* [PATCH 5.15 000/411] 5.15.210-rc1 review
@ 2026-06-16 14:53 Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 5.15 001/411] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
` (411 more replies)
0 siblings, 412 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 5.15.210 release.
There are 411 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 18 Jun 2026 14:49:57 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.210-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.15.210-rc1
Borislav Petkov (AMD) <bp@alien8.de>
x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
Ben Hutchings <benh@debian.org>
apparmor: validate default DFA states are in bounds
Ben Hutchings <benh@debian.org>
fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
Paolo Abeni <pabeni@redhat.com>
mptcp: close TOCTOU race while computing rcv_wnd
Will Deacon <will@kernel.org>
arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
Shanker Donthineni <sdonthineni@nvidia.com>
arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
Mark Rutland <mark.rutland@arm.com>
arm64: errata: Mitigate TLBI errata on various Arm CPUs
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add C1-Premium definitions
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add C1-Ultra definitions
Shanker Donthineni <sdonthineni@nvidia.com>
arm64: cputype: Add NVIDIA Olympus definitions
Christian Göttsche <cgzones@googlemail.com>
selinux: enable genfscon labeling for securityfs
Aaron Erhardt <aer@tuxedocomputers.com>
ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
Jeff Layton <jlayton@kernel.org>
nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
Eric Biggers <ebiggers@kernel.org>
ksmbd: Compare MACs in constant time
Pengpeng Hou <pengpeng@iscas.ac.cn>
net/ipv6: ioam6: prevent schema length wraparound in trace fill
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: fix tp_num leak on kmalloc failure
Jiexun Wang <wangjiexun2025@gmail.com>
batman-adv: stop tp_meter sessions during mesh teardown
Tejun Heo <tj@kernel.org>
blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init
Julian Anastasov <ja@ssi.bg>
ipvs: skip ipv6 extension headers for csum checks
Yin Tirui <yintirui@huawei.com>
mm/huge_memory: update file PMD counter before folio_put()
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/umem: Fix truncation for block sizes >= 4G
Leon Romanovsky <leon@kernel.org>
RDMA: Move DMA block iterator logic into dedicated files
Randy Dunlap <rdunlap@infradead.org>
RDMA/umem: fix kernel-doc warnings
Anton Leontev <leontyevantony@gmail.com>
hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
Davide Ornaghi <d.ornaghi97@gmail.com>
netfilter: nft_fib: fix stale stack leak via the OIFNAME register
Michael Bommarito <michael.bommarito@gmail.com>
scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
Prasanna S <prasanna.s@oss.qualcomm.com>
serial: qcom-geni: fix UART_RX_PAR_EN bit position
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
tty: serial: qcom-geni-serial: align #define values
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
tty: serial: qcom-geni-serial: remove unused symbols
Myeonghun Pak <mhun512@gmail.com>
serial: altera_jtaguart: handle uart_add_one_port() failures
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
serial: altera_jtaguart: Use platform_get_irq_optional() to get the interrupt
Berkant Koc <me@berkoc.com>
drm/hyperv: validate resolution_count and fix WIN8 fallback
Michael Kelley <mikelley@microsoft.com>
drm/hyperv: Remove support for Hyper-V 2008 and 2008R2/Win7
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
usb: typec: ucsi: Check if power role change actually happened before handling
Michael Bommarito <michael.bommarito@gmail.com>
scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
Michael Bommarito <michael.bommarito@gmail.com>
thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
Guangshuo Li <lgs201920130244@gmail.com>
usb: gadget: f_hid: fix device reference leak in hidg_alloc()
John Keeping <john@metanate.com>
usb: gadget: f_hid: tidy error handling in hidg_alloc
Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
usb: dwc3: xilinx: fix error handling in zynqmp init error paths
Tudor Ambarus <tudor.ambarus@linaro.org>
tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
Tudor Ambarus <tudor.ambarus@linaro.org>
tty: serial: samsung: use u32 for register interactions
Thomas Gleixner <tglx@linutronix.de>
serial: samsung_tty: Use port lock wrappers
Minh Nguyen <minhnguyen.080505@gmail.com>
net: skbuff: fix missing zerocopy reference in pskb_carve helpers
Peter Chen <peter.chen@cixtech.com>
usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
Rodrigo Alencar <rodrigo.alencar@analog.com>
iio: dac: ad5686: fix ref bit initialization for single-channel parts
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: chemical: scd30: fix division by zero in write_raw
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio: chemical: scd30: Use guard(mutex) to allow early returns
Antoniu Miclaus <antoniu.miclaus@analog.com>
iio: gyro: adis16260: fix division by zero in write_raw
Siwei Zhang <oss@fourdim.xyz>
Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
Wayne Chang <waynec@nvidia.com>
phy: tegra: xusb: Fix per-pad high-speed termination calibration
Wayne Chang <waynec@nvidia.com>
phy: tegra: xusb: Disable trk clk when not in use
Zeng Heng <zengheng4@huawei.com>
arm64: tlb: Flush walk cache when unsharing PMD tables
Johan Hovold <johan@kernel.org>
spi: qup: fix error pointer deref after DMA setup failure
Yang Yingliang <yangyingliang@huawei.com>
spi: qup: switch to use modern name
Dawei Feng <dawei.feng@seu.edu.cn>
octeontx2-pf: avoid double free of pool->stack on AQ init failure
Sam Daly <sam@samdaly.ie>
octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
Shardul Bankar <shardul.b@mpiricsoftware.com>
mptcp: do not drop partial packets
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: drop nanoseconds width specifier
Li Xiasong <lixiasong1@huawei.com>
mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
Al Viro <viro@zeniv.linux.org.uk>
use less confusing names for iov_iter direction initializers
Justin Iurman <justin.iurman@gmail.com>
ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
Eric Dumazet <edumazet@google.com>
ipv6/addrconf: annotate data-races around devconf fields (II)
Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
ice: fix VF queue configuration with low MTU values
Michael Bommarito <michael.bommarito@gmail.com>
net: hsr: defer node table free until after RCU readers
Jiexun Wang <wangjiexun2025@gmail.com>
Bluetooth: serialize accept_q access
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: Init sk_peer_* on bt_sock_alloc
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: Consolidate code around sk_alloc into a helper function
Dawei Feng <dawei.feng@seu.edu.cn>
qed: fix double free in qed_cxt_tables_alloc()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
qed: Use the bitmap API to simplify some functions
Michael Bommarito <michael.bommarito@gmail.com>
Bluetooth: MGMT: validate Add Extended Advertising Data length
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2
Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Bluetooth: hci_qca: Convert timeout from jiffies to ms
Safa Karakuş <safa.karakus@secunnix.com>
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: require net admin for CIFS SWN netlink
Ido Schimmel <idosch@nvidia.com>
genetlink: Use internal flags for multicast groups
Johan Hovold <johan@kernel.org>
spi: lantiq-ssc: fix controller deregistration
Johan Hovold <johan@kernel.org>
spi: st-ssc4: fix controller deregistration
Chao Yu <chao@kernel.org>
f2fs: fix false alarm of lockdep on cp_global_sem lock
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: fix incorrect file address mapping when inline inode is unwritten
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ADD_ADDR rtx: fix potential data-race
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: prio: skip closed subflows
Piyush Sachdeva <s.piyush1024@gmail.com>
smb: client: Use FullSessionKey for AES-256 encryption key derivation
Filipe Manana <fdmanana@suse.com>
btrfs: fix missing last_unlink_trans update when removing a directory
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: validate dacloffset before building DACL pointers
Ulf Hansson <ulf.hansson@linaro.org>
pmdomain: core: Fix detach procedure for virtual devices in genpd
Steven Rostedt <rostedt@goodmis.org>
tracing/probes: Limit size of event probe to 3K
Yochai Eisenrich <yochaie@sweet.security>
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
Johan Hovold <johan@kernel.org>
spi: topcliff-pch: fix controller deregistration
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
spi: topcliff-pch: Convert to platform remove callback returning void
Thomas Zimmermann <tzimmermann@suse.de>
fbcon: Avoid OOB font access if console rotation fails
Sang-Heon Jeon <ekffu200098@gmail.com>
mm/hugetlb_cma: round up per_node before logging it
Johan Hovold <johan@kernel.org>
spi: uniphier: fix controller deregistration
Johan Hovold <johan@kernel.org>
spi: tegra20-sflash: fix controller deregistration
Johan Hovold <johan@kernel.org>
spi: tegra114: fix controller deregistration
Johan Hovold <johan@kernel.org>
spi: sun6i: fix controller deregistration
Johan Hovold <johan@kernel.org>
spi: zynq-qspi: fix controller deregistration
Johan Hovold <johan@kernel.org>
spi: ti-qspi: fix controller deregistration
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
spi: spi-ti-qspi: Convert to platform remove callback returning void
Johan Hovold <johan@kernel.org>
spi: sun4i: fix controller deregistration
Johan Hovold <johan@kernel.org>
spi: syncuacer: fix controller deregistration
Michal Kosiorek <mkosiorek121@gmail.com>
xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
Michael Bommarito <michael.bommarito@gmail.com>
xfrm: ah: account for ESN high bits in async callbacks
Eric Biggers <ebiggers@google.com>
net: ipv6: stop checking crypto_ahash_alignmask
Eric Biggers <ebiggers@google.com>
net: ipv4: stop checking crypto_ahash_alignmask
Selvarasu Ganesan <selvarasu.g@samsung.com>
usb: dwc3: Move GUID programming after PHY initialization
Marek Szyprowski <m.szyprowski@samsung.com>
wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
Amit Sunil Dhamne <amitsd@google.com>
usb: typec: tcpm: reset internal port states on soft reset AMS
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: validate the whole DACL before rewriting it in cifsacl
David Carlier <devnexen@gmail.com>
tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
Thorsten Blum <thorsten.blum@linux.dev>
crypto: caam - guard HMAC key hex dumps in hash_digest_key
Thorsten Blum <thorsten.blum@linux.dev>
printk: add print_hex_dump_devel()
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: aloop: Fix peer runtime UAF during format-change stop
Yang Xiuwei <yangxiuwei@kylinos.cn>
scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
Christoph Hellwig <hch@lst.de>
sd: rename the scsi_disk.dev field
Luis Chamberlain <mcgrof@kernel.org>
scsi: sd: Add error handling support for add_disk()
Bart Van Assche <bvanassche@acm.org>
scsi: core: pm: Rely on the device driver core for async power management
Max Kellermann <max.kellermann@ionos.com>
ceph: only d_add() negative dentries when they are unhashed
Junrui Luo <moonafterrain@outlook.com>
erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
Thorsten Blum <thorsten.blum@linux.dev>
crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
Ard Biesheuvel <ardb@kernel.org>
crypto: nx - Migrate to scomp API
Gustavo A. R. Silva <gustavoars@kernel.org>
crypto: nx - Avoid -Wflex-array-member-not-at-end warning
Johan Hovold <johan@kernel.org>
can: ucan: fix devres lifetime
Julia Lawall <Julia.Lawall@inria.fr>
can: ucan: fix typos in comments
Shuvam Pandey <shuvampandey1@gmail.com>
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
Zilin Guan <zilin@seu.edu.cn>
hfsplus: fix held lock freed on hfsplus_fill_super()
Deepanshu Kartikey <kartikey406@gmail.com>
hfsplus: fix uninit-value by validating catalog record size
Seohyeon Maeng <bioloidgp@gmail.com>
udf: fix partition descriptor append bookkeeping
Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
mtd: spi-nor: sst: Fix write enable before AAI sequence
Shawn Lin <shawn.lin@rock-chips.com>
mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
Ryan Roberts <ryan.roberts@arm.com>
randomize_kstack: Maintain kstack_offset per task
Thomas Zimmermann <tzimmermann@suse.de>
fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
Zhengchuan Liang <zcliangcn@gmail.com>
net: bridge: use a stable FDB dst snapshot in RCU readers
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
net: qrtr: ns: Limit the total number of nodes
Yuan Zhaoming <yuanzm2@lenovo.com>
net: mctp: fix don't require received header reserved bits to be zero
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
net: qrtr: ns: Free the node during ctrl_cmd_bye()
Vignesh Viswanathan <quic_viswanat@quicinc.com>
net: qrtr: ns: Change servers radix tree to xarray
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
net: qrtr: ns: Limit the maximum number of lookups
Takashi Iwai <tiwai@suse.de>
ALSA: core: Fix potential data race at fasync handling
Joseph Salisbury <joseph.salisbury@oracle.com>
sched: Use u64 for bandwidth ratio calculations
Oliver Neukum <oneukum@suse.com>
media: rc: igorplugusb: heed coherency rules
Robert Beckett <bob.beckett@collabora.com>
nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
Tom Yan <tom.ty89@gmail.com>
nvme: fix interpretation of DMRSL
Gao Xiang <hsiangkao@linux.alibaba.com>
erofs: fix the out-of-bounds nameoff handling for trailing dirents
Thorsten Blum <thorsten.blum@linux.dev>
ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
Oliver Neukum <oneukum@suse.com>
media: rc: ttusbir: respect DMA coherency rules
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ALSA: aoa: i2sbus: clear stale prepared state
Takashi Iwai <tiwai@suse.de>
ALSA: aoa: Use guard() for mutex locks
Daniel Hodges <git@danielhodges.dev>
wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
thermal: core: Fix thermal zone governor cleanup issues
Fedor Pchelkin <pchelkin@ispras.ru>
wifi: rtw88: check for PCI upstream bridge existence
Jimmy Hon <honyuenkwun@gmail.com>
rtw88: 8821ce: Disable PCIe ASPM L1 for 8821CE using chip ID
Anshuman Khandual <anshuman.khandual@arm.com>
arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
Bingquan Chen <patzilla007@gmail.com>
net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
Michael Bommarito <michael.bommarito@gmail.com>
ksmbd: require minimum ACE size in smb_check_perm_dacl()
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
Michael Bommarito <michael.bommarito@gmail.com>
smb: client: require a full NFS mode SID before reading mode bits
DaeMyung Kang <charsyam@gmail.com>
smb: server: fix max_connections off-by-one in tcp accept path
Michael Bommarito <michael.bommarito@gmail.com>
smb: server: fix active_num_conn leak on transport allocation failure
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
Lukas Wunner <lukas@wunner.de>
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
Eric Biggers <ebiggers@kernel.org>
net/tcp-md5: Fix MAC comparison to be constant-time
Longxuan Yu <ylong030@ucr.edu>
io_uring/poll: fix signed comparison in io_poll_get_ownership()
SeongJae Park <sj@kernel.org>
mm/damon/ops-common: call folio_test_lru() after folio_get()
Mingyu Wang <25181214217@stu.xidian.edu.cn>
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Use krealloc_array() in dal_vector_reserve()
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
Michael Bommarito <michael.bommarito@gmail.com>
thunderbolt: Limit XDomain response copy to actual frame size
Michael Bommarito <michael.bommarito@gmail.com>
thunderbolt: Clamp XDomain response data copy to allocation size
Michael Bommarito <michael.bommarito@gmail.com>
thunderbolt: Bound root directory content to block size
Michael Bommarito <michael.bommarito@gmail.com>
thunderbolt: Reject zero-length property entries in validator
Wyatt Feng <bronzed_45_vested@icloud.com>
sctp: stream: fully roll back denied add-stream state
Zhao Zhang <zzhan461@ucr.edu>
sctp: diag: reject stale associations in dump_one path
Jisheng Zhang <jszhang@kernel.org>
mmc: sdhci: add signal voltage switch in sdhci_resume_host
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
Kamal Dasu <kamal.dasu@broadcom.com>
mmc: core: Fix host controller programming for fixed driver type
Yuqi Xu <xuyq21@lenovo.com>
net: rds: clear i_sends on setup unwind
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
net: mv643xx: fix OF node refcount
ZhaoJinming <zhaojinming@uniontech.com>
net: bonding: fix NULL pointer dereference in bond_do_ioctl()
Junrui Luo <moonafterrain@outlook.com>
misc: fastrpc: fix DMA address corruption due to find_vma misuse
Anandu Krishnan E <anandu.e@oss.qualcomm.com>
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Yilin Zhu <zylzyl2333@gmail.com>
ipc/shm: serialize orphan cleanup with shm_nattch updates
Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
Zeyu WANG <zeyu.thomas.wang@gmail.com>
Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
Akhil R <akhilrajeev@nvidia.com>
i2c: tegra: Fix NOIRQ suspend/resume
Guillermo Rodríguez <guille.rodriguez@gmail.com>
i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
Jann Horn <jannh@google.com>
fuse: reject fuse_notify() pagecache ops on directories
Christian Brauner <brauner@kernel.org>
pidfd: refuse access to tasks that have started exiting harder
Michael Bommarito <michael.bommarito@gmail.com>
IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
Kyle Meyer <kyle.meyer@hpe.com>
bnxt_en: Fix NULL pointer dereference
Raf Dickson <rafdog35@gmail.com>
vsock/vmci: fix sk_ack_backlog leak on failed handshake
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: sockopt: check timestamping ret value
Paolo Abeni <pabeni@redhat.com>
mptcp: fix retransmission loop when csum is enabled
Karl Mehltretter <kmehltretter@gmail.com>
ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
Yuho Choi <dbgh9129@gmail.com>
ARM: socfpga: Fix OF node refcount leak in SMP setup
Michael Bommarito <michael.bommarito@gmail.com>
RDMA/srp: bound SRP_RSP sense copy by the received length
Harry Wentland <harry.wentland@amd.com>
drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()
Takashi Iwai <tiwai@suse.de>
ALSA: timer: Fix UAF at snd_timer_user_params()
HyeongJun An <sammiee5311@gmail.com>
USB: serial: kl5kusb105: fix bulk-out buffer overflow
Jack Wu <jackbb_wu@compal.com>
USB: serial: option: add usb-id for Dell Wireless DW5826e-m
Adrian Korwel <adriank20047@gmail.com>
USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
Adrian Korwel <adriank20047@gmail.com>
USB: serial: io_ti: fix heap overflow in get_manuf_info()
Wyatt Feng <bronzed_45_vested@icloud.com>
xfrm: espintcp: do not reuse an in-progress partial send
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
drm/i915/gem: Fix phys BO pread/pwrite with offset
Michael Bommarito <michael.bommarito@gmail.com>
Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
Tristan Madani <tristan@talencesecurity.com>
netfilter: nft_tunnel: fix use-after-free on object destroy
Alexander A. Klimov <grandmaster@al2klimov.de>
drm/vc4: fix krealloc() memory leak
Til Kaiser <mail@tk154.de>
net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
Til Kaiser <mail@tk154.de>
net: mvpp2: refill RX buffers before XDP or skb use
Lorenzo Bianconi <lorenzo@kernel.org>
net: mvpp2: Add metadata support for xdp mode
Til Kaiser <mail@tk154.de>
net: mvpp2: limit XDP frame size to the RX buffer
Til Kaiser <mail@tk154.de>
net: mvpp2: sync RX data at the hardware packet offset
Florian Westphal <fw@strlen.de>
netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
Xiang Mei <xmei5@asu.edu>
netfilter: nf_log: validate MAC header was set before dumping it
Kyle Zeng <kylebot@openai.com>
netfilter: x_tables: avoid leaking percpu counter pointers
Breno Leitao <leitao@debian.org>
rds: mark snapshot pages dirty in rds_info_getsockopt()
Eric Dumazet <edumazet@google.com>
ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
Weiming Shi <bestswngs@gmail.com>
net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
Kyle Zeng <kylebot@openai.com>
net: guard timestamp cmsgs to real error queue skbs
Michael Bommarito <michael.bommarito@gmail.com>
sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
Adrian Moreno <amorenoz@redhat.com>
net: openvswitch: fix possible kfree_skb of ERR_PTR
Kyle Zeng <kylebot@openai.com>
ipv6: sit: reload inner IPv6 header after GSO offloads
Mingyu Wang <25181214217@stu.xidian.edu.cn>
net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
Chenguang Zhao <zhaochenguang@kylinos.cn>
netlabel: validate unlabeled address and mask attribute lengths
Sanghyun Park <sanghyun.park.cnu@gmail.com>
xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
Mark Rutland <mark.rutland@arm.com>
arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
Mark Rutland <mark.rutland@arm.com>
arm64: tlb: Allow XZR argument to TLBI ops
Marc Zyngier <maz@kernel.org>
KVM: arm64: Remove VPIPT I-cache handling
Weiming Shi <bestswngs@gmail.com>
tun: free page on build_skb failure in tun_xdp_one()
Weiming Shi <bestswngs@gmail.com>
tap: free page on error paths in tap_get_user_xdp()
Jeff Layton <jlayton@kernel.org>
nfsd: don't ignore the return code of svc_proc_register()
Edward Lo <loyuantsung@gmail.com>
fs/ntfs3: Return error for inconsistent extended attributes
Tejas Bharambe <tejas.bharambe@outlook.com>
ext4: validate p_idx bounds in ext4_ext_correct_indexes
Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
time: Fix off-by-one in settimeofday() usec validation
Aleksandr Nogikh <nogikh@google.com>
signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
Xin Long <lucien.xin@gmail.com>
sctp: purge outqueue on stale COOKIE-ECHO handling
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
Eric Dumazet <edumazet@google.com>
ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
Eric Dumazet <edumazet@google.com>
ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
Bharath Reddy <kbreddy.rpbc@gmail.com>
Bluetooth: fix memory leak in error path of hci_alloc_dev()
Zhang Cen <rollkingzzc@gmail.com>
Bluetooth: bnep: reject short frames before parsing
Dudu Lu <phx0fer@gmail.com>
Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling
SeungJu Cheon <suunj1331@gmail.com>
Bluetooth: RFCOMM: validate skb length in MCC handlers
Zhang Cen <rollkingzzc@gmail.com>
Bluetooth: MGMT: validate advertising TLV before type checks
Zhang Cen <rollkingzzc@gmail.com>
Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
David Thompson <davthompson@nvidia.com>
net: lan743x: permit VLAN-tagged packets up to configured MTU
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
Oscar Maes <oscmaes92@gmail.com>
pcnet32: stop holding device spin lock during napi_complete_done
Yicong Hui <yiconghui@gmail.com>
drm/imx: Fix three kernel-doc warnings in dcss-scaler.c
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
6lowpan: fix off-by-one in multicast context address compression
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: act_api: use RCU with deferred freeing for action lifecycle
Guangshuo Li <lgs201920130244@gmail.com>
dm cache policy smq: check allocation under invalidate lock
Yiming Qian <yimingqian591@gmail.com>
netfilter: bridge: make ebt_snat ARP rewrite writable
Florian Westphal <fw@strlen.de>
netfilter: conntrack_irc: fix possible out-of-bounds read
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: synproxy: add mutex to guard hook reference counting
Julian Anastasov <ja@ssi.bg>
ipvs: clear the svc scheduler ptr early on edit
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
tee: optee: prevent use-after-free when the client exits before the supplicant
Ido Schimmel <idosch@nvidia.com>
ipv6: mcast: Fix use-after-free when processing MLD queries
Mingyu Wang <25181214217@stu.xidian.edu.cn>
i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
Nathan Chancellor <nathan@kernel.org>
Disable -Wattribute-alias for clang-23 and newer
Nathan Chancellor <nathan@kernel.org>
compiler-clang.h: Add __diag infrastructure for clang
Johan Hovold <johan@kernel.org>
USB: serial: mct_u232: fix memory corruption with small endpoint
Kuniyuki Iwashima <kuniyu@google.com>
bpf: Free reuseport cBPF prog after RCU grace period.
Michal Pecio <michal.pecio@gmail.com>
usb: core: Fix SuperSpeed root hub wMaxPacketSize
Maciej W. Rozycki <macro@orcam.me.uk>
serial: dz: Fix bootconsole handover lockup
Wei-Cheng Chen <weichengc@nvidia.com>
xhci: tegra: Fix ghost USB device on dual-role port unplug
Johan Hovold <johan@kernel.org>
USB: serial: digi_acceleport: fix memory corruption with small endpoints
Nathan Chancellor <nathan@kernel.org>
HID: core: Fix size_t specifier in hid_report_raw_event()
Benjamin Tissoires <bentiss@kernel.org>
HID: pass the buffer size to hid_report_raw_event
Vicki Pfau <vi@endrift.com>
HID: core: Add printk_ratelimited variants to hid_warn() etc
Johan Hovold <johan@kernel.org>
USB: serial: cypress_m8: fix memory corruption with small endpoint
Maciej W. Rozycki <macro@orcam.me.uk>
serial: zs: Switch to using channel reset
Maciej W. Rozycki <macro@orcam.me.uk>
serial: zs: Fix bootconsole handover lockup
Maciej W. Rozycki <macro@orcam.me.uk>
serial: dz: Fix bootconsole message clobbering at chip reset
Shitalkumar Gandhi <shital.gandhi45@gmail.com>
serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
Maciej W. Rozycki <macro@orcam.me.uk>
serial: zs: Fix swapped RI/DSR modem line transition counting
Hongling Zeng <zenghongling@kylinos.cn>
serial: sh-sci: fix memory region release in error path
Berkant Koc <me@berkoc.com>
drm/hyperv: validate VMBus packet size in receive callback
Michael Bommarito <michael.bommarito@gmail.com>
scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
Michael Bommarito <michael.bommarito@gmail.com>
scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
Michael Bommarito <michael.bommarito@gmail.com>
thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
Michael Bommarito <michael.bommarito@gmail.com>
thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
Michael Bommarito <michael.bommarito@gmail.com>
usb: gadget: f_fs: copy only received bytes on short ep0 read
Seungjin Bae <eeodqql09@gmail.com>
usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
Guangshuo Li <lgs201920130244@gmail.com>
usb: gadget: net2280: Fix double free in probe error path
Johan Hovold <johan@kernel.org>
USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
Johan Hovold <johan@kernel.org>
USB: serial: mxuport: fix memory corruption with small endpoint
Johan Hovold <johan@kernel.org>
USB: serial: keyspan: fix missing indat transfer sanity check
Zhang Cen <rollkingzzc@gmail.com>
USB: serial: cypress_m8: validate interrupt packet headers
Zhang Cen <rollkingzzc@gmail.com>
USB: serial: belkin_sa: validate interrupt status length
Wanquan Zhong <wanquan.zhong@fibocom.com>
USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
Jan Volckaert <janvolck@gmail.com>
USB: serial: option: add MeiG SRM813Q
Heitor Alves de Siqueira <halves@igalia.com>
usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
Heitor Alves de Siqueira <halves@igalia.com>
usb: usbtmc: check URB actual_length for interrupt-IN notifications
Michael Bommarito <michael.bommarito@gmail.com>
usbip: vudc: Fix use after free bug in vudc_remove due to race condition
Sam Burkels <sam@1a38.nl>
usb: storage: Add quirks for PNY Elite Portable SSD
Stephen J. Fuhry <fuhrysteve@gmail.com>
USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
Michal Pecio <michal.pecio@gmail.com>
usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
Xu Yang <xu.yang_2@nxp.com>
usb: chipidea: core: convert ci_role_switch to local variable
Zhaoyang Yu <2426767509@qq.com>
tty: serial: pch_uart: add check for dma_alloc_coherent()
Ian Abbott <abbotti@mev.co.uk>
comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
Ian Abbott <abbotti@mev.co.uk>
comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
Nicolás Bazaes <contacto@bazaes.cl>
Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
Jingguo Tan <tanjingguo@huawei.com>
xfrm: esp: restore combined single-frag length gate
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6asm-dai: close stream only when running
Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
Michael Bommarito <michael.bommarito@gmail.com>
xfrm: ah: use skb_to_full_sk in async output callbacks
Maoyi Xie <maoyixie.tju@gmail.com>
xfrm: route MIGRATE notifications to caller's netns
Ashutosh Desai <ashutoshdesai993@gmail.com>
nfc: hci: fix out-of-bounds read in HCP header parsing
Arnd Bergmann <arnd@arndb.de>
iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
Lee Jones <lee@kernel.org>
HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
Kuniyuki Iwashima <kuniyu@google.com>
ip6: vti: Use ip6_tnl.net in vti6_changelink().
