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     usb: gadget: f_fs: serialize DMABUF cancel against request completion
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     usb: gadget: f_fs: copy only received bytes on short ep0 read
> 
> Seungjin Bae <eeodqql09@gmail.com>
>     usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
> 
> Jeremy Erazo <mendozayt13@gmail.com>
>     usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling
> 
> Guangshuo Li <lgs201920130244@gmail.com>
>     usb: gadget: f_hid: fix device reference leak in hidg_alloc()
> 
> Guangshuo Li <lgs201920130244@gmail.com>
>     usb: gadget: net2280: Fix double free in probe error path
> 
> Kai Aizen <kai.aizen.dev@gmail.com>
>     usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: mxuport: fix memory corruption with small endpoint
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: keyspan: fix missing indat transfer sanity check
> 
> Zhang Cen <rollkingzzc@gmail.com>
>     USB: serial: cypress_m8: validate interrupt packet headers
> 
> Zhang Cen <rollkingzzc@gmail.com>
>     USB: serial: belkin_sa: validate interrupt status length
> 
> Wanquan Zhong <wanquan.zhong@fibocom.com>
>     USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
> 
> Jan Volckaert <janvolck@gmail.com>
>     USB: serial: option: add MeiG SRM813Q
> 
> Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
>     usb: typec: ucsi: Don't update power_supply on power role change if not connected
> 
> Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
>     usb: typec: ucsi: Check if power role change actually happened before handling
> 
> Sebastian Reichel <sebastian.reichel@collabora.com>
>     usb: typec: tcpm: improve handling of DISCOVER_MODES failures
> 
> Dan Carpenter <error27@gmail.com>
>     usb: typec: tipd: Fix error code in tps6598x_probe()
> 
> Heitor Alves de Siqueira <halves@igalia.com>
>     usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
> 
> Heitor Alves de Siqueira <halves@igalia.com>
>     usb: usbtmc: check URB actual_length for interrupt-IN notifications
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     usbip: vudc: Fix use after free bug in vudc_remove due to race condition
> 
> Sam Burkels <sam@1a38.nl>
>     usb: storage: Add quirks for PNY Elite Portable SSD
> 
> Stephen J. Fuhry <fuhrysteve@gmail.com>
>     USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
> 
> Wentao Liang <vulab@iscas.ac.cn>
>     usb: musb: omap2430: Fix use-after-free in omap2430_probe()
> 
> Michal Pecio <michal.pecio@gmail.com>
>     usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
> 
> Xu Yang <xu.yang_2@nxp.com>
>     usb: chipidea: core: convert ci_role_switch to local variable
> 
> Tudor Ambarus <tudor.ambarus@linaro.org>
>     tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
> 
> Zhaoyang Yu <2426767509@qq.com>
>     tty: serial: pch_uart: add check for dma_alloc_coherent()
> 
> Guangshuo Li <lgs201920130244@gmail.com>
>     counter: Fix refcount leak in counter_alloc() error path
> 
> Ian Abbott <abbotti@mev.co.uk>
>     comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
> 
> Ian Abbott <abbotti@mev.co.uk>
>     comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
> 
> Hongling Zeng <zenghongling@kylinos.cn>
>     gpib: cb7210: Fix region leak when request_irq fails
> 
> Nicolás Bazaes <contacto@bazaes.cl>
>     Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
> 
> Dmitry Torokhov <dmitry.torokhov@gmail.com>
>     Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
> 
> Xiaolei Wang <xiaolei.wang@windriver.com>
>     misc: rp1: Send IACK on IRQ activate to fix kdump/kexec
> 
> Ali Ganiyev <ali.qaniyev@gmail.com>
>     ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
> 
> Dmitriy Zharov <contact@zharov.dev>
>     Input: xpad - add support for ASUS ROG RAIKIRI II
> 
> Qbeliw Tanaka <q.tanaka@gmx.com>
>     Input: xpad - add "Nova 2 Lite" from GameSir
> 
> Zhang Heng <zhangheng@kylinos.cn>
>     ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP
> 
> Jingguo Tan <tanjingguo@huawei.com>
>     xfrm: esp: restore combined single-frag length gate
> 
> Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
>     ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
> 
> Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
>     ASoC: qcom: q6asm-dai: close stream only when running
> 
> Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
>     netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
> 
> Cássio Gabriel <cassiogabrielcontato@gmail.com>
>     ALSA: firewire-motu: Protect register DSP event queue positions
> 
> Geoffrey D. Bennett <g@b4.vu>
>     ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     xfrm: ah: use skb_to_full_sk in async output callbacks
> 
> Herbert Xu <herbert@gondor.apana.org.au>
>     xfrm: ipcomp: Free destination pages on acomp errors
> 
> Maoyi Xie <maoyixie.tju@gmail.com>
>     xfrm: route MIGRATE notifications to caller's netns
> 
> Ashutosh Desai <ashutoshdesai993@gmail.com>
>     nfc: hci: fix out-of-bounds read in HCP header parsing
> 
> Arnd Bergmann <arnd@arndb.de>
>     iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
> 
> Lee Jones <lee@kernel.org>
>     HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
> 
> Santhosh Kumar K <s-k6@ti.com>
>     spi: spi-mem: avoid mutating op template in spi_mem_supports_op()
> 
> Minh Nguyen <minhnguyen.080505@gmail.com>
>     net: skbuff: fix missing zerocopy reference in pskb_carve helpers
> 
> Kuniyuki Iwashima <kuniyu@google.com>
>     ip6: vti: Use ip6_tnl.net in vti6_changelink().
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname
> 
> Zhengchuan Liang <zcliangcn@gmail.com>
>     xfrm: input: hold netns during deferred transport reinjection
> 
> Qi Tang <tpluszz77@gmail.com>
>     ipv6: validate extension header length before copying to cmsg
> 
> Maoyi Xie <maoyixie.tju@gmail.com>
>     ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
> 
> Zhengchuan Liang <zcliangcn@gmail.com>
>     ipv6: exthdrs: refresh nh after handling HAO option
> 
> Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
>     ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
> 
> Justin Iurman <justin.iurman@gmail.com>
>     ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
> 
> Junrui Luo <moonafterrain@outlook.com>
>     macsec: fix replay protection at XPN lower-PN wrap
> 
> Yuqi Xu <xuyq21@lenovo.com>
>     bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
> 
> Jason A. Donenfeld <Jason@zx2c4.com>
>     wireguard: send: append trailer after expanding head
> 
> Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
>     x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines
> 
> Chaitanya Sabnis <chaitanya.msabnis@gmail.com>
>     i2c: davinci: fix division by zero on missing clock-frequency
> 
> Dmitry Torokhov <dmitry.torokhov@gmail.com>
>     Input: elan_i2c - validate firmware size before use
> 
> Dan Carpenter <error27@gmail.com>
>     usb: dwc2: Fix use after free in debug code
> 
> Peter Chen <peter.chen@cixtech.com>
>     usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
> 
> Peter Chen <peter.chen@cixtech.com>
>     usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
> 
> Yongchao Wu <yongchao.wu@autochips.com>
>     usb: cdns3: gadget: fix request skipping after clearing halt
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: omninet: fix memory corruption with small endpoint
> 
> Benoît Monin <benoit.monin@bootlin.com>
>     iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()
> 
> Felix Gu <ustc.gu@gmail.com>
>     iio: buffer: hw-consumer: fix use-after-free in error path
> 
> Aldo Conte <aldocontelk@gmail.com>
>     iio: light: cm3323: fix reg_conf not being initialized correctly
> 
> Antoniu Miclaus <antoniu.miclaus@analog.com>
>     iio: chemical: scd30: fix division by zero in write_raw
> 
> Pengpeng Hou <pengpeng@iscas.ac.cn>
>     iio: chemical: mhz19b: reject oversized serial replies
> 
> Svyatoslav Ryhel <clamor95@gmail.com>
>     iio: Fix iio_multiply_value use in iio_read_channel_processed_scale
> 
> Felix Gu <ustc.gu@gmail.com>
>     iio: light: veml6070: Fix resource leak in probe error path
> 
> Advait Dhamorikar <advaitd@mechasystems.com>
>     iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
> 
> Salah Triki <salah.triki@gmail.com>
>     iio: temperature: tsys01: fix broken PROM checksum validation
> 
> Sanjay Chitroda <sanjayembeddedse@gmail.com>
>     iio: ssp_sensors: cancel delayed work_refresh on remove
> 
> Antoniu Miclaus <antoniu.miclaus@analog.com>
>     iio: gyro: adis16260: fix division by zero in write_raw
> 
> David Carlier <devnexen@gmail.com>
>     iio: gyro: itg3200: fix i2c read into the wrong stack location
> 
> Radu Sabau <radu.sabau@analog.com>
>     iio: adc: ad4695: Fix call ordering in offload buffer postenable
> 
> Salah Triki <salah.triki@gmail.com>
>     iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
> 
> Salah Triki <salah.triki@gmail.com>
>     iio: adc: mt6359: fix unchecked return value in mt6358_read_imp
> 
> Rodrigo Alencar <rodrigo.alencar@analog.com>
>     iio: dac: ad5686: fix powerdown control on dual-channel devices
> 
> Rodrigo Alencar <rodrigo.alencar@analog.com>
>     iio: dac: ad5686: acquire lock when doing powerdown control
> 
> Rodrigo Alencar <rodrigo.alencar@analog.com>
>     iio: dac: ad5686: fix input raw value check
> 
> Rodrigo Alencar <rodrigo.alencar@analog.com>
>     iio: dac: ad5686: fix ref bit initialization for single-channel parts
> 
> Salah Triki <salah.triki@gmail.com>
>     iio: dac: max5821: fix return value check in powerdown sync
> 
> Kim Seer Paller <kimseer.paller@analog.com>
>     iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings
> 
> David Carlier <devnexen@gmail.com>
>     iio: adc: npcm: fix unbalanced clk_disable_unprepare()
> 
> Christofer Jonason <christofer.jonason@guidelinegeo.com>
>     iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
> 
> Nathan Chancellor <nathan@kernel.org>
>     Disable -Wattribute-alias for clang-23 and newer
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SEV: Check PSC request indices against the actual size of the buffer
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SEV: Compute the correct max length of the in-GHCB scratch area
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SEV: Ignore Port I/O requests of length '0'
> 
> Michael Roth <michael.roth@amd.com>
>     KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
> 
> Sean Christopherson <seanjc@google.com>
>     KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC
> 
> Qiang Ma <maqianga@uniontech.com>
>     KVM: arm64: PMU: Preserve AArch32 counter low bits
> 
> Mark Brown <broonie@kernel.org>
>     KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor
> 
> Wentao Guan <guanwentao@uniontech.com>
>     USB: cdc-acm: Fix bit overlap and move quirk definitions to header
> 
> Alice Ryhl <aliceryhl@google.com>
>     rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN
> 
> Matthew Maurer <mmaurer@google.com>
>     rust_binder: Avoid holding lock when dropping delivered_death
> 
> Ben Hutchings <benh@debian.org>
>     parport: Fix race between port and client registration
> 
> Dmitry Torokhov <dmitry.torokhov@gmail.com>
>     Input: xpad - fix out-of-bounds access for Share button
> 
> Doruk Tan Ozturk <doruk@0sec.ai>
>     Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
> 
> Shuai Zhang <shuai.zhang@oss.qualcomm.com>
>     Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading
> 
> Pavitra Jha <jhapavitra98@gmail.com>
>     Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()
> 
> Muhammad Bilal <meatuni001@gmail.com>
>     Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
> 
> Muhammad Bilal <meatuni001@gmail.com>
>     Bluetooth: ISO: fix UAF in iso_recv_frame
> 
> Muhammad Bilal <meatuni001@gmail.com>
>     Bluetooth: HIDP: fix missing length checks in hidp_input_report()
> 
> Siwei Zhang <oss@fourdim.xyz>
>     Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
> 
> Siwei Zhang <oss@fourdim.xyz>
>     Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
> 
> Steve French <stfrench@microsoft.com>
>     smb: client: fix uninitialized variable in smb2_writev_callback
> 
> Stepan Ionichev <sozdayvek@gmail.com>
>     auxdisplay: line-display: fix OOB read on zero-length message_store()
> 
> Dev Jain <dev.jain@arm.com>
>     mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one
> 
> Pratyush Yadav (Google) <pratyush@kernel.org>
>     memfd: deny writeable mappings when implying SEAL_WRITE
> 
> Alexandre Ghiti <alex@ghiti.fr>
>     mm: memcontrol: propagate NMI slab stats to memcg vmstats
> 
> Linpu Yu <linpu5433@gmail.com>
>     ipc: limit next_id allocation to the valid ID range
> 
> SeongJae Park <sj@kernel.org>
>     mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()
> 
> Mikulas Patocka <mpatocka@redhat.com>
>     hpfs: fix a crash if hpfs_map_dnode_bitmap fails
> 
> Shuai Zhang <shuai.zhang@oss.qualcomm.com>
>     Bluetooth: btusb: Allow firmware re-download when version matches
> 
> hlleng <a909204013@gmail.com>
>     HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
> 
> Thomas Fourier <fourier.thomas@gmail.com>
>     Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
> 
> Henri A <contact@henrialfonso.com>
>     media: rc: igorplugusb: fix control request setup packet
> 
> Johan Hovold <johan@kernel.org>
>     USB: serial: safe_serial: fix memory corruption with small endpoint
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: ucsi: validate connector number in ucsi_connector_change()
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: altmodes/displayport: validate count before reading Status Update VDO
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     usb: typec: ucsi: ccg: reject firmware images without a ':' record header
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     iio: pressure: bmp280: fix stack leak in bmp580 trigger handler
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     iio: imu: adis16550: fix stack leak in trigger handler
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
> 
> Horatiu Vultur <horatiu.vultur@microchip.com>
>     phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
> 
> Jouni Högander <jouni.hogander@intel.com>
>     drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
> 
> Jouni Högander <jouni.hogander@intel.com>
>     drm/i915/psr: Read Intel DPCD workaround register
> 
> Jouni Högander <jouni.hogander@intel.com>
>     drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register
> 
> Peter Oberparleiter <oberpar@linux.ibm.com>
>     s390/cio: Restore GFP_DMA for CHSC allocation
> 
> Andrei Vagin <avagin@google.com>
>     Revert "x86/fpu: Refine and simplify the magic number check during signal return"
> 
> Michael Bommarito <michael.bommarito@gmail.com>
>     smb: client: validate the whole DACL before rewriting it in cifsacl
> 
> Oliver Neukum <oneukum@suse.com>
>     media: rc: ttusbir: fix inverted error logic
> 
> Sean Young <sean@mess.org>
>     media: rc: fix race between unregister and urb/irq callbacks
> 
> Pavel Begunkov <asml.silence@gmail.com>
>     net: skbuff: fix pskb_carve leaking zcopy pages
> 
> Jiayuan Chen <jiayuan.chen@linux.dev>
>     ipv6: fix possible infinite loop in fib6_select_path()
> 
> Jiayuan Chen <jiayuan.chen@linux.dev>
>     ipv6: fix possible infinite loop in rt6_fill_node()
> 
> Jingguo Tan <tanjingguo@huawei.com>
>     vsock/virtio: bind uarg before filling zerocopy skb
> 
> Zhenghang Xiao <kipreyyy@gmail.com>
>     sctp: fix race between sctp_wait_for_connect and peeloff
> 
> Dipayaan Roy <dipayanroy@linux.microsoft.com>
>     net: mana: Skip redundant detach on already-detached port
> 
> Dipayaan Roy <dipayanroy@linux.microsoft.com>
>     net: mana: Add NULL guards in teardown path to prevent panic on attach failure
> 
> Marco Scardovi <scardracs@disroot.org>
>     gpio: rockchip: teardown bugs and resource leaks
> 
> Marco Scardovi <scardracs@disroot.org>
>     gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
> 
> Dan Carpenter <error27@gmail.com>
>     gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()
> 
> Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
>     gpio: adnp: fix flow control regression caused by scoped_guard()
> 
> Heitor Alves de Siqueira <halves@igalia.com>
>     Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
> 
> Heitor Alves de Siqueira <halves@igalia.com>
>     Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
> 
> Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>     Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
> 
> Zhenghang Xiao <kipreyyy@gmail.com>
>     Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
> 
> Chuck Lever <chuck.lever@oracle.com>
>     net/handshake: Pass negative errno through handshake_complete()
> 
> Chuck Lever <chuck.lever@oracle.com>
>     nvme-tcp: store negative errno in queue->tls_err
> 
> Chuck Lever <chuck.lever@oracle.com>
>     net/handshake: Use spin_lock_bh for hn_lock
> 
> Jijie Shao <shaojijie@huawei.com>
>     net: hibmcge: disable Relaxed Ordering to fix RX packet corruption
> 
> Jamal Hadi Salim <jhs@mojatatu.com>
>     net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
> 
> Rahul Chandelkar <rc@rexion.ai>
>     ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: eeprom: add more safeties to EEPROM Netlink fallback
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: strset: fix header attribute index in ethnl_req_get_phydev()
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: tsinfo: fix uninitialized stats on the by-PHC path
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: tsconfig: fix missing ethnl_ops_complete()
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: pse-pd: fix missing ethnl_ops_complete()
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: tsconfig: fix reply error handling
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES
> 
> Ido Schimmel <idosch@nvidia.com>
>     bridge: Fix sleep in atomic context in sysfs path
> 
> Ido Schimmel <idosch@nvidia.com>
>     bridge: Fix sleep in atomic context in netlink path
> 
> Oliver Hartkopp <socketcan@hartkopp.net>
>     bonding: refuse to enslave CAN devices
> 
> Zhao Dongdong <zhaodongdong@kylinos.cn>
>     Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
> 
> Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
>     drm/xe: Restore IDLEDLY register on engine reset
> 
> Cássio Gabriel <cassiogabrielcontato@gmail.com>
>     ASoC: codecs: simple-mux: Fix enum control bounds check
> 
> Sean Shen <grayhat@foxmail.com>
>     ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
> 
> Eric Dumazet <edumazet@google.com>
>     tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
> 
> Eric Dumazet <edumazet@google.com>
>     vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
> 
> Eric Dumazet <edumazet@google.com>
>     tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
> 
> Li Ming <ming.li@zohomail.com>
>     cxl/test: Update mock dev array before calling platform_device_add()
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: cmis: validate fw->size against start_cmd_payload_size
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: cmis: validate start_cmd_payload_size from module
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: cmis: require exact CDB reply length
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: module: fix cleanup if socket used for flashing multiple devices
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: module: check fw_flash_in_progress under rtnl_lock
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: module: avoid racy updates to dev->ethtool bitfield
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: module: avoid leaking a netdev ref on module flash errors
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: module: call ethnl_ops_complete() on module flash errors
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: rss: avoid device context leak on reply-build failure
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: rss: fix hkey leak when indir_size is 0
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: rss: fix indir_table and hkey leak on get_rxfh failure
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: rss: fix falsely ignoring indir table updates
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: rss: add missing errno on RSS context delete
> 
> Jakub Kicinski <kuba@kernel.org>
>     ethtool: rss: avoid modifying the RSS context response
> 
> Björn Töpel <bjorn@kernel.org>
>     net: Avoid checksumming unreadable skb tail on trim
> 
> Weiming Shi <bestswngs@gmail.com>
>     net: team: fix NULL pointer dereference in team_xmit during mode change
> 
> Marc Harvey <marcharvey@google.com>
>     net: team: Rename port_disabled team mode op to port_tx_disabled
> 
> Marc Harvey <marcharvey@google.com>
>     net: team: Remove unused team_mode_op, port_enabled
> 
> Alexander Stein <alexander.stein@ew.tq-group.com>
>     gpio: mxc: fix irq_high handling
> 
> Luka Gejak <luka.gejak@linux.dev>
>     net: hsr: fix potential OOB access in supervision frame handling
> 
> Prathamesh Deshpande <prathameshdeshpande7@gmail.com>
>     net/mlx5: HWS: Reject unsupported remove-header action
> 
> Cássio Gabriel <cassiogabrielcontato@gmail.com>
>     ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
> 
> Cássio Gabriel <cassiogabrielcontato@gmail.com>
>     ALSA: pcm: oss: Fix setup list UAF on proc write error
> 
> Eric Dumazet <edumazet@google.com>
>     ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
> 
> David Jeffery <djeffery@redhat.com>
>     scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues
> 
> Breno Leitao <leitao@debian.org>
>     net/iucv: fix locking in .getsockopt
> 
> Alexandra Winter <wintera@linux.ibm.com>
>     net/smc: Do not re-initialize smc hashtables
> 
> Ilya Maximets <i.maximets@ovn.org>
>     net: netlink: don't set nsid on local notifications
> 
> Ilya Maximets <i.maximets@ovn.org>
>     net: netlink: fix sending unassigned nsid after assigned one
> 
> Ziyu Zhang <ziyuzhang201@gmail.com>
>     vsock: keep poll shutdown state consistent
> 
> Weiming Shi <bestswngs@gmail.com>
>     tun: free page on build_skb failure in tun_xdp_one()
> 
> Weiming Shi <bestswngs@gmail.com>
>     tun: free page on short-frame rejection in tun_xdp_one()
> 
> Fernando Fernandez Mancera <fmancera@suse.de>
>     netfilter: nf_tables: fix dst corruption in same register operation
> 
> Florian Westphal <fw@strlen.de>
>     netfilter: ebtables: fix OOB read in compat_mtw_from_user
> 
> Florian Westphal <fw@strlen.de>
>     netfilter: xt_cpu: prefer raw_smp_processor_id
> 
> Chris Mason <clm@meta.com>
>     netfilter: synproxy: refresh tcphdr after skb_ensure_writable
> 
> Deepanshu Kartikey <kartikey406@gmail.com>
>     kernel/fork: validate exit_signal in kernel_clone()
> 
> Dhabaleshwar Das <dhabal123@gmail.com>
>     accel/rocket: fix UAF via dangling GEM handle in create_bo
> 
> Florian Schmaus <florian.schmaus@codasip.com>
>     kunit: fix use-after-free in debugfs when using kunit.filter
> 
> Liu Kai <lukace97@outlook.com>
>     HID: remove duplicate hid_warn_ratelimited definition
> 
> Hongtao Lee <lihongtao@kylinos.cn>
>     tools/bootconfig: Fix buf leaks in apply_xbc
> 
> Carl Lee <carl.lee@amd.com>
>     nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
> 
> David Ahern <dahern@nvidia.com>
>     xfrm: Check for underflow in xfrm_state_mtu
> 
> Lee Jones <lee@kernel.org>
>     nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
> 
> Lee Jones <lee@kernel.org>
>     nfc: llcp: Fix use-after-free in llcp_sock_release()
> 
> Mingzhe Zou <mingzhe.zou@easystack.cn>
>     bcache: fix uninitialized closure object
> 
> Victor Nogueria <victor@mojatatu.com>
>     net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
> 
> Usama Arif <usama.arif@linux.dev>
>     xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
> 
> Jeremy Kerr <jk@codeconstruct.com.au>
>     net: mctp: ensure our nlmsg responses are initialised
> 
> Davide Caratti <dcaratti@redhat.com>
>     net/sched: cls_fw: fix NULL dereference of "old" filters before change()
> 
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
> 
> 
> -------------
> 
> Diffstat:
> 
>  Documentation/netlink/specs/handshake.yaml         |   8 +
>  Makefile                                           |   4 +-
>  arch/arm64/include/asm/kvm_host.h                  |   2 +-
>  arch/arm64/include/asm/tlb.h                       |   2 +-
>  arch/arm64/kvm/hyp/include/hyp/switch.h            |  16 +-
>  arch/arm64/kvm/nested.c                            |   5 +
>  arch/arm64/kvm/pmu-emul.c                          |   4 +-
>  arch/arm64/kvm/sys_regs.c                          |  11 +-
>  arch/mips/dec/platform.c                           | 109 ++++++++++-
>  arch/riscv/include/asm/syscall_wrapper.h           |   4 +
>  arch/x86/kernel/cpu/cpuid-deps.c                   |   1 +
>  arch/x86/kernel/fpu/signal.c                       |  11 +-
>  arch/x86/kernel/ftrace.c                           |   7 +
>  arch/x86/kvm/svm/avic.c                            |  35 +++-
>  arch/x86/kvm/svm/sev.c                             |  76 ++++---
>  drivers/accel/rocket/rocket_gem.c                  |  17 +-
>  drivers/android/binder/allocation.rs               |   8 +
>  drivers/android/binder/process.rs                  |   7 +-
>  drivers/android/binder/transaction.rs              |  11 +-
>  drivers/auxdisplay/line-display.c                  |   2 +-
>  drivers/bluetooth/btusb.c                          |   8 +-
>  drivers/bluetooth/hci_qca.c                        |  42 ++--
>  drivers/comedi/drivers/comedi_test.c               |   5 +-
>  drivers/counter/counter-core.c                     |   3 +-
>  drivers/cpufreq/intel_pstate.c                     |  13 +-
>  drivers/gpio/gpio-adnp.c                           |   4 +-
>  drivers/gpio/gpio-mxc.c                            |   2 +-
>  drivers/gpio/gpio-rockchip.c                       |  23 ++-
>  drivers/gpio/gpio-virtuser.c                       |   4 +-
>  drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c            |  11 +-
>  drivers/gpu/drm/amd/amdgpu/amdgpu_hmm.c            |   1 +
>  drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c             |   7 +-
>  drivers/gpu/drm/amd/amdkfd/kfd_chardev.c           |  10 +-
>  .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c  |   8 +-
>  drivers/gpu/drm/amd/amdkfd/kfd_svm.c               |   3 +
>  drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c         |   4 +
>  drivers/gpu/drm/bridge/sil-sii8620.c               |   1 +
>  drivers/gpu/drm/drm_gem.c                          |   2 +
>  drivers/gpu/drm/hyperv/hyperv_drm_proto.c          | 113 +++++++++--
>  drivers/gpu/drm/i915/display/intel_display_core.h  |   1 +
>  drivers/gpu/drm/i915/display/intel_display_irq.c   |   8 +-
>  drivers/gpu/drm/i915/display/intel_display_types.h |   3 +
>  drivers/gpu/drm/i915/display/intel_dpcd.h          |  15 ++
>  drivers/gpu/drm/i915/display/intel_psr.c           |  60 ++++--
>  drivers/gpu/drm/i915/gem/i915_gem_ttm.c            |  28 +--
>  drivers/gpu/drm/xe/xe_guc_ads.c                    |   5 +
>  drivers/hid/hid-ids.h                              |   1 +
>  drivers/hid/hid-picolcd_cir.c                      |   1 +
>  drivers/hid/hid-quirks.c                           |   1 +
>  drivers/hid/wacom_sys.c                            |  13 +-
>  drivers/hid/wacom_wac.h                            |   1 +
>  drivers/hwmon/pmbus/adm1266.c                      |   7 +
>  drivers/hwmon/pmbus/pmbus.h                        |   5 +
>  drivers/hwmon/pmbus/pmbus_core.c                   |   8 +
>  drivers/i2c/busses/i2c-davinci.c                   |   2 +-
>  drivers/iio/adc/ad4695.c                           |  23 +--
>  drivers/iio/adc/mt6359-auxadc.c                    |   1 +
>  drivers/iio/adc/npcm_adc.c                         |  25 +--
>  drivers/iio/adc/viperboard_adc.c                   |   4 +-
>  drivers/iio/adc/xilinx-xadc-core.c                 |  11 +-
>  drivers/iio/buffer/industrialio-hw-consumer.c      |   4 +-
>  drivers/iio/chemical/mhz19b.c                      |  17 ++
>  drivers/iio/chemical/scd30_core.c                  |   2 +-
>  drivers/iio/common/ssp_sensors/ssp_dev.c           |   1 +
>  drivers/iio/dac/ad3530r.c                          |  54 +++--
>  drivers/iio/dac/ad5686.c                           |  56 ++++--
>  drivers/iio/dac/ad5686.h                           |   1 +
>  drivers/iio/dac/max5821.c                          |   9 +-
>  drivers/iio/gyro/adis16260.c                       |   3 +
>  drivers/iio/gyro/itg3200_buffer.c                  |   2 +-
>  drivers/iio/imu/adis16550.c                        |   2 +-
>  drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c     |   2 +-
>  drivers/iio/industrialio-buffer.c                  |   1 +
>  drivers/iio/inkern.c                               |   6 +-
>  drivers/iio/light/cm3323.c                         |   5 +-
>  drivers/iio/light/veml6070.c                       |  14 +-
>  drivers/iio/magnetometer/st_magn_core.c            |  13 +-
>  drivers/iio/pressure/bmp280-core.c                 |   2 +-
>  drivers/iio/temperature/tsys01.c                   |   2 +-
>  drivers/input/joystick/xpad.c                      |  14 +-
>  drivers/input/misc/ims-pcu.c                       |   2 +-
>  drivers/input/mouse/elan_i2c_core.c                |   5 +
>  drivers/input/mouse/synaptics.c                    |   1 +
>  drivers/input/touchscreen/atmel_mxt_ts.c           |   2 +-
>  drivers/input/touchscreen/usbtouchscreen.c         |   5 +
>  drivers/iommu/io-pgtable-arm-v7s.c                 |  18 +-
>  drivers/mailbox/mailbox.c                          |  15 +-
>  drivers/mailbox/tegra-hsp.c                        |   2 +-
>  drivers/md/bcache/super.c                          |   3 +-
>  drivers/media/cec/core/cec-core.c                  |   2 +-
>  drivers/media/common/siano/smsir.c                 |   1 +
>  drivers/media/i2c/ir-kbd-i2c.c                     |   2 +
>  drivers/media/pci/bt8xx/bttv-input.c               |   3 +-
>  drivers/media/pci/cx23885/cx23885-input.c          |   1 +
>  drivers/media/pci/cx88/cx88-input.c                |   3 +-
>  drivers/media/pci/dm1105/dm1105.c                  |   1 +
>  drivers/media/pci/mantis/mantis_input.c            |   1 +
>  drivers/media/pci/saa7134/saa7134-input.c          |   1 +
>  drivers/media/pci/smipcie/smipcie-ir.c             |   1 +
>  drivers/media/pci/ttpci/budget-ci.c                |   1 +
>  drivers/media/rc/ati_remote.c                      |   6 +-
>  drivers/media/rc/ene_ir.c                          |   2 +-
>  drivers/media/rc/fintek-cir.c                      |   3 +-
>  drivers/media/rc/igorplugusb.c                     |   3 +-
>  drivers/media/rc/iguanair.c                        |   1 +
>  drivers/media/rc/img-ir/img-ir-hw.c                |   3 +-
>  drivers/media/rc/img-ir/img-ir-raw.c               |   3 +-
>  drivers/media/rc/imon.c                            |   3 +-
>  drivers/media/rc/ir-hix5hd2.c                      |   2 +-
>  drivers/media/rc/ir_toy.c                          |   1 +
>  drivers/media/rc/ite-cir.c                         |   2 +-
>  drivers/media/rc/mceusb.c                          |   1 +
>  drivers/media/rc/rc-ir-raw.c                       |   5 -
>  drivers/media/rc/rc-loopback.c                     |   1 +
>  drivers/media/rc/rc-main.c                         |   6 +-
>  drivers/media/rc/redrat3.c                         |   4 +-
>  drivers/media/rc/st_rc.c                           |   2 +-
>  drivers/media/rc/streamzap.c                       |   7 +-
>  drivers/media/rc/sunxi-cir.c                       |   1 +
>  drivers/media/rc/ttusbir.c                         |   4 +-
>  drivers/media/rc/winbond-cir.c                     |   2 +-
>  drivers/media/rc/xbox_remote.c                     |   5 +-
>  drivers/media/usb/au0828/au0828-input.c            |   1 +
>  drivers/media/usb/dvb-usb-v2/dvb_usb_core.c        |   1 +
>  drivers/media/usb/dvb-usb/dvb-usb-remote.c         |   6 +-
>  drivers/media/usb/em28xx/em28xx-input.c            |   1 +
>  drivers/misc/rp1/rp1_pci.c                         |   1 +
>  drivers/net/bonding/bond_main.c                    |   6 +
>  drivers/net/ethernet/hisilicon/hibmcge/hbg_main.c  |   3 +
>  .../ethernet/marvell/octeontx2/nic/otx2_common.c   |   2 +
>  .../mellanox/mlx5/core/steering/hws/fs_hws.c       |   4 +-
>  drivers/net/ethernet/microsoft/mana/mana_en.c      |  78 +++++---
>  drivers/net/macsec.c                               |   3 +-
>  drivers/net/phy/micrel.c                           |  15 +-
>  drivers/net/phy/mscc/mscc.h                        |   8 +-
>  drivers/net/phy/mscc/mscc_main.c                   |  23 +--
>  drivers/net/team/team_core.c                       |  51 +++--
>  drivers/net/team/team_mode_loadbalance.c           |   4 +-
>  drivers/net/tun.c                                  |   5 +-
>  drivers/net/vxlan/vxlan_core.c                     |   4 +-
>  drivers/net/wireguard/send.c                       |  20 +-
>  drivers/nfc/nxp-nci/i2c.c                          |  21 +-
>  drivers/nvme/host/tcp.c                            |   2 +-
>  drivers/parport/share.c                            |  11 +-
>  drivers/platform/x86/intel/vsec.c                  |  91 ++++-----
>  drivers/s390/cio/chsc.c                            |   4 +-
>  drivers/s390/cio/chsc_sch.c                        |  20 +-
>  drivers/s390/cio/scm.c                             |   2 +-
>  drivers/scsi/fcoe/fcoe_ctlr.c                      |   2 +-
>  drivers/scsi/scsi_lib.c                            |  27 ++-
>  drivers/scsi/scsi_transport_fc.c                   |  77 ++++----
>  drivers/spi/spi-mem.c                              |  15 +-
>  drivers/staging/gpib/cb7210/cb7210.c               |  10 +-
>  drivers/staging/media/av7110/av7110_ir.c           |   1 +
>  drivers/target/iscsi/iscsi_target.c                |   5 +-
>  drivers/target/iscsi/iscsi_target_auth.c           |  19 +-
>  drivers/target/iscsi/iscsi_target_nego.c           |   7 +-
>  drivers/target/iscsi/iscsi_target_parameters.c     |  62 ++++--
>  drivers/target/iscsi/iscsi_target_parameters.h     |   2 +-
>  drivers/thunderbolt/property.c                     |  32 ++-
>  drivers/tty/serdev/core.c                          |  21 ++
>  drivers/tty/serial/8250/8250_dw.c                  |   2 +-
>  drivers/tty/serial/8250/8250_port.c                |   7 +-
>  drivers/tty/serial/altera_jtaguart.c               |   7 +-
>  drivers/tty/serial/dz.c                            | 171 ++++++++--------
>  drivers/tty/serial/fsl_lpuart.c                    |  15 +-
>  drivers/tty/serial/pch_uart.c                      |  19 +-
>  drivers/tty/serial/qcom_geni_serial.c              |  16 +-
>  drivers/tty/serial/samsung_tty.c                   |   8 -
>  drivers/tty/serial/sh-sci.c                        |   2 +-
>  drivers/tty/serial/zs.c                            | 218 ++++++++-------------
>  drivers/tty/serial/zs.h                            |   1 -
>  drivers/usb/cdns3/cdns3-gadget.c                   |  12 +-
>  drivers/usb/cdns3/cdns3-plat.c                     |  11 +-
>  drivers/usb/chipidea/core.c                        |  16 +-
>  drivers/usb/class/cdc-acm.c                        |   2 -
>  drivers/usb/class/cdc-acm.h                        |   2 +
>  drivers/usb/class/usbtmc.c                         |  14 ++
>  drivers/usb/core/config.c                          |   9 +-
>  drivers/usb/core/quirks.c                          |   4 +
>  drivers/usb/dwc2/hcd.c                             |   4 +-
>  drivers/usb/dwc3/dwc3-xilinx.c                     |  27 +--
>  drivers/usb/gadget/composite.c                     |   5 +-
>  drivers/usb/gadget/function/f_fs.c                 |  26 ++-
>  drivers/usb/gadget/function/f_hid.c                |   3 +-
>  drivers/usb/gadget/function/f_uvc.c                |  28 ++-
>  drivers/usb/gadget/udc/dummy_hcd.c                 |   4 +
>  drivers/usb/gadget/udc/net2280.c                   |   4 +-
>  drivers/usb/host/xhci-tegra.c                      |  77 ++++----
>  drivers/usb/musb/omap2430.c                        |   3 +-
>  drivers/usb/serial/belkin_sa.c                     |   3 +
>  drivers/usb/serial/cypress_m8.c                    |  20 +-
>  drivers/usb/serial/digi_acceleport.c               |  23 ++-
>  drivers/usb/serial/keyspan.c                       |   4 +
>  drivers/usb/serial/mct_u232.c                      |  26 ++-
>  drivers/usb/serial/mxuport.c                       |   8 +
>  drivers/usb/serial/omninet.c                       |   9 +-
>  drivers/usb/serial/option.c                        |   9 +-
>  drivers/usb/serial/safe_serial.c                   |  11 ++
>  drivers/usb/storage/unusual_uas.h                  |   7 +
>  drivers/usb/typec/altmodes/displayport.c           |   2 +
>  drivers/usb/typec/tcpm/tcpci_maxim_core.c          |   9 +
>  drivers/usb/typec/tcpm/tcpm.c                      | 117 ++++++-----
>  drivers/usb/typec/tcpm/wcove.c                     |  13 +-
>  drivers/usb/typec/tipd/core.c                      |   1 +
>  drivers/usb/typec/ucsi/displayport.c               |   4 +
>  drivers/usb/typec/ucsi/ucsi.c                      |  24 ++-
>  drivers/usb/typec/ucsi/ucsi_ccg.c                  |   5 +
>  drivers/usb/usbip/vudc_dev.c                       |   1 +
>  drivers/usb/usbip/vudc_transfer.c                  |   3 +-
>  fs/hpfs/alloc.c                                    |   2 +-
>  fs/smb/client/cifsacl.c                            | 116 ++++++++---
>  fs/smb/client/smb2pdu.c                            |   2 +-
>  fs/smb/server/smb2pdu.c                            |  11 ++
>  fs/smb/server/smbacl.c                             |   8 +-
>  include/kunit/test.h                               |   1 +
>  include/linux/compat.h                             |   4 +
>  include/linux/compiler-clang.h                     |   6 +
>  include/linux/compiler_attributes.h                |  11 ++
>  include/linux/compiler_types.h                     |   4 +
>  include/linux/hid.h                                |   2 -
>  include/linux/if_team.h                            |   3 +-
>  include/linux/intel_vsec.h                         |   4 +-
>  include/linux/mailbox_controller.h                 |   3 +
>  include/linux/parport.h                            |   1 +
>  include/linux/serdev.h                             |   1 +
>  include/linux/serial_core.h                        |  12 ++
>  include/linux/syscalls.h                           |   4 +
>  include/media/rc-core.h                            |   2 -
>  include/net/netfilter/nf_tables.h                  |   7 +
>  include/net/xfrm.h                                 |   3 +-
>  ipc/util.c                                         |   2 +-
>  kernel/fork.c                                      |  11 +-
>  lib/debugobjects.c                                 |   2 +-
>  lib/kunit/executor.c                               |  19 +-
>  lib/kunit/test.c                                   |   1 +
>  mm/damon/sysfs-schemes.c                           |   8 +-
>  mm/memcontrol.c                                    |   6 +
>  mm/memfd.c                                         |  12 +-
>  mm/rmap.c                                          |   2 +
>  mm/slab_common.c                                   |   2 +
>  mm/slub.c                                          |   1 +
>  net/bluetooth/6lowpan.c                            |   2 +
>  net/bluetooth/hci_conn.c                           |   4 +-
>  net/bluetooth/hci_sync.c                           |  16 +-
>  net/bluetooth/hidp/core.c                          |  23 ++-
>  net/bluetooth/iso.c                                |  12 +-
>  net/bluetooth/l2cap_core.c                         |  41 +++-
>  net/bluetooth/l2cap_sock.c                         |  16 +-
>  net/bridge/br_netlink.c                            |  17 +-
>  net/bridge/br_switchdev.c                          |   1 -
>  net/bridge/br_sysfs_if.c                           |  30 ++-
>  net/bridge/netfilter/ebtables.c                    |  30 +++
>  net/core/devmem.c                                  |  11 ++
>  net/core/filter.c                                  |   2 +-
>  net/core/skbuff.c                                  |  45 ++++-
>  net/ethtool/cmis.h                                 |   4 +-
>  net/ethtool/cmis_cdb.c                             |   9 +-
>  net/ethtool/cmis_fw_update.c                       |  44 +++--
>  net/ethtool/coalesce.c                             |   6 +
>  net/ethtool/eeprom.c                               |  10 +-
>  net/ethtool/linkstate.c                            |   6 +-
>  net/ethtool/module.c                               |  41 ++--
>  net/ethtool/netlink.c                              |   4 +-
>  net/ethtool/netlink.h                              |   4 +-
>  net/ethtool/pse-pd.c                               |  10 +-
>  net/ethtool/rss.c                                  |  37 ++--
>  net/ethtool/strset.c                               |   2 +-
>  net/ethtool/tsconfig.c                             |  15 +-
>  net/ethtool/tsinfo.c                               |  19 +-
>  net/handshake/genl.c                               |   3 +-
>  net/handshake/genl.h                               |   1 +
>  net/handshake/handshake-test.c                     |   2 +-
>  net/handshake/handshake.h                          |   4 +-
>  net/handshake/netlink.c                            |   6 +-
>  net/handshake/request.c                            |  16 +-
>  net/handshake/tlshd.c                              |   6 +-
>  net/hsr/hsr_forward.c                              |   4 +-
>  net/ipv4/ah4.c                                     |   2 +-
>  net/ipv4/esp4.c                                    |   4 +-
>  net/ipv4/ip_tunnel_core.c                          |  22 ++-
>  net/ipv4/sysctl_net_ipv4.c                         |   2 +-
>  net/ipv6/ah6.c                                     |   2 +-
>  net/ipv6/datagram.c                                |  54 ++++-
>  net/ipv6/esp6.c                                    |   4 +-
>  net/ipv6/exthdrs.c                                 |   6 +-
>  net/ipv6/ip6_vti.c                                 |  23 ++-
>  net/ipv6/route.c                                   |   5 +
>  net/iucv/af_iucv.c                                 |  20 +-
>  net/key/af_key.c                                   |   6 +-
>  net/l2tp/l2tp_core.c                               |  11 +-
>  net/mctp/device.c                                  |   1 +
>  net/mctp/neigh.c                                   |   1 +
>  net/mctp/route.c                                   |   1 +
>  net/mptcp/fastopen.c                               |   4 +-
>  net/mptcp/mib.c                                    |   1 -
>  net/mptcp/mib.h                                    |   1 -
>  net/mptcp/protocol.c                               |  65 ++++--
>  net/mptcp/protocol.h                               |  31 ++-
>  net/mptcp/subflow.c                                |   8 +-
>  net/netfilter/nf_conntrack_proto_tcp.c             |   3 +-
>  net/netfilter/nf_synproxy_core.c                   |   2 +
>  net/netfilter/nft_bitwise.c                        |  18 +-
>  net/netfilter/nft_byteorder.c                      |  13 +-
>  net/netfilter/xt_cpu.c                             |   2 +-
>  net/netlink/af_netlink.c                           |  11 +-
>  net/nfc/hci/core.c                                 |  10 +
>  net/nfc/llcp_core.c                                |  11 ++
>  net/nfc/llcp_sock.c                                |   2 +
>  net/nfc/nci/hci.c                                  |  10 +
>  net/rxrpc/ar-internal.h                            |  14 +-
>  net/rxrpc/call_event.c                             |  22 +--
>  net/rxrpc/call_object.c                            |   2 +
>  net/rxrpc/conn_event.c                             |  30 ++-
>  net/rxrpc/insecure.c                               |   8 +-
>  net/rxrpc/recvmsg.c                                |  68 +++++--
>  net/rxrpc/rxgk.c                                   | 147 ++++++--------
>  net/rxrpc/rxgk_app.c                               |  46 ++---
>  net/rxrpc/rxgk_common.h                            |  66 +++----
>  net/rxrpc/rxkad.c                                  | 115 ++++-------
>  net/sched/cls_fw.c                                 |   6 +-
>  net/sched/sch_netem.c                              |  40 ----
>  net/sched/sch_sfb.c                                |   2 +-
>  net/sctp/socket.c                                  |   2 +
>  net/smc/af_smc.c                                   |   4 +-
>  net/vmw_vsock/af_vsock.c                           |  49 +++--
>  net/vmw_vsock/hyperv_transport.c                   |   9 +-
>  net/vmw_vsock/virtio_transport_common.c            |  26 ++-
>  net/vmw_vsock/vmci_transport.c                     |   8 +-
>  net/xfrm/xfrm_input.c                              |  16 +-
>  net/xfrm/xfrm_ipcomp.c                             |  12 +-
>  net/xfrm/xfrm_iptfs.c                              |  29 ++-
>  net/xfrm/xfrm_policy.c                             |  17 +-
>  net/xfrm/xfrm_state.c                              |  23 ++-
>  net/xfrm/xfrm_user.c                               |   5 +-
>  sound/core/oss/pcm_oss.c                           |  18 +-
>  .../motu/motu-register-dsp-message-parser.c        |  11 +-
>  sound/hda/codecs/realtek/alc269.c                  |   1 +
>  sound/soc/codecs/simple-mux.c                      |   2 +-
>  sound/soc/intel/boards/bytcht_es8316.c             |  29 ++-
>  sound/soc/qcom/qdsp6/q6asm-dai.c                   |  43 ++--
>  sound/usb/mixer_scarlett2.c                        |  33 +++-
>  tools/bootconfig/main.c                            |   4 +-
>  tools/testing/cxl/test/cxl.c                       | 105 ++++------
>  tools/testing/selftests/net/mptcp/mptcp_connect.sh |   6 +-
>  tools/testing/selftests/net/mptcp/mptcp_lib.sh     |  10 +-
>  346 files changed, 3284 insertions(+), 1733 deletions(-)
> 
> 

-- 

* Re: [PATCH 6.12 000/307] 6.12.93-rc1 review
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (303 preceding siblings ...)
  2026-06-07 10:01 ` [PATCH 6.12 307/307] memfd: deny writeable mappings when implying SEAL_WRITE Greg Kroah-Hartman
@ 2026-06-07 17:00 ` Pavel Machek
  2026-06-07 17:32 ` Miguel Ojeda
  2026-06-07 19:45 ` Peter Schneider
  306 siblings, 0 replies; 630+ messages in thread
From: Pavel Machek @ 2026-06-07 17:00 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr

Hi!

> This is the start of the stable review cycle for the 6.12.93 release.
> There are 307 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.


CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.12.y

Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>

Best regards,
                                                                Pavel

* Re: [PATCH 6.18 000/315] 6.18.35-rc1 review
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (314 preceding siblings ...)
  2026-06-07 16:58 ` [PATCH 6.18 000/315] 6.18.35-rc1 review Pavel Machek
@ 2026-06-07 17:04 ` Miguel Ojeda
  2026-06-07 20:40 ` Peter Schneider
  316 siblings, 0 replies; 630+ messages in thread
From: Miguel Ojeda @ 2026-06-07 17:04 UTC (permalink / raw)
  To: gregkh
  Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
	linux-kernel, linux, lkft-triage, patches, patches, pavel,
	rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
	Miguel Ojeda, Marc Zyngier, Joey Gouly, Suzuki K Poulose,
	Oliver Upton, Zenghui Yu, Fuad Tabba, Will Deacon,
	Catalin Marinas, Steffen Eiden, Mark Rutland, kvmarm,
	linux-arm-kernel, kvm

On Sun, 07 Jun 2026 11:56:27 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.35 release.
> There are 315 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 09 Jun 2026 09:56:45 +0000.
> Anything received after that time might be too late.

Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; build-tested
for loongarch64:

Tested-by: Miguel Ojeda <ojeda@kernel.org>

arm32 builds fine too.

However, on arm64 I am seeing:

    arch/arm64/kvm/nested.c:1776:2: error: use of undeclared identifier 'resx'
     1776 |         resx.res0 = ZCR_ELx_RES0 | GENMASK_ULL(8, 4);
          |         ^
    arch/arm64/kvm/nested.c:1777:2: error: use of undeclared identifier 'resx'
     1777 |         resx.res1 = ZCR_ELx_RES1;
          |         ^
    arch/arm64/kvm/nested.c:1778:33: error: use of undeclared identifier 'resx'
     1778 |         set_sysreg_masks(kvm, ZCR_EL2, resx);
          |                                        ^

Due to commit 10206eaad1b9 ("KVM: arm64: Correctly cap ZCR_EL2 provided
by a guest hypervisor") here.

`resx` indeed doesn't exist, and it seems like it was added by commits
0879478913dd ("KVM: arm64: Introduce data structure tracking both RES0
and RES1 bits") etc., which are in 7.0, from this series:

  https://lore.kernel.org/all/20260202184329.2724080-1-maz@kernel.org/

So either we make a targeted backport or backport some commits, no?

I hope that helps!

Cc: Mark Brown <broonie@kernel.org>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Joey Gouly <joey.gouly@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: Oliver Upton <oupton@kernel.org>
Cc: Zenghui Yu <yuzenghui@huawei.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Will Deacon <will@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Steffen Eiden <seiden@linux.ibm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: kvmarm@lists.linux.dev
Cc: linux-arm-kernel@lists.infradead.org
Cc: kvm@vger.kernel.org

Cheers,
Miguel

* Re: [PATCH 6.12 000/307] 6.12.93-rc1 review
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (304 preceding siblings ...)
  2026-06-07 17:00 ` [PATCH 6.12 000/307] 6.12.93-rc1 review Pavel Machek
@ 2026-06-07 17:32 ` Miguel Ojeda
  2026-06-07 19:45 ` Peter Schneider
  306 siblings, 0 replies; 630+ messages in thread
From: Miguel Ojeda @ 2026-06-07 17:32 UTC (permalink / raw)
  To: gregkh
  Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
	linux-kernel, linux, lkft-triage, patches, patches, pavel,
	rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
	Miguel Ojeda, Kito Xu (veritas501), Victor Nogueira, Paolo Abeni,
	Jamal Hadi Salim, Jiri Pirko, netdev

On Sun, 07 Jun 2026 11:56:37 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.12.93 release.
> There are 307 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 09 Jun 2026 09:56:47 +0000.
> Anything received after that time might be too late.

Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; build-tested
for loongarch64:

Tested-by: Miguel Ojeda <ojeda@kernel.org>

arm32 also builds fine.

On arm64, I am seeing:

    net/sched/act_mirred.c:451:43: warning: variable 'm_eaction' is uninitialized when used here [-Wuninitialized]
      451 |         is_redirect = tcf_mirred_is_act_redirect(m_eaction);
          |                                                  ^~~~~~~~~
    net/sched/act_mirred.c:429:18: note: initialize the variable 'm_eaction' to silence this warning
      429 |         int i, m_eaction;
          |                         ^
          |                          = 0

due to commit a01fbdecc3a2 ("net/sched: act_mirred: Fix return code in
early mirred redirect error paths") here.

And that one seems to be missing at least the assignment to the variable
that happened in commit a005fa5d7502 ("net/sched: act_mirred: Fix
blockcast recursion bypass leading to stack overflow").

I hope this helps!

Cc: Kito Xu (veritas501) <hxzene@gmail.com>
Cc: Victor Nogueira <victor@mojatatu.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: netdev@vger.kernel.org

Cheers,
Miguel

* Re: [PATCH 6.18 141/315] KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor
  2026-06-07  9:58 ` [PATCH 6.18 141/315] KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor Greg Kroah-Hartman
@ 2026-06-07 17:47   ` Marc Zyngier
  0 siblings, 0 replies; 630+ messages in thread
From: Marc Zyngier @ 2026-06-07 17:47 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: stable, patches, Mark Brown

On Sun, 07 Jun 2026 10:58:48 +0100,
Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> 
> 6.18-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Mark Brown <broonie@kernel.org>
> 
> commit 83726330748981372bde86ed5411d7b306612991 upstream.
> 
> ZCR_EL2 can be updated by a VHE guest hypervisor either using ZCR_EL2
> (which traps) or ZCR_EL1 (which does not trap). KVM handles both in
> different ways:
> 
> - on ZCR_EL2 trap, ZCR_EL2.LEN is immediately capped at the VM's own
>   VL limit. This has the potential to break existing SW that relies
>   on the full LEN field to be stateful.
> 
> - on ZCR_EL1 access, we do absolutely nothing.
> 
> On restoring the SVE context for an L2 guest, we directly restore the
> guest hypervisor's view of ZCR_EL2 into the physical ZCR_EL2. If the
> guest's view of the register was updated using the ZCR_EL2 accessor,
> the value has already been sanitised (with the caveat mentioned above).
> 
> But if the guest used ZCR_EL1, the raw value is written into the HW,
> and the L2 guest can now access VLs that it shouldn't.
> 
> Fix all the above by moving the VL capping to the restore points,
> ensuring that:
> 
> - the HW is always programmed with a capped value, irrespective of
>   the accessor being used,
> 
> - the ZCR_EL2.LEN field is always completely stateful, irrespective
>   of the accessor being used.
> 
> Additionally, move ZCR_EL2 to be a sanitised register, ensuring that
> only the LEN field is actually stateful. This requires some creative
> construction of the RES0 mask, as the sysreg generation script does
> not yet generate RAZ/WI fields.
> 
> Fixes: b3d29a823099 ("KVM: arm64: nv: Handle ZCR_EL2 traps")
> Signed-off-by: Mark Brown <broonie@kernel.org>
> Cc: stable@vger.kernel.org
> Link: https://patch.msgid.link/20260529-kvm-arm64-fix-zcr-len-nv-v2-1-86cad51992bd@kernel.org
> [maz: rewrote commit message, tidy up access_zcr_el2()]
> Signed-off-by: Marc Zyngier <maz@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

As pointed out by Miguel at [1], this doesn't backport cleanly before
7.0. I'll provide a backport separately, so please drop this for now.

Thanks,

	M.

[1] https://lore.kernel.org/r/20260607170440.90814-1-ojeda@kernel.org

-- 
Jazz isn't dead. It just smells funny.
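
The capping logic described in the quoted commit message, as a simplified model added here (not KVM code): it contrasts capping ZCR_EL2.LEN at the trap with capping it at the restore point, and shows why the untrapped ZCR_EL1 path leaked uncapped VLs to the L2 guest. Assumptions: ZCR_ELx.LEN is bits [3:0], every other bit is treated as RES0 by the model, and the struct and function names are constructed for illustration.

```c
/*
 * Model of the two ZCR_EL2 handling strategies from the commit message.
 * Added example, not kernel code: vm_ctx, old_*, new_* and the mask
 * macros are constructed for illustration only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ZCR_ELx.LEN lives in bits [3:0]; the model treats all other bits as RES0. */
#define ZCR_LEN_MASK	0xfULL
#define ZCR_MODEL_RES0	(~ZCR_LEN_MASK)

struct vm_ctx {
	uint64_t guest_zcr_el2;	/* guest hypervisor's (L1) view of ZCR_EL2 */
	uint64_t hw_zcr_el2;	/* value the model "programs into the HW" on restore */
	uint64_t max_len;	/* the VM's own VL limit, expressed as a LEN value */
};

/* Clamp the LEN field to the VM's limit, leaving the other bits alone. */
static uint64_t cap_len(uint64_t val, uint64_t max_len)
{
	uint64_t len = val & ZCR_LEN_MASK;

	if (len > max_len)
		len = max_len;
	return (val & ~ZCR_LEN_MASK) | len;
}

/* Sanitised register: only the LEN field is stateful, RES0 bits read as zero. */
static uint64_t sanitise(uint64_t val)
{
	return val & ~ZCR_MODEL_RES0;
}

/* --- old behaviour --- */

/* ZCR_EL2 write traps: the stored value is capped immediately, so the
 * guest can no longer read back the LEN it wrote (LEN is not stateful). */
static void old_write_zcr_el2_trap(struct vm_ctx *vm, uint64_t val)
{
	vm->guest_zcr_el2 = cap_len(val, vm->max_len);
}

/* ZCR_EL1 write does not trap: nothing sanitises or caps the value. */
static void old_write_zcr_el1_untrapped(struct vm_ctx *vm, uint64_t val)
{
	vm->guest_zcr_el2 = val;
}

/* Restore for L2: the raw guest view goes straight into the HW. */
static void old_restore(struct vm_ctx *vm)
{
	vm->hw_zcr_el2 = vm->guest_zcr_el2;
}

/* --- fixed behaviour: sanitise on write, cap at the restore point --- */

static void new_write(struct vm_ctx *vm, uint64_t val)
{
	vm->guest_zcr_el2 = sanitise(val);	/* LEN stays fully stateful */
}

static void new_restore(struct vm_ctx *vm)
{
	vm->hw_zcr_el2 = cap_len(vm->guest_zcr_el2, vm->max_len);
}

/* Would the HW state let the L2 guest use a VL beyond the VM's limit? */
static bool hw_exceeds_limit(const struct vm_ctx *vm)
{
	return (vm->hw_zcr_el2 & ZCR_LEN_MASK) > vm->max_len;
}

/* Scenario 1: L1 requests LEN=15 via untrapped ZCR_EL1 on a VM limited to
 * LEN=3.  With the old code the HW ends up with LEN=15 (true = leak). */
static bool old_path_leaks_vl(void)
{
	struct vm_ctx vm = { .max_len = 3 };

	old_write_zcr_el1_untrapped(&vm, 15);
	old_restore(&vm);
	return hw_exceeds_limit(&vm);
}

/* Scenario 2: same request (plus a stray RES0 bit) through the fixed path.
 * The guest view keeps LEN=15, the HW is programmed with LEN=3. */
static bool new_path_caps_and_keeps_state(void)
{
	struct vm_ctx vm = { .max_len = 3 };

	new_write(&vm, 15 | (1ULL << 20));
	new_restore(&vm);
	return !hw_exceeds_limit(&vm) && vm.guest_zcr_el2 == 15 &&
	       vm.hw_zcr_el2 == 3;
}

/* Scenario 3: the old trapped ZCR_EL2 path loses the written LEN. */
static bool old_trap_path_loses_state(void)
{
	struct vm_ctx vm = { .max_len = 3 };

	old_write_zcr_el2_trap(&vm, 15);
	return vm.guest_zcr_el2 != 15;	/* stored value is the capped 3 */
}

int main(void)
{
	printf("old ZCR_EL1 path leaks uncapped VL to HW: %s\n",
	       old_path_leaks_vl() ? "yes" : "no");
	printf("new path caps HW and keeps LEN stateful:  %s\n",
	       new_path_caps_and_keeps_state() ? "yes" : "no");
	printf("old ZCR_EL2 trap path loses LEN state:    %s\n",
	       old_trap_path_loses_state() ? "yes" : "no");
	return 0;
}
```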

* Re: [PATCH 6.12 000/307] 6.12.93-rc1 review
  2026-06-07  9:56 [PATCH 6.12 000/307] 6.12.93-rc1 review Greg Kroah-Hartman
                   ` (305 preceding siblings ...)
  2026-06-07 17:32 ` Miguel Ojeda
@ 2026-06-07 19:45 ` Peter Schneider
  306 siblings, 0 replies; 630+ messages in thread
From: Peter Schneider @ 2026-06-07 19:45 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	rwarsow, conor, hargar, broonie, achill, sr

On 07.06.2026 at 11:56, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.93 release.
> There are 307 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.

Tested-by: Peter Schneider <pschneider1968@googlemail.com>


Best regards,
Peter Schneider

-- 
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you.                    -- David McCullough Jr.

OpenPGP:  0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com

* Re: [PATCH 6.18 000/315] 6.18.35-rc1 review
  2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
                   ` (315 preceding siblings ...)
  2026-06-07 17:04 ` Miguel Ojeda
@ 2026-06-07 20:40 ` Peter Schneider
  316 siblings, 0 replies; 630+ messages in thread
From: Peter Schneider @ 2026-06-07 20:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	rwarsow, conor, hargar, broonie, achill, sr

On 07.06.2026 at 11:56, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.35 release.
> There are 315 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.

Tested-by: Peter Schneider <pschneider1968@googlemail.com>


Best regards,
Peter Schneider

-- 
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you.                    -- David McCullough Jr.

OpenPGP:  0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com


2026-06-07 10:01 ` [PATCH 6.12 276/307] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 277/307] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 278/307] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 279/307] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 280/307] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 281/307] ring-buffer: Flush and stop persistent ring buffer on panic Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 282/307] mptcp: cleanup fallback dummy mapping generation Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 283/307] mptcp: reset rcv wnd on disconnect Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 284/307] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 285/307] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 286/307] mptcp: introduce the mptcp_init_skb helper Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 287/307] mptcp: handle first subflow closing consistently Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 288/307] mptcp: do not drop partial packets Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 289/307] mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 290/307] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 291/307] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 292/307] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 293/307] ALSA: firewire-motu: Protect register DSP event queue positions Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 294/307] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 295/307] usb: musb: omap2430: Fix use-after-free in omap2430_probe() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 296/307] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 297/307] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 298/307] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 299/307] usb: typec: ucsi: Don't update power_supply on power role change if not connected Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 300/307] x86/alternatives: Rename apply_relocation() to text_poke_apply_relocation() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 301/307] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 302/307] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 303/307] hwmon: (pmbus/adm1266) serialize NVMEM blackbox " Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 304/307] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses " Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 305/307] mm: perform all memfd seal checks in a single place Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 306/307] mm/memfd: fix spelling and grammatical issues Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.12 307/307] memfd: deny writeable mappings when implying SEAL_WRITE Greg Kroah-Hartman
2026-06-07 17:00 ` [PATCH 6.12 000/307] 6.12.93-rc1 review Pavel Machek
2026-06-07 17:32 ` Miguel Ojeda
2026-06-07 19:45 ` Peter Schneider
  -- strict thread matches above, loose matches on Subject: below --
2026-06-07  9:56 [PATCH 6.18 000/315] 6.18.35-rc1 review Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 001/315] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 002/315] net/sched: cls_fw: fix NULL dereference of "old" filters before change() Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 003/315] net: mctp: ensure our nlmsg responses are initialised Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 004/315] xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 005/315] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 006/315] bcache: fix uninitialized closure object Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 007/315] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 008/315] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 009/315] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 010/315] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 011/315] tools/bootconfig: Fix buf leaks in apply_xbc Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 012/315] HID: remove duplicate hid_warn_ratelimited definition Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 013/315] kunit: fix use-after-free in debugfs when using kunit.filter Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 014/315] accel/rocket: fix UAF via dangling GEM handle in create_bo Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 015/315] kernel/fork: validate exit_signal in kernel_clone() Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 016/315] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 017/315] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 018/315] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 019/315] netfilter: nf_tables: fix dst corruption in same register operation Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 020/315] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 021/315] tun: free page on build_skb failure " Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 022/315] vsock: keep poll shutdown state consistent Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 023/315] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 024/315] net: netlink: don't set nsid on local notifications Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 025/315] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 026/315] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 027/315] scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 028/315] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 029/315] ALSA: pcm: oss: Fix setup list UAF on proc write error Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 030/315] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 031/315] net/mlx5: HWS: Reject unsupported remove-header action Greg Kroah-Hartman
2026-06-07  9:56 ` [PATCH 6.18 032/315] net: hsr: fix potential OOB access in supervision frame handling Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 033/315] gpio: mxc: fix irq_high handling Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 034/315] net: team: Remove unused team_mode_op, port_enabled Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 035/315] net: team: Rename port_disabled team mode op to port_tx_disabled Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 036/315] net: team: fix NULL pointer dereference in team_xmit during mode change Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 037/315] net: Avoid checksumming unreadable skb tail on trim Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 038/315] ethtool: rss: avoid modifying the RSS context response Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 039/315] ethtool: rss: add missing errno on RSS context delete Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 040/315] ethtool: rss: fix falsely ignoring indir table updates Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 041/315] ethtool: rss: fix indir_table and hkey leak on get_rxfh failure Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 042/315] ethtool: rss: fix hkey leak when indir_size is 0 Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 043/315] ethtool: rss: avoid device context leak on reply-build failure Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 044/315] ethtool: module: call ethnl_ops_complete() on module flash errors Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 045/315] ethtool: module: avoid leaking a netdev ref " Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 046/315] ethtool: module: avoid racy updates to dev->ethtool bitfield Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 047/315] ethtool: module: check fw_flash_in_progress under rtnl_lock Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 048/315] ethtool: module: fix cleanup if socket used for flashing multiple devices Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 049/315] ethtool: cmis: require exact CDB reply length Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 050/315] ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 051/315] ethtool: cmis: validate start_cmd_payload_size from module Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 052/315] ethtool: cmis: validate fw->size against start_cmd_payload_size Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 053/315] cxl/test: Update mock dev array before calling platform_device_add() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 054/315] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 055/315] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 056/315] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 057/315] ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 058/315] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 059/315] drm/xe: Restore IDLEDLY register on engine reset Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 060/315] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 061/315] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 062/315] bridge: Fix sleep in atomic context in netlink path Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 063/315] bridge: Fix sleep in atomic context in sysfs path Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 064/315] ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 065/315] ethtool: tsconfig: fix reply error handling Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 066/315] ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 067/315] ethtool: pse-pd: fix missing ethnl_ops_complete() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 068/315] ethtool: tsconfig: " Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 069/315] ethtool: tsinfo: fix uninitialized stats on the by-PHC path Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 070/315] ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 071/315] ethtool: strset: fix header attribute index in ethnl_req_get_phydev() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 072/315] ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 073/315] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 074/315] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 075/315] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 076/315] net: hibmcge: disable Relaxed Ordering to fix RX packet corruption Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 077/315] net/handshake: Use spin_lock_bh for hn_lock Greg Kroah-Hartman
2026-06-07  9:57   ` [PATCH 6.12 073/307] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 078/315] nvme-tcp: store negative errno in queue->tls_err Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 079/315] net/handshake: Pass negative errno through handshake_complete() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 080/315] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 081/315] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 082/315] Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 083/315] Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 084/315] gpio: adnp: fix flow control regression caused by scoped_guard() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 085/315] gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 086/315] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 087/315] gpio: rockchip: teardown bugs and resource leaks Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 088/315] net: mana: Add NULL guards in teardown path to prevent panic on attach failure Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 089/315] net: mana: Skip redundant detach on already-detached port Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 090/315] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 091/315] vsock/virtio: bind uarg before filling zerocopy skb Greg Kroah-Hartman
2026-06-07  9:58   ` [PATCH 6.12 087/307] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
2026-06-07  9:57 ` [PATCH 6.18 092/315] ipv6: fix possible infinite loop in rt6_fill_node() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 093/315] ipv6: fix possible infinite loop in fib6_select_path() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 094/315] net: skbuff: fix pskb_carve leaking zcopy pages Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 095/315] media: rc: fix race between unregister and urb/irq callbacks Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 096/315] media: rc: ttusbir: fix inverted error logic Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 097/315] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 098/315] Revert "x86/fpu: Refine and simplify the magic number check during signal return" Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 099/315] s390/cio: Restore GFP_DMA for CHSC allocation Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 100/315] drm/i915/psr: Add definitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 101/315] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 102/315] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 103/315] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 104/315] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 105/315] iio: imu: adis16550: fix stack leak in trigger handler Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 106/315] iio: pressure: bmp280: fix stack leak in bmp580 " Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 107/315] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 108/315] usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 109/315] usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 110/315] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 111/315] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 112/315] usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 113/315] usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 114/315] usb: typec: ucsi: validate connector number in ucsi_connector_change() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 115/315] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 116/315] media: rc: igorplugusb: fix control request setup packet Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 117/315] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 118/315] HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 119/315] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 120/315] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 121/315] mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 122/315] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 123/315] mm: memcontrol: propagate NMI slab stats to memcg vmstats Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 124/315] memfd: deny writeable mappings when implying SEAL_WRITE Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 125/315] mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 126/315] auxdisplay: line-display: fix OOB read on zero-length message_store() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 127/315] smb: client: fix uninitialized variable in smb2_writev_callback Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 128/315] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 129/315] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 130/315] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 131/315] Bluetooth: ISO: fix UAF in iso_recv_frame Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 132/315] Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 133/315] Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 134/315] Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 135/315] Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 136/315] Input: xpad - fix out-of-bounds access for Share button Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 137/315] parport: Fix race between port and client registration Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 138/315] rust_binder: Avoid holding lock when dropping delivered_death Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 139/315] rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 140/315] USB: cdc-acm: Fix bit overlap and move quirk definitions to header Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 141/315] KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor Greg Kroah-Hartman
2026-06-07 17:47   ` Marc Zyngier
2026-06-07  9:58 ` [PATCH 6.18 142/315] KVM: arm64: PMU: Preserve AArch32 counter low bits Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 143/315] KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 144/315] KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 145/315] KVM: SEV: Ignore Port I/O requests of length 0 Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 146/315] KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 147/315] KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 148/315] KVM: SEV: Compute the correct max length of the in-GHCB scratch area Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 149/315] KVM: SEV: Check PSC request indices against the actual size of the buffer Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 150/315] KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 151/315] KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() Greg Kroah-Hartman
2026-06-07  9:58 ` [PATCH 6.18 152/315] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 153/315] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 154/315] iio: adc: npcm: fix unbalanced clk_disable_unprepare() Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 155/315] iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 156/315] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 157/315] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 158/315] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 159/315] iio: dac: ad5686: acquire lock when doing powerdown control Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 160/315] iio: dac: ad5686: fix powerdown control on dual-channel devices Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 161/315] iio: adc: mt6359: fix unchecked return value in mt6358_read_imp Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 162/315] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 163/315] iio: adc: ad4695: Fix call ordering in offload buffer postenable Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 164/315] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 165/315] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 166/315] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 167/315] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 168/315] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 169/315] iio: light: veml6070: Fix resource leak in probe error path Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 170/315] iio: Fix iio_multiply_value use in iio_read_channel_processed_scale Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 171/315] iio: chemical: mhz19b: reject oversized serial replies Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 172/315] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 173/315] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 174/315] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 175/315] iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 176/315] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 177/315] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 178/315] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 179/315] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 180/315] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 181/315] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 182/315] i2c: davinci: fix division by zero on missing clock-frequency Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 183/315] x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 184/315] wireguard: send: append trailer after expanding head Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 185/315] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 186/315] macsec: fix replay protection at XPN lower-PN wrap Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 187/315] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 188/315] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 189/315] ipv6: exthdrs: refresh nh after handling HAO option Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 190/315] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate() Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 191/315] ipv6: validate extension header length before copying to cmsg Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 192/315] xfrm: input: hold netns during deferred transport reinjection Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 193/315] l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 194/315] ip6: vti: Use ip6_tnl.net in vti6_changelink() Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 195/315] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 196/315] spi: spi-mem: avoid mutating op template in spi_mem_supports_op() Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 197/315] HID: wacom: Fix OOB write in wacom_hid_set_device_mode() Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 198/315] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 199/315] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 200/315] xfrm: route MIGRATE notifications to caller's netns Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 201/315] xfrm: ipcomp: Free destination pages on acomp errors Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 202/315] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 203/315] ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 204/315] ALSA: firewire-motu: Protect register DSP event queue positions Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 205/315] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 206/315] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 207/315] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 208/315] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 209/315] ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 210/315] Input: xpad - add "Nova 2 Lite" from GameSir Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 211/315] Input: xpad - add support for ASUS ROG RAIKIRI II Greg Kroah-Hartman
2026-06-07  9:59 ` [PATCH 6.18 212/315] ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 213/315] misc: rp1: Send IACK on IRQ activate to fix kdump/kexec Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 214/315] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 215/315] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 216/315] gpib: cb7210: Fix region leak when request_irq fails Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 217/315] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 218/315] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() Greg Kroah-Hartman
2026-06-07 10:00   ` [PATCH 6.12 214/307] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 219/315] counter: Fix refcount leak in counter_alloc() error path Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 220/315] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 221/315] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 222/315] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 223/315] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 224/315] usb: musb: omap2430: Fix use-after-free in omap2430_probe() Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 225/315] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 226/315] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 227/315] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 228/315] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 229/315] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 230/315] usb: typec: tipd: Fix error code in tps6598x_probe() Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 231/315] usb: typec: tcpm: improve handling of DISCOVER_MODES failures Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 232/315] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 233/315] usb: typec: ucsi: Dont update power_supply on power role change if not connected Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 234/315] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 235/315] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 236/315] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 237/315] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 238/315] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 239/315] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 240/315] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 241/315] usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 242/315] usb: gadget: net2280: Fix double free in probe error path Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 243/315] usb: gadget: f_hid: fix device reference leak in hidg_alloc() Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 244/315] usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 245/315] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 246/315] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 247/315] usb: gadget: f_fs: serialize DMABUF cancel against request completion Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 248/315] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 249/315] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 250/315] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 251/315] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 252/315] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 253/315] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 254/315] scsi: target: iscsi: Validate CHAP_R length before base64 decode Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 255/315] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 256/315] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 257/315] drm/gem: fix race between change_handle and handle_delete Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 258/315] drm/i915/psr: Block DC states on vblank enable when Panel Replay supported Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 259/315] drm/i915: Fix potential UAF in TTM object purge Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 260/315] drm/amd/pm/si: Disregard vblank time when no displays are connected Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 261/315] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 262/315] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 263/315] serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 264/315] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 265/315] serial: zs: Fix swapped RI/DSR modem line transition counting Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 266/315] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 267/315] drm/amdkfd: fix NULL pointer bug in svm_range_set_attr Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 268/315] drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 269/315] drm/amdkfd: Check for pdd drm file first in CRIU restore path Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 270/315] drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 271/315] drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx Greg Kroah-Hartman
2026-06-07 10:00 ` [PATCH 6.18 272/315] drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 273/315] serial: dz: Fix bootconsole message clobbering at chip reset Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 274/315] serial: dz: Fix bootconsole handover lockup Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 275/315] serial: dz: Convert to use a platform device Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 276/315] serial: zs: Fix bootconsole handover lockup Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 277/315] serial: zs: Switch to using channel reset Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 278/315] serial: zs: Convert to use a platform device Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 279/315] serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave) Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 280/315] serial: 8250: dispatch SysRq character in serial8250_handle_irq() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 281/315] serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 282/315] platform/x86/intel/vsec: Refactor base_addr handling Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 283/315] platform/x86/intel/vsec: Make driver_data info const Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 284/315] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 285/315] x86/mm: Disable broadcast TLB flush when PCID is disabled Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 286/315] rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 287/315] rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 288/315] serdev: Provide a bustype shutdown function Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 289/315] Bluetooth: hci_qca: Migrate to serdev specific shutdown function Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 290/315] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 291/315] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 292/315] net: devmem: reject dma-buf bind with non-page-aligned size or SG length Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 293/315] mptcp: handle first subflow closing consistently Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 294/315] mptcp: borrow forward memory from subflow Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 295/315] mptcp: do not drop partial packets Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 296/315] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 297/315] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 298/315] mptcp: cleanup fallback dummy mapping generation Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 299/315] mptcp: reset rcv wnd on disconnect Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 300/315] cpufreq: intel_pstate: Add and use hybrid_get_cpu_type() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 301/315] cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 302/315] xfrm: iptfs: reset runtime state when cloning SAs Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 303/315] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 304/315] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 305/315] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 306/315] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 307/315] hwmon: (pmbus) Add support for guarded PMBus lock Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 308/315] hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 309/315] hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 310/315] mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache() Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 311/315] net: phy: micrel: fix LAN8814 QSGMII soft reset Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 312/315] xhci: tegra: Fix ghost USB device on dual-role port unplug Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 314/315] drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable Greg Kroah-Hartman
2026-06-07 10:01 ` [PATCH 6.18 315/315] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
2026-06-07 16:58 ` [PATCH 6.18 000/315] 6.18.35-rc1 review Pavel Machek
2026-06-07 17:04 ` Miguel Ojeda
2026-06-07 20:40 ` Peter Schneider

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.