Zhengchuan Liang <zcliangcn@gmail.com>
xfrm: input: hold netns during deferred transport reinjection
Qi Tang <tpluszz77@gmail.com>
ipv6: validate extension header length before copying to cmsg
Maoyi Xie <maoyixie.tju@gmail.com>
ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
Zhengchuan Liang <zcliangcn@gmail.com>
ipv6: exthdrs: refresh nh after handling HAO option
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
Justin Iurman <justin.iurman@gmail.com>
ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
Junrui Luo <moonafterrain@outlook.com>
macsec: fix replay protection at XPN lower-PN wrap
Yuqi Xu <xuyq21@lenovo.com>
bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
Dmitry Torokhov <dmitry.torokhov@gmail.com>
Input: elan_i2c - validate firmware size before use
Dan Carpenter <error27@gmail.com>
usb: dwc2: Fix use after free in debug code
Peter Chen <peter.chen@cixtech.com>
usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
Yongchao Wu <yongchao.wu@autochips.com>
usb: cdns3: gadget: fix request skipping after clearing halt
Johan Hovold <johan@kernel.org>
USB: serial: omninet: fix memory corruption with small endpoint
Felix Gu <ustc.gu@gmail.com>
iio: buffer: hw-consumer: fix use-after-free in error path
Aldo Conte <aldocontelk@gmail.com>
iio: light: cm3323: fix reg_conf not being initialized correctly
Advait Dhamorikar <advaitd@mechasystems.com>
iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
Salah Triki <salah.triki@gmail.com>
iio: temperature: tsys01: fix broken PROM checksum validation
Sanjay Chitroda <sanjayembeddedse@gmail.com>
iio: ssp_sensors: cancel delayed work_refresh on remove
David Carlier <devnexen@gmail.com>
iio: gyro: itg3200: fix i2c read into the wrong stack location
Salah Triki <salah.triki@gmail.com>
iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
Jason A. Donenfeld <Jason@zx2c4.com>
wireguard: send: append trailer after expanding head
Rodrigo Alencar <rodrigo.alencar@analog.com>
iio: dac: ad5686: fix input raw value check
Salah Triki <salah.triki@gmail.com>
iio: dac: max5821: fix return value check in powerdown sync
Christofer Jonason <christofer.jonason@guidelinegeo.com>
iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
Ben Hutchings <benh@debian.org>
parport: Fix race between port and client registration
Muhammad Bilal <meatuni001@gmail.com>
Bluetooth: HIDP: fix missing length checks in hidp_input_report()
Siwei Zhang <oss@fourdim.xyz>
Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
Linpu Yu <linpu5433@gmail.com>
ipc: limit next_id allocation to the valid ID range
Mikulas Patocka <mpatocka@redhat.com>
hpfs: fix a crash if hpfs_map_dnode_bitmap fails
Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Bluetooth: btusb: Allow firmware re-download when version matches
Thomas Fourier <fourier.thomas@gmail.com>
Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
Johan Hovold <johan@kernel.org>
USB: serial: safe_serial: fix memory corruption with small endpoint
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: typec: altmodes/displayport: validate count before reading Status Update VDO
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb: typec: ucsi: ccg: reject firmware images without a ':' record header
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
Stefan Metzmacher <metze@samba.org>
smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path
Horatiu Vultur <horatiu.vultur@microchip.com>
phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
Harini Katakam <harini.katakam@amd.com>
phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table
Jiasheng Jiang <jiashengjiangcool@gmail.com>
RDMA/rxe: Fix double free in rxe_srq_from_init
Ben Hutchings <benh@debian.org>
Revert "RDMA/rxe: Fix double free in rxe_srq_from_init"
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
Suraj Kandpal <suraj.kandpal@intel.com>
drm/dp: Add eDP 1.5 bit definition
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Read Intel DPCD workaround register
Jouni Högander <jouni.hogander@intel.com>
drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register
Duoming Zhou <duoming@zju.edu.cn>
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: avoid double decrement of bla.num_requests
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: avoid empty VLAN responses
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: fix TOCTOU race for reported vlans
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: directly shut down timer on cleanup
Petr Machata <petrm@nvidia.com>
selftests: forwarding: lib: Add helpers for checksum handling
Sven Eckelmann <sven@narfation.org>
batman-adv: iv: recover OGM scheduling after forward packet error
Sven Eckelmann <sven@narfation.org>
batman-adv: tvlv: reject oversized TVLV packets
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
Sven Eckelmann <sven@narfation.org>
batman-adv: tvlv: abort OGM send on tvlv append failure
Sven Eckelmann <sven@narfation.org>
batman-adv: v: stop OGMv2 on disabled interface
Zhenghang Xiao <kipreyyy@gmail.com>
sctp: fix race between sctp_wait_for_connect and peeloff
Marco Scardovi <scardracs@disroot.org>
gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
Zhenghang Xiao <kipreyyy@gmail.com>
Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
Rahul Chandelkar <rc@rexion.ai>
ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
Jakub Kicinski <kuba@kernel.org>
ethtool: eeprom: add more safeties to EEPROM Netlink fallback
Oliver Hartkopp <socketcan@hartkopp.net>
bonding: refuse to enslave CAN devices
Zhao Dongdong <zhaodongdong@kylinos.cn>
Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ASoC: codecs: simple-mux: Fix enum control bounds check
Eric Dumazet <edumazet@google.com>
tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
Eric Dumazet <edumazet@google.com>
vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
Eric Dumazet <edumazet@google.com>
tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
Cássio Gabriel <cassiogabrielcontato@gmail.com>
ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
Eric Dumazet <edumazet@google.com>
ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
Breno Leitao <leitao@debian.org>
net/iucv: fix locking in .getsockopt
Alexandra Winter <wintera@linux.ibm.com>
net/smc: Do not re-initialize smc hashtables
Ilya Maximets <i.maximets@ovn.org>
net: netlink: don't set nsid on local notifications
Ilya Maximets <i.maximets@ovn.org>
net: netlink: fix sending unassigned nsid after assigned one
Weiming Shi <bestswngs@gmail.com>
tun: free page on short-frame rejection in tun_xdp_one()
Florian Westphal <fw@strlen.de>
netfilter: ebtables: fix OOB read in compat_mtw_from_user
Florian Westphal <fw@strlen.de>
netfilter: xt_cpu: prefer raw_smp_processor_id
Chris Mason <clm@meta.com>
netfilter: synproxy: refresh tcphdr after skb_ensure_writable
Carl Lee <carl.lee@amd.com>
nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
David Ahern <dahern@nvidia.com>
xfrm: Check for underflow in xfrm_state_mtu
Lee Jones <lee@kernel.org>
nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
Lee Jones <lee@kernel.org>
nfc: llcp: Fix use-after-free in llcp_sock_release()
Kevin Hao <haokexin@gmail.com>
net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
Vinicius Costa Gomes <vinicius.gomes@intel.com>
dmaengine: idxd: Fix not releasing workqueue on .release()
Carlos Eduardo Gallo Filho <gcarlos@disroot.org>
drm: Remove plane hsub/vsub alignment requirement for core helpers
Victor Nogueria <victor@mojatatu.com>
net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
Jeremy Kerr <jk@codeconstruct.com.au>
net: mctp: ensure our nlmsg responses are initialised
Davide Caratti <dcaratti@redhat.com>
net/sched: cls_fw: fix NULL dereference of "old" filters before change()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
-------------
Diffstat:
Documentation/arm64/silicon-errata.rst | 46 ++++++
Makefile | 4 +-
arch/arm/include/asm/io.h | 15 +-
arch/arm/mach-socfpga/platsmp.c | 1 +
arch/arm64/Kconfig | 50 ++++++
arch/arm64/include/asm/cputype.h | 6 +
arch/arm64/include/asm/kvm_mmu.h | 4 +-
arch/arm64/include/asm/tlb.h | 2 +-
arch/arm64/include/asm/tlbflush.h | 55 +++++--
arch/arm64/kernel/cpu_errata.c | 34 +++-
arch/arm64/kernel/sys_compat.c | 2 +-
arch/arm64/kvm/hyp/nvhe/tlb.c | 41 +----
arch/arm64/kvm/hyp/vhe/tlb.c | 19 +--
arch/arm64/mm/mmu.c | 36 +++--
arch/x86/kernel/cpu/amd.c | 18 ++-
arch/x86/kernel/cpu/microcode/intel.c | 4 +-
block/blk-cgroup.c | 32 ++--
crypto/testmgr.c | 4 +-
drivers/base/power/domain.c | 10 +-
drivers/block/drbd/drbd_main.c | 2 +-
drivers/block/drbd/drbd_receiver.c | 2 +-
drivers/block/loop.c | 14 +-
drivers/block/nbd.c | 10 +-
drivers/bluetooth/btusb.c | 8 +-
drivers/bluetooth/hci_qca.c | 33 ++--
drivers/char/random.c | 4 +-
drivers/comedi/drivers/comedi_test.c | 5 +-
drivers/crypto/caam/caamalg_qi2.c | 4 +-
drivers/crypto/caam/caamhash.c | 4 +-
drivers/crypto/nx/nx-842.c | 47 +++---
drivers/crypto/nx/nx-842.h | 24 +--
drivers/crypto/nx/nx-common-powernv.c | 31 ++--
drivers/crypto/nx/nx-common-pseries.c | 33 ++--
drivers/dma/idxd/init.c | 1 -
drivers/dma/idxd/sysfs.c | 1 +
drivers/fsi/fsi-sbefifo.c | 6 +-
drivers/gpio/gpio-rockchip.c | 6 +-
.../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 5 +
drivers/gpu/drm/amd/display/dc/basics/vector.c | 4 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 54 ++++---
.../gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 3 +-
drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 136 ++++++++++++----
drivers/gpu/drm/i915/display/intel_display_types.h | 1 +
drivers/gpu/drm/i915/display/intel_dpcd.h | 15 ++
drivers/gpu/drm/i915/display/intel_psr.c | 34 +++-
drivers/gpu/drm/i915/gem/i915_gem_phys.c | 19 ++-
drivers/gpu/drm/imx/dcss/dcss-scaler.c | 3 +
drivers/gpu/drm/vc4/vc4_validate_shaders.c | 13 +-
drivers/hid/hid-core.c | 29 +++-
drivers/hid/hid-gfrm.c | 4 +-
drivers/hid/hid-logitech-hidpp.c | 2 +-
drivers/hid/hid-multitouch.c | 2 +-
drivers/hid/hid-primax.c | 2 +-
drivers/hid/hid-vivaldi.c | 2 +-
drivers/hid/wacom_sys.c | 19 ++-
drivers/hid/wacom_wac.h | 1 +
drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
drivers/i2c/busses/i2c-stm32f7.c | 6 +-
drivers/i2c/busses/i2c-tegra.c | 53 +++---
drivers/i2c/i2c-dev.c | 9 +-
drivers/iio/adc/viperboard_adc.c | 4 +-
drivers/iio/adc/xilinx-xadc-core.c | 11 +-
drivers/iio/buffer/industrialio-hw-consumer.c | 4 +-
drivers/iio/chemical/scd30_core.c | 65 ++++----
drivers/iio/common/ssp_sensors/ssp_dev.c | 1 +
drivers/iio/dac/ad5686.c | 8 +-
drivers/iio/dac/ad5686.h | 1 +
drivers/iio/dac/max5821.c | 9 +-
drivers/iio/gyro/adis16260.c | 3 +
drivers/iio/gyro/itg3200_buffer.c | 2 +-
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 2 +-
drivers/iio/light/cm3323.c | 5 +-
drivers/iio/magnetometer/st_magn_core.c | 13 +-
drivers/iio/temperature/tsys01.c | 2 +-
drivers/infiniband/core/Makefile | 2 +-
drivers/infiniband/core/iter.c | 43 +++++
drivers/infiniband/core/verbs.c | 38 -----
drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 +-
drivers/infiniband/hw/cxgb4/mem.c | 2 +-
drivers/infiniband/hw/efa/efa_verbs.c | 2 +-
drivers/infiniband/hw/hns/hns_roce_alloc.c | 2 +-
drivers/infiniband/hw/irdma/main.h | 2 +-
drivers/infiniband/hw/mlx4/mr.c | 1 +
drivers/infiniband/hw/mlx5/mem.c | 1 +
drivers/infiniband/hw/mlx5/mr.c | 1 +
drivers/infiniband/hw/mthca/mthca_provider.c | 2 +-
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2 +-
drivers/infiniband/hw/qedr/verbs.c | 2 +-
drivers/infiniband/hw/vmw_pvrdma/pvrdma.h | 2 +-
drivers/infiniband/sw/rxe/rxe_srq.c | 3 -
drivers/infiniband/ulp/isert/ib_isert.c | 6 +
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +-
drivers/infiniband/ulp/srp/ib_srp.c | 30 +++-
drivers/input/keyboard/atkbd.c | 15 ++
drivers/input/misc/ims-pcu.c | 2 +-
drivers/input/mouse/elan_i2c_core.c | 5 +
drivers/input/mouse/synaptics.c | 1 +
drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
drivers/input/touchscreen/usbtouchscreen.c | 5 +
drivers/iommu/io-pgtable-arm-v7s.c | 18 ++-
drivers/isdn/mISDN/l1oip_core.c | 2 +-
drivers/md/dm-cache-policy-smq.c | 12 +-
drivers/media/rc/igorplugusb.c | 17 +-
drivers/media/rc/ttusbir.c | 13 +-
drivers/misc/fastrpc.c | 77 ++++++---
drivers/misc/vmw_vmci/vmci_queue_pair.c | 6 +-
drivers/mmc/core/mmc.c | 4 +-
drivers/mmc/host/renesas_sdhi_internal_dmac.c | 1 +
drivers/mmc/host/sdhci-of-dwcmshc.c | 17 +-
drivers/mmc/host/sdhci.c | 1 +
drivers/mtd/spi-nor/sst.c | 13 ++
drivers/net/bonding/bond_main.c | 10 +-
drivers/net/can/usb/ucan.c | 6 +-
drivers/net/ethernet/amd/pcnet32.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 2 +-
drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 75 +++++----
drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 5 +-
.../ethernet/marvell/octeontx2/nic/otx2_common.c | 2 +
drivers/net/ethernet/microchip/lan743x_main.c | 32 ++++
drivers/net/ethernet/microchip/lan743x_main.h | 1 +
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 26 +--
drivers/net/ethernet/ti/cpsw_new.c | 4 +-
drivers/net/hyperv/netvsc.c | 19 ++-
drivers/net/macsec.c | 3 +-
drivers/net/phy/mscc/mscc.h | 9 +-
drivers/net/phy/mscc/mscc_main.c | 38 +----
drivers/net/ppp/ppp_generic.c | 2 +-
drivers/net/tap.c | 2 +
drivers/net/tun.c | 5 +-
drivers/net/vxlan/vxlan_core.c | 4 +-
drivers/net/wireguard/send.c | 20 +--
.../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 +-
.../wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 +
drivers/net/wireless/marvell/mwifiex/init.c | 2 +-
drivers/net/wireless/realtek/rtw88/pci.c | 3 +-
drivers/nfc/nxp-nci/i2c.c | 21 ++-
drivers/nvme/host/core.c | 8 +-
drivers/nvme/host/nvme.h | 1 +
drivers/nvme/host/tcp.c | 4 +-
drivers/nvme/target/io-cmd-file.c | 4 +-
drivers/nvme/target/tcp.c | 2 +-
drivers/parport/share.c | 11 +-
drivers/phy/tegra/xusb-tegra186.c | 38 +++--
drivers/phy/tegra/xusb.h | 1 +
drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
drivers/scsi/hosts.c | 1 +
drivers/scsi/scsi.c | 8 -
drivers/scsi/scsi_pm.c | 44 +----
drivers/scsi/scsi_priv.h | 4 +-
drivers/scsi/scsi_scan.c | 17 ++
drivers/scsi/scsi_sysfs.c | 1 +
drivers/scsi/scsi_transport_fc.c | 77 ++++-----
drivers/scsi/sd.c | 30 ++--
drivers/scsi/sd.h | 9 +-
drivers/scsi/sg.c | 2 +-
drivers/slimbus/qcom-ngd-ctrl.c | 3 -
drivers/spi/spi-lantiq-ssc.c | 8 +-
drivers/spi/spi-qup.c | 165 +++++++++----------
drivers/spi/spi-st-ssc4.c | 8 +-
drivers/spi/spi-sun4i.c | 10 +-
drivers/spi/spi-sun6i.c | 9 +-
drivers/spi/spi-synquacer.c | 8 +-
drivers/spi/spi-tegra114.c | 8 +-
drivers/spi/spi-tegra20-sflash.c | 8 +-
drivers/spi/spi-ti-qspi.c | 15 +-
drivers/spi/spi-topcliff-pch.c | 11 +-
drivers/spi/spi-uniphier.c | 8 +-
drivers/spi/spi-zynq-qspi.c | 15 +-
drivers/staging/greybus/hid.c | 2 +-
drivers/target/iscsi/iscsi_target.c | 6 +-
drivers/target/iscsi/iscsi_target_nego.c | 7 +-
drivers/target/iscsi/iscsi_target_parameters.c | 62 +++++--
drivers/target/iscsi/iscsi_target_parameters.h | 2 +-
drivers/target/iscsi/iscsi_target_util.c | 4 +-
drivers/target/target_core_file.c | 2 +-
drivers/tee/optee/supp.c | 107 ++++++++----
drivers/thermal/thermal_core.c | 7 +-
drivers/thunderbolt/property.c | 38 +++--
drivers/thunderbolt/xdomain.c | 6 +-
drivers/tty/serial/altera_jtaguart.c | 18 ++-
drivers/tty/serial/dz.c | 58 ++++---
drivers/tty/serial/fsl_lpuart.c | 15 +-
drivers/tty/serial/pch_uart.c | 19 ++-
drivers/tty/serial/qcom_geni_serial.c | 75 ++++-----
drivers/tty/serial/samsung_tty.c | 88 +++++-----
drivers/tty/serial/sh-sci.c | 2 +-
drivers/tty/serial/zs.c | 40 ++---
drivers/tty/serial/zs.h | 2 +-
drivers/usb/cdns3/cdns3-gadget.c | 12 +-
drivers/usb/cdns3/cdns3-plat.c | 11 +-
drivers/usb/chipidea/core.c | 16 +-
drivers/usb/class/usbtmc.c | 14 ++
drivers/usb/core/config.c | 9 +-
drivers/usb/core/hcd.c | 4 +-
drivers/usb/core/quirks.c | 4 +
drivers/usb/dwc2/hcd.c | 4 +-
drivers/usb/dwc3/core.c | 12 +-
drivers/usb/dwc3/dwc3-xilinx.c | 20 +--
drivers/usb/gadget/function/f_fs.c | 2 +-
drivers/usb/gadget/function/f_hid.c | 20 +--
drivers/usb/gadget/udc/dummy_hcd.c | 4 +
drivers/usb/gadget/udc/net2280.c | 4 +-
drivers/usb/host/xhci-tegra.c | 76 +++++----
drivers/usb/serial/belkin_sa.c | 3 +
drivers/usb/serial/cypress_m8.c | 20 ++-
drivers/usb/serial/digi_acceleport.c | 23 ++-
drivers/usb/serial/io_ti.c | 11 ++
drivers/usb/serial/keyspan.c | 4 +
drivers/usb/serial/kl5kusb105.c | 4 +-
drivers/usb/serial/mct_u232.c | 26 +--
drivers/usb/serial/mxuport.c | 8 +
drivers/usb/serial/omninet.c | 9 +-
drivers/usb/serial/option.c | 12 +-
drivers/usb/serial/safe_serial.c | 11 ++
drivers/usb/storage/unusual_uas.h | 7 +
drivers/usb/typec/altmodes/displayport.c | 2 +
drivers/usb/typec/tcpm/tcpm.c | 2 +
drivers/usb/typec/tcpm/wcove.c | 13 +-
drivers/usb/typec/ucsi/displayport.c | 4 +
drivers/usb/typec/ucsi/ucsi.c | 7 +-
drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +
drivers/usb/usbip/usbip_common.c | 2 +-
drivers/usb/usbip/vudc_dev.c | 1 +
drivers/usb/usbip/vudc_transfer.c | 3 +-
drivers/vhost/net.c | 6 +-
drivers/vhost/scsi.c | 10 +-
drivers/vhost/vhost.c | 6 +-
drivers/vhost/vringh.c | 4 +-
drivers/vhost/vsock.c | 4 +-
drivers/video/fbdev/core/fb_defio.c | 152 +++++++++++++++--
drivers/video/fbdev/core/fbcon_rotate.c | 5 +-
drivers/video/fbdev/vt8500lcdfb.c | 2 +-
drivers/xen/pvcalls-back.c | 8 +-
fs/9p/vfs_addr.c | 4 +-
fs/9p/vfs_dir.c | 2 +-
fs/9p/xattr.c | 4 +-
fs/afs/cmservice.c | 2 +-
fs/afs/dir.c | 2 +-
fs/afs/file.c | 4 +-
fs/afs/internal.h | 4 +-
fs/afs/rxrpc.c | 10 +-
fs/afs/write.c | 4 +-
fs/aio.c | 4 +-
fs/btrfs/inode.c | 2 +
fs/btrfs/ioctl.c | 5 +-
fs/ceph/addr.c | 2 +-
fs/ceph/dir.c | 6 +-
fs/ceph/file.c | 4 +-
fs/cifs/cifsacl.c | 129 +++++++++++++--
fs/cifs/connect.c | 6 +-
fs/cifs/file.c | 4 +-
fs/cifs/ioctl.c | 2 +-
fs/cifs/netlink.c | 6 +-
fs/cifs/smb2ops.c | 10 +-
fs/cifs/smb2transport.c | 36 +++--
fs/cifs/smbdirect.c | 4 +-
fs/cifs/transport.c | 6 +-
fs/erofs/decompressor.c | 1 +
fs/erofs/dir.c | 30 ++--
fs/ext4/extents.c | 15 ++
fs/f2fs/data.c | 4 +-
fs/f2fs/f2fs.h | 5 +-
fs/f2fs/inline.c | 13 +-
fs/f2fs/segment.c | 6 +-
fs/f2fs/super.c | 20 ++-
fs/fcntl.c | 8 +-
fs/fuse/dev.c | 9 +-
fs/fuse/ioctl.c | 4 +-
fs/hfsplus/bfind.c | 51 ++++++
fs/hfsplus/catalog.c | 4 +-
fs/hfsplus/dir.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 9 ++
fs/hfsplus/super.c | 6 +-
fs/hpfs/alloc.c | 2 +-
fs/ksmbd/auth.c | 4 +-
fs/ksmbd/smb2pdu.c | 5 +-
fs/ksmbd/smbacl.c | 17 +-
fs/ksmbd/transport_tcp.c | 4 +-
fs/nfsd/nfs4xdr.c | 9 +-
fs/nfsd/nfsctl.c | 9 +-
fs/nfsd/state.h | 17 +-
fs/nfsd/stats.c | 4 +-
fs/nfsd/stats.h | 2 +-
fs/nfsd/vfs.c | 4 +-
fs/ntfs3/xattr.c | 1 +
fs/ocfs2/cluster/tcp.c | 2 +-
fs/orangefs/inode.c | 8 +-
fs/read_write.c | 12 +-
fs/seq_file.c | 2 +-
fs/splice.c | 10 +-
fs/udf/super.c | 4 +-
include/drm/drm_dp_helper.h | 1 +
include/drm/drm_fourcc.h | 5 +-
include/linux/compat.h | 4 +
include/linux/compiler-clang.h | 28 ++++
include/linux/compiler_attributes.h | 11 ++
include/linux/compiler_types.h | 4 +
include/linux/fb.h | 4 +-
include/linux/hid.h | 15 +-
include/linux/parport.h | 1 +
include/linux/printk.h | 13 ++
include/linux/randomize_kstack.h | 44 ++++-
include/linux/sched.h | 4 +
include/linux/syscalls.h | 4 +
include/linux/uio.h | 3 +
include/net/act_api.h | 1 +
include/net/bluetooth/bluetooth.h | 3 +
include/net/bluetooth/l2cap.h | 1 +
include/net/genetlink.h | 9 +-
include/net/ip_vs.h | 3 +-
include/net/mctp.h | 3 +
include/net/sock.h | 1 +
include/net/xfrm.h | 3 +-
include/rdma/ib_umem.h | 36 +----
include/rdma/ib_verbs.h | 48 ------
include/rdma/iter.h | 88 ++++++++++
init/main.c | 1 -
io_uring/io_uring.c | 2 +-
ipc/shm.c | 10 +-
ipc/util.c | 2 +-
kernel/fork.c | 2 +
kernel/pid.c | 8 +-
kernel/sched/core.c | 2 +-
kernel/sched/rt.c | 2 +-
kernel/sched/sched.h | 2 +-
kernel/signal.c | 1 +
kernel/time/time.c | 2 +-
kernel/trace/trace_probe.c | 6 +
kernel/trace/trace_probe.h | 4 +-
kernel/tracepoint.c | 2 +
lib/debugobjects.c | 2 +-
lib/mpi/mpicoder.c | 2 +-
mm/damon/vaddr.c | 4 +-
mm/huge_memory.c | 2 +
mm/hugetlb.c | 1 +
mm/madvise.c | 2 +-
mm/page_io.c | 2 +-
mm/process_vm_access.c | 2 +-
net/6lowpan/iphc.c | 4 +-
net/802/garp.c | 2 +-
net/802/mrp.c | 9 ++
net/9p/client.c | 2 +-
net/batman-adv/bat_iv_ogm.c | 82 ++++++++--
net/batman-adv/bat_v_ogm.c | 59 ++++---
net/batman-adv/bridge_loop_avoidance.c | 57 ++++---
net/batman-adv/main.c | 1 +
net/batman-adv/soft-interface.c | 1 +
net/batman-adv/tp_meter.c | 109 +++++++++----
net/batman-adv/tp_meter.h | 1 +
net/batman-adv/translation-table.c | 35 +++-
net/batman-adv/tvlv.c | 28 +++-
net/batman-adv/tvlv.h | 2 +-
net/batman-adv/types.h | 46 +++++-
net/bluetooth/6lowpan.c | 4 +-
net/bluetooth/a2mp.c | 2 +-
net/bluetooth/af_bluetooth.c | 144 ++++++++++++++---
net/bluetooth/bnep/core.c | 50 ++++--
net/bluetooth/bnep/sock.c | 10 +-
net/bluetooth/hci_event.c | 18 ++-
net/bluetooth/hci_sock.c | 10 +-
net/bluetooth/hci_sysfs.c | 6 +-
net/bluetooth/hidp/core.c | 23 ++-
net/bluetooth/hidp/sock.c | 10 +-
net/bluetooth/l2cap_core.c | 87 +++++++++-
net/bluetooth/l2cap_sock.c | 86 +++++-----
net/bluetooth/mgmt.c | 20 ++-
net/bluetooth/rfcomm/core.c | 69 +++++---
net/bluetooth/rfcomm/sock.c | 48 ++++--
net/bluetooth/sco.c | 19 ++-
net/bluetooth/smp.c | 2 +-
net/bridge/br_arp_nd_proxy.c | 8 +-
net/bridge/br_fdb.c | 28 ++--
net/bridge/netfilter/ebt_snat.c | 3 +
net/bridge/netfilter/ebtables.c | 30 ++++
net/ceph/messenger_v1.c | 4 +-
net/ceph/messenger_v2.c | 14 +-
net/compat.c | 2 +-
net/core/drop_monitor.c | 2 +-
net/core/filter.c | 17 +-
net/core/skbuff.c | 10 +-
net/ethtool/eeprom.c | 5 +-
net/hsr/hsr_framereg.c | 6 +-
net/ieee802154/6lowpan/tx.c | 5 +
net/ipv4/ah4.c | 31 ++--
net/ipv4/esp4.c | 4 +-
net/ipv4/ip_options.c | 4 +
net/ipv4/ip_tunnel_core.c | 22 ++-
net/ipv4/netfilter/arp_tables.c | 15 +-
net/ipv4/netfilter/ip_tables.c | 15 +-
net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
net/ipv4/sysctl_net_ipv4.c | 2 +-
net/ipv4/tcp.c | 4 +-
net/ipv4/tcp_ipv4.c | 5 +-
net/ipv6/addrconf.c | 47 +++---
net/ipv6/ah6.c | 29 ++--
net/ipv6/datagram.c | 54 ++++++-
net/ipv6/esp6.c | 4 +-
net/ipv6/exthdrs.c | 28 +++-
net/ipv6/ioam6.c | 12 +-
net/ipv6/ip6_input.c | 2 +-
net/ipv6/ip6_vti.c | 25 ++-
net/ipv6/mcast.c | 22 +--
net/ipv6/ndisc.c | 12 +-
net/ipv6/netfilter/ip6_tables.c | 15 +-
net/ipv6/netfilter/nft_fib_ipv6.c | 2 +-
net/ipv6/seg6_hmac.c | 8 +-
net/ipv6/sit.c | 1 +
net/ipv6/tcp_ipv6.c | 5 +-
net/iucv/af_iucv.c | 20 ++-
net/key/af_key.c | 6 +-
net/mctp/device.c | 1 +
net/mctp/neigh.c | 1 +
net/mctp/route.c | 9 +-
net/mptcp/options.c | 29 ++--
net/mptcp/pm.c | 34 +++-
net/mptcp/pm_netlink.c | 31 +++-
net/mptcp/protocol.c | 26 ++-
net/mptcp/sockopt.c | 8 +-
net/netfilter/ipvs/ip_vs_ctl.c | 13 +-
net/netfilter/ipvs/ip_vs_proto_sctp.c | 18 +--
net/netfilter/ipvs/ip_vs_proto_tcp.c | 21 +--
net/netfilter/ipvs/ip_vs_proto_udp.c | 20 +--
net/netfilter/ipvs/ip_vs_sched.c | 14 +-
net/netfilter/ipvs/ip_vs_sync.c | 2 +-
net/netfilter/nf_conntrack_irc.c | 4 +-
net/netfilter/nf_conntrack_proto_tcp.c | 3 +-
net/netfilter/nf_log_syslog.c | 4 +-
net/netfilter/nf_synproxy_core.c | 26 ++-
net/netfilter/nft_exthdr.c | 3 +
net/netfilter/nft_fib.c | 6 +
net/netfilter/nft_tunnel.c | 2 +-
net/netfilter/xt_NFQUEUE.c | 2 +-
net/netfilter/xt_cpu.c | 2 +-
net/netlabel/netlabel_unlabeled.c | 30 ++--
net/netlink/af_netlink.c | 11 +-
net/netlink/genetlink.c | 4 +-
net/nfc/hci/core.c | 10 ++
net/nfc/llcp_core.c | 11 ++
net/nfc/llcp_sock.c | 2 +
net/nfc/nci/hci.c | 10 ++
net/openvswitch/datapath.c | 1 +
net/packet/af_packet.c | 25 +--
net/psample/psample.c | 2 +-
net/qrtr/af_qrtr.c | 4 +-
net/qrtr/ns.c | 180 ++++++++-------------
net/rds/ib_cm.c | 1 +
net/rds/ib_send.c | 2 +
net/rds/info.c | 2 +-
net/sched/act_api.c | 7 +-
net/sched/cls_fw.c | 6 +-
net/sched/sch_netem.c | 40 -----
net/sched/sch_sfb.c | 2 +-
net/sctp/diag.c | 17 +-
net/sctp/input.c | 8 +
net/sctp/sm_statefuns.c | 6 +-
net/sctp/socket.c | 2 +
net/sctp/stream.c | 6 +-
net/smc/af_smc.c | 4 +-
net/smc/smc_clc.c | 6 +-
net/socket.c | 23 +--
net/sunrpc/socklib.c | 6 +-
net/sunrpc/svcsock.c | 4 +-
net/sunrpc/xprtsock.c | 6 +-
net/tipc/topsrv.c | 2 +-
net/tls/tls_device.c | 4 +-
net/vmw_vsock/vmci_transport.c | 4 +-
net/xfrm/espintcp.c | 6 +-
net/xfrm/xfrm_input.c | 16 +-
net/xfrm/xfrm_policy.c | 15 +-
net/xfrm/xfrm_state.c | 35 ++--
net/xfrm/xfrm_user.c | 5 +-
security/apparmor/policy_unpack.c | 27 ++--
security/keys/keyctl.c | 4 +-
security/selinux/hooks.c | 3 +-
sound/aoa/codecs/onyx.c | 104 ++++--------
sound/aoa/codecs/tas.c | 113 +++++--------
sound/aoa/core/gpio-feature.c | 20 +--
sound/aoa/core/gpio-pmf.c | 26 ++-
sound/aoa/soundbus/i2sbus/core.c | 3 +
sound/aoa/soundbus/i2sbus/pcm.c | 143 ++++++++--------
sound/core/misc.c | 14 +-
sound/core/timer.c | 1 +
sound/drivers/aloop.c | 40 +++--
sound/pci/hda/patch_hdmi.c | 1 +
sound/soc/codecs/simple-mux.c | 2 +-
sound/soc/intel/boards/bytcht_es8316.c | 29 +++-
sound/soc/qcom/qdsp6/q6asm-dai.c | 43 ++---
tools/testing/selftests/net/forwarding/lib.sh | 56 +++++++
tools/testing/selftests/net/mptcp/mptcp_connect.sh | 6 +-
491 files changed, 4845 insertions(+), 2652 deletions(-)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 001/411] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
@ 2026-06-16 14:53 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 002/411] net/sched: cls_fw: fix NULL dereference of "old" filters before change() Greg Kroah-Hartman
` (410 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.
nexio_read_data() pulls data_len and x_len from a packed __be16 header
in the device's interrupt packet and then walks packet->data[0..x_len)
and packet->data[x_len..data_len) comparing each byte against a
threshold.
Both fields are 16-bit on the wire (max 65535). The existing
adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size
(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
packed header — so packet->data[] has 1017 valid bytes. read_data()
callbacks are not given urb->actual_length, and nothing else bounds the
walk.
A device that lies about its length can get a ~64 KiB out-of-bounds read
past the coherent DMA allocation. The first index whose byte exceeds
NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
reported touch coordinates, so adjacent kernel memory contents leak to
userspace as ABS_X / ABS_Y events. Far enough out, the read can also
hit an unmapped page and fault.
Fix this all by clamping data_len to the buffer's data[] capacity and
x_len to data_len.
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/usbtouchscreen.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/input/touchscreen/usbtouchscreen.c
+++ b/drivers/input/touchscreen/usbtouchscreen.c
@@ -1061,6 +1061,11 @@ static int nexio_read_data(struct usbtou
if (x_len > 0xff)
x_len -= 0x80;
+ if (data_len > usbtouch->data_size - sizeof(*packet))
+ data_len = usbtouch->data_size - sizeof(*packet);
+ if (x_len > data_len)
+ x_len = data_len;
+
/* send ACK */
ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
if (ret)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 002/411] net/sched: cls_fw: fix NULL dereference of "old" filters before change()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 5.15 001/411] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 003/411] net: mctp: ensure our nlmsg responses are initialised Greg Kroah-Hartman
` (409 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Davide Caratti,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Caratti <dcaratti@redhat.com>
[ Upstream commit 65782b2db7321d5f97c16718c4c7f6c7205a56be ]
Like pointed out by Sashiko [1], since commit ed76f5edccc9 ("net: sched:
protect filter_chain list with filter_chain_lock mutex") TC filters are
added to a shared block and published to datapath before their ->change()
function is called. This is a problem for cls_fw: an invalid filter
created with the "old" method can still classify some packets before it
is destroyed by the validation logic added by Xiang.
Therefore, insisting with repeated runs of the following script:
# ip link add dev crash0 type dummy
# ip link set dev crash0 up
# mausezahn crash0 -c 100000 -P 10 \
> -A 4.3.2.1 -B 1.2.3.4 -t udp "dp=1234" -q &
# sleep 1
# tc qdisc add dev crash0 egress_block 1 clsact
# tc filter add block 1 protocol ip prio 1 matchall \
> action skbedit mark 65536 continue
# tc filter add block 1 protocol ip prio 2 fw
# ip link del dev crash0
can still make fw_classify() hit the WARN_ON() in [2]:
WARNING: ./include/net/pkt_cls.h:88 at fw_classify+0x244/0x250 [cls_fw], CPU#18: mausezahn/1399
Modules linked in: cls_fw(E) act_skbedit(E)
CPU: 18 UID: 0 PID: 1399 Comm: mausezahn Tainted: G E 7.0.0-rc6-virtme #17 PREEMPT(full)
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Red Hat KVM, BIOS 1.16.3-2.el9 04/01/2014
RIP: 0010:fw_classify+0x244/0x250 [cls_fw]
Code: 5c 49 c7 45 00 00 00 00 00 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 5b b8 ff ff ff ff 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 90 <0f> 0b 90 eb a0 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffd1b7026bf8a8 EFLAGS: 00010202
RAX: ffff8c5ac9c60800 RBX: ffff8c5ac99322c0 RCX: 0000000000000004
RDX: 0000000000000001 RSI: ffff8c5b74d7a000 RDI: ffff8c5ac8284f40
RBP: ffffd1b7026bf8d0 R08: 0000000000000000 R09: ffffd1b7026bf9b0
R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000010000
R13: ffffd1b7026bf930 R14: ffff8c5ac8284f40 R15: 0000000000000000
FS: 00007fca40c37740(0000) GS:ffff8c5b74d7a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fca40e822a0 CR3: 0000000005ca0001 CR4: 0000000000172ef0
Call Trace:
<TASK>
tcf_classify+0x17d/0x5c0
tc_run+0x9d/0x150
__dev_queue_xmit+0x2ab/0x14d0
ip_finish_output2+0x340/0x8f0
ip_output+0xa4/0x250
raw_sendmsg+0x147d/0x14b0
__sys_sendto+0x1cc/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x126/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fca40e822ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc248a42c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000055ef233289d0 RCX: 00007fca40e822ba
RDX: 000000000000001e RSI: 000055ef23328c30 RDI: 0000000000000003
RBP: 000055ef233289d0 R08: 00007ffc248a42d0 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001e
R13: 00000000000186a0 R14: 0000000000000000 R15: 00007fca41043000
</TASK>
irq event stamp: 1045778
hardirqs last enabled at (1045784): [<ffffffff864ec042>] __up_console_sem+0x52/0x60
hardirqs last disabled at (1045789): [<ffffffff864ec027>] __up_console_sem+0x37/0x60
softirqs last enabled at (1045426): [<ffffffff874d48c7>] __alloc_skb+0x207/0x260
softirqs last disabled at (1045434): [<ffffffff874fe8f8>] __dev_queue_xmit+0x78/0x14d0
Then, because of the value in the packet's mark, dereference on 'q->handle'
with NULL 'q' occurs:
BUG: kernel NULL pointer dereference, address: 0000000000000038
[...]
RIP: 0010:fw_classify+0x1fe/0x250 [cls_fw]
[...]
Skip "old-style" classification on shared blocks, so that the NULL
dereference is fixed and WARN_ON() is not hit anymore in the short
lifetime of invalid cls_fw "old-style" filters.
[1] https://sashiko.dev/#/patchset/20260331050217.504278-1-xmei5%40asu.edu
[2] https://elixir.bootlin.com/linux/v7.0-rc6/source/include/net/pkt_cls.h#L86
Fixes: faeea8bbf6e9 ("net/sched: cls_fw: fix NULL pointer dereference on shared blocks")
Fixes: ed76f5edccc9 ("net: sched: protect filter_chain list with filter_chain_lock mutex")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/e39cbd3103a337f1e515d186fe697b4459d24757.1775661704.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_fw.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index a4ffee135c8557..60249d7b333af3 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -72,9 +72,13 @@ static int fw_classify(struct sk_buff *skb, const struct tcf_proto *tp,
}
}
} else {
- struct Qdisc *q = tcf_block_q(tp->chain->block);
+ struct Qdisc *q;
/* Old method: classify the packet using its skb mark. */
+ if (tcf_block_shared(tp->chain->block))
+ return -1;
+
+ q = tcf_block_q(tp->chain->block);
if (id && (TC_H_MAJ(id) == 0 ||
!(TC_H_MAJ(id ^ q->handle)))) {
res->classid = id;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 003/411] net: mctp: ensure our nlmsg responses are initialised
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 5.15 001/411] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 002/411] net/sched: cls_fw: fix NULL dereference of "old" filters before change() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 004/411] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
` (408 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Simon Horman,
Jakub Kicinski, Li hongliang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Kerr <jk@codeconstruct.com.au>
[ Upstream commit a6a9bc544b675d8b5180f2718ec985ad267b5cbf ]
Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from
DEVCORE Research Team working with Trend Micro Zero Day Initiative
report that a RTM_GETNEIGH will return uninitalised data in the pad
bytes of the ndmsg data.
Ensure we're initialising the netlink data to zero, in the link, addr
and neigh response messages.
Fixes: 831119f88781 ("mctp: Add neighbour netlink interface")
Fixes: 06d2f4c583a7 ("mctp: Add netlink route management")
Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260209-dev-mctp-nlmsg-v1-1-f1e30c346a43@codeconstruct.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/device.c | 1 +
net/mctp/neigh.c | 1 +
net/mctp/route.c | 1 +
3 files changed, 3 insertions(+)
diff --git a/net/mctp/device.c b/net/mctp/device.c
index aec7ffad2666ab..a11d5aca201c27 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -55,6 +55,7 @@ static int mctp_fill_addrinfo(struct sk_buff *skb, struct netlink_callback *cb,
return -EMSGSIZE;
hdr = nlmsg_data(nlh);
+ memset(hdr, 0, sizeof(*hdr));
hdr->ifa_family = AF_MCTP;
hdr->ifa_prefixlen = 0;
hdr->ifa_flags = 0;
diff --git a/net/mctp/neigh.c b/net/mctp/neigh.c
index bc75a263719c77..18a6be38f17211 100644
--- a/net/mctp/neigh.c
+++ b/net/mctp/neigh.c
@@ -217,6 +217,7 @@ static int mctp_fill_neigh(struct sk_buff *skb, u32 portid, u32 seq, int event,
return -EMSGSIZE;
hdr = nlmsg_data(nlh);
+ memset(hdr, 0, sizeof(*hdr));
hdr->ndm_family = AF_MCTP;
hdr->ndm_ifindex = dev->ifindex;
hdr->ndm_state = 0; // TODO other state bits?
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 48d32bfd386363..a93796eb0a092c 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -1031,6 +1031,7 @@ static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt,
return -EMSGSIZE;
hdr = nlmsg_data(nlh);
+ memset(hdr, 0, sizeof(*hdr));
hdr->rtm_family = AF_MCTP;
/* we use the _len fields as a number of EIDs, rather than
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 004/411] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 003/411] net: mctp: ensure our nlmsg responses are initialised Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 005/411] drm: Remove plane hsub/vsub alignment requirement for core helpers Greg Kroah-Hartman
` (407 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victor Nogueria, Eric Dumazet,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueria <victor@mojatatu.com>
[ Upstream commit 1b9bc71153b01dbde8045b9edede4240f4f5520e ]
When sfb has children (eg qfq qdisc) whose peek() callback is
qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such
qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from
its child (sfb in this case), it will do the following:
1a. do a peek() - and when sensing there's an skb the child can offer, then
- the child in this case(sfb) calls its child's (qfq) peek.
qfq does the right thing and will return the gso_skb queue packet.
Note: if there wasnt a gso_skb entry then qfq will store it there.
1b. invoke a dequeue() on the child (sfb). And herein lies the problem.
- sfb will call the child's dequeue() which will essentially just
try to grab something of qfq's queue.
[ 127.594489][ T453] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[ 127.594741][ T453] CPU: 2 UID: 0 PID: 453 Comm: ping Not tainted 7.1.0-rc1-00035-gac961974495b-dirty #793 PREEMPT(full)
[ 127.595059][ T453] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 127.595254][ T453] RIP: 0010:qfq_dequeue+0x35c/0x1650 [sch_qfq]
[ 127.595461][ T453] Code: 00 fc ff df 80 3c 02 00 0f 85 17 0e 00 00 4c 8d 73 48 48 89 9d b8 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 76 0c 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
[ 127.596081][ T453] RSP: 0018:ffff88810e5af440 EFLAGS: 00010216
[ 127.596337][ T453] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
[ 127.596623][ T453] RDX: 0000000000000009 RSI: 0000001880000000 RDI: ffff888104fd82b0
[ 127.596917][ T453] RBP: ffff888104fd8000 R08: ffff888104fd8280 R09: 1ffff110211893a3
[ 127.597165][ T453] R10: 1ffff110211893a6 R11: 1ffff110211893a7 R12: 0000001880000000
[ 127.597404][ T453] R13: ffff888104fd82b8 R14: 0000000000000048 R15: 0000000040000000
[ 127.597644][ T453] FS: 00007fc380cbfc40(0000) GS:ffff88816f2a8000(0000) knlGS:0000000000000000
[ 127.597956][ T453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 127.598160][ T453] CR2: 00005610aa9890a8 CR3: 000000010369e000 CR4: 0000000000750ef0
[ 127.598390][ T453] PKRU: 55555554
[ 127.598509][ T453] Call Trace:
[ 127.598629][ T453] <TASK>
[ 127.598718][ T453] ? mark_held_locks+0x40/0x70
[ 127.598890][ T453] ? srso_alias_return_thunk+0x5/0xfbef5
[ 127.599053][ T453] sfb_dequeue+0x88/0x4d0
[ 127.599174][ T453] ? ktime_get+0x137/0x230
[ 127.599328][ T453] ? srso_alias_return_thunk+0x5/0xfbef5
[ 127.599480][ T453] ? qdisc_peek_dequeued+0x7b/0x350 [sch_qfq]
[ 127.599670][ T453] ? srso_alias_return_thunk+0x5/0xfbef5
[ 127.599831][ T453] tbf_dequeue+0x6b1/0x1098 [sch_tbf]
[ 127.599988][ T453] __qdisc_run+0x169/0x1900
The right thing to do in #1b is to grab the skb off gso_skb queue.
This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()
method instead.
Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler")
Signed-off-by: Victor Nogueria <victor@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260430152957.194015-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_sfb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
index 497bc022fc0c10..45787f7d86477d 100644
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -439,7 +439,7 @@ static struct sk_buff *sfb_dequeue(struct Qdisc *sch)
struct Qdisc *child = q->qdisc;
struct sk_buff *skb;
- skb = child->dequeue(q->qdisc);
+ skb = qdisc_dequeue_peeked(child);
if (skb) {
qdisc_bstats_update(sch, skb);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 005/411] drm: Remove plane hsub/vsub alignment requirement for core helpers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 004/411] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 006/411] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
` (406 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Eduardo Gallo Filho,
André Almeida, Thomas Zimmermann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Eduardo Gallo Filho <gcarlos@disroot.org>
[ Upstream commit f2f455981a34ce8ca88a41458c09494b387d344f ]
The drm_format_info_plane_{height,width} functions was implemented using
regular division for the plane size calculation, which cause issues [1][2]
when used on contexts where the dimensions are misaligned with relation
to the subsampling factors. So, replace the regular division by the
DIV_ROUND_UP macro.
This allows these functions to be used in more drivers, making further
work to bring more core presence on them possible.
[1] http://patchwork.freedesktop.org/patch/msgid/20170321181218.10042-3-ville.syrjala@linux.intel.com
[2] https://patchwork.freedesktop.org/patch/msgid/20211026225105.2783797-2-imre.deak@intel.com
Signed-off-by: Carlos Eduardo Gallo Filho <gcarlos@disroot.org>
Reviewed-by: André Almeida <andrealmeid@igalia.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20230926141519.9315-2-gcarlos@disroot.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/drm/drm_fourcc.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/drm/drm_fourcc.h b/include/drm/drm_fourcc.h
index 22aa64d07c7905..78ef00b94a4635 100644
--- a/include/drm/drm_fourcc.h
+++ b/include/drm/drm_fourcc.h
@@ -22,6 +22,7 @@
#ifndef __DRM_FOURCC_H__
#define __DRM_FOURCC_H__
+#include <linux/math.h>
#include <linux/types.h>
#include <uapi/drm/drm_fourcc.h>
@@ -276,7 +277,7 @@ int drm_format_info_plane_width(const struct drm_format_info *info, int width,
if (plane == 0)
return width;
- return width / info->hsub;
+ return DIV_ROUND_UP(width, info->hsub);
}
/**
@@ -298,7 +299,7 @@ int drm_format_info_plane_height(const struct drm_format_info *info, int height,
if (plane == 0)
return height;
- return height / info->vsub;
+ return DIV_ROUND_UP(height, info->vsub);
}
const struct drm_format_info *__drm_format_info(u32 format);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 006/411] dmaengine: idxd: Fix not releasing workqueue on .release()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 005/411] drm: Remove plane hsub/vsub alignment requirement for core helpers Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 007/411] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
` (405 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Vinicius Costa Gomes,
Vinod Koul, Wenshan Lan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit 3d33de353b1ff9023d5ec73b9becf80ea87af695 ]
The workqueue associated with an DSA/IAA device is not released when
the object is freed.
Fixes: 47c16ac27d4c ("dmaengine: idxd: fix idxd conf_dev 'struct device' lifetime")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-7-7ed70658a9d1@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
[ Remove destroy_workqueue(idxd->wq) from the function idxd_remove() to
avoid the workqueue is released twice. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/idxd/init.c | 1 -
drivers/dma/idxd/sysfs.c | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index f2d27c6ec1ce88..698387103da738 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -829,7 +829,6 @@ static void idxd_remove(struct pci_dev *pdev)
pci_iounmap(pdev, idxd->reg_base);
iommu_dev_disable_feature(&pdev->dev, IOMMU_DEV_FEAT_SVA);
pci_disable_device(pdev);
- destroy_workqueue(idxd->wq);
perfmon_pmu_remove(idxd);
put_device(idxd_confdev(idxd));
}
diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c
index 489a9d8850764b..ee208dfdd0cb51 100644
--- a/drivers/dma/idxd/sysfs.c
+++ b/drivers/dma/idxd/sysfs.c
@@ -1271,6 +1271,7 @@ static void idxd_conf_device_release(struct device *dev)
{
struct idxd_device *idxd = confdev_to_idxd(dev);
+ destroy_workqueue(idxd->wq);
kfree(idxd->groups);
kfree(idxd->wqs);
kfree(idxd->engines);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 007/411] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 006/411] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 008/411] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
` (404 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kevin Hao, Alexander Sverdlin,
Jakub Kicinski, Wenshan Lan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Hao <haokexin@gmail.com>
[ Upstream commit 9d724b34fbe13b71865ad0906a4be97571f19cf5 ]
If an error occurs during register_netdev() for the first MAC in
cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL,
cpsw->slaves[1].ndev would remain unchanged. This could later cause
cpsw_unregister_ports() to attempt unregistering the second MAC.
To address this, add a check for ndev->reg_state before calling
unregister_netdev(). With this change, setting cpsw->slaves[i].ndev
to NULL becomes unnecessary and can be removed accordingly.
Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Link: https://patch.msgid.link/20260205-cpsw-error-path-v1-2-6e58bae6b299@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/cpsw_new.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c
index 9d52b949ae3f95..bef2c71b905972 100644
--- a/drivers/net/ethernet/ti/cpsw_new.c
+++ b/drivers/net/ethernet/ti/cpsw_new.c
@@ -1447,7 +1447,8 @@ static void cpsw_unregister_ports(struct cpsw_common *cpsw)
int i = 0;
for (i = 0; i < cpsw->data.slaves; i++) {
- if (!cpsw->slaves[i].ndev)
+ if (!cpsw->slaves[i].ndev ||
+ cpsw->slaves[i].ndev->reg_state != NETREG_REGISTERED)
continue;
unregister_netdev(cpsw->slaves[i].ndev);
@@ -1467,7 +1468,6 @@ static int cpsw_register_ports(struct cpsw_common *cpsw)
if (ret) {
dev_err(cpsw->dev,
"cpsw: err registering net device%d\n", i);
- cpsw->slaves[i].ndev = NULL;
break;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 008/411] nfc: llcp: Fix use-after-free in llcp_sock_release()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 007/411] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 009/411] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
` (403 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jones, David Heidelberg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee@kernel.org>
[ Upstream commit f4268b466190dae95a7585f69b4f1f8ad097632c ]
llcp_sock_release() unconditionally unlinks the socket from the local
sockets list. However, if the socket is still in connecting state, it
is on the connecting list.
Fix this by checking the socket state and unlinking from the correct list.
Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Signed-off-by: Lee Jones <lee@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-1-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 6e1fba2084930e..54af85d939c6b9 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -640,6 +640,8 @@ static int llcp_sock_release(struct socket *sock)
if (sock->type == SOCK_RAW)
nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+ else if (sk->sk_state == LLCP_CONNECTING)
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
else
nfc_llcp_sock_unlink(&local->sockets, sk);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 009/411] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 008/411] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 010/411] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
` (402 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jones, Simon Horman,
David Heidelberg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee@kernel.org>
[ Upstream commit b493ea2765cc17cb8aa7e7544a4b6dcb05b6ed77 ]
A race condition exists in the NFC LLCP connection state machine where
the connection acceptance packet (CC) can be processed concurrently with
socket release. This can lead to a use-after-free of the socket object.
When nfc_llcp_recv_cc() moves the socket from the connecting_sockets
list to the sockets list, it does so without holding the socket lock.
If llcp_sock_release() is executing concurrently, it might have already
unlinked the socket and dropped its references, which can result in
nfc_llcp_recv_cc() linking a freed socket into the live list.
Fix this by holding lock_sock() during the state transition and list
movement in nfc_llcp_recv_cc(). After acquiring the lock, check if
the socket is still hashed to ensure it hasn't already been unlinked
and marked for destruction by the release path. This aligns the locking
pattern with recv_hdlc() and recv_disc().
Fixes: a69f32af86e3 ("NFC: Socket linked list")
Signed-off-by: Lee Jones <lee@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260429134115.3558604-2-lee@kernel.org
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/llcp_core.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index e04634f22b49f4..c7de44637e0187 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1225,6 +1225,15 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
sk = &llcp_sock->sk;
+ lock_sock(sk);
+
+ /* Check if socket was destroyed whilst waiting for the lock */
+ if (!sk_hashed(sk)) {
+ release_sock(sk);
+ nfc_llcp_sock_put(llcp_sock);
+ return;
+ }
+
/* Unlink from connecting and link to the client array */
nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
nfc_llcp_sock_link(&local->sockets, sk);
@@ -1236,6 +1245,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local,
sk->sk_state = LLCP_CONNECTED;
sk->sk_state_change(sk);
+ release_sock(sk);
+
nfc_llcp_sock_put(llcp_sock);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 010/411] xfrm: Check for underflow in xfrm_state_mtu
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 009/411] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 011/411] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
` (401 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Lin, David Ahern,
Steffen Klassert, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Ahern <dahern@nvidia.com>
[ Upstream commit 742b04d0550b0ec89dcbc99537ec88653bd1ad90 ]
Leo Lin reported OOB write issue in esp component:
xfrm_state_mtu() returns u32 but performs its arithmetic in unsigned
modulo-2^32 space using an attacker-influenced "header_len + authsize +
net_adj" subtracted from a small "mtu" argument. A nobody user can
install an IPv4 ESP tunnel SA with a large authentication key
(XFRMA_ALG_AUTH_TRUNC, e.g. hmac(sha512), 64-byte key, 64-byte trunc),
configure a small interface MTU (68 bytes), and set XFRMA_TFCPAD to a
large value. When a single UDP datagram is then sent through the
tunnel, xfrm_state_mtu() underflows to a near-2^32 value, and
esp_output() consumes it as a signed int via:
padto = min(x->tfcpad, xfrm_state_mtu(x, mtu_cached))
esp.tfclen = padto - skb->len (assigned to int)
esp.tfclen ends up negative (e.g. -207). It is sign-extended to size_t
when passed to memset() inside esp_output_fill_trailer(), producing a
~16 EB write of zeroes at skb_tail_pointer(skb). KASAN logs it as
"Write of size 18446744073709551537 at addr ffff888...".
Check for underflow and return 1. This causes the sendmsg attempt to
fail with ENETUNREACH.
Fixes: c5c252389374 ("[XFRM]: Optimize MTU calculation")
Reported-by: Leo Lin <leo@depthfirst.com>
Assisted-by: Codex:26.506.31004
Signed-off-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_state.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index f7f568bfb93a80..9593fcc7508c94 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2581,10 +2581,14 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
const struct xfrm_type *type = READ_ONCE(x->type);
struct crypto_aead *aead;
u32 blksize, net_adj = 0;
+ u32 overhead, payload_mtu;
if (x->km.state != XFRM_STATE_VALID ||
- !type || type->proto != IPPROTO_ESP)
+ !type || type->proto != IPPROTO_ESP) {
+ if (mtu <= x->props.header_len)
+ return 1;
return mtu - x->props.header_len;
+ }
aead = x->data;
blksize = ALIGN(crypto_aead_blocksize(aead), 4);
@@ -2604,8 +2608,17 @@ u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
break;
}
- return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
- net_adj) & ~(blksize - 1)) + net_adj - 2;
+ overhead = x->props.header_len + crypto_aead_authsize(aead) + net_adj;
+ if (mtu <= overhead)
+ return 1;
+
+ payload_mtu = mtu - overhead;
+ payload_mtu &= ~(blksize - 1);
+ if (payload_mtu <= 2)
+ return 1;
+
+ return payload_mtu + net_adj - 2;
+
}
EXPORT_SYMBOL_GPL(xfrm_state_mtu);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 011/411] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 010/411] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 012/411] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
` (400 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carl Lee, Bartosz Golaszewski,
Mark Pearson, Luca Stefani, David Heidelberg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carl Lee <carl.lee@amd.com>
[ Upstream commit f23bf992d65a42007c517b060ca35cebdea3525a ]
Some ACPI-based platforms report incorrect IRQ trigger types (e.g.
IRQF_TRIGGER_HIGH), which can lead to interrupt storms.
Use the historically working rising-edge trigger on ACPI systems to
avoid this regression.
Device Tree-based systems continue to use the firmware-provided
trigger type.
Fixes: 57be33f85e36 ("nfc: nxp-nci: remove interrupt trigger type")
Signed-off-by: Carl Lee <carl.lee@amd.com>
Tested-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Tested-by: Luca Stefani <luca.stefani.ge1@gmail.com>
Link: https://patch.msgid.link/20260516-nfc-nxp-nci-i2c-restore-irq-trigger-fallback-v3-1-37ba4b6e9086@amd.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/nxp-nci/i2c.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index 22c498860c03d5..a0e665f958c4d5 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -16,6 +16,7 @@
#include <linux/delay.h>
#include <linux/i2c.h>
#include <linux/interrupt.h>
+#include <linux/irq.h>
#include <linux/module.h>
#include <linux/nfc.h>
#include <linux/gpio/consumer.h>
@@ -268,6 +269,7 @@ static int nxp_nci_i2c_probe(struct i2c_client *client,
{
struct device *dev = &client->dev;
struct nxp_nci_i2c_phy *phy;
+ unsigned long irqflags;
int r;
if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
@@ -304,9 +306,26 @@ static int nxp_nci_i2c_probe(struct i2c_client *client,
if (r < 0)
return r;
+ /*
+ * ACPI platforms may report incorrect IRQ trigger types
+ * (e.g. level-high), which can lead to interrupt storms.
+ *
+ * Use the historically stable rising-edge trigger for ACPI devices.
+ *
+ * On non-ACPI systems (e.g. Device Tree), prefer the firmware-
+ * provided trigger type, falling back to rising-edge if not set.
+ */
+ if (ACPI_COMPANION(dev)) {
+ irqflags = IRQF_TRIGGER_RISING;
+ } else {
+ irqflags = irq_get_trigger_type(client->irq);
+ if (!irqflags)
+ irqflags = IRQF_TRIGGER_RISING;
+ }
+
r = request_threaded_irq(client->irq, NULL,
nxp_nci_i2c_irq_thread_fn,
- IRQF_ONESHOT,
+ irqflags | IRQF_ONESHOT,
NXP_NCI_I2C_DRIVER_NAME, phy);
if (r < 0)
nfc_err(&client->dev, "Unable to register IRQ handler\n");
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 012/411] netfilter: synproxy: refresh tcphdr after skb_ensure_writable
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 011/411] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 013/411] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
` (399 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason,
Fernando Fernandez Mancera, Florian Westphal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Mason <clm@meta.com>
[ Upstream commit 92170e6afe927ab2792a3f71902845789c8e31b1 ]
synproxy_tstamp_adjust() rewrites the TCP timestamp option in place
and then patches the TCP checksum via inet_proto_csum_replace4() on
the caller-supplied tcphdr pointer. Both ipv4_synproxy_hook() and
ipv6_synproxy_hook() obtain that pointer with skb_header_pointer()
before calling in, so it may either alias skb->head directly or
point at the caller's on-stack _tcph buffer.
Between obtaining the pointer and using it, the function calls
skb_ensure_writable(skb, optend), which on a cloned or non-linear
skb invokes pskb_expand_head() and frees the old skb->head. After
that point the cached th is stale:
caller (ipv[46]_synproxy_hook)
th = skb_header_pointer(skb, ..., &_tcph)
synproxy_tstamp_adjust(skb, protoff, th, ...)
skb_ensure_writable(skb, optend)
pskb_expand_head() /* kfree(old skb->head) */
...
inet_proto_csum_replace4(&th->check, ...)
/* writes into freed head, or
into the caller's stack copy
leaving the on-wire checksum
stale */
The option bytes are written through skb->data and are fine; only
the checksum update goes through th and so lands in the wrong
place. The result is either a write into freed slab memory or a
packet leaving with a checksum that does not match its payload.
Fix by re-deriving th from skb->data + protoff immediately after
skb_ensure_writable() succeeds, so the subsequent checksum update
targets the linear, writable header.
Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_synproxy_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 049a88f0380117..cdb2c3e23af7ee 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -199,6 +199,8 @@ synproxy_tstamp_adjust(struct sk_buff *skb, unsigned int protoff,
if (skb_ensure_writable(skb, optend))
return 0;
+ th = (struct tcphdr *)(skb->data + protoff);
+
while (optoff < optend) {
unsigned char *op = skb->data + optoff;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 013/411] netfilter: xt_cpu: prefer raw_smp_processor_id
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 012/411] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 014/411] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
` (398 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+690d3e3ffa7335ac10eb,
Florian Westphal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit c376f07e16c02239ed44cabb97145d03f65b4d15 ]
With PREEMPT_RCU we get splat:
BUG: using smp_processor_id() in preemptible [..]
caller is cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
CPU: 1 .. Comm: syz.3.1377 #0 PREEMPT(full)
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
check_preemption_disabled+0xd3/0xe0 lib/smp_processor_id.c:47
cpu_mt+0x53/0xd0 net/netfilter/xt_cpu.c:37
[..]
Just use raw version instead.
This is similar to 14d14a5d2957 ("netfilter: nft_meta: use raw_smp_processor_id()").
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: syzbot+690d3e3ffa7335ac10eb@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_cpu.c b/net/netfilter/xt_cpu.c
index 3bdc302a0f9137..9cb259902a586b 100644
--- a/net/netfilter/xt_cpu.c
+++ b/net/netfilter/xt_cpu.c
@@ -34,7 +34,7 @@ static bool cpu_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_cpu_info *info = par->matchinfo;
- return (info->cpu == smp_processor_id()) ^ info->invert;
+ return (info->cpu == raw_smp_processor_id()) ^ info->invert;
}
static struct xt_match cpu_mt_reg __read_mostly = {
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 014/411] netfilter: ebtables: fix OOB read in compat_mtw_from_user
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 013/411] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 015/411] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
` (397 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Xin Liu, Luxiao Xu, Ren Wei, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit f438d1786d657d57790c5d138d6db3fc9fdac392 ]
Luxiao Xu says:
The function compat_mtw_from_user() converts ebtables extensions from
32-bit user structures to kernel native structures. However, it lacks
proper validation of the user-supplied match_size/target_size.
When certain extensions are processed, the kernel-side translation
logic may perform memory accesses based on the extension's expected
size. If the user provides a size smaller than what the extension
requires, it results in an out-of-bounds read as reported by KASAN.
This fix introduces a check to ensure match_size is at least as large
as the extension's required compatsize. This covers matches, watchers,
and targets, while maintaining compatibility with standard targets.
AFAIU this is relevant for matches that need to go though
match->compat_from_user() call. Those that use plain memcpy with the
user-provided size are ok because the caller checks that size vs the
start of the next rule entry offset (which itself is checked vs. total
size copied from userspace).
The ->compat_from_user() callbacks assume they can read compatsize bytes,
so they need this extra check.
Based on an earlier patch from Luxiao Xu.
Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebtables.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index c74efcc2b4996d..2083facfc87d9b 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1951,6 +1951,25 @@ enum compat_mwt {
EBT_COMPAT_TARGET,
};
+static bool match_size_ok(const struct xt_match *match, unsigned int match_size)
+{
+ u16 csize;
+
+ if (match->matchsize == -1) /* cannot validate ebt_among */
+ return true;
+
+ csize = match->compatsize ? : match->matchsize;
+
+ return match_size >= csize;
+}
+
+static bool tgt_size_ok(const struct xt_target *tgt, unsigned int tgt_size)
+{
+ u16 csize = tgt->compatsize ? : tgt->targetsize;
+
+ return tgt_size >= csize;
+}
+
static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
enum compat_mwt compat_mwt,
struct ebt_entries_buf_state *state,
@@ -1976,6 +1995,11 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
if (IS_ERR(match))
return PTR_ERR(match);
+ if (!match_size_ok(match, match_size)) {
+ module_put(match->me);
+ return -EINVAL;
+ }
+
off = ebt_compat_match_offset(match, match_size);
if (dst) {
if (match->compat_from_user)
@@ -1995,6 +2019,12 @@ static int compat_mtw_from_user(const struct compat_ebt_entry_mwt *mwt,
mwt->u.revision);
if (IS_ERR(wt))
return PTR_ERR(wt);
+
+ if (!tgt_size_ok(wt, match_size)) {
+ module_put(wt->me);
+ return -EINVAL;
+ }
+
off = xt_compat_target_offset(wt);
if (dst) {
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 015/411] tun: free page on short-frame rejection in tun_xdp_one()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 014/411] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 016/411] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
` (396 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
Willem de Bruijn, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit f4feb1e20058e407cb00f45aff47f5b7e19a6bbf ]
tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.
A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.
Fixes: 049584807f1d ("tun: add missing verification for short frame")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260520160020.375349-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/tun.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 5c9e7d0beffa26..803cb4722dbf4a 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2422,8 +2422,10 @@ static int tun_xdp_one(struct tun_struct *tun,
bool skb_xdp = false;
struct page *page;
- if (unlikely(datasize < ETH_HLEN))
+ if (unlikely(datasize < ETH_HLEN)) {
+ put_page(virt_to_head_page(xdp->data));
return -EINVAL;
+ }
xdp_prog = rcu_dereference(tun->xdp_prog);
if (xdp_prog) {
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 016/411] net: netlink: fix sending unassigned nsid after assigned one
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 015/411] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 017/411] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
` (395 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilya Maximets, Nicolas Dichtel,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit 70f8592ee90585272018a725054b6eb2ab7e99ca ]
If the current skb is not shared, it is re-used directly for all the
sockets subscribed to the notification. If we have remote all-nsid
socket receiving a message first, then the 'nsid_is_set' will be
set to 'true'. If the nsid is NOT_ASSIGNED for the next socket in
the list, the 'nsid_is_set' will remain 'true' and the negative value
is be delivered to the user space. All subsequent nsid values will be
delivered as well, since there is no code path that sets the flag
back to 'false'.
Fix that by always dropping the flag to 'false' first.
Fixes: 7212462fa6fd ("netlink: don't send unknown nsid")
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-2-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlink/af_netlink.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 65eb164d00c40d..12e765fcbd747d 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1482,6 +1482,7 @@ static void do_one_broadcast(struct sock *sk,
p->skb2 = NULL;
goto out;
}
+ NETLINK_CB(p->skb2).nsid_is_set = false;
NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
NETLINK_CB(p->skb2).nsid_is_set = true;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 017/411] net: netlink: dont set nsid on local notifications
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 016/411] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 018/411] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
` (394 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Perin, Ilya Maximets,
Nicolas Dichtel, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit 88b126b39f9757e9debc322d4679239e9af089c7 ]
In most cases, notifications on sockets with NETLINK_LISTEN_ALL_NSID
do not contain NSID in their ancillary data in case the event is local
to the listener.
However, when a self-referential NSID is allocated for a namespace,
every local notification starts sending this ID to the user space.
This is problematic, because the listener cannot tell if those
notifications are local or not anymore without making extra requests
to figure out if the provided NSID is local or not. The listener
can also not figure out the local NSID beforehand as it can be
allocated at any point in time by other processes, changing the
structure of the future notifications for everyone.
The value is practically not useful, since it's the namespace's own
ID that the application has to obtain from other sources in order to
figure out if it's the same or not. So, for the application it's
just an extra busy work with no benefits. Moreover, applications
that do not know about this quirk may be mishandling notifications
with NSID set as notifications from remote namespaces. This is the
case for ovs-vswitchd and the iproute2's 'ip monitor' that stops
printing 'current' and starts printing the nsid number mid-session.
Lack of clear documentation for this behavior is also not helping.
A search though open-source projects doesn't reveal any projects
that use NETNSA_NSID_NOT_ASSIGNED and rely on metadata to contain
self-referential NSIDs (expected, since the value is not useful).
Quite the opposite, as already mentioned, there are few applications
that rely on NSID to not be present in local events.
Since the value is not useful and actively harmful in some cases,
let's not report it for local events, making the notifications more
consistent.
Also adding some blank lines for readability.
Fixes: 59324cf35aba ("netlink: allow to listen "all" netns")
Reported-by: Matteo Perin <matteo.perin@canonical.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260520172317.175168-3-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlink/af_netlink.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 12e765fcbd747d..731c53178eb559 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1482,10 +1482,14 @@ static void do_one_broadcast(struct sock *sk,
p->skb2 = NULL;
goto out;
}
+
NETLINK_CB(p->skb2).nsid_is_set = false;
- NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
- if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
- NETLINK_CB(p->skb2).nsid_is_set = true;
+ if (!net_eq(sock_net(sk), p->net)) {
+ NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
+ if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
+ NETLINK_CB(p->skb2).nsid_is_set = true;
+ }
+
val = netlink_broadcast_deliver(sk, p->skb2);
if (val < 0) {
netlink_overrun(sk);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 018/411] net/smc: Do not re-initialize smc hashtables
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 017/411] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 019/411] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
` (393 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Halil Pasic, Alexandra Winter,
Mahanta Jambigi, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandra Winter <wintera@linux.ibm.com>
[ Upstream commit 9e4389b0038781f19f97895186ed941ff8ac1678 ]
INIT_HLIST_HEAD(&smc_v*_hashinfo.ht) are called after smc_nl_init(),
proto_register() and sock_register(). This can lead to smc_v*_hashinfo.ht
being reset even though hash entries already exist and are being used,
possibly resulting in a corrupted list.
Remove unnecessary and dangerous re-initialisation of smc_v*_hashinfo.ht in
smc_init(); it is implicitly initialised to zero anyhow. Add
HLIST_HEAD_INIT to the definitions for clarity.
Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets")
Suggested-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
Link: https://patch.msgid.link/20260521145639.10317-1-wintera@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/af_smc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 5425c46a2e7c71..6b60a5dd240dd1 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -123,10 +123,12 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
static struct smc_hashinfo smc_v4_hashinfo = {
.lock = __RW_LOCK_UNLOCKED(smc_v4_hashinfo.lock),
+ .ht = HLIST_HEAD_INIT,
};
static struct smc_hashinfo smc_v6_hashinfo = {
.lock = __RW_LOCK_UNLOCKED(smc_v6_hashinfo.lock),
+ .ht = HLIST_HEAD_INIT,
};
int smc_hash_sk(struct sock *sk)
@@ -2938,8 +2940,6 @@ static int __init smc_init(void)
pr_err("%s: sock_register fails with %d\n", __func__, rc);
goto out_proto6;
}
- INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
- INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
rc = smc_ib_register_client();
if (rc) {
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 019/411] net/iucv: fix locking in .getsockopt
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 018/411] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 020/411] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
` (392 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanislav Fomichev, Breno Leitao,
Alexandra Winter, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 3589d20a666caf30ad100c960a2de7de390fce88 ]
Mirror iucv_sock_setsockopt() and wrap the whole switch in
lock_sock()/release_sock(). The pre-existing SO_MSGLIMIT-only lock
becomes redundant and is removed.
Any AF_IUCV HIPER user can potentially crash the kernel by racing
recvmsg() with getsockopt(SO_MSGSIZE): the SO_MSGSIZE arm dereferences
iucv->hs_dev->mtu after iucv_sock_close() (called from the racing
recvmsg()) has set hs_dev to NULL, producing a NULL pointer dereference
oops.
Suggested-by: Stanislav Fomichev <sdf.kernel@gmail.com>
Fixes: 51363b8751a6 ("af_iucv: allow retrieval of maximum message size")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Tested-by: Alexandra Winter <wintera@linux.ibm.com>
Link: https://patch.msgid.link/20260521-af_iucv_fix2-v1-1-f16b1c510aa9@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/iucv/af_iucv.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index e6cb3e1cbbf9b8..3188d719a2e42d 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -1533,7 +1533,7 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
struct sock *sk = sock->sk;
struct iucv_sock *iucv = iucv_sk(sk);
unsigned int val;
- int len;
+ int len, rc;
if (level != SOL_IUCV)
return -ENOPROTOOPT;
@@ -1546,26 +1546,34 @@ static int iucv_sock_getsockopt(struct socket *sock, int level, int optname,
len = min_t(unsigned int, len, sizeof(int));
+ rc = 0;
+
+ lock_sock(sk);
switch (optname) {
case SO_IPRMDATA_MSG:
val = (iucv->flags & IUCV_IPRMDATA) ? 1 : 0;
break;
case SO_MSGLIMIT:
- lock_sock(sk);
val = (iucv->path != NULL) ? iucv->path->msglim /* connected */
: iucv->msglimit; /* default */
- release_sock(sk);
break;
case SO_MSGSIZE:
- if (sk->sk_state == IUCV_OPEN)
- return -EBADFD;
+ if (sk->sk_state == IUCV_OPEN) {
+ rc = -EBADFD;
+ break;
+ }
val = (iucv->hs_dev) ? iucv->hs_dev->mtu -
sizeof(struct af_iucv_trans_hdr) - ETH_HLEN :
0x7fffffff;
break;
default:
- return -ENOPROTOOPT;
+ rc = -ENOPROTOOPT;
+ break;
}
+ release_sock(sk);
+
+ if (rc)
+ return rc;
if (put_user(len, optlen))
return -EFAULT;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 020/411] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 019/411] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 021/411] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
` (391 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Zhou, Eric Dumazet, Cong Wang,
Jason Xing, Jiayuan Chen, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 87a1e0fe7776da7ab411be332b4be58ac8840d10 ]
ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
too soon.
Only after unregister_net_sysctl_table() we can be sure no threads can possibly
use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.
Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260521122147.3584624-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/sysctl_net_ipv4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 1f22e72074fdca..a7d335ab000403 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -1415,10 +1415,10 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
{
struct ctl_table *table;
- kfree(net->ipv4.sysctl_local_reserved_ports);
table = net->ipv4.ipv4_hdr->ctl_table_arg;
unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
kfree(table);
+ kfree(net->ipv4.sysctl_local_reserved_ports);
}
static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 021/411] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 020/411] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 022/411] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
` (390 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit afb2a3a9d8369d18122a0d7cd294eba9a98259c6 ]
byt_cht_es8316_init() enables MCLK before configuring the codec sysclk
and creating the headset jack. If either of those later steps fails, the
function returns without disabling MCLK, leaving the clock enabled after
card registration fails.
Track whether this driver enabled MCLK and disable it on the init error
paths. Add the matching DAI link exit callback so the same clock enable
is also balanced when ASoC cleans up a successfully initialized link.
Fixes: a03bdaa565cb ("ASoC: Intel: add machine driver for BYT/CHT + ES8316")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260519-asoc-bytcht-es8316-mclk-leak-v1-1-b4a11cdc2afd@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/boards/bytcht_es8316.c | 29 ++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c
index 923e69c7695c29..d54bc667175f50 100644
--- a/sound/soc/intel/boards/bytcht_es8316.c
+++ b/sound/soc/intel/boards/bytcht_es8316.c
@@ -39,6 +39,7 @@ struct byt_cht_es8316_private {
struct gpio_desc *speaker_en_gpio;
struct device *codec_dev;
bool speaker_en;
+ bool mclk_enabled;
};
enum {
@@ -169,6 +170,15 @@ static struct snd_soc_jack_pin byt_cht_es8316_jack_pins[] = {
},
};
+static void byt_cht_es8316_disable_mclk(struct byt_cht_es8316_private *priv)
+{
+ if (!priv->mclk_enabled)
+ return;
+
+ clk_disable_unprepare(priv->mclk);
+ priv->mclk_enabled = false;
+}
+
static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
{
struct snd_soc_component *codec = asoc_rtd_to_codec(runtime, 0)->component;
@@ -225,12 +235,14 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
ret = clk_prepare_enable(priv->mclk);
if (ret)
dev_err(card->dev, "unable to enable MCLK\n");
+ else
+ priv->mclk_enabled = true;
ret = snd_soc_dai_set_sysclk(asoc_rtd_to_codec(runtime, 0), 0, 19200000,
SND_SOC_CLOCK_IN);
if (ret < 0) {
dev_err(card->dev, "can't set codec clock %d\n", ret);
- return ret;
+ goto err_disable_mclk;
}
ret = snd_soc_card_jack_new(card, "Headset",
@@ -239,13 +251,25 @@ static int byt_cht_es8316_init(struct snd_soc_pcm_runtime *runtime)
ARRAY_SIZE(byt_cht_es8316_jack_pins));
if (ret) {
dev_err(card->dev, "jack creation failed %d\n", ret);
- return ret;
+ goto err_disable_mclk;
}
snd_jack_set_key(priv->jack.jack, SND_JACK_BTN_0, KEY_PLAYPAUSE);
snd_soc_component_set_jack(codec, &priv->jack, NULL);
return 0;
+
+err_disable_mclk:
+ byt_cht_es8316_disable_mclk(priv);
+ return ret;
+}
+
+static void byt_cht_es8316_exit(struct snd_soc_pcm_runtime *runtime)
+{
+ struct snd_soc_card *card = runtime->card;
+ struct byt_cht_es8316_private *priv = snd_soc_card_get_drvdata(card);
+
+ byt_cht_es8316_disable_mclk(priv);
}
static int byt_cht_es8316_codec_fixup(struct snd_soc_pcm_runtime *rtd,
@@ -355,6 +379,7 @@ static struct snd_soc_dai_link byt_cht_es8316_dais[] = {
.dpcm_playback = 1,
.dpcm_capture = 1,
.init = byt_cht_es8316_init,
+ .exit = byt_cht_es8316_exit,
SND_SOC_DAILINK_REG(ssp2_port, ssp2_codec, platform),
},
};
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 022/411] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 021/411] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 023/411] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
` (389 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b4bc94353050b1fa7b702bd4c6600710dd926cff ]
Sashiko found that iptunnel_pmtud_build_icmp() and
iptunnel_pmtud_build_icmpv6() were caching ip_hdr() and ipv6_hdr()
before an skb_cow() call which can reallocate skb->head.
Fix this possible UAF by initializing the local variables
after the skb_cow() call.
Remove skb_reset_network_header() calls which were not needed.
Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525201335.2361845-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_tunnel_core.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 3737188ba4e1e5..4d80bbcd15d5a4 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -194,7 +194,7 @@ EXPORT_SYMBOL_GPL(iptunnel_handle_offloads);
*/
static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
{
- const struct iphdr *iph = ip_hdr(skb);
+ const struct iphdr *iph;
struct icmphdr *icmph;
struct iphdr *niph;
struct ethhdr eh;
@@ -208,7 +208,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
pskb_pull(skb, ETH_HLEN);
- skb_reset_network_header(skb);
err = pskb_trim(skb, 576 - sizeof(*niph) - sizeof(*icmph));
if (err)
@@ -218,7 +217,7 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
err = skb_cow(skb, sizeof(*niph) + sizeof(*icmph) + ETH_HLEN);
if (err)
return err;
-
+ iph = ip_hdr(skb);
icmph = skb_push(skb, sizeof(*icmph));
*icmph = (struct icmphdr) {
.type = ICMP_DEST_UNREACH,
@@ -290,7 +289,7 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
*/
static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
{
- const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+ const struct ipv6hdr *ip6h;
struct icmp6hdr *icmp6h;
struct ipv6hdr *nip6h;
struct ethhdr eh;
@@ -305,7 +304,6 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
skb_copy_bits(skb, skb_mac_offset(skb), &eh, ETH_HLEN);
pskb_pull(skb, ETH_HLEN);
- skb_reset_network_header(skb);
err = pskb_trim(skb, IPV6_MIN_MTU - sizeof(*nip6h) - sizeof(*icmp6h));
if (err)
@@ -316,6 +314,7 @@ static int iptunnel_pmtud_build_icmpv6(struct sk_buff *skb, int mtu)
if (err)
return err;
+ ip6h = ipv6_hdr(skb);
icmp6h = skb_push(skb, sizeof(*icmp6h));
*icmp6h = (struct icmp6hdr) {
.icmp6_type = ICMPV6_PKT_TOOBIG,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 023/411] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 022/411] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 024/411] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
` (388 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Stefano Brivio,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7d9ef0cb271555d8cf39fefe6c981e1493b25ecf ]
skb_tunnel_check_pmtu() can change skb->head.
Reusing old_iph afer skb_tunnel_check_pmtu() can cause an UAF.
Use instead ip_hdr(skb) as done in drivers/net/bareudp.c
and drivers/net/geneve.c.
Found by Sashiko.
Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Link: https://patch.msgid.link/20260525203642.2389723-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vxlan/vxlan_core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index bd2b44071781ca..7967b429dfcf5f 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -2753,7 +2753,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
goto out_unlock;
}
- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+ tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
vni, md, flags, udp_sum);
@@ -2816,7 +2816,7 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
goto out_unlock;
}
- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
+ tos = ip_tunnel_ecn_encap(tos, ip_hdr(skb), skb);
ttl = ttl ? : ip6_dst_hoplimit(ndst);
skb_scrub_packet(skb, xnet);
err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 024/411] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 023/411] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 025/411] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
` (387 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damiano Melotti, Eric Dumazet,
Kuniyuki Iwashima, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 509323077ef79a26ba0c60bb556e45c12c398b2d ]
In some cases, iptunnel_pmtud_check_icmp() can be called while
skb transport header is not set.
This triggers an out-of-bound access, because
(typeof(skb->transport_header))~0U is 65535.
Access the icmp header based on IPv4 network header,
after making sure icmp->type is present in skb linear part.
Note that iptunnel_pmtud_check_icmpv6()) is fine.
Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260522115512.1519110-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_tunnel_core.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
index 4d80bbcd15d5a4..f535b875a02b88 100644
--- a/net/ipv4/ip_tunnel_core.c
+++ b/net/ipv4/ip_tunnel_core.c
@@ -262,7 +262,6 @@ static int iptunnel_pmtud_build_icmp(struct sk_buff *skb, int mtu)
*/
static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
{
- const struct icmphdr *icmph = icmp_hdr(skb);
const struct iphdr *iph = ip_hdr(skb);
if (mtu < 576 || iph->frag_off != htons(IP_DF))
@@ -273,9 +272,17 @@ static int iptunnel_pmtud_check_icmp(struct sk_buff *skb, int mtu)
ipv4_is_lbcast(iph->saddr) || ipv4_is_multicast(iph->saddr))
return 0;
- if (iph->protocol == IPPROTO_ICMP && icmp_is_err(icmph->type))
- return 0;
+ if (iph->protocol == IPPROTO_ICMP) {
+ const struct icmphdr *icmph;
+ if (!pskb_network_may_pull(skb, iph->ihl * 4 +
+ offsetofend(struct icmphdr, type)))
+ return 0;
+ iph = ip_hdr(skb);
+ icmph = (void *)iph + iph->ihl * 4;
+ if (icmp_is_err(icmph->type))
+ return 0;
+ }
return iptunnel_pmtud_build_icmp(skb, mtu);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 025/411] ASoC: codecs: simple-mux: Fix enum control bounds check
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 024/411] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 026/411] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
` (386 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cássio Gabriel, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit f63ad68e18d774a5d15cd7e405ead63f6b322679 ]
simple_mux_control_put() rejects values greater than e->items, but
enum control values are zero based. For the two-entry mux used by this
driver, valid values are 0 and 1, so value 2 must be rejected as well.
Accepting e->items can store an invalid mux state, pass it to the GPIO
setter, and pass it on to the DAPM mux update path where it is used as
an index into the enum text array.
Use the same >= e->items check used by the ASoC enum helpers.
Fixes: 342fbb7578d1 ("ASoC: add simple-mux")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260527-asoc-simple-mux-enum-bounds-v1-1-3f805b9fc671@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/simple-mux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/simple-mux.c b/sound/soc/codecs/simple-mux.c
index e0a09dadfa7cf0..344bc61b9dc26a 100644
--- a/sound/soc/codecs/simple-mux.c
+++ b/sound/soc/codecs/simple-mux.c
@@ -40,7 +40,7 @@ static int simple_mux_control_put(struct snd_kcontrol *kcontrol,
struct snd_soc_component *c = snd_soc_dapm_to_component(dapm);
struct simple_mux *priv = snd_soc_component_get_drvdata(c);
- if (ucontrol->value.enumerated.item[0] > e->items)
+ if (ucontrol->value.enumerated.item[0] >= e->items)
return -EINVAL;
if (priv->mux == ucontrol->value.enumerated.item[0])
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 026/411] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 025/411] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 027/411] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
` (385 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhao Dongdong,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Dongdong <zhaodongdong@kylinos.cn>
[ Upstream commit 3c40d381ce04f9575a5d8b542898183c3b4b38dc ]
The skb_clone() function can return NULL if memory allocation fails.
send_mcast_pkt() calls skb_clone() without checking the return value, which
can lead to a NULL pointer dereference in send_pkt() when it dereferences
skb->data.
Add a NULL check after skb_clone() and skip the peer if the clone fails.
Fixes: 18722c247023 ("Bluetooth: Enable 6LoWPAN support for BT LE devices")
Signed-off-by: Zhao Dongdong <zhaodongdong@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/6lowpan.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
index b70d3a38fdedc1..26bc594182ea08 100644
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -485,6 +485,8 @@ static int send_mcast_pkt(struct sk_buff *skb, struct net_device *netdev)
int ret;
local_skb = skb_clone(skb, GFP_ATOMIC);
+ if (!local_skb)
+ continue;
BT_DBG("xmit %s to %pMR type %u IP %pI6c chan %p",
netdev->name,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 027/411] bonding: refuse to enslave CAN devices
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 026/411] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 028/411] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
` (384 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8ed98cbd0161632bce95,
Oliver Hartkopp, Jay Vosburgh, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Hartkopp <socketcan@hartkopp.net>
[ Upstream commit 8ba68464e4787b6a7ec938826e16124df20fd23d ]
syzbot reported a kernel paging request crash in
can_rx_unregister() inside net/can/af_can.c. The crash occurs
because a virtual CAN device (vxcan) is being enslaved to a
bonding master.
During the enslavement process, the bonding driver mutates
and modifies the network device states to fit an Ethernet-like
aggregation model. However, CAN devices operate on a completely
different Layer 2 architecture, relying on the CAN mid-layer
private data structure (can_ml_priv) instead of standard
Ethernet structures. Since bonding does not initialize or
maintain these CAN structures, subsequent operations on the
half-enslaved interface (such as closing associated sockets
via isotp_release) lead to a null-pointer dereference when
accessing the CAN receiver lists.
Bonding CAN interfaces is architecturally invalid as CAN lacks
MAC addresses, ARP capabilities, and standard Ethernet
link-layer mechanisms. While generic loopback devices are
blocked globally in net/core/dev.c, virtual CAN devices
bypass this check because they do not carry the IFF_LOOPBACK
flag, despite acting as local software-loopbacks.
Fix this by explicitly blocking network devices of type
ARPHRD_CAN from being enslaved at the very beginning of
bond_enslave(). This prevents illegal state mutations,
eliminates the resulting KASAN crashes, and avoids potential
memory leaks from incomplete socket cleanups.
As the CAN support has been added a long time after bonding
the Fixes-tag points to the introduction of ARPHRD_CAN that
would have needed a specific handling in bonding_main.c.
Fixes: cd05acfe65ed ("[CAN]: Allocate protocol numbers for PF_CAN")
Reported-by: syzbot+8ed98cbd0161632bce95@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8ed98cbd0161632bce95
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20260526-bonding-candev-v1-1-ba1df400918a@hartkopp.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 5321d9dca698a9..42ad34b308b924 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1776,6 +1776,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
int link_reporting;
int res = 0, i;
+ if (slave_dev->type == ARPHRD_CAN) {
+ BOND_NL_ERR(bond_dev, extack,
+ "CAN devices cannot be enslaved");
+ return -EPERM;
+ }
+
if (slave_dev->flags & IFF_MASTER &&
!netif_is_bond_master(slave_dev)) {
BOND_NL_ERR(bond_dev, extack,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 028/411] ethtool: eeprom: add more safeties to EEPROM Netlink fallback
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 027/411] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 029/411] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
` (383 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 67cfdd9210b99f260b3e0afeb9525e0acc7be31e ]
The Netlink fallback path for reading module EEPROM
(fallback_set_params()) validates that offset < eeprom_len,
but does not check that offset + length stays within eeprom_len.
The ioctl equivalent (ethtool_get_any_eeprom() in ioctl.c) has
always enforced both bounds:
if (eeprom.offset + eeprom.len > total_len)
return -EINVAL;
This could lead to surprises in both drivers and device FW.
Add the missing offset + length validation to fallback_set_params(),
mirroring the ioctl.
Similarly - ethtool core in general, and ethtool_get_any_eeprom()
in particular tries to zero-init all buffers passed to the drivers
to avoid any extra work of zeroing things out. eeprom_fallback()
uses a plain kmalloc(), change it to zalloc.
Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Link: https://patch.msgid.link/20260526153533.2779187-11-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/eeprom.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
index 49c0a2a77f02de..6ce40f95d8aba5 100644
--- a/net/ethtool/eeprom.c
+++ b/net/ethtool/eeprom.c
@@ -43,6 +43,9 @@ static int fallback_set_params(struct eeprom_req_info *request,
if (offset >= modinfo->eeprom_len)
return -EINVAL;
+ if (length > modinfo->eeprom_len - offset)
+ return -EINVAL;
+
eeprom->cmd = ETHTOOL_GMODULEEEPROM;
eeprom->len = length;
eeprom->offset = offset;
@@ -69,7 +72,7 @@ static int eeprom_fallback(struct eeprom_req_info *request,
if (err < 0)
return err;
- data = kmalloc(eeprom.len, GFP_KERNEL);
+ data = kzalloc(eeprom.len, GFP_KERNEL);
if (!data)
return -ENOMEM;
err = ethtool_get_module_eeprom_call(dev, &eeprom, data);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 029/411] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 028/411] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 030/411] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
` (382 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rahul Chandelkar, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rahul Chandelkar <rc@rexion.ai>
[ Upstream commit 9d5e7a46a9f6d8f503b41bfefef70659845f1679 ]
ipv6_rpl_srh_decompress() computes:
outhdr->hdrlen = (((n + 1) * sizeof(struct in6_addr)) >> 3);
hdrlen is __u8. For n >= 127 the result exceeds 255 and silently
truncates. With n=127 (cmpri=15, cmpre=15, pad=0, hdrlen=16):
(128 * 16) >> 3 = 256, truncated to 0 as __u8
The caller in ipv6_rpl_srh_rcv() then places the compressed header
at buf + ((ohdr->hdrlen + 1) << 3). With hdrlen=0 this is buf + 8,
but the decompressed region occupies buf[0..2055] (8-byte header
plus 128 full addresses). The compressed header overlaps the
decompressed data, and ipv6_rpl_srh_compress() writes into this
overlap, corrupting the routing header of the forwarded packet.
The existing guard at exthdrs.c:546 checks (n + 1) > 255, which
prevents n+1 from overflowing unsigned char (the segments_left
field), but does not prevent the computed hdrlen from overflowing
__u8. n=127 passes because 128 <= 255, yet hdrlen=256 does not
fit.
Tighten the bound to (n + 1) > 127. This caps n at 126, giving
hdrlen = (127 * 16) >> 3 = 254, which fits in __u8. The compressed
header then lands at buf + ((254 + 1) << 3) = buf + 2040, exactly
past the decompressed region (buf[0..2039]). No overlap. 127
segments is well beyond any realistic RPL deployment.
Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr")
Signed-off-by: Rahul Chandelkar <rc@rexion.ai>
Link: https://patch.msgid.link/20260525154031.2290876-1-rc@rexion.ai
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/exthdrs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 343b957e6337ab..a25dfa59ca2196 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -557,7 +557,7 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
* unsigned char which is segments_left field. Should not be
* higher than that.
*/
- if (r || (n + 1) > 255) {
+ if (r || (n + 1) > 127) {
kfree_skb(skb);
return -1;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 030/411] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 029/411] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 031/411] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
` (381 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ji-Soo Chung, Gerlinde, zyc zyc,
Manas Ghandat, Stephen Hemminger, Jamal Hadi Salim, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit eda0b7f203bb166c98d1418b204135bd566ac83b ]
This reverts commit ec8e0e3d7adef940cdf9475e2352c0680189d14e.
The original patch rejects any tree containing two netems when
either has duplication set, even when they sit on unrelated classes
of the same classful parent. That broke configurations that have
worked since netem was introduced.
The re-entrancy problem the original commit was trying to solve is
handled by later patch using tc_depth flag.
Doing this revert will (re)expose the original bug with multiple
netem duplication. When this patch is backported make sure
and get the full series.
Fixes: ec8e0e3d7ade ("net/sched: Restrict conditions for adding duplicating netems to qdisc tree")
Reported-by: Ji-Soo Chung <jschung2@proton.me>
Reported-by: Gerlinde <lrGerlinde@mailfence.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220774
Reported-by: zyc zyc <zyc199902@zohomail.cn>
Closes: https://lore.kernel.org/all/19adda5a1e2.12410b78222774.9191120410578703463@zohomail.cn/
Reported-by: Manas Ghandat <ghandatmanas@gmail.com>
Closes: https://lore.kernel.org/netdev/f69b2c8f-8325-4c2e-a011-6dbc089f30e4@gmail.com/
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260525122556.973584-3-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 40 ----------------------------------------
1 file changed, 40 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 3e3bced82c564d..3dc6411b0a33c7 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -985,41 +985,6 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
return 0;
}
-static const struct Qdisc_class_ops netem_class_ops;
-
-static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
- struct netlink_ext_ack *extack)
-{
- struct Qdisc *root, *q;
- unsigned int i;
-
- root = qdisc_root_sleeping(sch);
-
- if (sch != root && root->ops->cl_ops == &netem_class_ops) {
- if (duplicates ||
- ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
- goto err;
- }
-
- if (!qdisc_dev(root))
- return 0;
-
- hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
- if (sch != q && q->ops->cl_ops == &netem_class_ops) {
- if (duplicates ||
- ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
- goto err;
- }
- }
-
- return 0;
-
-err:
- NL_SET_ERR_MSG(extack,
- "netem: cannot mix duplicating netems with other netems in tree");
- return -EINVAL;
-}
-
/* Parse netlink message to set options */
static int netem_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
@@ -1087,11 +1052,6 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
q->gap = qopt->gap;
q->counter = 0;
q->loss = qopt->loss;
-
- ret = check_netem_in_tree(sch, qopt->duplicate, extack);
- if (ret)
- goto unlock;
-
q->duplicate = qopt->duplicate;
/* for compatibility with earlier versions.
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 031/411] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 030/411] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 032/411] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
` (380 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenghang Xiao <kipreyyy@gmail.com>
[ Upstream commit 00e1950716c6ed67d74777b2db286b0fa23b4be9 ]
l2cap_ecred_reconf_rsp() returns early on success without clearing
chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
successful transaction to prevent the channel from matching subsequent
responses with the recycled ident value.
A remote attacker that completed a reconfiguration as the peer can
replay a failure response with the stale ident, causing the kernel to
match and destroy the already-established channel via
l2cap_chan_del(chan, ECONNRESET).
Clear chan->ident for all matching channels on success, and harden the
failure path by using l2cap_chan_hold_unless_zero() consistent with
other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a5db427c13de20..7e3825c1b10b95 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6422,14 +6422,20 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
BT_DBG("result 0x%4.4x", result);
- if (!result)
+ if (!result) {
+ list_for_each_entry(chan, &conn->chan_l, list) {
+ if (chan->ident == cmd->ident)
+ chan->ident = 0;
+ }
return 0;
+ }
list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
if (chan->ident != cmd->ident)
continue;
- l2cap_chan_hold(chan);
+ if (!l2cap_chan_hold_unless_zero(chan))
+ continue;
l2cap_chan_lock(chan);
l2cap_chan_del(chan, ECONNRESET);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 032/411] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 031/411] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 033/411] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
` (379 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 41c2713b204e6cb6a94587bc6bf6935107df5479 ]
If dcid is received for an already-assigned destination CID the spec
requires that both channels to be discarded, but calling l2cap_chan_del
may invalidate the tmp cursor created by list_for_each_entry_safe and
in fact it is the wrong procedure as the chan->dcid may be assigned
previously it really needs to be disconnected.
Calling l2cap_chan_clone directly may still lead to l2cap_chan_del so
instead schedule l2cap_chan_timeout with delay 0 to close the channel
asynchronously.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7e3825c1b10b95..38ac75f85144be 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6222,6 +6222,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
cmd_len -= sizeof(*rsp);
list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+ struct l2cap_chan *orig;
u16 dcid;
if (chan->ident != cmd->ident ||
@@ -6243,8 +6244,10 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
+ orig = __l2cap_get_chan_by_dcid(conn, dcid);
+
/* Check if dcid is already in use */
- if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
+ if (dcid && orig) {
/* If a device receives a
* L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
* already-assigned Destination CID, then both the
@@ -6253,10 +6256,24 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
*/
l2cap_chan_del(chan, ECONNREFUSED);
l2cap_chan_unlock(chan);
- chan = __l2cap_get_chan_by_dcid(conn, dcid);
- l2cap_chan_lock(chan);
- l2cap_chan_del(chan, ECONNRESET);
- l2cap_chan_unlock(chan);
+
+ /* Check that the dcid channel mode is
+ * L2CAP_MODE_EXT_FLOWCTL since this procedure is only
+ * valid for that mode and shouldn't disconnect a dcid
+ * in other modes.
+ */
+ if (orig->mode == L2CAP_MODE_EXT_FLOWCTL) {
+ l2cap_chan_lock(orig);
+ /* Disconnect the original channel as it may be
+ * considered connected since dcid has already
+ * been assigned; don't call l2cap_chan_close
+ * directly since that could lead to
+ * l2cap_chan_del and then removing the channel
+ * from the list while we're iterating over it.
+ */
+ __set_chan_timer(orig, 0);
+ l2cap_chan_unlock(orig);
+ }
continue;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 033/411] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 032/411] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 034/411] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
` (378 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marco Scardovi, Bartosz Golaszewski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marco Scardovi <scardracs@disroot.org>
[ Upstream commit 3e46c18d5d87f063a93ae0fe7662fbf6660459d5 ]
The bank->clk was previously obtained via of_clk_get() and manually
prepared/enabled. However, it was missing a corresponding clk_put() in
both the error paths and the remove function, leading to a reference leak.
Convert the allocation to devm_clk_get_enabled(), which also properly
propagates failures from clk_prepare_enable() that were previously ignored.
The GPIO bank device uses the same OF node as the previous of_clk_get()
call, so devm_clk_get_enabled(dev, NULL) correctly resolves the same
clock provider entry.
Fix the reference leak and simplify the code by removing the manual
clk_disable_unprepare() calls in the probe error paths and in the
remove function.
Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Assisted-by: Antigravity:gemini-3.5-flash
Signed-off-by: Marco Scardovi <scardracs@disroot.org>
Link: https://patch.msgid.link/20260526171050.12785-2-scardracs@disroot.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-rockchip.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c
index d331745da1a3a8..df2eefc1554a01 100644
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -649,11 +649,10 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
if (!bank->irq)
return -EINVAL;
- bank->clk = of_clk_get(bank->of_node, 0);
+ bank->clk = devm_clk_get_enabled(bank->dev, NULL);
if (IS_ERR(bank->clk))
return PTR_ERR(bank->clk);
- clk_prepare_enable(bank->clk);
id = readl(bank->reg_base + gpio_regs_v2.version_id);
/* If not gpio v2, that is default to v1. */
@@ -663,7 +662,6 @@ static int rockchip_get_bank_data(struct rockchip_pin_bank *bank)
bank->db_clk = of_clk_get(bank->of_node, 1);
if (IS_ERR(bank->db_clk)) {
dev_err(bank->dev, "cannot find debounce clk\n");
- clk_disable_unprepare(bank->clk);
return -EINVAL;
}
} else {
@@ -737,7 +735,6 @@ static int rockchip_gpio_probe(struct platform_device *pdev)
ret = rockchip_gpiolib_register(bank);
if (ret) {
- clk_disable_unprepare(bank->clk);
mutex_unlock(&bank->deferred_lock);
return ret;
}
@@ -773,7 +770,6 @@ static int rockchip_gpio_remove(struct platform_device *pdev)
{
struct rockchip_pin_bank *bank = platform_get_drvdata(pdev);
- clk_disable_unprepare(bank->clk);
gpiochip_remove(&bank->gpio_chip);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 034/411] sctp: fix race between sctp_wait_for_connect and peeloff
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 033/411] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 035/411] batman-adv: v: stop OGMv2 on disabled interface Greg Kroah-Hartman
` (377 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhenghang Xiao, Xin Long,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhenghang Xiao <kipreyyy@gmail.com>
[ Upstream commit f14fe6395a8b3d961a61e138ad7b36ba3626dd4e ]
sctp_wait_for_connect() drops and re-acquires the socket lock while
waiting for the association to reach ESTABLISHED state. During this
window, another thread can peeloff the association to a new socket via
getsockopt(SCTP_SOCKOPT_PEELOFF), changing asoc->base.sk. After
re-acquiring the old socket lock, sctp_wait_for_connect() returns
success without noticing the migration — the caller then accesses
the association under the wrong lock in sctp_datamsg_from_user().
Add the same sk != asoc->base.sk check that sctp_wait_for_sndbuf()
already has, returning an error if the association was migrated while
we slept.
Fixes: 668c9beb9020 ("sctp: implement assign_number for sctp_stream_interleave")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260527032411.60959-1-kipreyyy@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 11040232ee937b..136b122d87c5a6 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9369,6 +9369,8 @@ static int sctp_wait_for_connect(struct sctp_association *asoc, long *timeo_p)
release_sock(sk);
current_timeo = schedule_timeout(current_timeo);
lock_sock(sk);
+ if (sk != asoc->base.sk)
+ goto do_error;
*timeo_p = current_timeo;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 035/411] batman-adv: v: stop OGMv2 on disabled interface
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 034/411] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 036/411] batman-adv: tvlv: abort OGM send on tvlv append failure Greg Kroah-Hartman
` (376 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f8ce8b8331a1bc44ad4905886a482214d428b253 upstream.
When a batadv_hard_iface is disabled, its mesh_iface pointer is set to
NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via
batadv_v_ogm_queue_on_if() for interfaces that have since lost their
mesh_iface association. This results in a NULL pointer dereference when
batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the
now NULL hard_iface->mesh_iface to retrieve the batadv_priv.
It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that
it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was
called.
Cc: stable@kernel.org
Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
[ switch to old "mesh_iface" name "soft_iface" ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bat_v_ogm.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index c357cf72396ebe..74295915653336 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -116,14 +116,14 @@ static void batadv_v_ogm_start_timer(struct batadv_priv *bat_priv)
/**
* batadv_v_ogm_send_to_if() - send a batman ogm using a given interface
+ * @bat_priv: the bat priv with all the mesh interface information
* @skb: the OGM to send
* @hard_iface: the interface to use to send the OGM
*/
-static void batadv_v_ogm_send_to_if(struct sk_buff *skb,
+static void batadv_v_ogm_send_to_if(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
struct batadv_hard_iface *hard_iface)
{
- struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
-
if (hard_iface->if_status != BATADV_IF_ACTIVE) {
kfree_skb(skb);
return;
@@ -190,6 +190,7 @@ static void batadv_v_ogm_aggr_list_free(struct batadv_hard_iface *hard_iface)
/**
* batadv_v_ogm_aggr_send() - flush & send aggregation queue
+ * @bat_priv: the bat priv with all the mesh interface information
* @hard_iface: the interface with the aggregation queue to flush
*
* Aggregates all OGMv2 packets currently in the aggregation queue into a
@@ -199,7 +200,8 @@ static void batadv_v_ogm_aggr_list_free(struct batadv_hard_iface *hard_iface)
*
* Caller needs to hold the hard_iface->bat_v.aggr_list.lock.
*/
-static void batadv_v_ogm_aggr_send(struct batadv_hard_iface *hard_iface)
+static void batadv_v_ogm_aggr_send(struct batadv_priv *bat_priv,
+ struct batadv_hard_iface *hard_iface)
{
unsigned int aggr_len = hard_iface->bat_v.aggr_len;
struct sk_buff *skb_aggr;
@@ -229,27 +231,32 @@ static void batadv_v_ogm_aggr_send(struct batadv_hard_iface *hard_iface)
consume_skb(skb);
}
- batadv_v_ogm_send_to_if(skb_aggr, hard_iface);
+ batadv_v_ogm_send_to_if(bat_priv, skb_aggr, hard_iface);
}
/**
* batadv_v_ogm_queue_on_if() - queue a batman ogm on a given interface
+ * @bat_priv: the bat priv with all the mesh interface information
* @skb: the OGM to queue
* @hard_iface: the interface to queue the OGM on
*/
-static void batadv_v_ogm_queue_on_if(struct sk_buff *skb,
+static void batadv_v_ogm_queue_on_if(struct batadv_priv *bat_priv,
+ struct sk_buff *skb,
struct batadv_hard_iface *hard_iface)
{
- struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+ if (hard_iface->soft_iface != bat_priv->soft_iface) {
+ kfree_skb(skb);
+ return;
+ }
if (!atomic_read(&bat_priv->aggregated_ogms)) {
- batadv_v_ogm_send_to_if(skb, hard_iface);
+ batadv_v_ogm_send_to_if(bat_priv, skb, hard_iface);
return;
}
spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
if (!batadv_v_ogm_queue_left(skb, hard_iface))
- batadv_v_ogm_aggr_send(hard_iface);
+ batadv_v_ogm_aggr_send(bat_priv, hard_iface);
hard_iface->bat_v.aggr_len += batadv_v_ogm_len(skb);
__skb_queue_tail(&hard_iface->bat_v.aggr_list, skb);
@@ -348,7 +355,7 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
break;
}
- batadv_v_ogm_queue_on_if(skb_tmp, hard_iface);
+ batadv_v_ogm_queue_on_if(bat_priv, skb_tmp, hard_iface);
batadv_hardif_put(hard_iface);
}
rcu_read_unlock();
@@ -388,12 +395,14 @@ void batadv_v_ogm_aggr_work(struct work_struct *work)
{
struct batadv_hard_iface_bat_v *batv;
struct batadv_hard_iface *hard_iface;
+ struct batadv_priv *bat_priv;
batv = container_of(work, struct batadv_hard_iface_bat_v, aggr_wq.work);
hard_iface = container_of(batv, struct batadv_hard_iface, bat_v);
+ bat_priv = netdev_priv(hard_iface->soft_iface);
spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
- batadv_v_ogm_aggr_send(hard_iface);
+ batadv_v_ogm_aggr_send(bat_priv, hard_iface);
spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
batadv_v_ogm_start_queue_timer(hard_iface);
@@ -583,7 +592,7 @@ static void batadv_v_ogm_forward(struct batadv_priv *bat_priv,
if_outgoing->net_dev->name, ntohl(ogm_forward->throughput),
ogm_forward->ttl, if_incoming->net_dev->name);
- batadv_v_ogm_queue_on_if(skb, if_outgoing);
+ batadv_v_ogm_queue_on_if(bat_priv, skb, if_outgoing);
out:
batadv_orig_ifinfo_put(orig_ifinfo);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 036/411] batman-adv: tvlv: abort OGM send on tvlv append failure
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 035/411] batman-adv: v: stop OGMv2 on disabled interface Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 037/411] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface Greg Kroah-Hartman
` (375 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 501368506563e151b322c8c3f228b796e615b90d upstream.
batadv_tvlv_container_ogm_append() could fail in two ways: a memory
allocation failure when resizing the packet buffer, or the tvlv data
exceeding U16_MAX bytes. In both cases the function previously returned the
old (now stale) tvlv_value_len rather than signalling an error, causing the
OGM/OGM2 send path to transmit a packet whose TVLV length field no longer
matched the actual buffer contents. And because it also didn't fill in the
new TVLV data, sending either uninitialized or corrupted data on the wire.
All errors in batadv_tvlv_container_ogm_append() must be forwarded to the
caller. And the caller must abort the send of the OGM2. For B.A.T.M.A.N.
IV, it is currently not allowed to abort the send. The non-TVLV part of the
OGM must be queued up instead.
Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bat_iv_ogm.c | 16 +++++++++++++---
net/batman-adv/bat_v_ogm.c | 26 ++++++++++++++------------
net/batman-adv/tvlv.c | 17 ++++++++++++-----
net/batman-adv/tvlv.h | 2 +-
4 files changed, 40 insertions(+), 21 deletions(-)
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 58c18e22603d12..bc8685ffcb7100 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -782,6 +782,7 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
u32 seqno;
u16 tvlv_len = 0;
unsigned long send_time;
+ int ret;
lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
@@ -805,9 +806,18 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
* appended as it may alter the tt tvlv container
*/
batadv_tt_local_commit_changes(bat_priv);
- tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
- ogm_buff_len,
- BATADV_OGM_HLEN);
+ ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+ ogm_buff_len,
+ BATADV_OGM_HLEN);
+ if (ret < 0) {
+ /* OGMs must be queued even when the buffer allocation for
+ * TVLVs failed. just fall back to the non-TVLV version
+ */
+ ret = 0;
+ *ogm_buff_len = BATADV_OGM_HLEN;
+ }
+
+ tvlv_len = ret;
}
batadv_ogm_packet = (struct batadv_ogm_packet *)(*ogm_buff);
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index 74295915653336..63337e02cf2f11 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -272,9 +272,9 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
struct batadv_hard_iface *hard_iface;
struct batadv_ogm2_packet *ogm_packet;
struct sk_buff *skb, *skb_tmp;
- unsigned char *ogm_buff;
- int ogm_buff_len;
- u16 tvlv_len = 0;
+ unsigned char **ogm_buff;
+ int *ogm_buff_len;
+ u16 tvlv_len;
int ret;
lockdep_assert_held(&bat_priv->bat_v.ogm_buff_mutex);
@@ -282,25 +282,27 @@ static void batadv_v_ogm_send_softif(struct batadv_priv *bat_priv)
if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING)
goto out;
- ogm_buff = bat_priv->bat_v.ogm_buff;
- ogm_buff_len = bat_priv->bat_v.ogm_buff_len;
+ ogm_buff = &bat_priv->bat_v.ogm_buff;
+ ogm_buff_len = &bat_priv->bat_v.ogm_buff_len;
+
/* tt changes have to be committed before the tvlv data is
* appended as it may alter the tt tvlv container
*/
batadv_tt_local_commit_changes(bat_priv);
- tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, &ogm_buff,
- &ogm_buff_len,
- BATADV_OGM2_HLEN);
+ ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+ ogm_buff_len,
+ BATADV_OGM2_HLEN);
+ if (ret < 0)
+ goto reschedule;
- bat_priv->bat_v.ogm_buff = ogm_buff;
- bat_priv->bat_v.ogm_buff_len = ogm_buff_len;
+ tvlv_len = ret;
- skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + ogm_buff_len);
+ skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + *ogm_buff_len);
if (!skb)
goto reschedule;
skb_reserve(skb, ETH_HLEN);
- skb_put_data(skb, ogm_buff, ogm_buff_len);
+ skb_put_data(skb, *ogm_buff, *ogm_buff_len);
ogm_packet = (struct batadv_ogm2_packet *)skb->data;
ogm_packet->seqno = htonl(atomic_read(&bat_priv->bat_v.ogm_seqno));
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 992773376e51d4..4812137439708f 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -7,6 +7,7 @@
#include "main.h"
#include <linux/byteorder/generic.h>
+#include <linux/errno.h>
#include <linux/etherdevice.h>
#include <linux/gfp.h>
#include <linux/if_ether.h>
@@ -306,9 +307,10 @@ static bool batadv_tvlv_realloc_packet_buff(unsigned char **packet_buff,
* The ogm packet might be enlarged or shrunk depending on the current size
* and the size of the to-be-appended tvlv containers.
*
- * Return: size of all appended tvlv containers in bytes.
+ * Return: size of all appended tvlv containers in bytes (max U16_MAX), negative
+ * if operation failed
*/
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
unsigned char **packet_buff,
int *packet_buff_len, int packet_min_len)
{
@@ -316,6 +318,7 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
struct batadv_tvlv_hdr *tvlv_hdr;
u16 tvlv_value_len;
void *tvlv_value;
+ int tvlv_len_ret;
bool ret;
spin_lock_bh(&bat_priv->tvlv.container_list_lock);
@@ -323,9 +326,12 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len,
packet_min_len, tvlv_value_len);
-
- if (!ret)
+ if (!ret) {
+ tvlv_len_ret = -ENOMEM;
goto end;
+ }
+
+ tvlv_len_ret = tvlv_value_len;
if (!tvlv_value_len)
goto end;
@@ -344,7 +350,8 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
end:
spin_unlock_bh(&bat_priv->tvlv.container_list_lock);
- return tvlv_value_len;
+
+ return tvlv_len_ret;
}
/**
diff --git a/net/batman-adv/tvlv.h b/net/batman-adv/tvlv.h
index 54f2a35653d0f1..ffbc93f78688e5 100644
--- a/net/batman-adv/tvlv.h
+++ b/net/batman-adv/tvlv.h
@@ -15,7 +15,7 @@
void batadv_tvlv_container_register(struct batadv_priv *bat_priv,
u8 type, u8 version,
void *tvlv_value, u16 tvlv_value_len);
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
unsigned char **packet_buff,
int *packet_buff_len, int packet_min_len);
void batadv_tvlv_ogm_receive(struct batadv_priv *bat_priv,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 037/411] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 036/411] batman-adv: tvlv: abort OGM send on tvlv append failure Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 038/411] batman-adv: tvlv: reject oversized TVLV packets Greg Kroah-Hartman
` (374 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ido Schimmel,
syzbot+9fdcc9f05a98a540b816, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f80d3d98d2ff78d9e2fe5d68b1f45948c4f7bd24 upstream.
Without rtnl_lock held, a hardif might be retrieved as primary interface of
a meshif, but then (while operating on this interface) getting decoupled
from the mesh interface. In this case, the meshif still exists but the
pointer from the primary hardif to the meshif is set to NULL.
The mesh_iface must be checked first to be non-NULL before continuing to
send an ARP request using meshif.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Reported-by: Ido Schimmel <idosch@nvidia.com>
Reported-by: syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9fdcc9f05a98a540b816
[ switch to old "mesh_iface" name "soft_iface" ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index f768a4e0bc0f49..d8ead0eb71da06 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -355,12 +355,14 @@ static void batadv_bla_send_claim(struct batadv_priv *bat_priv, u8 *mac,
sizeof(local_claim_dest));
local_claim_dest.type = claimtype;
- soft_iface = primary_if->soft_iface;
+ soft_iface = READ_ONCE(primary_if->soft_iface);
+ if (!soft_iface)
+ goto out;
skb = arp_create(ARPOP_REPLY, ETH_P_ARP,
/* IP DST: 0.0.0.0 */
zeroip,
- primary_if->soft_iface,
+ soft_iface,
/* IP SRC: 0.0.0.0 */
zeroip,
/* Ethernet DST: Broadcast */
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 038/411] batman-adv: tvlv: reject oversized TVLV packets
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 037/411] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 039/411] batman-adv: iv: recover OGM scheduling after forward packet error Greg Kroah-Hartman
` (373 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f50487e3566358b2b982b7801945e858c78ad9ab upstream.
batadv_tvlv_container_ogm_append() builds a TVLV packet section from
the tvlv.container_list. The total size of this section is computed by
batadv_tvlv_container_list_size(), which sums the sizes of all registered
containers.
The return type and accumulator in batadv_tvlv_container_list_size() were
u16. If the accumulated size exceeds U16_MAX, the value wraps around,
causing the subsequent allocation in batadv_tvlv_container_ogm_append()
to be undersized. The memcpy-style copy that follows would then write
beyond the end of the allocated buffer, corrupting kernel memory.
Fix this by widening the return type of batadv_tvlv_container_list_size()
to size_t. In batadv_tvlv_container_ogm_append(), check the computed length
against U16_MAX before proceeding, and bail out as if the allocation had
failed when the limit is exceeded.
Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tvlv.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 4812137439708f..de0c139426839c 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -13,6 +13,7 @@
#include <linux/if_ether.h>
#include <linux/kernel.h>
#include <linux/kref.h>
+#include <linux/limits.h>
#include <linux/list.h>
#include <linux/lockdep.h>
#include <linux/netdevice.h>
@@ -160,10 +161,10 @@ batadv_tvlv_container_get(struct batadv_priv *bat_priv, u8 type, u8 version)
*
* Return: size of all currently registered tvlv containers in bytes.
*/
-static u16 batadv_tvlv_container_list_size(struct batadv_priv *bat_priv)
+static size_t batadv_tvlv_container_list_size(struct batadv_priv *bat_priv)
{
struct batadv_tvlv_container *tvlv;
- u16 tvlv_len = 0;
+ size_t tvlv_len = 0;
lockdep_assert_held(&bat_priv->tvlv.container_list_lock);
@@ -316,13 +317,17 @@ int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
{
struct batadv_tvlv_container *tvlv;
struct batadv_tvlv_hdr *tvlv_hdr;
- u16 tvlv_value_len;
+ size_t tvlv_value_len;
void *tvlv_value;
int tvlv_len_ret;
bool ret;
spin_lock_bh(&bat_priv->tvlv.container_list_lock);
tvlv_value_len = batadv_tvlv_container_list_size(bat_priv);
+ if (tvlv_value_len > U16_MAX) {
+ tvlv_len_ret = -E2BIG;
+ goto end;
+ }
ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len,
packet_min_len, tvlv_value_len);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 039/411] batman-adv: iv: recover OGM scheduling after forward packet error
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 038/411] batman-adv: tvlv: reject oversized TVLV packets Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 040/411] selftests: forwarding: lib: Add helpers for checksum handling Greg Kroah-Hartman
` (372 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit aa3153bd139a6c48667dcd02608d3b2c80bff02c upstream.
When batadv_iv_ogm_schedule_buff() fails to allocate and queue a forward
packet for OGM transmission, the work item that drives periodic OGM
scheduling is never re-armed. This silently halts transmission of the
node's own OGMs on the affected interface — only OGMs from other peers
continue to be aggregated and forwarded.
Fix this by tracking whether batadv_iv_ogm_queue_add() (and transitively
batadv_iv_ogm_aggregate_new()) successfully scheduled a forward packet.
When scheduling fails, batadv_iv_ogm_schedule_buff() falls back to queuing
a dedicated recovery work item (reschedule_work) that fires after one
originator interval and calls batadv_iv_ogm_schedule() again.
Cc: stable@kernel.org
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bat_iv_ogm.c | 76 +++++++++++++++++++++++++++----------
net/batman-adv/types.h | 3 ++
2 files changed, 60 insertions(+), 19 deletions(-)
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index bc8685ffcb7100..669f77eed073a0 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -224,6 +224,8 @@ static void batadv_iv_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
hard_iface->bat_iv.ogm_buff = NULL;
mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
+
+ cancel_delayed_work_sync(&hard_iface->bat_iv.reschedule_work);
}
static void batadv_iv_ogm_iface_update_mac(struct batadv_hard_iface *hard_iface)
@@ -528,8 +530,10 @@ batadv_iv_ogm_can_aggregate(const struct batadv_ogm_packet *new_bat_ogm_packet,
* @if_incoming: interface where the packet was received
* @if_outgoing: interface for which the retransmission should be considered
* @own_packet: true if it is a self-generated ogm
+ *
+ * Return: whether forward packet was scheduled
*/
-static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
+static bool batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
int packet_len, unsigned long send_time,
bool direct_link,
struct batadv_hard_iface *if_incoming,
@@ -553,13 +557,13 @@ static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
skb = netdev_alloc_skb_ip_align(NULL, skb_size);
if (!skb)
- return;
+ return false;
forw_packet_aggr = batadv_forw_packet_alloc(if_incoming, if_outgoing,
queue_left, bat_priv, skb);
if (!forw_packet_aggr) {
kfree_skb(skb);
- return;
+ return false;
}
forw_packet_aggr->skb->priority = TC_PRIO_CONTROL;
@@ -581,6 +585,8 @@ static void batadv_iv_ogm_aggregate_new(const unsigned char *packet_buff,
batadv_iv_send_outstanding_bat_ogm_packet);
batadv_forw_packet_ogmv1_queue(bat_priv, forw_packet_aggr, send_time);
+
+ return true;
}
/* aggregate a new packet into the existing ogm packet */
@@ -610,8 +616,10 @@ static void batadv_iv_ogm_aggregate(struct batadv_forw_packet *forw_packet_aggr,
* @if_outgoing: interface for which the retransmission should be considered
* @own_packet: true if it is a self-generated ogm
* @send_time: timestamp (jiffies) when the packet is to be sent
+ *
+ * Return: whether forward packet was scheduled
*/
-static void batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
+static bool batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
unsigned char *packet_buff,
int packet_len,
struct batadv_hard_iface *if_incoming,
@@ -663,14 +671,16 @@ static void batadv_iv_ogm_queue_add(struct batadv_priv *bat_priv,
if (!own_packet && atomic_read(&bat_priv->aggregated_ogms))
send_time += max_aggregation_jiffies;
- batadv_iv_ogm_aggregate_new(packet_buff, packet_len,
- send_time, direct_link,
- if_incoming, if_outgoing,
- own_packet);
+ return batadv_iv_ogm_aggregate_new(packet_buff, packet_len,
+ send_time, direct_link,
+ if_incoming, if_outgoing,
+ own_packet);
} else {
batadv_iv_ogm_aggregate(forw_packet_aggr, packet_buff,
packet_len, direct_link);
spin_unlock_bh(&bat_priv->forw_bat_list_lock);
+
+ return true;
}
}
@@ -782,6 +792,8 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
u32 seqno;
u16 tvlv_len = 0;
unsigned long send_time;
+ bool reschedule = false;
+ bool scheduled;
int ret;
lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
@@ -810,11 +822,8 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
ogm_buff_len,
BATADV_OGM_HLEN);
if (ret < 0) {
- /* OGMs must be queued even when the buffer allocation for
- * TVLVs failed. just fall back to the non-TVLV version
- */
- ret = 0;
- *ogm_buff_len = BATADV_OGM_HLEN;
+ reschedule = true;
+ goto out;
}
tvlv_len = ret;
@@ -836,8 +845,11 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
/* OGMs from secondary interfaces are only scheduled on their
* respective interfaces.
*/
- batadv_iv_ogm_queue_add(bat_priv, *ogm_buff, *ogm_buff_len,
- hard_iface, hard_iface, 1, send_time);
+ scheduled = batadv_iv_ogm_queue_add(bat_priv, *ogm_buff, *ogm_buff_len,
+ hard_iface, hard_iface, 1, send_time);
+ if (!scheduled)
+ reschedule = true;
+
goto out;
}
@@ -852,15 +864,28 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
if (!kref_get_unless_zero(&tmp_hard_iface->refcount))
continue;
- batadv_iv_ogm_queue_add(bat_priv, *ogm_buff,
- *ogm_buff_len, hard_iface,
- tmp_hard_iface, 1, send_time);
-
+ scheduled = batadv_iv_ogm_queue_add(bat_priv, *ogm_buff,
+ *ogm_buff_len, hard_iface,
+ tmp_hard_iface, 1, send_time);
batadv_hardif_put(tmp_hard_iface);
+
+ if (!scheduled && tmp_hard_iface == hard_iface)
+ reschedule = true;
}
rcu_read_unlock();
out:
+ if (reschedule) {
+ /* there was a failure scheduling the own forward packet.
+ * as result, the batadv_iv_send_outstanding_bat_ogm_packet()
+ * work item is no longer scheduled. it is therefore necessary
+ * to reschedule it manually
+ */
+ queue_delayed_work(batadv_event_workqueue,
+ &hard_iface->bat_iv.reschedule_work,
+ msecs_to_jiffies(atomic_read(&bat_priv->orig_interval)));
+ }
+
batadv_hardif_put(primary_if);
}
@@ -875,6 +900,17 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
mutex_unlock(&hard_iface->bat_iv.ogm_buff_mutex);
}
+static void batadv_iv_ogm_reschedule(struct work_struct *work)
+{
+ struct delayed_work *delayed_work = to_delayed_work(work);
+ struct batadv_hard_iface *hard_iface;
+
+ hard_iface = container_of(delayed_work,
+ struct batadv_hard_iface,
+ bat_iv.reschedule_work);
+ batadv_iv_ogm_schedule(hard_iface);
+}
+
/**
* batadv_iv_orig_ifinfo_sum() - Get bcast_own sum for originator over interface
* @orig_node: originator which reproadcasted the OGMs directly
@@ -2278,6 +2314,8 @@ batadv_iv_ogm_neigh_is_sob(struct batadv_neigh_node *neigh1,
static void batadv_iv_iface_enabled(struct batadv_hard_iface *hard_iface)
{
+ INIT_DELAYED_WORK(&hard_iface->bat_iv.reschedule_work, batadv_iv_ogm_reschedule);
+
/* begin scheduling originator messages on that interface */
batadv_iv_ogm_schedule(hard_iface);
}
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 19fd1c9adf4931..ff40fc9e36f66c 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -82,6 +82,9 @@ struct batadv_hard_iface_bat_iv {
/** @ogm_seqno: OGM sequence number - used to identify each OGM */
atomic_t ogm_seqno;
+ /** @reschedule_work: recover OGM schedule after schedule error */
+ struct delayed_work reschedule_work;
+
/** @ogm_buff_mutex: lock protecting ogm_buff and ogm_buff_len */
struct mutex ogm_buff_mutex;
};
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 040/411] selftests: forwarding: lib: Add helpers for checksum handling
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 039/411] batman-adv: iv: recover OGM scheduling after forward packet error Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 041/411] batman-adv: tp_meter: directly shut down timer on cleanup Greg Kroah-Hartman
` (371 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Nikolay Aleksandrov,
David S. Miller, Ben Hutchings, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Machata <petrm@nvidia.com>
commit 952e0ee38c7215c45192d8c899acd1830873f28b upstream.
In order to generate IGMPv3 and MLDv2 packets on the fly, we will need
helpers to calculate the packet checksum.
The approach presented in this patch revolves around payload templates
for mausezahn. These are mausezahn-like payload strings (01:23:45:...)
with possibly one 2-byte sequence replaced with the word PAYLOAD. The
main function is payload_template_calc_checksum(), which calculates
RFC 1071 checksum of the message. There are further helpers to then
convert the checksum to the payload format, and to expand it.
For IPv6, MLDv2 message checksum is computed using a pseudoheader that
differs from the header used in the payload itself. The fact that the
two messages are different means that the checksum needs to be
returned as a separate quantity, instead of being expanded in-place in
the payload itself. Furthermore, the pseudoheader includes a length of
the message. Much like the checksum, this needs to be expanded in
mausezahn format. And likewise for number of addresses for (S,G)
entries. Thus we have several places where a computed quantity needs
to be presented in the payload format. Add a helper u16_to_bytes(),
which will be used in all these cases.
Signed-off-by: Petr Machata <petrm@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 02cb2e6bacbb ("selftests: forwarding: vxlan_bridge_1d: fix test failure with br_netfilter enabled")
[bwh: Backported to 5.15: adjust context]
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/forwarding/lib.sh | 56 +++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/tools/testing/selftests/net/forwarding/lib.sh b/tools/testing/selftests/net/forwarding/lib.sh
index 83e8f9466d6273..c570d8f65a0cec 100644
--- a/tools/testing/selftests/net/forwarding/lib.sh
+++ b/tools/testing/selftests/net/forwarding/lib.sh
@@ -1491,3 +1491,59 @@ brmcast_check_sg_state()
check_err_fail $should_fail $? "Entry $src has blocked flag"
done
}
+
+u16_to_bytes()
+{
+ local u16=$1; shift
+
+ printf "%04x" $u16 | sed 's/^/000/;s/^.*\(..\)\(..\)$/\1:\2/'
+}
+
+# Given a mausezahn-formatted payload (colon-separated bytes given as %02x),
+# possibly with a keyword CHECKSUM stashed where a 16-bit checksum should be,
+# calculate checksum as per RFC 1071, assuming the CHECKSUM field (if any)
+# stands for 00:00.
+payload_template_calc_checksum()
+{
+ local payload=$1; shift
+
+ (
+ # Set input radix.
+ echo "16i"
+ # Push zero for the initial checksum.
+ echo 0
+
+ # Pad the payload with a terminating 00: in case we get an odd
+ # number of bytes.
+ echo "${payload%:}:00:" |
+ sed 's/CHECKSUM/00:00/g' |
+ tr '[:lower:]' '[:upper:]' |
+ # Add the word to the checksum.
+ sed 's/\(..\):\(..\):/\1\2+\n/g' |
+ # Strip the extra odd byte we pushed if left unconverted.
+ sed 's/\(..\):$//'
+
+ echo "10000 ~ +" # Calculate and add carry.
+ echo "FFFF r - p" # Bit-flip and print.
+ ) |
+ dc |
+ tr '[:upper:]' '[:lower:]'
+}
+
+payload_template_expand_checksum()
+{
+ local payload=$1; shift
+ local checksum=$1; shift
+
+ local ckbytes=$(u16_to_bytes $checksum)
+
+ echo "$payload" | sed "s/CHECKSUM/$ckbytes/g"
+}
+
+payload_template_nbytes()
+{
+ local payload=$1; shift
+
+ payload_template_expand_checksum "${payload%:}" 0 |
+ sed 's/:/\n/g' | wc -l
+}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 041/411] batman-adv: tp_meter: directly shut down timer on cleanup
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 040/411] selftests: forwarding: lib: Add helpers for checksum handling Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 042/411] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
` (370 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit d5487249a81ea658717614009c8f46acc5b7101a upstream.
batadv_tp_sender_cleanup() was calling timer_delete_sync() followed by
timer_delete() to guard against the timer handler re-arming itself between
the two calls. This double-deletion hack relied on the sending status being
set to 0 to suppress re-arming.
Replace both calls with a single timer_shutdown_sync(). This function both
waits for any running timer callback to complete (like timer_delete_sync())
and permanently disarms the timer so it cannot be re-armed afterwards,
making re-arming prevention unconditional and self-documenting.
The re-arming property is also required because otherwise:
1. context 0 (batadv_tp_recv_ack()) checks in
batadv_tp_reset_sender_timer() if sending is still 1 -> it is
2. context 1 changes in batadv_tp_sender_shutdown() sending to 0 and in
this process forces the kthread to stop timer in
batadv_tp_sender_cleanup()
3. context 0 continues in batadv_tp_reset_sender_timer() and rearms the
timer -> but the reference for it is already gone
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ adapt pre-hunk to old del_timer* names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 464fca0ca8ac28..0eaeffba4b4ffe 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -384,13 +384,7 @@ static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv,
atomic_dec(&tp_vars->bat_priv->tp_num);
/* kill the timer and remove its reference */
- del_timer_sync(&tp_vars->timer);
- /* the worker might have rearmed itself therefore we kill it again. Note
- * that if the worker should run again before invoking the following
- * del_timer(), it would not re-arm itself once again because the status
- * is OFF now
- */
- del_timer(&tp_vars->timer);
+ timer_shutdown_sync(&tp_vars->timer);
batadv_tp_vars_put(tp_vars);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 042/411] batman-adv: tt: fix TOCTOU race for reported vlans
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 041/411] batman-adv: tp_meter: directly shut down timer on cleanup Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 043/411] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
` (369 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 94d27005016be15ffc638b2ecbc4d58805ad7b48 upstream.
The local TT based TVLV is generated by first checking the number of VLANs
which have at least one TT entry. A new buffer with the correct size for
the VLANs is then allocated. Only then, the list of VLANs s used to fill
the VLAN entries in the buffer. During this time, the meshif_vlan_list_lock
is held. But the actual number of TT entries of each VLAN can still
increase during this time - just not the number of VLANs in the list.
But the prefilter used in the buffer size calculation might still cause an
increase of the number of VLANs which need to be stored. Simply because a
VLAN might now suddenly have at least one entry when it had none in the
pre-alloc check - and then needs to occupy space which was not allocated.
It is better to overestimate the buffer size at the beginning and then fill
the buffer only with the VLANs which are not empty.
Cc: stable@kernel.org
Fixes: 16116dac2339 ("batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs")
[ Context, drop flex array dependency ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/translation-table.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 76cf40d859908a..11c39a9ab90e46 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -934,11 +934,8 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
spin_lock_bh(&bat_priv->softif_vlan_list_lock);
hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
vlan_entries = atomic_read(&vlan->tt.num_entries);
- if (vlan_entries < 1)
- continue;
-
- num_vlan++;
total_entries += vlan_entries;
+ num_vlan++;
}
change_offset = sizeof(**tt_data);
@@ -962,6 +959,7 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
(*tt_data)->num_vlan = htons(num_vlan);
tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
+ num_vlan = 0;
hlist_for_each_entry(vlan, &bat_priv->softif_vlan_list, list) {
vlan_entries = atomic_read(&vlan->tt.num_entries);
if (vlan_entries < 1)
@@ -972,8 +970,16 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv,
tt_vlan->reserved = 0;
tt_vlan++;
+ num_vlan++;
}
+ /* recalculate in case number of VLANs reduced */
+ change_offset = sizeof(**tt_data);
+ change_offset += num_vlan * sizeof(*tt_vlan);
+ tvlv_len = *tt_len + change_offset;
+
+ (*tt_data)->num_vlan = htons(num_vlan);
+
tt_change_ptr = (u8 *)*tt_data + change_offset;
*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 043/411] batman-adv: tt: avoid empty VLAN responses
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 042/411] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 044/411] batman-adv: bla: avoid double decrement of bla.num_requests Greg Kroah-Hartman
` (368 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit fa1bd704940b5bcbc32c0b28db9167405c8ee5e0 upstream.
The commit 16116dac2339 ("batman-adv: prevent TT request storms by not
sending inconsistent TT TLVLs") added checks to the local (direct) TT
response code. But the response can also be done indirectly by another node
using the global TT state. To avoid such inconsistency states reported in
the original fix, also avoid sending empty VLANs for replies from the
global TT state.
Cc: stable@kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
[ Context, drop flex array dependency ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/translation-table.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 11c39a9ab90e46..e4d55b27f2551b 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -843,17 +843,19 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
s32 *tt_len)
{
u16 num_vlan = 0;
- u16 num_entries = 0;
u16 tvlv_len = 0;
unsigned int change_offset;
struct batadv_tvlv_tt_vlan_data *tt_vlan;
struct batadv_orig_node_vlan *vlan;
+ u16 total_entries = 0;
u8 *tt_change_ptr;
+ int vlan_entries;
spin_lock_bh(&orig_node->vlan_list_lock);
hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
+ vlan_entries = atomic_read(&vlan->tt.num_entries);
+ total_entries += vlan_entries;
num_vlan++;
- num_entries += atomic_read(&vlan->tt.num_entries);
}
change_offset = sizeof(**tt_data);
@@ -861,7 +863,7 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
/* if tt_len is negative, allocate the space needed by the full table */
if (*tt_len < 0)
- *tt_len = batadv_tt_len(num_entries);
+ *tt_len = batadv_tt_len(total_entries);
if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) {
*tt_len = 0;
@@ -882,14 +884,27 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node,
(*tt_data)->num_vlan = htons(num_vlan);
tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(*tt_data + 1);
+ num_vlan = 0;
hlist_for_each_entry(vlan, &orig_node->vlan_list, list) {
+ vlan_entries = atomic_read(&vlan->tt.num_entries);
+ if (vlan_entries < 1)
+ continue;
+
tt_vlan->vid = htons(vlan->vid);
tt_vlan->crc = htonl(vlan->tt.crc);
tt_vlan->reserved = 0;
tt_vlan++;
+ num_vlan++;
}
+ /* recalculate in case number of VLANs reduced */
+ change_offset = sizeof(**tt_data);
+ change_offset += num_vlan * sizeof(*tt_vlan);
+ tvlv_len = *tt_len + change_offset;
+
+ (*tt_data)->num_vlan = htons(num_vlan);
+
tt_change_ptr = (u8 *)*tt_data + change_offset;
*tt_change = (struct batadv_tvlv_tt_change *)tt_change_ptr;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 044/411] batman-adv: bla: avoid double decrement of bla.num_requests
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 043/411] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 045/411] wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Greg Kroah-Hartman
` (367 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 83ab69bd12b80f6ea169c8bea6977701b53a043d upstream.
The bla.num_requests is increased when no request_sent was in progress. And
it is decremented in various places (announcement was received, backbone is
purged, periodic work). But the check if the request_sent is actually set
to a specific state and the atomic_dec/_inc are not safe because they are
not atomic (TOCTOU) and multiple such code portions can run concurrently.
At the same time, it is necessary to modify request_sent (state) and
bla.num_requests atomically. Otherwise batadv_bla_send_request() might set
request_sent to 1 and is interrupted. batadv_handle_announce() can then
set request_sent back to 0 and decrement num_requests before
batadv_bla_send_request() incremented it.
The two operations must therefore be locked. And since state (request_sent)
and wait_periods are only accessed inside this lock, they can be converted
to simpler datatypes. And to avoid that the bla.num_requests is touched by
a parallel running context with a valid backbone_gw reference after
batadv_bla_purge_backbone_gw() ran, a third state "stopped" is required to
correctly signal that a backbone_gw is in the state of being cleaned up.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 51 ++++++++++++++++++--------
net/batman-adv/soft-interface.c | 1 +
net/batman-adv/types.h | 39 ++++++++++++++++----
3 files changed, 67 insertions(+), 24 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index d8ead0eb71da06..452e78fd70c039 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -515,8 +515,8 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, u8 *orig,
entry->crc = BATADV_BLA_CRC_INIT;
entry->bat_priv = bat_priv;
spin_lock_init(&entry->crc_lock);
- atomic_set(&entry->request_sent, 0);
- atomic_set(&entry->wait_periods, 0);
+ entry->state = BATADV_BLA_BACKBONE_GW_SYNCED;
+ entry->wait_periods = 0;
ether_addr_copy(entry->orig, orig);
INIT_WORK(&entry->report_work, batadv_bla_loopdetect_report);
kref_init(&entry->refcount);
@@ -545,9 +545,13 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, u8 *orig,
batadv_bla_send_announce(bat_priv, entry);
/* this will be decreased in the worker thread */
- atomic_inc(&entry->request_sent);
- atomic_set(&entry->wait_periods, BATADV_BLA_WAIT_PERIODS);
- atomic_inc(&bat_priv->bla.num_requests);
+ spin_lock_bh(&bat_priv->bla.num_requests_lock);
+ if (entry->state == BATADV_BLA_BACKBONE_GW_SYNCED) {
+ entry->state = BATADV_BLA_BACKBONE_GW_UNSYNCED;
+ entry->wait_periods = BATADV_BLA_WAIT_PERIODS;
+ atomic_inc(&bat_priv->bla.num_requests);
+ }
+ spin_unlock_bh(&bat_priv->bla.num_requests_lock);
}
return entry;
@@ -650,10 +654,12 @@ static void batadv_bla_send_request(struct batadv_bla_backbone_gw *backbone_gw)
backbone_gw->vid, BATADV_CLAIM_TYPE_REQUEST);
/* no local broadcasts should be sent or received, for now. */
- if (!atomic_read(&backbone_gw->request_sent)) {
+ spin_lock_bh(&backbone_gw->bat_priv->bla.num_requests_lock);
+ if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_SYNCED) {
+ backbone_gw->state = BATADV_BLA_BACKBONE_GW_UNSYNCED;
atomic_inc(&backbone_gw->bat_priv->bla.num_requests);
- atomic_set(&backbone_gw->request_sent, 1);
}
+ spin_unlock_bh(&backbone_gw->bat_priv->bla.num_requests_lock);
}
/**
@@ -874,10 +880,12 @@ static bool batadv_handle_announce(struct batadv_priv *bat_priv, u8 *an_addr,
/* if we have sent a request and the crc was OK,
* we can allow traffic again.
*/
- if (atomic_read(&backbone_gw->request_sent)) {
+ spin_lock_bh(&bat_priv->bla.num_requests_lock);
+ if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_UNSYNCED) {
+ backbone_gw->state = BATADV_BLA_BACKBONE_GW_SYNCED;
atomic_dec(&backbone_gw->bat_priv->bla.num_requests);
- atomic_set(&backbone_gw->request_sent, 0);
}
+ spin_unlock_bh(&bat_priv->bla.num_requests_lock);
}
batadv_backbone_gw_put(backbone_gw);
@@ -1256,9 +1264,13 @@ static void batadv_bla_purge_backbone_gw(struct batadv_priv *bat_priv, int now)
purged = true;
/* don't wait for the pending request anymore */
- if (atomic_read(&backbone_gw->request_sent))
+ spin_lock_bh(&bat_priv->bla.num_requests_lock);
+ if (backbone_gw->state == BATADV_BLA_BACKBONE_GW_UNSYNCED)
atomic_dec(&bat_priv->bla.num_requests);
+ backbone_gw->state = BATADV_BLA_BACKBONE_GW_STOPPED;
+ spin_unlock_bh(&bat_priv->bla.num_requests_lock);
+
batadv_bla_del_backbone_claims(backbone_gw);
hlist_del_rcu(&backbone_gw->hash_entry);
@@ -1509,7 +1521,7 @@ static void batadv_bla_periodic_work(struct work_struct *work)
batadv_bla_send_loopdetect(bat_priv,
backbone_gw);
- /* request_sent is only set after creation to avoid
+ /* state is only set to unsynced after creation to avoid
* problems when we are not yet known as backbone gw
* in the backbone.
*
@@ -1518,14 +1530,21 @@ static void batadv_bla_periodic_work(struct work_struct *work)
* some grace time.
*/
- if (atomic_read(&backbone_gw->request_sent) == 0)
- continue;
+ spin_lock_bh(&bat_priv->bla.num_requests_lock);
+ if (backbone_gw->state != BATADV_BLA_BACKBONE_GW_UNSYNCED)
+ goto unlock_next;
- if (!atomic_dec_and_test(&backbone_gw->wait_periods))
- continue;
+ if (backbone_gw->wait_periods > 0)
+ backbone_gw->wait_periods--;
+
+ if (backbone_gw->wait_periods > 0)
+ goto unlock_next;
+ backbone_gw->state = BATADV_BLA_BACKBONE_GW_SYNCED;
atomic_dec(&backbone_gw->bat_priv->bla.num_requests);
- atomic_set(&backbone_gw->request_sent, 0);
+
+unlock_next:
+ spin_unlock_bh(&bat_priv->bla.num_requests_lock);
}
rcu_read_unlock();
}
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index bff86ccadc2cc2..b46480ec7bd1d0 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -785,6 +785,7 @@ static int batadv_softif_init_late(struct net_device *dev)
atomic_set(&bat_priv->tt.ogm_append_cnt, 0);
#ifdef CONFIG_BATMAN_ADV_BLA
atomic_set(&bat_priv->bla.num_requests, 0);
+ spin_lock_init(&bat_priv->bla.num_requests_lock);
#endif
atomic_set(&bat_priv->tp_num, 0);
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index ff40fc9e36f66c..6b64e6b7bf80ca 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1026,6 +1026,12 @@ struct batadv_priv_bla {
/** @num_requests: number of bla requests in flight */
atomic_t num_requests;
+ /**
+ * @num_requests_lock: locks update num_requests +
+ * batadv_backbone_gw::state + batadv_backbone_gw::wait_periods update
+ */
+ spinlock_t num_requests_lock;
+
/**
* @claim_hash: hash table containing mesh nodes this host has claimed
*/
@@ -1787,6 +1793,27 @@ struct batadv_socket_packet {
#ifdef CONFIG_BATMAN_ADV_BLA
+enum batadv_bla_backbone_gw_state {
+ /**
+ * @BATADV_BLA_BACKBONE_GW_STOPPED: backbone gw is being removed
+ * and it must not longer work on requests
+ */
+ BATADV_BLA_BACKBONE_GW_STOPPED,
+
+ /**
+ * @BATADV_BLA_BACKBONE_GW_UNSYNCED: backbone was detected out
+ * of sync and a request was send. No traffic is forwarded until the
+ * situation is resolved
+ */
+ BATADV_BLA_BACKBONE_GW_UNSYNCED,
+
+ /**
+ * @BATADV_BLA_BACKBONE_GW_SYNCED: backbone is consider to be in
+ * sync. traffic can be forwarded
+ */
+ BATADV_BLA_BACKBONE_GW_SYNCED,
+};
+
/**
* struct batadv_bla_backbone_gw - batman-adv gateway bridged into the LAN
*/
@@ -1812,16 +1839,12 @@ struct batadv_bla_backbone_gw {
/**
* @wait_periods: grace time for bridge forward delays and bla group
* forming at bootup phase - no bcast traffic is formwared until it has
- * elapsed
+ * elapsed. Must only be access with num_requests_lock.
*/
- atomic_t wait_periods;
+ u8 wait_periods;
- /**
- * @request_sent: if this bool is set to true we are out of sync with
- * this backbone gateway - no bcast traffic is formwared until the
- * situation was resolved
- */
- atomic_t request_sent;
+ /** @state: sync state. Must only be access with num_requests_lock. */
+ enum batadv_bla_backbone_gw_state state;
/** @crc: crc16 checksum over all claims */
u16 crc;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 045/411] wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 044/411] batman-adv: bla: avoid double decrement of bla.num_requests Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 046/411] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
` (366 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arend van Spriel, Duoming Zhou,
Johannes Berg, Robert Garcia, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
[ Upstream commit 9cb83d4be0b9b697eae93d321e0da999f9cdfcfc ]
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
race conditions:
1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc()
is executing, it may observe timer_on as false and skip the call to
timer_shutdown_sync().
2.The brcmf_btcoex_timerfunc() may then reschedule the brcmf_btcoex_info
worker after the cancel_work_sync() has been executed, resulting in
use-after-free bugs.
The use-after-free bugs occur in two distinct scenarios, depending on
the timing of when the brcmf_btcoex_info struct is freed relative to
the execution of its worker thread.
Scenario 1: Freed before the worker is scheduled
The brcmf_btcoex_info is deallocated before the worker is scheduled.
A race condition can occur when schedule_work(&bt_local->work) is
called after the target memory has been freed. The sequence of events
is detailed below:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... |
kfree(cfg->btcoex); // FREE |
| schedule_work(&bt_local->work); // USE
Scenario 2: Freed after the worker is scheduled
The brcmf_btcoex_info is freed after the worker has been scheduled
but before or during its execution. In this case, statements within
the brcmf_btcoex_handler() — such as the container_of macro and
subsequent dereferences of the brcmf_btcoex_info object will cause
a use-after-free access. The following timeline illustrates this
scenario:
CPU0 | CPU1
brcmf_btcoex_detach | brcmf_btcoex_timerfunc
| bt_local->timer_on = false;
if (cfg->btcoex->timer_on) |
... |
cancel_work_sync(); |
... | schedule_work(); // Reschedule
|
kfree(cfg->btcoex); // FREE | brcmf_btcoex_handler() // Worker
/* | btci = container_of(....); // USE
The kfree() above could | ...
also occur at any point | btci-> // USE
during the worker's execution|
*/ |
To resolve the race conditions, drop the conditional check and call
timer_shutdown_sync() directly. It can deactivate the timer reliably,
regardless of its current state. Once stopped, the timer_on state is
then set to false.
Fixes: 61730d4dfffc ("brcmfmac: support critical protocol API for DHCP")
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20250822050839.4413-1-duoming@zju.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
index f9f18ff451ea7c..f46e4090021777 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c
@@ -392,10 +392,8 @@ void brcmf_btcoex_detach(struct brcmf_cfg80211_info *cfg)
if (!cfg->btcoex)
return;
- if (cfg->btcoex->timer_on) {
- cfg->btcoex->timer_on = false;
- del_timer_sync(&cfg->btcoex->timer);
- }
+ del_timer_sync(&cfg->btcoex->timer);
+ cfg->btcoex->timer_on = false;
cancel_work_sync(&cfg->btcoex->work);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 046/411] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 045/411] wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 047/411] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
` (365 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
Tvrtko Ursulin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
commit fbceb39b536e40c2f7cc47ab42037bb7c2b7ced9 upstream.
EDP specification says:
"If either VSC SDP is unable to be transmitted 100 ns before the SU region,
the Source device may optionally transmit the VSC SDP during the prior
video scan line’s HBlank period There is a Intel specific drm dp register
currently containing bits related how TCON can support PSR2 with SDP on
prior line."
Unfortunately many panels are having problems in implementing this. So
there is a custom Intel specific DPCD register (INTEL_WA_REGISTER_CAPS) to
figure out if this is properly implemented on a panel or if panel doesn't
require that 100 ns delay before the SU region. Here are the definitions in
this custom DPCD address:
0 = Panel doesn't support SDP on prior line
1 = Panel supports SDP on prior line
2 = Panel doesn't have 100ns requirement
3 = Reserved
Add definitions for this new register and it's values into new header
intel_dpcd.h.
v2: add INTEL_DPCD_ prefix to definitions
Bspec: 74741
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-2-jouni.hogander@intel.com
(cherry picked from commit 1da1c9294825f08f622c473480d185680c2a3b75)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_dpcd.h | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 drivers/gpu/drm/i915/display/intel_dpcd.h
diff --git a/drivers/gpu/drm/i915/display/intel_dpcd.h b/drivers/gpu/drm/i915/display/intel_dpcd.h
new file mode 100644
index 00000000000000..4aea5326f2ed48
--- /dev/null
+++ b/drivers/gpu/drm/i915/display/intel_dpcd.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: MIT */
+/*
+ * Copyright © 2026 Intel Corporation
+ */
+
+#ifndef __INTEL_DPCD_H__
+#define __INTEL_DPCD_H__
+
+#define INTEL_DPCD_INTEL_WA_REGISTER_CAPS 0x3f0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK REG_GENMASK(1, 0)
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1 0
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE 1
+# define INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE 2
+
+#endif /* __INTEL_DPCD_H__ */
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 047/411] drm/i915/psr: Read Intel DPCD workaround register
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 046/411] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 048/411] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
` (364 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
Tvrtko Ursulin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
commit f30bece421a4ae34359254e1dc2a187a42b6af9b upstream.
Read Intel DPCD workaround register and store it into
intel_connector->dp.psr_caps. psr_caps was chosen as currently it contains
only PSR workaround for PSR2 SDP on prior scanline implementation.
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-3-jouni.hogander@intel.com
(cherry picked from commit c48ff24d0f4ab7ad696b2d35ad64ce7e049c668c)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_display_types.h | 1 +
drivers/gpu/drm/i915/display/intel_psr.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h
index 90e055f0569940..ef4c280d2cb630 100644
--- a/drivers/gpu/drm/i915/display/intel_display_types.h
+++ b/drivers/gpu/drm/i915/display/intel_display_types.h
@@ -1554,6 +1554,7 @@ struct intel_dp {
u8 lttpr_phy_caps[DP_MAX_LTTPR_COUNT][DP_LTTPR_PHY_CAP_SIZE];
u8 fec_capable;
u8 pcon_dsc_dpcd[DP_PCON_DSC_ENCODER_CAP_SIZE];
+ u8 intel_wa_dpcd;
/* source rates */
int num_source_rates;
const int *source_rates;
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index 93d2fd4cd16b7c..aa00e062a2a6aa 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -30,6 +30,7 @@
#include "intel_atomic.h"
#include "intel_de.h"
#include "intel_display_types.h"
+#include "intel_dpcd.h"
#include "intel_dp_aux.h"
#include "intel_hdmi.h"
#include "intel_psr.h"
@@ -363,6 +364,12 @@ void intel_psr_init_dpcd(struct intel_dp *intel_dp)
intel_dp_get_su_granularity(intel_dp);
}
}
+
+ if (intel_dp->psr.sink_psr2_support)
+ drm_dp_dpcd_read(&intel_dp->aux,
+ INTEL_DPCD_INTEL_WA_REGISTER_CAPS,
+ &intel_dp->intel_wa_dpcd,
+ sizeof(intel_dp->intel_wa_dpcd));
}
static void hsw_psr_setup_aux(struct intel_dp *intel_dp)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 048/411] drm/dp: Add eDP 1.5 bit definition
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 047/411] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 049/411] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
` (363 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suraj Kandpal, Arun R Murthy,
Ben Kao, Maarten Lankhorst, Jouni Högander, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suraj Kandpal <suraj.kandpal@intel.com>
commit 5dfc37a6b77bf6beedbd30d70184b54e1a08ccac upstream.
Add the eDP revision bit value for 1.5.
Spec: eDPv1.5 Table 16-5
Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
Reviewed-by: Arun R Murthy <arun.r.murthy@intel.com>
Tested-by: Ben Kao <ben.kao@intel.com>
Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250206063253.2827017-2-suraj.kandpal@intel.com
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/drm/drm_dp_helper.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/drm/drm_dp_helper.h b/include/drm/drm_dp_helper.h
index 9c7949ebc159eb..01422c2078f7db 100644
--- a/include/drm/drm_dp_helper.h
+++ b/include/drm/drm_dp_helper.h
@@ -942,6 +942,7 @@ struct drm_panel;
# define DP_EDP_14 0x03
# define DP_EDP_14a 0x04 /* eDP 1.4a */
# define DP_EDP_14b 0x05 /* eDP 1.4b */
+# define DP_EDP_15 0x06 /* eDP 1.5 */
#define DP_EDP_GENERAL_CAP_1 0x701
# define DP_EDP_TCON_BACKLIGHT_ADJUSTMENT_CAP (1 << 0)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 049/411] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 048/411] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 050/411] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init" Greg Kroah-Hartman
` (362 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Högander, Suraj Kandpal,
Tvrtko Ursulin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Högander <jouni.hogander@intel.com>
commit 4703049f768fc1c1caac754134118bee1a3af189 upstream.
There is Intel specific workaround DPCD address containing workaround for
case where SDP is on prior line. Apply this workaround according to values
in the offset.
Fixes: 61e887329e33 ("drm/i915/xelpd: Handle PSR2 SDP indication in the prior scanline")
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Suraj Kandpal <suraj.kandpal@intel.com>
Link: https://patch.msgid.link/20260515095756.2799483-4-jouni.hogander@intel.com
(cherry picked from commit c3fe899fbeac86ea4a5ca9dd845b2cbc0da46249)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_psr.c | 27 +++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
index aa00e062a2a6aa..fca55ae3ffe5bd 100644
--- a/drivers/gpu/drm/i915/display/intel_psr.c
+++ b/drivers/gpu/drm/i915/display/intel_psr.c
@@ -824,6 +824,30 @@ static bool psr2_granularity_check(struct intel_dp *intel_dp,
return true;
}
+static bool apply_scanline_indication_wa(struct intel_dp *intel_dp,
+ struct intel_crtc_state *crtc_state)
+{
+ u8 early_scanline_support = intel_dp->intel_wa_dpcd &
+ INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_EARLYSCANLINE_SDP_SUPPORT_MASK;
+
+ if (intel_dp->edp_dpcd[0] >= DP_EDP_15)
+ return true;
+
+ switch (early_scanline_support) {
+ case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_FALL_BACK_TO_PSR1:
+ crtc_state->req_psr2_sdp_prior_scanline = false;
+ return false;
+ case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITH_EARLY_SCANLINE:
+ return true;
+ case INTEL_DPCD_INTEL_WA_REGISTER_CAPS_PSR2_WITHOUT_EARLY_SCANLINE:
+ crtc_state->req_psr2_sdp_prior_scanline = false;
+ return true;
+ default:
+ MISSING_CASE(early_scanline_support);
+ return false;
+ }
+}
+
static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_dp,
struct intel_crtc_state *crtc_state)
{
@@ -844,7 +868,8 @@ static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_d
return false;
crtc_state->req_psr2_sdp_prior_scanline = true;
- return true;
+
+ return apply_scanline_indication_wa(intel_dp, crtc_state);
}
static bool _compute_psr2_wake_times(struct intel_dp *intel_dp,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 050/411] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init"
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 049/411] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 051/411] RDMA/rxe: Fix double free in rxe_srq_from_init Greg Kroah-Hartman
` (361 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Hutchings, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <benh@debian.org>
This reverts commit af5956243018918130d52c9f671efdb40bab3366, which
was commit 0beefd0e15d962f497aad750b2d5e9c3570b66d1 upstream. The
backported version did not move but duplicated the problematic
assignment, so it did not fix the bug. A proper backport will follow.
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/rxe/rxe_srq.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c
index 05ae3d183b21d1..eb1c4c3b3a7865 100644
--- a/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -118,9 +118,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
}
}
- srq->rq.queue = q;
- init->attr.max_wr = srq->rq.max_wr;
-
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 051/411] RDMA/rxe: Fix double free in rxe_srq_from_init
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 050/411] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init" Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 052/411] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table Greg Kroah-Hartman
` (360 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Zhu Yanjun,
Leon Romanovsky, Ben Hutchings, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
commit 0beefd0e15d962f497aad750b2d5e9c3570b66d1 upstream.
In rxe_srq_from_init(), the queue pointer 'q' is assigned to
'srq->rq.queue' before copying the SRQ number to user space.
If copy_to_user() fails, the function calls rxe_queue_cleanup()
to free the queue, but leaves the now-invalid pointer in
'srq->rq.queue'.
The caller of rxe_srq_from_init() (rxe_create_srq) eventually
calls rxe_srq_cleanup() upon receiving the error, which triggers
a second rxe_queue_cleanup() on the same memory, leading to a
double free.
The call trace looks like this:
kmem_cache_free+0x.../0x...
rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
rxe_elem_release+0x31/0x70 [rdma_rxe]
rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
ib_create_srq_user+0x9a/0x150 [ib_core]
Fix this by moving 'srq->rq.queue = q' after copy_to_user.
Fixes: aae0484e15f0 ("IB/rxe: avoid srq memory leak")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20260112015412.29458-1-jiashengjiangcool@gmail.com
Reviewed-by: Zhu Yanjun <yanjun.Zhu@linux.dev>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
[bwh: Backported to 5.15: There was no assignment to init->attr.max_wr
here; don't add it]
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/rxe/rxe_srq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c
index eb1c4c3b3a7865..595d4e7b91d0b8 100644
--- a/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -100,8 +100,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
return -ENOMEM;
}
- srq->rq.queue = q;
-
err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata, q->buf,
q->buf_size, &q->ip);
if (err) {
@@ -118,6 +116,8 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq,
}
}
+ srq->rq.queue = q;
+
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 052/411] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 051/411] RDMA/rxe: Fix double free in rxe_srq_from_init Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 053/411] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
` (359 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harini Katakam, Andrew Lunn,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harini Katakam <harini.katakam@amd.com>
[ Upstream commit 31605c01fb242806f5b8c9d08abe11328d514206 ]
All the PHY devices variants specified have the same mask and
hence can be simplified to one vendor look up for 0x00070400.
Any individual config can be identified by PHY_ID_MATCH_EXACT
in the respective structure.
Signed-off-by: Harini Katakam <harini.katakam@amd.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1bc80d673087 ("phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc.h | 1 +
drivers/net/phy/mscc/mscc_main.c | 15 +--------------
2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index fcfbff691b3c6b..4a9c12516f2057 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -291,6 +291,7 @@ enum rgmii_clock_delay {
#define PHY_ID_VSC8575 0x000707d0
#define PHY_ID_VSC8582 0x000707b0
#define PHY_ID_VSC8584 0x000707c0
+#define PHY_VENDOR_MSCC 0x00070400
#define MSCC_VDDMAC_1500 1500
#define MSCC_VDDMAC_1800 1800
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index acc9e1a2663143..a33e877a4cd151 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -2676,20 +2676,7 @@ static struct phy_driver vsc85xx_driver[] = {
module_phy_driver(vsc85xx_driver);
static struct mdio_device_id __maybe_unused vsc85xx_tbl[] = {
- { PHY_ID_VSC8502, 0xfffffff0, },
- { PHY_ID_VSC8504, 0xfffffff0, },
- { PHY_ID_VSC8514, 0xfffffff0, },
- { PHY_ID_VSC8530, 0xfffffff0, },
- { PHY_ID_VSC8531, 0xfffffff0, },
- { PHY_ID_VSC8540, 0xfffffff0, },
- { PHY_ID_VSC8541, 0xfffffff0, },
- { PHY_ID_VSC8552, 0xfffffff0, },
- { PHY_ID_VSC856X, 0xfffffff0, },
- { PHY_ID_VSC8572, 0xfffffff0, },
- { PHY_ID_VSC8574, 0xfffffff0, },
- { PHY_ID_VSC8575, 0xfffffff0, },
- { PHY_ID_VSC8582, 0xfffffff0, },
- { PHY_ID_VSC8584, 0xfffffff0, },
+ { PHY_ID_MATCH_VENDOR(PHY_VENDOR_MSCC) },
{ }
};
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 053/411] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 052/411] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 054/411] smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Greg Kroah-Hartman
` (358 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 1bc80d673087e5704adbb3ee8e4b785c14899cce ]
As the PHYs VSC8584, VSC8582, VSC8575 and VSC856X exists only as rev B,
we can use PHY_ID_MATCH_EXACT to match exactly on revision B of the PHY.
Because of this change then there is not need the check if it is a
different revision than rev B in the function vsc8584_probe() as we
already know that this will never happen.
These changes are a preparation for the next patch because in that patch
we will make the PHYs VSC8574 and VSC8572 to use vsc8584_probe() and
these PHYs have multiple revision.
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20251023191350.190940-2-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc.h | 8 ++++----
drivers/net/phy/mscc/mscc_main.c | 23 ++++-------------------
2 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index 4a9c12516f2057..17273895bbb361 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -285,12 +285,12 @@ enum rgmii_clock_delay {
#define PHY_ID_VSC8540 0x00070760
#define PHY_ID_VSC8541 0x00070770
#define PHY_ID_VSC8552 0x000704e0
-#define PHY_ID_VSC856X 0x000707e0
+#define PHY_ID_VSC856X 0x000707e1
#define PHY_ID_VSC8572 0x000704d0
#define PHY_ID_VSC8574 0x000704a0
-#define PHY_ID_VSC8575 0x000707d0
-#define PHY_ID_VSC8582 0x000707b0
-#define PHY_ID_VSC8584 0x000707c0
+#define PHY_ID_VSC8575 0x000707d1
+#define PHY_ID_VSC8582 0x000707b1
+#define PHY_ID_VSC8584 0x000707c1
#define PHY_VENDOR_MSCC 0x00070400
#define MSCC_VDDMAC_1500 1500
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index a33e877a4cd151..53f37ca2e0ff82 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -1713,12 +1713,6 @@ static int vsc8584_config_init(struct phy_device *phydev)
* in this pre-init function.
*/
if (phy_package_init_once(phydev)) {
- /* The following switch statement assumes that the lowest
- * nibble of the phy_id_mask is always 0. This works because
- * the lowest nibble of the PHY_ID's below are also 0.
- */
- WARN_ON(phydev->drv->phy_id_mask & 0xf);
-
switch (phydev->phy_id & phydev->drv->phy_id_mask) {
case PHY_ID_VSC8504:
case PHY_ID_VSC8552:
@@ -2257,11 +2251,6 @@ static int vsc8584_probe(struct phy_device *phydev)
VSC8531_DUPLEX_COLLISION};
int ret;
- if ((phydev->phy_id & MSCC_DEV_REV_MASK) != VSC8584_REVB) {
- dev_err(&phydev->mdio.dev, "Only VSC8584 revB is supported.\n");
- return -ENOTSUPP;
- }
-
vsc8531 = devm_kzalloc(&phydev->mdio.dev, sizeof(*vsc8531), GFP_KERNEL);
if (!vsc8531)
return -ENOMEM;
@@ -2524,9 +2513,8 @@ static struct phy_driver vsc85xx_driver[] = {
.get_stats = &vsc85xx_get_stats,
},
{
- .phy_id = PHY_ID_VSC856X,
+ PHY_ID_MATCH_EXACT(PHY_ID_VSC856X),
.name = "Microsemi GE VSC856X SyncE",
- .phy_id_mask = 0xfffffff0,
/* PHY_GBIT_FEATURES */
.soft_reset = &genphy_soft_reset,
.config_init = &vsc8584_config_init,
@@ -2598,9 +2586,8 @@ static struct phy_driver vsc85xx_driver[] = {
.get_stats = &vsc85xx_get_stats,
},
{
- .phy_id = PHY_ID_VSC8575,
+ PHY_ID_MATCH_EXACT(PHY_ID_VSC8575),
.name = "Microsemi GE VSC8575 SyncE",
- .phy_id_mask = 0xfffffff0,
/* PHY_GBIT_FEATURES */
.soft_reset = &genphy_soft_reset,
.config_init = &vsc8584_config_init,
@@ -2622,9 +2609,8 @@ static struct phy_driver vsc85xx_driver[] = {
.get_stats = &vsc85xx_get_stats,
},
{
- .phy_id = PHY_ID_VSC8582,
+ PHY_ID_MATCH_EXACT(PHY_ID_VSC8582),
.name = "Microsemi GE VSC8582 SyncE",
- .phy_id_mask = 0xfffffff0,
/* PHY_GBIT_FEATURES */
.soft_reset = &genphy_soft_reset,
.config_init = &vsc8584_config_init,
@@ -2646,9 +2632,8 @@ static struct phy_driver vsc85xx_driver[] = {
.get_stats = &vsc85xx_get_stats,
},
{
- .phy_id = PHY_ID_VSC8584,
+ PHY_ID_MATCH_EXACT(PHY_ID_VSC8584),
.name = "Microsemi GE VSC8584 SyncE",
- .phy_id_mask = 0xfffffff0,
/* PHY_GBIT_FEATURES */
.soft_reset = &genphy_soft_reset,
.config_init = &vsc8584_config_init,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 054/411] smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 053/411] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 055/411] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
` (357 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steve French, Tom Talpey, Long Li,
Namjae Jeon, linux-cifs, samba-technical, Stefan Metzmacher,
Steve French, Robert Garcia, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit daac51c7032036a0ca5f1aa419ad1b0471d1c6e0 ]
During tests of another unrelated patch I was able to trigger this
error: Objects remaining on __kmem_cache_shutdown()
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Long Li <longli@microsoft.com>
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smbdirect.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c
index 48bd879349fbe2..c9bda34fd2f573 100644
--- a/fs/cifs/smbdirect.c
+++ b/fs/cifs/smbdirect.c
@@ -1084,8 +1084,10 @@ static int smbd_negotiate(struct smbd_connection *info)
log_rdma_event(INFO, "smbd_post_recv rc=%d iov.addr=%llx iov.length=%x iov.lkey=%x\n",
rc, response->sge.addr,
response->sge.length, response->sge.lkey);
- if (rc)
+ if (rc) {
+ put_receive_buffer(info, response);
return rc;
+ }
init_completion(&info->negotiate_completion);
info->negotiate_done = false;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 055/411] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 054/411] smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 056/411] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
` (356 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jonathan Cameron,
David Lechner, Nuno Sá, Andy Shevchenko, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.
The tagged FIFO path declares iio_buff on the stack with __aligned(8)
but no initializer, but there is a hole in the structure, which will
then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
copied, but the space between that and the timestamp are not
initialized.
Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
but for the tagged path it only added the alignment qualifier and not
the initializer :(
Fix this by just zero-initializing the structure on the stack.
Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
Cc: stable <stable@kernel.org>
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
@@ -585,7 +585,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
* must be passed a buffer that is aligned to 8 bytes so
* as to allow insertion of a naturally aligned timestamp.
*/
- u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
+ u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
u8 tag;
bool reset_ts = false;
int i, err, read_len;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 056/411] usb: typec: ucsi: ccg: reject firmware images without a : record header
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 055/411] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 057/411] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
` (355 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.
do_flash() locates the first .cyacd record with
p = strnchr(fw->data, fw->size, ':');
while (p < eof) {
s = strnchr(p + 1, eof - p - 1, ':');
...
}
If the firmware image contains no ':' byte, strnchr() returns NULL.
NULL compares less than the valid kernel pointer eof, so the loop body
runs and strnchr() is called with p + 1 == (void *)1 and a length of
roughly (unsigned long)eof, causing a wonderful crash.
The not_signed_fw fallthrough earlier in do_flash() and the chip-state
branches in ccg_fw_update_needed() allow an unsigned blob to reach this
loop, so a root user who can place a crafted file under /lib/firmware
and write the do_flash sysfs attribute can trigger the oops.
Bail out with -EINVAL when the initial strnchr() returns NULL.
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
+++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
@@ -1156,6 +1156,11 @@ not_signed_fw:
*****************************************************************/
p = strnchr(fw->data, fw->size, ':');
+ if (!p) {
+ dev_err(dev, "Bad FW format: no ':' record header found\n");
+ err = -EINVAL;
+ goto release_mem;
+ }
while (p < eof) {
s = strnchr(p + 1, eof - p - 1, ':');
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 057/411] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 056/411] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 058/411] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
` (354 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pooja Katiyar, Johan Hovold, stable,
Heikki Krogerus
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.
ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
payload VDO from data[], but unlike the equivalent handler in
altmodes/displayport.c it does not check that count covers a VDO beyond
the header. A header-only Configure VDM (count == 1) would read one u32
past the caller's array.
In the normal UCSI path the caller controls count, so this is hardening
for non-standard delivery paths. NAK and bail when no configuration VDO
is present, matching the generic DP altmode driver's existing guard.
Assisted-by: gkh_clanker_t1000
Cc: Pooja Katiyar <pooja.katiyar@intel.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/displayport.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/typec/ucsi/displayport.c
+++ b/drivers/usb/typec/ucsi/displayport.c
@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t
dp->header |= VDO_CMDT(CMDT_RSP_ACK);
break;
case DP_CMD_CONFIGURE:
+ if (count < 2) {
+ dp->header |= VDO_CMDT(CMDT_RSP_NAK);
+ break;
+ }
dp->data.conf = *data;
if (ucsi_displayport_configure(dp)) {
dp->header |= VDO_CMDT(CMDT_RSP_NAK);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 058/411] usb: typec: altmodes/displayport: validate count before reading Status Update VDO
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 057/411] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 059/411] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
` (353 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.
A broken/malicious device can send the incorrect count for a status
update VDO, which will cause the kernel to read uninitialized stack data
and send it off elsewhere.
Fix this up by correctly verifying the count for the update object.
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/altmodes/displayport.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -286,6 +286,8 @@ static int dp_altmode_vdm(struct typec_a
dp->data.conf = 0;
break;
case DP_CMD_STATUS_UPDATE:
+ if (count < 2)
+ break;
dp->data.status = *vdo;
ret = dp_altmode_status_update(dp);
break;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 059/411] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 058/411] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 060/411] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
` (352 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.
wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
struct pd_message with
for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
which has two problems:
USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
The byte count latched in RXINFO is the number of bytes the port partner
put on the wire, so a malicious partner that transmits a 31-byte frame
can drive the loop one byte past the destination if the WCOVE BMC
receiver does not enforce the PD object-count limit in hardware. The
existing FIXME flagged this as unverified.
Independently, regmap_read() takes an unsigned int * and stores a full
unsigned int at the destination. Passing the byte pointer msg + i means
each iteration writes four bytes; the high three are zero (val_bits is
8) and are normally overwritten by the next iteration, but the final
iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
already writes three zero bytes past msg, which sits on the IRQ thread's
stack in wcove_typec_irq().
Clamp the loop to sizeof(struct pd_message) and read each register into
a local before storing only its low byte, so the copy can never exceed
the destination regardless of what RXINFO reports.
Assisted-by: gkh_clanker_t1000
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/wcove.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/usb/typec/tcpm/wcove.c
+++ b/drivers/usb/typec/tcpm/wcove.c
@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t
return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
}
-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
+static int wcove_read_rx_buffer(struct wcove_typec *wcove,
+ struct pd_message *msg)
{
- unsigned int info;
+ unsigned int info, val, len;
+ u8 *buf = (u8 *)msg;
int ret;
int i;
@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w
if (ret)
return ret;
- /* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
+ len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
- for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
- ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+ for (i = 0; i < len; i++) {
+ ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
if (ret)
return ret;
+ buf[i] = val;
}
return regmap_write(wcove->regmap, USBC_RXSTATUS,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 060/411] USB: serial: safe_serial: fix memory corruption with small endpoint
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 059/411] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 061/411] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
` (351 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.
Make sure that the bulk-out buffer size is at least eight bytes to avoid
user-controlled slab corruption in "safe" mode should a malicious device
report a smaller size.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/safe_serial.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/usb/serial/safe_serial.c
+++ b/drivers/usb/serial/safe_serial.c
@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
static int safe_startup(struct usb_serial *serial)
{
struct usb_interface_descriptor *desc;
+ int bulk_out_size;
if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
return -ENODEV;
@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
default:
return -EINVAL;
}
+
+ /*
+ * The bulk-out buffer needs to be large enough for the two-byte
+ * trailer in safe mode, but assume anything smaller than eight bytes
+ * is broken.
+ */
+ bulk_out_size = serial->port[0]->bulk_out_size;
+ if (bulk_out_size > 0 && bulk_out_size < 8)
+ return -EINVAL;
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 061/411] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 060/411] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:54 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 062/411] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
` (350 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.
The input buffer size is pcu->max_in_size, but pcu->max_out_size is
passed to usb_free_coherent().
Change size to match the allocation size.
Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/misc/ims-pcu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1598,7 +1598,7 @@ static void ims_pcu_buffers_free(struct
usb_kill_urb(pcu->urb_in);
usb_free_urb(pcu->urb_in);
- usb_free_coherent(pcu->udev, pcu->max_out_size,
+ usb_free_coherent(pcu->udev, pcu->max_in_size,
pcu->urb_in_buf, pcu->read_dma);
kfree(pcu->urb_out_buf);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 062/411] Bluetooth: btusb: Allow firmware re-download when version matches
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-06-16 14:54 ` [PATCH 5.15 061/411] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 063/411] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
` (349 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuai Zhang, Luiz Augusto von Dentz
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.
The Bluetooth host decides whether to download firmware by reading the
controller firmware download completion flag and firmware version
information.
If a USB error occurs during the firmware download process (for example
due to a USB disconnect), the download is aborted immediately. An
incomplete firmware transfer does not cause the controller to set the
download completion flag, but the firmware version information may be
updated at an early stage of the download process.
In this case, after USB reconnection, the host attempts to re-download
the firmware because the download completion flag is not set. However,
since the controller reports the same firmware version as the target
firmware, the download is skipped. This ultimately results in the
firmware not being properly updated on the controller.
This change removes the restriction that skips firmware download when
the versions are equal. It covers scenarios where the USB connection
can be disconnected at any time and ensures that firmware download can
be retriggered after USB reconnection, allowing the Bluetooth firmware
to be correctly and completely updated.
Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
Cc: stable@vger.kernel.org
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btusb.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3448,7 +3448,13 @@ static int btusb_setup_qca_load_rampatch
"firmware rome 0x%x build 0x%x",
rver_rom, rver_patch, ver_rom, ver_patch);
- if (rver_rom != ver_rom || rver_patch <= ver_patch) {
+ /* Allow rampatch when the patch version equals the firmware version.
+ * A firmware download may be aborted by a transient USB error (e.g.
+ * disconnect) after the controller updates version info but before
+ * completion.
+ * Allowing equal versions enables re-flashing during recovery.
+ */
+ if (rver_rom != ver_rom || rver_patch < ver_patch) {
bt_dev_err(hdev, "rampatch file version did not match with firmware");
err = -EINVAL;
goto done;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 063/411] hpfs: fix a crash if hpfs_map_dnode_bitmap fails
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 062/411] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 064/411] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
` (348 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Farhad Alemi
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 974820a59efde7c1a7e1260bcfe9bb81f833cc9f upstream.
If hpfs_map_dnode_bitmap fails, the code would call hpfs_brelse4 on
uninitialized quad buffer head, causing a crash.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hpfs/alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/hpfs/alloc.c
+++ b/fs/hpfs/alloc.c
@@ -372,8 +372,8 @@ int hpfs_check_free_dnodes(struct super_
return 0;
}
}
+ hpfs_brelse4(&qbh);
}
- hpfs_brelse4(&qbh);
i = 0;
if (hpfs_sb(s)->sb_c_bitmap != -1) {
bmp = hpfs_map_bitmap(s, b, &qbh, "chkdn1");
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 064/411] ipc: limit next_id allocation to the valid ID range
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 063/411] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 065/411] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
` (347 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linpu Yu, Ren Wei, Yuan Tan,
Yifan Wu, Juefei Pu, Xin Liu, Kees Cook, Stanislav Kinsbursky,
Davidlohr Bueso, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linpu Yu <linpu5433@gmail.com>
commit fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 upstream.
The checkpoint/restore sysctl path can request the next SysV IPC id
through ids->next_id. ipc_idr_alloc() currently forwards that request to
idr_alloc() with an open-ended upper bound.
If the valid tail of the SysV IPC id space is full, the allocation can
spill beyond ipc_mni. The returned SysV IPC id still uses the normal
index encoding, so later lookup and removal can target the wrong slot.
This leaves the real IDR entry behind and breaks the IDR state for the
object.
The bug is in ipc_idr_alloc() in the checkpoint/restore path.
1. ids->next_id is passed to:
idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...)
2. The zero upper bound makes the allocation effectively open-ended.
Once the valid SysV IPC tail is occupied, idr_alloc() can spill past
ipc_mni and allocate an entry beyond the valid IPC id range.
3. The new object id is still encoded with the narrower SysV IPC index
width:
new->id = (new->seq << ipcmni_seq_shift()) + idx
4. Later removal goes through ipc_rmid(), which uses:
ipcid_to_idx(ipcp->id)
That truncates the real IDR index. An object actually stored at a
high index can then be removed as if it lived at a low in-range
index.
5. For shared memory, shm_destroy() frees the current object anyway, but
the real high IDR slot is left behind as a dangling pointer.
6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry
and dereferences freed memory.
Prevent this by bounding the requested allocation to ipc_mni so the
checkpoint/restore path fails once the valid range is exhausted.
Link: https://lore.kernel.org/cover.1778336914.git.linpu5433@gmail.com
Link: https://lore.kernel.org/2eebe949bfa7d1f6e13b5be6a92c64c850ce9d45.1778336914.git.linpu5433@gmail.com
Fixes: 03f595668017 ("ipc: add sysctl to specify desired next object id")
Signed-off-by: Linpu Yu <linpu5433@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Cc: Kees Cook <kees@kernel.org>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
ipc/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -253,7 +253,7 @@ static inline int ipc_idr_alloc(struct i
} else {
new->seq = ipcid_to_seqx(next_id);
idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id),
- 0, GFP_NOWAIT);
+ ipc_mni, GFP_NOWAIT);
}
if (idx >= 0)
new->id = (new->seq << ipcmni_seq_shift()) + idx;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 065/411] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 064/411] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 066/411] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
` (346 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siwei Zhang <oss@fourdim.xyz>
commit 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 upstream.
__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold()
before scheduling the delayed work. The normal path in
l2cap_chan_timeout() drops this reference with l2cap_chan_put() at the
end, but the early return when chan->conn is NULL skips the put,
leaking the reference.
Add the missing l2cap_chan_put() before the early return.
Fixes: adf0398cee86 ("Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -435,8 +435,10 @@ static void l2cap_chan_timeout(struct wo
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
- if (!conn)
+ if (!conn) {
+ l2cap_chan_put(chan);
return;
+ }
mutex_lock(&conn->chan_lock);
/* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 066/411] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 065/411] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 067/411] parport: Fix race between port and client registration Greg Kroah-Hartman
` (345 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Muhammad Bilal,
Luiz Augusto von Dentz
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Muhammad Bilal <meatuni001@gmail.com>
commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream.
hidp_input_report() reads keyboard and mouse payload data from an skb
without first verifying that skb->len contains enough data.
hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
to hidp_input_report(). If a paired device sends a truncated packet,
the handler reads beyond the valid skb data, resulting in an
out-of-bounds read of skb data. The OOB bytes may be interpreted as
phantom key presses or spurious mouse movement.
Replace the open-coded length tracking and pointer arithmetic with
skb_pull_data() calls. skb_pull_data() returns NULL if the requested
bytes are not present, eliminating the need for a manual size variable
and the separate skb->len guard.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hidp/core.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid
{
struct input_dev *dev = session->input;
unsigned char *keys = session->keys;
- unsigned char *udata = skb->data + 1;
- signed char *sdata = skb->data + 1;
- int i, size = skb->len - 1;
+ unsigned char *udata;
+ signed char *sdata;
+ u8 *hdr;
+ int i;
+
+ hdr = skb_pull_data(skb, 1);
+ if (!hdr)
+ return;
- switch (skb->data[0]) {
+ switch (*hdr) {
case 0x01: /* Keyboard report */
+ udata = skb_pull_data(skb, 8);
+ if (!udata)
+ break;
+
for (i = 0; i < 8; i++)
input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid
break;
case 0x02: /* Mouse report */
+ sdata = skb_pull_data(skb, 3);
+ if (!sdata)
+ break;
+
input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid
input_report_rel(dev, REL_X, sdata[1]);
input_report_rel(dev, REL_Y, sdata[2]);
- if (size > 3)
+ if (skb->len > 0)
input_report_rel(dev, REL_WHEEL, sdata[3]);
break;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 067/411] parport: Fix race between port and client registration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 066/411] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 068/411] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
` (344 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ben Hutchings,
Sudip Mukherjee
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <benh@debian.org>
commit ef15ccbb3e8640a723c42ad90eaf81d66ae02017 upstream.
The parport subsystem registers port devices before they are fully
initialised, resulting in a race condition where client drivers such
as lp can attach to ports that are not completely initialised or even
being torn down.
When the port and client drivers are built as modules and loaded
around the same time during boot, this occasionally results in a
crash. I was able to make this happen reliably in a VM with a
PC-style parallel port by patching parport_pc to fail probing:
> --- a/drivers/parport/parport_pc.c
> +++ b/drivers/parport/parport_pc.c
> @@ -2069,7 +2069,7 @@ static struct parport *__parport_pc_probe_port(unsigned long int base,
> if (!p)
> goto out3;
>
> - base_res = request_region(base, 3, p->name);
> + base_res = NULL;
> if (!base_res)
> goto out4;
>
and then running:
while true; do
modprobe lp & modprobe parport_pc
wait
rmmod lp parport_pc
done
for a few seconds.
In the long term I think port registration should be changed to put
the call to device_add() inside parport_announce_port(), but since the
latter currently cannot fail this will require changing all port
drivers.
For now, add a flag to indicate whether a port has been "announced"
and only try to attach client drivers to ports when the flag is set.
Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem")
Closes: https://bugs.debian.org/1130365
Closes: https://lore.kernel.org/all/6ba903ad-9897-42bb-8c2d-337385cc3746@molgen.mpg.de/
Cc: stable <stable@kernel.org>
Signed-off-by: Ben Hutchings <benh@debian.org>
Acked-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Link: https://patch.msgid.link/afo6uBv68GDevbMD@decadent.org.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/parport/share.c | 11 +++++++++--
include/linux/parport.h | 1 +
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/drivers/parport/share.c
+++ b/drivers/parport/share.c
@@ -223,10 +223,14 @@ static void get_lowlevel_driver(void)
static int port_check(struct device *dev, void *dev_drv)
{
struct parport_driver *drv = dev_drv;
+ struct parport *port;
/* only send ports, do not send other devices connected to bus */
- if (is_parport(dev))
- drv->match_port(to_parport_dev(dev));
+ if (is_parport(dev)) {
+ port = to_parport_dev(dev);
+ if (test_bit(PARPORT_ANNOUNCED, &port->devflags))
+ drv->match_port(port);
+ }
return 0;
}
@@ -553,6 +557,7 @@ void parport_announce_port(struct parpor
if (slave)
attach_driver_chain(slave);
}
+ set_bit(PARPORT_ANNOUNCED, &port->devflags);
mutex_unlock(®istration_lock);
}
EXPORT_SYMBOL(parport_announce_port);
@@ -582,6 +587,8 @@ void parport_remove_port(struct parport
mutex_lock(®istration_lock);
+ clear_bit(PARPORT_ANNOUNCED, &port->devflags);
+
/* Spread the word. */
detach_driver_chain(port);
--- a/include/linux/parport.h
+++ b/include/linux/parport.h
@@ -245,6 +245,7 @@ struct parport {
unsigned long devflags;
#define PARPORT_DEVPROC_REGISTERED 0
+#define PARPORT_ANNOUNCED 1
struct pardevice *proc_device; /* Currently register proc device */
struct list_head full_list;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 068/411] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 067/411] parport: Fix race between port and client registration Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 069/411] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
` (343 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christofer Jonason, Andy Shevchenko,
Nuno Sá, Salih Erim, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christofer Jonason <christofer.jonason@guidelinegeo.com>
commit 852534744c2d35626a604f128ff0b8ec12805591 upstream.
xadc_postdisable() unconditionally sets the sequencer to continuous
mode. For dual external multiplexer configurations this is incorrect:
simultaneous sampling mode is required so that ADC-A samples through
the mux on VAUX[0-7] while ADC-B simultaneously samples through the
mux on VAUX[8-15]. In continuous mode only ADC-A is active, so
VAUX[8-15] channels return incorrect data.
Since postdisable is also called from xadc_probe() to set the initial
idle state, the wrong sequencer mode is active from the moment the
driver loads.
The preenable path already uses xadc_get_seq_mode() which returns
SIMULTANEOUS for dual mux. Fix postdisable to do the same.
Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Christofer Jonason <christofer.jonason@guidelinegeo.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Salih Erim <salih.erim@amd.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/xilinx-xadc-core.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/xilinx-xadc-core.c
+++ b/drivers/iio/adc/xilinx-xadc-core.c
@@ -819,6 +819,7 @@ static int xadc_postdisable(struct iio_d
{
struct xadc *xadc = iio_priv(indio_dev);
unsigned long scan_mask;
+ int seq_mode;
int ret;
int i;
@@ -826,6 +827,12 @@ static int xadc_postdisable(struct iio_d
for (i = 0; i < indio_dev->num_channels; i++)
scan_mask |= BIT(indio_dev->channels[i].scan_index);
+ /*
+ * Use the correct sequencer mode for the idle state: simultaneous
+ * mode for dual external mux configurations, continuous otherwise.
+ */
+ seq_mode = xadc_get_seq_mode(xadc, scan_mask);
+
/* Enable all channels and calibration */
ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(0), scan_mask & 0xffff);
if (ret)
@@ -836,11 +843,11 @@ static int xadc_postdisable(struct iio_d
return ret;
ret = xadc_update_adc_reg(xadc, XADC_REG_CONF1, XADC_CONF1_SEQ_MASK,
- XADC_CONF1_SEQ_CONTINUOUS);
+ seq_mode);
if (ret)
return ret;
- return xadc_power_adc_b(xadc, XADC_CONF1_SEQ_CONTINUOUS);
+ return xadc_power_adc_b(xadc, seq_mode);
}
static int xadc_preenable(struct iio_dev *indio_dev)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 069/411] iio: dac: max5821: fix return value check in powerdown sync
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 068/411] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 070/411] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
` (342 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salah Triki, Andy Shevchenko, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salah Triki <salah.triki@gmail.com>
commit d0a228d903425e653f18a4341e60c0538afb6d41 upstream.
The function max5821_sync_powerdown_mode() returned the result of
i2c_master_send() directly. If a partial transfer occurred, it would
be incorrectly treated as a success by the caller.
While the caller currently handles the positive return value of 2 as
success, this patch refactors the function to return 0 on full success
and -EIO on short writes. This ensures robust error handling for
incomplete transfers and improves code maintainability by using
sizeof(outbuf).
Fixes: 472988972737 ("iio: add support of the max5821")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/max5821.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/iio/dac/max5821.c
+++ b/drivers/iio/dac/max5821.c
@@ -91,6 +91,7 @@ static int max5821_sync_powerdown_mode(s
const struct iio_chan_spec *chan)
{
u8 outbuf[2];
+ int ret;
outbuf[0] = MAX5821_EXTENDED_COMMAND_MODE;
@@ -104,7 +105,13 @@ static int max5821_sync_powerdown_mode(s
else
outbuf[1] |= MAX5821_EXTENDED_POWER_UP;
- return i2c_master_send(data->client, outbuf, 2);
+ ret = i2c_master_send(data->client, outbuf, sizeof(outbuf));
+ if (ret < 0)
+ return ret;
+ if (ret != sizeof(outbuf))
+ return -EIO;
+
+ return 0;
}
static ssize_t max5821_write_dac_powerdown(struct iio_dev *indio_dev,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 070/411] iio: dac: ad5686: fix input raw value check
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 069/411] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 071/411] wireguard: send: append trailer after expanding head Greg Kroah-Hartman
` (341 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Alencar <rodrigo.alencar@analog.com>
commit d01220ee5e43c65a206df827b39bf5cf5f7b9dce upstream.
Fix range check for input raw value, which is off by one, i.e., for a
10-bit DAC the max valid value is 1023, but 1 << 10 equals 1024, which
passes the previous check, allowing an out-of-range write. The issue
exists since the ad5686 driver was first introduced.
Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5686.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -154,7 +154,7 @@ static int ad5686_write_raw(struct iio_d
switch (mask) {
case IIO_CHAN_INFO_RAW:
- if (val > (1 << chan->scan_type.realbits) || val < 0)
+ if (val >= (1 << chan->scan_type.realbits) || val < 0)
return -EINVAL;
mutex_lock(&st->lock);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 071/411] wireguard: send: append trailer after expanding head
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 070/411] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 072/411] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
` (340 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason A. Donenfeld, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason A. Donenfeld <Jason@zx2c4.com>
commit f75e3eb08fe31d30a9af6ed80cdd22e6772837e2 upstream.
With how this is currently written, we add the trailer, zero it out, and
then add the header space on. If that header space requires a
reallocation + copy, the zeros in the trailer aren't copied, because the
skb len hasn't actually been yet expanded to cover that. Instead add the
padding at the end of the process rather than at the beginning.
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireguard/send.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/drivers/net/wireguard/send.c
+++ b/drivers/net/wireguard/send.c
@@ -177,16 +177,6 @@ static bool encrypt_packet(struct sk_buf
trailer_len = padding_len + noise_encrypted_len(0);
plaintext_len = skb->len + padding_len;
- /* Expand data section to have room for padding and auth tag. */
- num_frags = skb_cow_data(skb, trailer_len, &trailer);
- if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
- return false;
-
- /* Set the padding to zeros, and make sure it and the auth tag are part
- * of the skb.
- */
- memset(skb_tail_pointer(trailer), 0, padding_len);
-
/* Expand head section to have room for our header and the network
* stack's headers.
*/
@@ -198,6 +188,16 @@ static bool encrypt_packet(struct sk_buf
skb_checksum_help(skb)))
return false;
+ /* Expand data section to have room for padding and auth tag. */
+ num_frags = skb_cow_data(skb, trailer_len, &trailer);
+ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
+ return false;
+
+ /* Set the padding to zeros, and make sure it and the auth tag are part
+ * of the skb.
+ */
+ memset(skb_tail_pointer(trailer), 0, padding_len);
+
/* Only after checksumming can we safely add on the padding at the end
* and the header.
*/
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 072/411] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 071/411] wireguard: send: append trailer after expanding head Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 073/411] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
` (339 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salah Triki, Joshua Crofts,
Maxwell Doose, Nuno Sá, Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salah Triki <salah.triki@gmail.com>
commit 422b5bbf333f75fb486855ad0eedc23cf21f3277 upstream.
The driver proceeds to the reception phase even if the preceding
transmission fails.
This uses a goto error label for an early bail out and ensures the mutex is
properly unlocked in case of failure.
Fixes: ffd8a6e7a778 ("iio: adc: Add viperboard adc driver")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: Joshua Crofts <joshua.crofts1@gmail.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/viperboard_adc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/iio/adc/viperboard_adc.c
+++ b/drivers/iio/adc/viperboard_adc.c
@@ -70,8 +70,10 @@ static int vprbrd_iio_read_raw(struct ii
VPRBRD_USB_TYPE_OUT, 0x0000, 0x0000, admsg,
sizeof(struct vprbrd_adc_msg), VPRBRD_USB_TIMEOUT_MS);
if (ret != sizeof(struct vprbrd_adc_msg)) {
- dev_err(&iio_dev->dev, "usb send error on adc read\n");
+ mutex_unlock(&vb->lock);
error = -EREMOTEIO;
+ dev_err(&iio_dev->dev, "usb send error on adc read\n");
+ goto error;
}
ret = usb_control_msg(vb->usb_dev,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 073/411] iio: gyro: itg3200: fix i2c read into the wrong stack location
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 072/411] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 074/411] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
` (338 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Carlier, Andy Shevchenko,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
commit 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae upstream.
itg3200_read_all_channels() takes `__be16 *buf' as a parameter and
fills the i2c_msg destination as `(char *)&buf'. Since `buf' is the
parameter (a pointer), `&buf' is the address of the local pointer
slot on the stack of itg3200_read_all_channels(), not the address
of the caller's scan buffer. The (char *) cast hides the type
mismatch.
i2c_transfer() therefore writes ITG3200_SCAN_ELEMENTS * sizeof(s16)
= 8 bytes into the parameter's stack slot, which is discarded when
the function returns. The caller's scan buffer in
itg3200_trigger_handler() is never written to, so
iio_push_to_buffers_with_timestamp() pushes uninitialised stack
contents to userspace via /dev/iio:deviceX every scan -- both a
functional bug (no actual gyroscope or temperature data is
delivered through the triggered buffer) and an information leak.
The non-buffered read_raw() path is unaffected: it goes through
itg3200_read_reg_s16() which uses `&out' on a local s16 value,
where that is correct.
Drop the spurious `&' so the i2c read writes into the caller's
buffer.
Fixes: 9dbf091da080 ("iio: gyro: Add itg3200")
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier <devnexen@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/itg3200_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/gyro/itg3200_buffer.c
+++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -34,7 +34,7 @@ static int itg3200_read_all_channels(str
.addr = i2c->addr,
.flags = i2c->flags | I2C_M_RD,
.len = ITG3200_SCAN_ELEMENTS * sizeof(s16),
- .buf = (char *)&buf,
+ .buf = (char *)buf,
},
};
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 074/411] iio: ssp_sensors: cancel delayed work_refresh on remove
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 073/411] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 075/411] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
` (337 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanjay Chitroda, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanjay Chitroda <sanjayembeddedse@gmail.com>
commit eedf7602fbd929e97e0c480da501dc7a34beb2a8 upstream.
The work_refresh may still be pending or running when the device is
removed, cancel the delayed work_refresh in remove path.
Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/common/ssp_sensors/ssp_dev.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iio/common/ssp_sensors/ssp_dev.c
+++ b/drivers/iio/common/ssp_sensors/ssp_dev.c
@@ -602,6 +602,7 @@ static int ssp_remove(struct spi_device
ssp_clean_pending_list(data);
free_irq(data->spi->irq, data);
+ cancel_delayed_work_sync(&data->work_refresh);
del_timer_sync(&data->wdt_timer);
cancel_work_sync(&data->work_wdt);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 075/411] iio: temperature: tsys01: fix broken PROM checksum validation
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 074/411] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 076/411] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
` (336 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Salah Triki, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salah Triki <salah.triki@gmail.com>
commit 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 upstream.
The current implementation of tsys01_crc_valid() incorrectly sums the
first word (n_prom[0]) repeatedly instead of iterating over the 8 words
retrieved from the PROM. This leads to a checksum mismatch and probe
failure on hardware.
According to the TSYS01 datasheet, the PROM consists of 8 words. A valid
check must iterate through all 8 words to verify the integrity of the
calibration data. The current driver only checks the first word 8 times.
Note: This fix was identified during a code audit and is based on
datasheet specifications. It has not been tested on real hardware.
Fixes: 43e53407f680 ("Add tsys01 meas-spec driver support")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/temperature/tsys01.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/temperature/tsys01.c
+++ b/drivers/iio/temperature/tsys01.c
@@ -119,7 +119,7 @@ static bool tsys01_crc_valid(u16 *n_prom
u8 sum = 0;
for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++)
- sum += ((n_prom[0] >> 8) + (n_prom[0] & 0xFF));
+ sum += ((n_prom[cnt] >> 8) + (n_prom[cnt] & 0xFF));
return (sum == 0);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 076/411] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 075/411] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 077/411] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
` (335 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Advait Dhamorikar, Andy Shevchenko,
Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Advait Dhamorikar <advaitd@mechasystems.com>
commit 49f79cd28f1e3333cbe0d616ce59ead0b24bf34e upstream.
The device tree binding for st,lis2mdl does not support
st,drdy-int-pin property. However, when no platform data is provided
and the property is absent, the driver falls back to default_magn_pdata
which hardcodes drdy_int_pin = 2. This causes
`st_sensors_set_drdy_int_pin` to fail with -EINVAL because the LIS2MDL
sensor settings have no INT2 DRDY mask defined.
Fix this by checking the sensor's INT2 DRDY mask availability at
probe time and selecting the appropriate default pin. Sensors that
do not support INT2 DRDY will default to INT1, while all others
retain the existing default of INT2.
Fixes: 38934daf7b5c ("iio: magnetometer: st_magn: Provide default platform data")
Signed-off-by: Advait Dhamorikar <advaitd@mechasystems.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/magnetometer/st_magn_core.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/iio/magnetometer/st_magn_core.c
+++ b/drivers/iio/magnetometer/st_magn_core.c
@@ -504,6 +504,11 @@ static const struct st_sensors_platform_
.drdy_int_pin = 2,
};
+/* LIS2MDL only supports DRDY on INT1 */
+static const struct st_sensors_platform_data alt_magn_pdata = {
+ .drdy_int_pin = 1,
+};
+
static int st_magn_read_raw(struct iio_dev *indio_dev,
struct iio_chan_spec const *ch, int *val,
int *val2, long mask)
@@ -632,8 +637,12 @@ int st_magn_common_probe(struct iio_dev
mdata->current_fullscale = &mdata->sensor_settings->fs.fs_avl[0];
mdata->odr = mdata->sensor_settings->odr.odr_avl[0].hz;
- if (!pdata)
- pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+ if (!pdata) {
+ if (mdata->sensor_settings->drdy_irq.int2.mask)
+ pdata = (struct st_sensors_platform_data *)&default_magn_pdata;
+ else
+ pdata = (struct st_sensors_platform_data *)&alt_magn_pdata;
+ }
err = st_sensors_init_sensor(indio_dev, pdata);
if (err < 0)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 077/411] iio: light: cm3323: fix reg_conf not being initialized correctly
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 076/411] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 078/411] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
` (334 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aldo Conte, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aldo Conte <aldocontelk@gmail.com>
commit 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 upstream.
The code stores the return value of i2c_smbus_write_word_data()
in data->reg_conf; however, this value represents the result
of the write operation and not the value actually written to
the configuration register. This meant that the contents of
data->reg_conf did not truly reflect the contents
of the hardware register.
Instead, save the value of the register before the write
and use this value in the I2C write.
The bug was found by code inspection: i2c_smbus_write_word_data()
returns 0 on success, not the value written to the register.
Tested using i2c-stub on a Raspberry Pi 3B running a custom 6.19.10
kernel. Before loading the driver, the configuration register 0x00
CM3323_CMD_CONF was populated with 0x0030 using
`i2cset -y 11 0x10 0x00 0x0030 w`, encoding an integration time of 320ms
in bits[6:4].
Due to incorrect initialization of data->reg_conf in
cm3323_init(), the print of integration_time returns 0.040000
instead of the expected 0.320000. This happens because the read of the
integration_time depends on cm3323_get_it_bits() that is based on the
value of data->reg_conf, which is erroneously set to 0.
With this fix applied, data->reg_conf correctly saves 0x0030 after init
and the successive integration_time reports 0.320000 as expected.
Fixes: 8b0544263761 ("iio: light: Add support for Capella CM3323 color sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Aldo Conte <aldocontelk@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/cm3323.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iio/light/cm3323.c
+++ b/drivers/iio/light/cm3323.c
@@ -89,15 +89,14 @@ static int cm3323_init(struct iio_dev *i
/* enable sensor and set auto force mode */
ret &= ~(CM3323_CONF_SD_BIT | CM3323_CONF_AF_BIT);
+ data->reg_conf = ret;
- ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, ret);
+ ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, data->reg_conf);
if (ret < 0) {
dev_err(&data->client->dev, "Error writing reg_conf\n");
return ret;
}
- data->reg_conf = ret;
-
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 078/411] iio: buffer: hw-consumer: fix use-after-free in error path
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 077/411] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 079/411] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
` (333 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sashiko, Felix Gu, Andy Shevchenko,
Nuno Sá, Maxwell Doose, Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Gu <ustc.gu@gmail.com>
commit 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 upstream.
In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
was using list_for_each_entry() to iterate through buffers while calling
iio_buffer_put() which can free the current buffer if refcount drops to 0.
The list_for_each_entry() loop macro then evaluates buf->head.next to
continue iteration, accessing the freed buffer.
Fix this by using list_for_each_entry_safe().
Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
Reported-by: sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Maxwell Doose <m32285159@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/buffer/industrialio-hw-consumer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/buffer/industrialio-hw-consumer.c
+++ b/drivers/iio/buffer/industrialio-hw-consumer.c
@@ -82,7 +82,7 @@ static struct hw_consumer_buffer *iio_hw
*/
struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev)
{
- struct hw_consumer_buffer *buf;
+ struct hw_consumer_buffer *buf, *tmp;
struct iio_hw_consumer *hwc;
struct iio_channel *chan;
int ret;
@@ -113,7 +113,7 @@ struct iio_hw_consumer *iio_hw_consumer_
return hwc;
err_put_buffers:
- list_for_each_entry(buf, &hwc->buffers, head)
+ list_for_each_entry_safe(buf, tmp, &hwc->buffers, head)
iio_buffer_put(&buf->buffer);
iio_channel_release_all(hwc->channels);
err_free_hwc:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 079/411] USB: serial: omninet: fix memory corruption with small endpoint
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 078/411] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 080/411] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
` (332 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 60df93d30f9bdd27db17c4d80ed80ef718d7226b upstream.
Make sure that the bulk-out buffers are at least as large as the
hardcoded transfer size to avoid user-controlled slab corruption should
a malicious device report a smaller endpoint max packet size than
expected.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/omninet.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -30,6 +30,10 @@
/* This one seems to be a re-branded ZyXEL device */
#define BT_IGNITIONPRO_ID 0x2000
+#define OMNINET_HEADERLEN 4
+#define OMNINET_BULKOUTSIZE 64
+#define OMNINET_PAYLOADSIZE (OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
+
/* function prototypes */
static void omninet_process_read_urb(struct urb *urb);
static int omninet_prepare_write_buffer(struct usb_serial_port *port,
@@ -55,6 +59,7 @@ static struct usb_serial_driver zyxel_om
.description = "ZyXEL - omni.net usb",
.id_table = id_table,
.num_bulk_out = 2,
+ .bulk_out_size = OMNINET_BULKOUTSIZE,
.calc_num_ports = omninet_calc_num_ports,
.port_probe = omninet_port_probe,
.port_remove = omninet_port_remove,
@@ -131,10 +136,6 @@ static void omninet_port_remove(struct u
kfree(od);
}
-#define OMNINET_HEADERLEN 4
-#define OMNINET_BULKOUTSIZE 64
-#define OMNINET_PAYLOADSIZE (OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
-
static void omninet_process_read_urb(struct urb *urb)
{
struct usb_serial_port *port = urb->context;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 080/411] usb: cdns3: gadget: fix request skipping after clearing halt
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 079/411] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 081/411] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
` (331 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Yongchao Wu
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongchao Wu <yongchao.wu@autochips.com>
commit c8778ff817a7047d6848fefba99dcb27b1bf01fe upstream.
According to the cdns3 datasheet, the EPRST (Endpoint Reset) command
causes the DMA engine to reposition its internal pointer to the next
Transfer Descriptor (TD) if it was already processing one.
This issue is consistently observed during the ADB identification
process on macOS hosts, where the host issues a Clear_Halt. Although
commit 4bf2dd65135a ("usb: cdns3: gadget: toggle cycle bit before reset
endpoint") attempted to avoid DMA advance by toggling the cycle bit,
trace logs show that on certain hosts like macOS, the DMA pointer
(EP_TRADDR) still shifts after EPRST:
cdns3_ctrl_req: Clear Endpoint Feature(Halt ep1out)
cdns3_doorbell_epx: ep1out, ep_trbaddr f9c04030 <-- Should be f9c04000
cdns3_gadget_giveback: ep1out: req: ... length: 16384/16384
As shown above, the DMA pointer jumped to the next TD, causing
the controller to skip the initial TRBs of the request. This leads to
data misalignment and ADB protocol hangs on macOS.
Fix this by manually restoring the EP_TRADDR register to the starting
physical address of the current request after the EPRST operation is
complete.
Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Cc: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Yongchao Wu <yongchao.wu@autochips.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://patch.msgid.link/20260513160012.2547894-1-yongchao.wu@autochips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdns3-gadget.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/usb/cdns3/cdns3-gadget.c
+++ b/drivers/usb/cdns3/cdns3-gadget.c
@@ -2812,9 +2812,19 @@ int __cdns3_gadget_ep_clear_halt(struct
priv_ep->flags &= ~(EP_STALLED | EP_STALL_PENDING);
if (request) {
- if (trb)
+ if (trb) {
*trb = trb_tmp;
+ /*
+ * Per datasheet, EPRST causes DMA to reposition to the next TD.
+ * Manually reset EP_TRADDR to the current TRB to prevent
+ * the hardware from skipping the interrupted request.
+ */
+ writel(EP_TRADDR_TRADDR(priv_ep->trb_pool_dma +
+ priv_req->start_trb * TRB_SIZE),
+ &priv_dev->regs->ep_traddr);
+ }
+
cdns3_rearm_transfer(priv_ep, 1);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 081/411] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 080/411] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 082/411] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
` (330 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chen <peter.chen@cixtech.com>
commit ae6f3b82324e4f39ad8443c9020787e6fc889637 upstream.
Call pm_runtime_allow(dev) conditionally at cdns3_plat_remove.
Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-3-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdns3-plat.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -181,6 +181,9 @@ static int cdns3_plat_remove(struct plat
struct device *dev = cdns->dev;
pm_runtime_get_sync(dev);
+ if (!(cdns->pdata && (cdns->pdata->quirks & CDNS3_DEFAULT_PM_RUNTIME_ALLOW)))
+ pm_runtime_allow(dev);
+
pm_runtime_disable(dev);
pm_runtime_put_noidle(dev);
cdns_remove(cdns);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 082/411] usb: dwc2: Fix use after free in debug code
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 081/411] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 083/411] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
` (329 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Dan Carpenter
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <error27@gmail.com>
commit 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 upstream.
We're not allowed to dereference "urb" after calling
usb_hcd_giveback_urb() so save the urb->status ahead of time.
Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://patch.msgid.link/ag1NwBpqT4IEQcdJ@stanley.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc2/hcd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc2/hcd.c
+++ b/drivers/usb/dwc2/hcd.c
@@ -4837,6 +4837,7 @@ static int _dwc2_hcd_urb_dequeue(struct
struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd);
int rc;
unsigned long flags;
+ int urb_status;
dev_dbg(hsotg->dev, "DWC OTG HCD URB Dequeue\n");
dwc2_dump_urb_info(hcd, urb, "urb_dequeue");
@@ -4861,11 +4862,12 @@ static int _dwc2_hcd_urb_dequeue(struct
/* Higher layer software sets URB status */
spin_unlock(&hsotg->lock);
+ urb_status = urb->status;
usb_hcd_giveback_urb(hcd, urb, status);
spin_lock(&hsotg->lock);
dev_dbg(hsotg->dev, "Called usb_hcd_giveback_urb()\n");
- dev_dbg(hsotg->dev, " urb->status = %d\n", urb->status);
+ dev_dbg(hsotg->dev, " urb->status = %d\n", urb_status);
out:
spin_unlock_irqrestore(&hsotg->lock, flags);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 083/411] Input: elan_i2c - validate firmware size before use
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 082/411] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 084/411] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data Greg Kroah-Hartman
` (328 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 upstream.
Ensure that the firmware file is large enough to contain the expected
number of pages and the signature (which resides at the end of the
firmware blob) before accessing them to prevent potential out-of-bounds
reads.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/mouse/elan_i2c_core.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -646,6 +646,11 @@ static ssize_t elan_sysfs_update_fw(stru
return error;
}
+ if (fw->size < data->fw_signature_address + sizeof(signature)) {
+ dev_err(dev, "firmware file too small\n");
+ return -EBADF;
+ }
+
/* Firmware file must match signature data */
fw_signature = &fw->data[data->fw_signature_address];
if (memcmp(fw_signature, signature, sizeof(signature)) != 0) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 084/411] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 083/411] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 085/411] macsec: fix replay protection at XPN lower-PN wrap Greg Kroah-Hartman
` (327 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
Xin Liu, Yuqi Xu, Ren Wei, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuqi Xu <xuyq21@lenovo.com>
commit f72eed9b84fb771019a955908132410a9ba9ea3f upstream.
When bpf_msg_push_data() inserts data in the middle of a scatterlist
entry, it splits the original entry into a left fragment and a right
fragment.
The right fragment offset is page-local, but the code advances it with
`start`, which is the message-global insertion point. For inserts into a
non-first SG entry, this over-advances the offset and leaves the split
layout inconsistent.
Advance the right fragment offset by the fragment-local delta,
`start - offset`, which matches the length removed from the front of the
original entry.
Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Link: https://patch.msgid.link/8b129d10566aa3eb43f61a8f9757bcf51707d324.1779636774.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/filter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2828,7 +2828,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
psge->length = start - offset;
rsge.length -= psge->length;
- rsge.offset += start;
+ rsge.offset += start - offset;
sk_msg_iter_var_next(i);
sg_unmark_end(psge);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 085/411] macsec: fix replay protection at XPN lower-PN wrap
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 084/411] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 086/411] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() Greg Kroah-Hartman
` (326 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit e68842b3356471ba56c882209f324613dac47f64 upstream.
In macsec_post_decrypt(), when pn is U32_MAX, pn + 1 overflows u32 to 0
and the first branch never fires. If next_pn_halves.lower is also in the
upper half, pn_same_half(pn, lower) is true and the XPN else-if does not
fire either, leaving next_pn_halves unchanged. An attacker that captures
the legitimate frame carrying pn == 0xFFFFFFFF on an XPN association
can then replay it indefinitely, since lowest_pn never rises above
the captured pn and macsec_decrypt() reconstructs the same IV.
Extend the XPN else-if to also fire when pn + 1 wraps to 0, so receipt
of pn == U32_MAX advances next_pn_halves to (upper + 1, 0).
Fixes: a21ecf0e0338 ("macsec: Support XPN frame handling - IEEE 802.1AEbw")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78813FD49E58F253B989F197AF012@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/macsec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -824,7 +824,8 @@ static bool macsec_post_decrypt(struct s
if (pn + 1 > rx_sa->next_pn_halves.lower) {
rx_sa->next_pn_halves.lower = pn + 1;
} else if (secy->xpn &&
- !pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
+ (pn + 1 == 0 ||
+ !pn_same_half(pn, rx_sa->next_pn_halves.lower))) {
rx_sa->next_pn_halves.upper++;
rx_sa->next_pn_halves.lower = pn + 1;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 086/411] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 085/411] macsec: fix replay protection at XPN lower-PN wrap Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 087/411] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params Greg Kroah-Hartman
` (325 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Iurman <justin.iurman@gmail.com>
commit d47548a36639095939f4747d4c43f2271366f565 upstream.
ipv6_hop_jumbo() calls pskb_trim_rcsum(), which can change skb pointers.
Let's recompute nh pointer to make sure any change won't mess things up.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260522112013.12342-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/exthdrs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -183,6 +183,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
case IPV6_TLV_JUMBO:
if (!ipv6_hop_jumbo(skb, off))
return false;
+
+ nh = skb_network_header(skb);
break;
case IPV6_TLV_CALIPSO:
if (!ipv6_hop_calipso(skb, off))
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 087/411] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 086/411] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 088/411] ipv6: exthdrs: refresh nh after handling HAO option Greg Kroah-Hartman
` (324 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 4b4db09f283df65d780bc7cee66cb4a7e9bf4770 upstream.
Fix error handling in q6asm_dai_compr_set_params() and q6asm_dai_prepare()
for both CMD_CLOSE and q6asm_unmap_memory_regions().
In both the functions, we are doing q6asm_audio_client_free in failure
cases, which means if prepare or set_params fail, we can never recover.
Now open and close are done in respective dai_open/close functions.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -239,9 +239,19 @@ static int q6asm_dai_prepare(struct snd_
/* rate and channels are sent to audio driver */
if (prtd->state == Q6ASM_STREAM_RUNNING) {
/* clear the previous setup if any */
- q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
- q6asm_unmap_memory_regions(substream->stream,
- prtd->audio_client);
+ ret = q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
+ if (ret < 0) {
+ dev_err(dev, "Failed to close q6asm stream %d\n", prtd->stream_id);
+ return ret;
+ }
+
+ ret = q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
+ if (ret < 0) {
+ dev_err(dev, "Failed to unmap memory regions for q6asm stream %d\n",
+ prtd->stream_id);
+ return ret;
+ }
+
q6routing_stream_close(soc_prtd->dai_link->id,
substream->stream);
prtd->state = Q6ASM_STREAM_STOPPED;
@@ -309,8 +319,6 @@ routing_err:
q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
open_err:
q6asm_unmap_memory_regions(substream->stream, prtd->audio_client);
- q6asm_audio_client_free(prtd->audio_client);
- prtd->audio_client = NULL;
return ret;
}
@@ -912,7 +920,7 @@ static int q6asm_dai_compr_set_params(st
prtd->session_id, dir);
if (ret) {
dev_err(dev, "Stream reg failed ret:%d\n", ret);
- goto q6_err;
+ goto routing_err;
}
ret = __q6asm_dai_compr_set_codec_params(component, stream,
@@ -938,11 +946,11 @@ static int q6asm_dai_compr_set_params(st
return 0;
q6_err:
+ q6routing_stream_close(rtd->dai_link->id, dir);
+routing_err:
q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
open_err:
- q6asm_audio_client_free(prtd->audio_client);
- prtd->audio_client = NULL;
return ret;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 088/411] ipv6: exthdrs: refresh nh after handling HAO option
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 087/411] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 089/411] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate() Greg Kroah-Hartman
` (323 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
Luxing Yin, Zhengchuan Liang, Ren Wei, Justin Iurman,
Ido Schimmel, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchuan Liang <zcliangcn@gmail.com>
commit f7b52afe3592eae66e160586b45a3f2242972c63 upstream.
ip6_parse_tlv() caches skb_network_header(skb) in nh while walking
IPv6 TLVs.
ipv6_dest_hao() may call pskb_expand_head() for a cloned skb, which can
move the skb head and invalidate the cached network header pointer.
Refresh nh after ipv6_dest_hao() returns so any trailing padding or TLVs
are parsed from the current skb head.
This matches the existing pattern used in ip6_parse_tlv() after helpers
that can modify skb header storage.
Fixes: a831f5bbc89a ("[IPV6] MIP6: Add inbound interface of home address option.")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/7aba1debc2196189172499e5769802b026f8caf8.1779247873.git.zcliangcn@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/exthdrs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -202,6 +202,8 @@ static bool ip6_parse_tlv(bool hopbyhop,
case IPV6_TLV_HAO:
if (!ipv6_dest_hao(skb, off))
return false;
+
+ nh = skb_network_header(skb);
break;
#endif
default:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 089/411] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 088/411] ipv6: exthdrs: refresh nh after handling HAO option Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 090/411] ipv6: validate extension header length before copying to cmsg Greg Kroah-Hartman
` (322 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Xiao Liang,
Maoyi Xie, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit 8b484efd5cb4eeef9021a661e198edc5349dacf6 upstream.
After patch 1/2 in this series, vti6_update() unlinks and relinks
the tunnel through t->net. vti6_siocdevprivate() still uses
dev_net(dev) for the collision lookup. For a tunnel moved through
IFLA_NET_NS_FD, dev_net(dev) is the new netns, not t->net.
SIOCCHGTUNNEL on a migrated tunnel then runs:
net = dev_net(dev) /* migrated netns */
t = vti6_locate(net, &p1, false) /* misses target in t->net */
...
t = netdev_priv(dev)
vti6_update(t, &p1, false) /* mutates t->net's hash */
A caller in the migrated netns picks params that match a tunnel
in the creation netns. The lookup in dev_net(dev) finds nothing.
vti6_update() prepends the migrated tunnel at the head of the
creation netns hash bucket for those params. Later lookups in
the creation netns resolve to the migrated device. xfrm receive
delivers the matched packets through a device the caller controls.
Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.
Switch the SIOCCHGTUNNEL path on a non fallback device to use
t->net for the lookup. The lookup now matches the netns
vti6_update() operates on.
Also add ns_capable(self->net->user_ns, CAP_NET_ADMIN) before
the lookup. The check at the top of the case is against
dev_net(dev)->user_ns, which after migration is the attacker's
netns. A caller there can pick params absent from self->net,
the lookup returns NULL, t becomes self, and vti6_update()
inserts the device into the creation netns hash. The new check
requires CAP_NET_ADMIN in the creation netns user_ns too.
SIOCADDTUNNEL and SIOCCHGTUNNEL on the fallback device keep
dev_net(dev), which equals init_net there.
Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Suggested-by: Xiao Liang <shaw.leon@gmail.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/20260521130555.3421684-3-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_vti.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -840,17 +840,24 @@ vti6_siocdevprivate(struct net_device *d
if (p.proto != IPPROTO_IPV6 && p.proto != 0)
break;
vti6_parm_from_user(&p1, &p);
- t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
if (dev != ip6n->fb_tnl_dev && cmd == SIOCCHGTUNNEL) {
+ struct ip6_tnl *self = netdev_priv(dev);
+
+ err = -EPERM;
+ if (!ns_capable(self->net->user_ns, CAP_NET_ADMIN))
+ break;
+ t = vti6_locate(self->net, &p1, false);
if (t) {
if (t->dev != dev) {
err = -EEXIST;
break;
}
} else
- t = netdev_priv(dev);
+ t = self;
err = vti6_update(t, &p1, false);
+ } else {
+ t = vti6_locate(net, &p1, cmd == SIOCADDTUNNEL);
}
if (t) {
err = 0;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 090/411] ipv6: validate extension header length before copying to cmsg
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 089/411] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 091/411] xfrm: input: hold netns during deferred transport reinjection Greg Kroah-Hartman
` (321 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qi Tang, Willem de Bruijn,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qi Tang <tpluszz77@gmail.com>
commit dd433671fef381fdaf7b530c631e6b782d66e224 upstream.
ip6_datagram_recv_specific_ctl() builds IPV6_{HOPOPTS,DSTOPTS,RTHDR}
cmsgs (and their IPV6_2292* legacy counterparts) by trusting the
on-wire hdrlen byte (ptr[1]) when computing the put_cmsg() length.
The length was validated only at parse time (ipv6_parse_hopopts(),
etc.). An nftables payload-write expression can rewrite hdrlen after
parsing and before the skb reaches recvmsg; the write itself is
in-bounds but put_cmsg() then reads up to ((hdrlen+1) << 3) = 2040
bytes from an 8-byte header. nftables is reachable from an
unprivileged user namespace, so this is an unprivileged
slab-out-of-bounds read:
BUG: KASAN: slab-out-of-bounds in put_cmsg+0x3ac/0x540
put_cmsg+0x3ac/0x540
udpv6_recvmsg+0xca0/0x1250
sock_recvmsg+0xdf/0x190
____sys_recvmsg+0x1b1/0x620
Add ipv6_get_exthdr_len() which validates that at least two bytes
are accessible before reading the hdrlen field, then checks the
computed length against skb_tail_pointer(skb), returning 0 on
failure. Extension headers are kept in the linear skb area by
pskb_may_pull() during input, so skb_tail_pointer() is the correct
bound.
Use ipv6_get_exthdr_len() at all non-AH call sites: the five
standalone cmsg blocks (HbH, 2292HbH, 2292DSTOPTS x2, 2292RTHDR)
and the three standard cases in the extension-header walk loop
(DSTOPTS, ROUTING, default). AH retains an inline bounds check
because its length formula differs ((ptr[1]+2)<<2).
The walk loop also gets a pre-read bounds check at the top to
validate ptr before any case accesses ptr[0] or ptr[1].
When the walk loop detects a corrupted header, return from the
function instead of continuing to process later socket options.
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260523143245.2281415-1-tpluszz77@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/datagram.c | 54 ++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 46 insertions(+), 8 deletions(-)
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -611,6 +611,18 @@ void ip6_datagram_recv_common_ctl(struct
}
}
+static u16 ipv6_get_exthdr_len(const struct sk_buff *skb, const u8 *ptr)
+{
+ u16 len;
+
+ if (ptr + 2 > skb_tail_pointer(skb))
+ return 0;
+
+ len = (ptr[1] + 1) << 3;
+
+ return (len <= skb_tail_pointer(skb) - ptr) ? len : 0;
+}
+
void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
struct sk_buff *skb)
{
@@ -637,7 +649,10 @@ void ip6_datagram_recv_specific_ctl(stru
/* HbH is allowed only once */
if (np->rxopt.bits.hopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
u8 *ptr = nh + sizeof(struct ipv6hdr);
- put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, (ptr[1]+1)<<3, ptr);
+ u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+ if (len)
+ put_cmsg(msg, SOL_IPV6, IPV6_HOPOPTS, len, ptr);
}
if (opt->lastopt &&
@@ -658,26 +673,37 @@ void ip6_datagram_recv_specific_ctl(stru
unsigned int len;
u8 *ptr = nh + off;
+ if (ptr + 2 > skb_tail_pointer(skb))
+ return;
+
switch (nexthdr) {
case IPPROTO_DSTOPTS:
nexthdr = ptr[0];
- len = (ptr[1] + 1) << 3;
+ len = ipv6_get_exthdr_len(skb, ptr);
+ if (!len)
+ return;
if (np->rxopt.bits.dstopts)
put_cmsg(msg, SOL_IPV6, IPV6_DSTOPTS, len, ptr);
break;
case IPPROTO_ROUTING:
nexthdr = ptr[0];
- len = (ptr[1] + 1) << 3;
+ len = ipv6_get_exthdr_len(skb, ptr);
+ if (!len)
+ return;
if (np->rxopt.bits.srcrt)
put_cmsg(msg, SOL_IPV6, IPV6_RTHDR, len, ptr);
break;
case IPPROTO_AH:
nexthdr = ptr[0];
len = (ptr[1] + 2) << 2;
+ if (ptr + len > skb_tail_pointer(skb))
+ return;
break;
default:
nexthdr = ptr[0];
- len = (ptr[1] + 1) << 3;
+ len = ipv6_get_exthdr_len(skb, ptr);
+ if (!len)
+ return;
break;
}
@@ -699,19 +725,31 @@ void ip6_datagram_recv_specific_ctl(stru
}
if (np->rxopt.bits.ohopopts && (opt->flags & IP6SKB_HOPBYHOP)) {
u8 *ptr = nh + sizeof(struct ipv6hdr);
- put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, (ptr[1]+1)<<3, ptr);
+ u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+ if (len)
+ put_cmsg(msg, SOL_IPV6, IPV6_2292HOPOPTS, len, ptr);
}
if (np->rxopt.bits.odstopts && opt->dst0) {
u8 *ptr = nh + opt->dst0;
- put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+ u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+ if (len)
+ put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
}
if (np->rxopt.bits.osrcrt && opt->srcrt) {
struct ipv6_rt_hdr *rthdr = (struct ipv6_rt_hdr *)(nh + opt->srcrt);
- put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, (rthdr->hdrlen+1) << 3, rthdr);
+ u16 len = ipv6_get_exthdr_len(skb, (u8 *)rthdr);
+
+ if (len)
+ put_cmsg(msg, SOL_IPV6, IPV6_2292RTHDR, len, rthdr);
}
if (np->rxopt.bits.odstopts && opt->dst1) {
u8 *ptr = nh + opt->dst1;
- put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, (ptr[1]+1)<<3, ptr);
+ u16 len = ipv6_get_exthdr_len(skb, ptr);
+
+ if (len)
+ put_cmsg(msg, SOL_IPV6, IPV6_2292DSTOPTS, len, ptr);
}
if (np->rxopt.bits.rxorigdstaddr) {
struct sockaddr_in6 sin6;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 091/411] xfrm: input: hold netns during deferred transport reinjection
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 090/411] ipv6: validate extension header length before copying to cmsg Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 092/411] ip6: vti: Use ip6_tnl.net in vti6_changelink() Greg Kroah-Hartman
` (320 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Xin Liu,
Luxing Yin, Zhengchuan Liang, Ren Wei, Steffen Klassert
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchuan Liang <zcliangcn@gmail.com>
commit c16f74dc1d75d0e2e7670076d5375deda110ebeb upstream.
Transport-mode reinjection stores a struct net pointer in skb->cb and
uses it later from xfrm_trans_reinject(). That pointer must stay valid
until the deferred callback runs.
Take a netns reference when queueing deferred reinjection work and drop
it after the callback completes. Use maybe_get_net() so the queueing
path does not revive a namespace that is already being torn down.
This keeps the existing workqueue design and fixes the netns lifetime
handling in one place for all users of xfrm_trans_queue_net().
Fixes: 7b3801927e52 ("xfrm: introduce xfrm_trans_queue_net")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Assisted-by: Codex:gpt-5.4
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_input.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -781,9 +781,12 @@ static void xfrm_trans_reinject(struct w
spin_unlock_bh(&trans->queue_lock);
local_bh_disable();
- while ((skb = __skb_dequeue(&queue)))
- XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
- NULL, skb);
+ while ((skb = __skb_dequeue(&queue))) {
+ struct net *net = XFRM_TRANS_SKB_CB(skb)->net;
+
+ XFRM_TRANS_SKB_CB(skb)->finish(net, NULL, skb);
+ put_net(net);
+ }
local_bh_enable();
}
@@ -792,6 +795,7 @@ int xfrm_trans_queue_net(struct net *net
struct sk_buff *))
{
struct xfrm_trans_tasklet *trans;
+ struct net *hold_net;
trans = this_cpu_ptr(&xfrm_trans_tasklet);
@@ -800,8 +804,12 @@ int xfrm_trans_queue_net(struct net *net
BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
+ hold_net = maybe_get_net(net);
+ if (!hold_net)
+ return -ENODEV;
+
XFRM_TRANS_SKB_CB(skb)->finish = finish;
- XFRM_TRANS_SKB_CB(skb)->net = net;
+ XFRM_TRANS_SKB_CB(skb)->net = hold_net;
spin_lock_bh(&trans->queue_lock);
__skb_queue_tail(&trans->queue, skb);
spin_unlock_bh(&trans->queue_lock);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 092/411] ip6: vti: Use ip6_tnl.net in vti6_changelink().
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 091/411] xfrm: input: hold netns during deferred transport reinjection Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 093/411] HID: wacom: Fix OOB write in wacom_hid_set_device_mode() Greg Kroah-Hartman
` (319 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Eric Dumazet,
Kuniyuki Iwashima, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
commit 11b326fb0a374f4654f9be22d0f0f7abd9f7d3fe upstream.
ip netns add ns1
ip netns add ns2
ip -n ns1 link add vti6_test type vti6 remote ::1 local ::2 key 7
ip -n ns1 link set vti6_test netns ns2
ip -n ns2 link set vti6_test type vti6 remote ::3 local ::4 key 9
ip netns del ns2
ip netns del ns1
[ 132.495484] ------------[ cut here ]------------
[ 132.497609] kernel BUG at net/core/dev.c:12376!
Commit 61220ab34948 ("vti6: Enable namespace changing") dropped
NETIF_F_NETNS_LOCAL from vti6 devices. A vti6 tunnel can then
move through IFLA_NET_NS_FD. After the move dev_net(dev) points
at the new netns while t->net stays at the creation netns.
vti6_changelink() and vti6_update() still use dev_net(dev) and
dev_net(t->dev). They unlink from one per netns hash and relink
into another. The creation netns is left with a stale entry.
cleanup_net() of that netns later walks freed memory.
Reachable from an unprivileged user namespace (unshare --user
--map-root-user --net). Cross tenant scope on container hosts.
Fixes: 61220ab34948 ("vti6: Enable namespace changing")
Reported-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260521130555.3421684-2-maoyixie.tju@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_vti.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -728,10 +728,11 @@ vti6_tnl_change(struct ip6_tnl *t, const
static int vti6_update(struct ip6_tnl *t, struct __ip6_tnl_parm *p,
bool keep_mtu)
{
- struct net *net = dev_net(t->dev);
- struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+ struct net *net = t->net;
+ struct vti6_net *ip6n;
int err;
+ ip6n = net_generic(net, vti6_net_id);
vti6_tnl_unlink(ip6n, t);
synchronize_net();
err = vti6_tnl_change(t, p, keep_mtu);
@@ -1044,11 +1045,12 @@ static int vti6_changelink(struct net_de
struct nlattr *data[],
struct netlink_ext_ack *extack)
{
- struct ip6_tnl *t;
+ struct ip6_tnl *t = netdev_priv(dev);
+ struct net *net = t->net;
struct __ip6_tnl_parm p;
- struct net *net = dev_net(dev);
- struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+ struct vti6_net *ip6n;
+ ip6n = net_generic(net, vti6_net_id);
if (dev == ip6n->fb_tnl_dev)
return -EINVAL;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 093/411] HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 092/411] ip6: vti: Use ip6_tnl.net in vti6_changelink() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 094/411] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
` (318 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ping Cheng, Lee Jones,
Benjamin Tissoires
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee Jones <lee@kernel.org>
commit c0a8899e02ddebd51e2589835182c239c2e224ae upstream.
wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE
usage is always located in the first field (field[0]) of the feature report.
However, a device can specify HID_DG_INPUTMODE in a different field.
If HID_DG_INPUTMODE is in a field other than the first one and the first
field has a report_count smaller than the usage_index of HID_DG_INPUTMODE,
this leads to an out-of-bounds write to r->field[0]->value.
Fix this by storing the field index of HID_DG_INPUTMODE in 'struct
hid_data' during feature mapping. In wacom_hid_set_device_mode(), use
this stored field index to access the correct field and add bounds
checks to ensure both the field index and the value index are within
valid ranges before writing.
Cc: stable@vger.kernel.org
Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling")
Tested-by: Ping Cheng <ping.cheng@wacom.com>
Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_sys.c | 13 ++++++++++---
drivers/hid/wacom_wac.h | 1 +
2 files changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -346,6 +346,7 @@ static void wacom_feature_mapping(struct
hid_data->inputmode = field->report->id;
hid_data->inputmode_index = usage->usage_index;
+ hid_data->inputmode_field_index = field->index;
break;
case HID_UP_DIGITIZER:
@@ -561,9 +562,14 @@ static int wacom_hid_set_device_mode(str
re = &(hdev->report_enum[HID_FEATURE_REPORT]);
r = re->report_id_hash[hid_data->inputmode];
- if (r) {
- r->field[0]->value[hid_data->inputmode_index] = 2;
- hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+ if (r && hid_data->inputmode_field_index >= 0 &&
+ hid_data->inputmode_field_index < r->maxfield) {
+ struct hid_field *field = r->field[hid_data->inputmode_field_index];
+
+ if (field && hid_data->inputmode_index < field->report_count) {
+ field->value[hid_data->inputmode_index] = 2;
+ hid_hw_request(hdev, r, HID_REQ_SET_REPORT);
+ }
}
return 0;
}
@@ -2821,6 +2827,7 @@ static int wacom_probe(struct hid_device
return error;
wacom_wac->hid_data.inputmode = -1;
+ wacom_wac->hid_data.inputmode_field_index = -1;
wacom_wac->mode_report = -1;
if (hid_is_usb(hdev)) {
--- a/drivers/hid/wacom_wac.h
+++ b/drivers/hid/wacom_wac.h
@@ -296,6 +296,7 @@ struct wacom_shared {
struct hid_data {
__s16 inputmode; /* InputMode HID feature, -1 if non-existent */
__s16 inputmode_index; /* InputMode HID feature index in the report */
+ __s16 inputmode_field_index; /* InputMode HID feature field index in the report */
bool sense_state;
bool inrange_state;
bool invert_state;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 094/411] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 093/411] HID: wacom: Fix OOB write in wacom_hid_set_device_mode() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 095/411] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
` (317 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Will Deacon, Thomas Gleixner,
Andrew Morton, Miguel Ojeda, linux-kbuild, Arnd Bergmann,
Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 4c9ad387aa2d6785299722e54224d34764edaeb3 upstream.
gcc-16 has gained some more advanced inter-procedual optimization
techniques that enable it to inline the dummy_tlb_add_page() and
dummy_tlb_flush() function pointers into a specialized version of
__arm_v7s_unmap:
WARNING: modpost: vmlinux: section mismatch in reference: __arm_v7s_unmap+0x2cc (section: .text) -> dummy_tlb_add_page (section: .init.text)
ERROR: modpost: Section mismatches detected.
>From what I can tell, the transformation is correct, as this is only
called when __arm_v7s_unmap() is called from arm_v7s_do_selftests(),
which is also __init. Since __arm_v7s_unmap() however is not __init,
gcc cannot inline the inner function calls directly.
In debug_objects_selftest(), the same thing happens. Both the
caller and the leaf function are __init, but the IPA pulls
it into a non-init one:
WARNING: modpost: vmlinux: section mismatch in reference: lookup_object_or_alloc+0x7c (section: .text.lookup_object_or_alloc) -> is_static_object (section: .init.text)
Marking the affected functions as not "__init" would reliably avoid this
issue but is not a good solution because it removes an otherwise correct
annotation. I tried marking the functions as 'noinline', but that ended
up not covering all the affected configurations.
With some more experimenting, I found that marking these functions as
__attribute__((noipa)) is both logical and reliable.
In order to keep the syntax readable, add a custom macro for this in
include/linux/compiler_attributes.h next to other related macros and
use it to annotate both files.
Link: https://lore.kernel.org/all/abRB6g-48ZX6Yl2r@willie-the-truck/
Cc: Will Deacon <will@kernel.org>
Cc: Thomas Gleixner <tglx@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: linux-kbuild@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Will Deacon <will@kernel.org>
Acked-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/io-pgtable-arm-v7s.c | 18 ++++++++++++------
include/linux/compiler_attributes.h | 11 +++++++++++
lib/debugobjects.c | 2 +-
3 files changed, 24 insertions(+), 7 deletions(-)
--- a/drivers/iommu/io-pgtable-arm-v7s.c
+++ b/drivers/iommu/io-pgtable-arm-v7s.c
@@ -910,21 +910,27 @@ struct io_pgtable_init_fns io_pgtable_ar
static struct io_pgtable_cfg *cfg_cookie __initdata;
-static void __init dummy_tlb_flush_all(void *cookie)
+/*
+ * __noipa prevents gcc from turning indirect iommu_flush_ops calls
+ * into direct calls from a specialized __arm_v7s_unmap() that triggers
+ * a build time section mismatch assertion.
+ */
+static __noipa void __init dummy_tlb_flush_all(void *cookie)
{
WARN_ON(cookie != cfg_cookie);
}
-static void __init dummy_tlb_flush(unsigned long iova, size_t size,
- size_t granule, void *cookie)
+static __noipa void __init dummy_tlb_flush(unsigned long iova, size_t size,
+ size_t granule, void *cookie)
{
WARN_ON(cookie != cfg_cookie);
WARN_ON(!(size & cfg_cookie->pgsize_bitmap));
}
-static void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
- unsigned long iova, size_t granule,
- void *cookie)
+static __noipa void __init dummy_tlb_add_page(struct iommu_iotlb_gather *gather,
+ unsigned long iova,
+ size_t granule,
+ void *cookie)
{
dummy_tlb_flush(iova, granule, granule, cookie);
}
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -328,6 +328,17 @@
#endif
/*
+ * Optional: not supported by clang
+ *
+ * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-noipa
+ */
+#if __has_attribute(noipa)
+# define __noipa __attribute__((noipa))
+#else
+# define __noipa
+#endif
+
+/*
* gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute
* gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute
*/
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -1059,7 +1059,7 @@ struct self_test {
static __initconst const struct debug_obj_descr descr_type_test;
-static bool __init is_static_object(void *addr)
+static __noipa bool __init is_static_object(void *addr)
{
struct self_test *obj = addr;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 095/411] nfc: hci: fix out-of-bounds read in HCP header parsing
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 094/411] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 096/411] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
` (316 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Ashutosh Desai,
David Heidelberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashutosh Desai <ashutoshdesai993@gmail.com>
commit f040e590c035bfd9553fe79ee9585caf1b14d67b upstream.
Both nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read
packet->header from skb->data at function entry without first checking
that the buffer holds at least one byte. A malicious NFC peer can send
a 0-byte HCP frame that passes through the SHDLC layer and reaches
these functions, causing an out-of-bounds heap read of packet->header.
The same 0-byte frame, if queued as a non-final fragment, also causes
the reassembly loop to underflow msg_len to UINT_MAX, triggering
skb_over_panic() when the reassembled skb is written.
Fix this by adding a pskb_may_pull() check at the entry of each
function before packet->header is first accessed. The existing
pskb_may_pull() checks before the reassembled hcp_skb is cast to
struct hcp_packet remain in place to guard the 2-byte HCP message
header.
Fixes: 8b8d2e08bf0d ("NFC: HCI support")
Fixes: 11f54f228643 ("NFC: nci: Add HCI over NCI protocol support")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Link: https://patch.msgid.link/20260505170712.96560-1-ashutoshdesai993@gmail.com
Signed-off-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/hci/core.c | 10 ++++++++++
net/nfc/nci/hci.c | 10 ++++++++++
2 files changed, 20 insertions(+)
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -861,6 +861,11 @@ static void nfc_hci_recv_from_llc(struct
struct sk_buff *frag_skb;
int msg_len;
+ if (!pskb_may_pull(skb, NFC_HCI_HCP_PACKET_HEADER_LEN)) {
+ kfree_skb(skb);
+ return;
+ }
+
packet = (struct hcp_packet *)skb->data;
if ((packet->header & ~NFC_HCI_FRAGMENT) == 0) {
skb_queue_tail(&hdev->rx_hcp_frags, skb);
@@ -904,6 +909,11 @@ static void nfc_hci_recv_from_llc(struct
* unblock waiting cmd context. Otherwise, enqueue to dispatch
* in separate context where handler can also execute command.
*/
+ if (!pskb_may_pull(hcp_skb, NFC_HCI_HCP_HEADER_LEN)) {
+ kfree_skb(hcp_skb);
+ return;
+ }
+
packet = (struct hcp_packet *)hcp_skb->data;
type = HCP_MSG_GET_TYPE(packet->message.header);
if (type == NFC_HCI_HCP_RESPONSE) {
--- a/net/nfc/nci/hci.c
+++ b/net/nfc/nci/hci.c
@@ -439,6 +439,11 @@ void nci_hci_data_received_cb(void *cont
return;
}
+ if (!pskb_may_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN)) {
+ kfree_skb(skb);
+ return;
+ }
+
packet = (struct nci_hcp_packet *)skb->data;
if ((packet->header & ~NCI_HCI_FRAGMENT) == 0) {
skb_queue_tail(&ndev->hci_dev->rx_hcp_frags, skb);
@@ -482,6 +487,11 @@ void nci_hci_data_received_cb(void *cont
* unblock waiting cmd context. Otherwise, enqueue to dispatch
* in separate context where handler can also execute command.
*/
+ if (!pskb_may_pull(hcp_skb, NCI_HCI_HCP_HEADER_LEN)) {
+ kfree_skb(hcp_skb);
+ return;
+ }
+
packet = (struct nci_hcp_packet *)hcp_skb->data;
type = NCI_HCP_MSG_GET_TYPE(packet->message.header);
if (type == NCI_HCI_HCP_RESPONSE) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 096/411] xfrm: route MIGRATE notifications to callers netns
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 095/411] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 097/411] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
` (315 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maoyi Xie, Steffen Klassert
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit 7e2a4f7ca0952820731ef7bdadfc9a9e9d3571b4 upstream.
xfrm_send_migrate() in net/xfrm/xfrm_user.c and pfkey_send_migrate()
in net/key/af_key.c both hardcode &init_net for the multicast that
announces a successful XFRM_MSG_MIGRATE / SADB_X_MIGRATE.
XFRM_MSG_MIGRATE arrives on a per-netns NETLINK_XFRM socket, and the
rest of the xfrm/af_key netlink path was made netns-aware in 2008.
The other 14 multicast paths in xfrm_user.c route their event using
xs_net(x), xp_net(xp) or sock_net(skb->sk); only the migrate path
was missed.
Two consequences of the init_net hardcoding:
1. The notification (selector, old/new endpoint addresses, and the
km_address) is delivered to listeners on init_net's
XFRMNLGRP_MIGRATE / pfkey BROADCAST_ALL groups rather than on
the issuing netns. An IKE daemon running in init_net therefore
receives migration notifications originating from any other
netns on the host.
2. An IKE daemon running inside a non-init netns and subscribed
to its own XFRMNLGRP_MIGRATE / pfkey groups never receives the
notification of its own migration. IKEv2 MOBIKE / address-update
handling inside a netns is silently broken.
Thread struct net through km_migrate() and the xfrm_mgr.migrate
function pointer, drop the &init_net override in xfrm_send_migrate()
and pfkey_send_migrate(), and pass the caller's net (already in
scope in xfrm_migrate() via sock_net(skb->sk)) all the way down.
struct xfrm_mgr is in-tree only and not exported as a stable API,
so the function-pointer signature change is internal.
pfkey_broadcast() is already netns-aware via net_generic(net,
pfkey_net_id) since the pernet conversion. The five other
pfkey_broadcast() callers in af_key.c already pass xs_net(x),
sock_net(sk) or a per-netns net, so this only removes the
&init_net outlier.
Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/xfrm.h | 3 ++-
net/key/af_key.c | 6 +++---
net/xfrm/xfrm_policy.c | 2 +-
net/xfrm/xfrm_state.c | 4 ++--
net/xfrm/xfrm_user.c | 5 ++---
5 files changed, 10 insertions(+), 10 deletions(-)
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -584,6 +584,7 @@ struct xfrm_mgr {
const struct xfrm_migrate *m,
int num_bundles,
const struct xfrm_kmaddress *k,
+ struct net *net,
const struct xfrm_encap_tmpl *encap);
bool (*is_alive)(const struct km_event *c);
};
@@ -1684,7 +1685,7 @@ int xfrm_sk_policy_insert(struct sock *s
#ifdef CONFIG_XFRM_MIGRATE
int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
const struct xfrm_migrate *m, int num_bundles,
- const struct xfrm_kmaddress *k,
+ const struct xfrm_kmaddress *k, struct net *net,
const struct xfrm_encap_tmpl *encap);
struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
u32 if_id);
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3548,7 +3548,7 @@ static int set_ipsecrequest(struct sk_bu
#ifdef CONFIG_NET_KEY_MIGRATE
static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
const struct xfrm_migrate *m, int num_bundles,
- const struct xfrm_kmaddress *k,
+ const struct xfrm_kmaddress *k, struct net *net,
const struct xfrm_encap_tmpl *encap)
{
int i;
@@ -3653,7 +3653,7 @@ static int pfkey_send_migrate(const stru
}
/* broadcast migrate message to sockets */
- pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
+ pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, net);
return 0;
@@ -3664,7 +3664,7 @@ err:
#else
static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
const struct xfrm_migrate *m, int num_bundles,
- const struct xfrm_kmaddress *k,
+ const struct xfrm_kmaddress *k, struct net *net,
const struct xfrm_encap_tmpl *encap)
{
return -ENOPROTOOPT;
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4488,7 +4488,7 @@ int xfrm_migrate(const struct xfrm_selec
}
/* Stage 5 - announce */
- km_migrate(sel, dir, type, m, num_migrate, k, encap);
+ km_migrate(sel, dir, type, m, num_migrate, k, net, encap);
xfrm_pol_put(pol);
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2302,7 +2302,7 @@ EXPORT_SYMBOL(km_policy_expired);
#ifdef CONFIG_XFRM_MIGRATE
int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
const struct xfrm_migrate *m, int num_migrate,
- const struct xfrm_kmaddress *k,
+ const struct xfrm_kmaddress *k, struct net *net,
const struct xfrm_encap_tmpl *encap)
{
int err = -EINVAL;
@@ -2313,7 +2313,7 @@ int km_migrate(const struct xfrm_selecto
list_for_each_entry_rcu(km, &xfrm_km_list, list) {
if (km->migrate) {
ret = km->migrate(sel, dir, type, m, num_migrate, k,
- encap);
+ net, encap);
if (!ret)
err = ret;
}
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2774,10 +2774,9 @@ out_cancel:
static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
const struct xfrm_migrate *m, int num_migrate,
- const struct xfrm_kmaddress *k,
+ const struct xfrm_kmaddress *k, struct net *net,
const struct xfrm_encap_tmpl *encap)
{
- struct net *net = &init_net;
struct sk_buff *skb;
int err;
@@ -2795,7 +2794,7 @@ static int xfrm_send_migrate(const struc
#else
static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
const struct xfrm_migrate *m, int num_migrate,
- const struct xfrm_kmaddress *k,
+ const struct xfrm_kmaddress *k, struct net *net,
const struct xfrm_encap_tmpl *encap)
{
return -ENOPROTOOPT;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 097/411] xfrm: ah: use skb_to_full_sk in async output callbacks
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 096/411] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 098/411] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
` (314 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 79d8be262377f7112cfa3088dfc4142d5a2533f3 upstream.
When AH output is offloaded to an asynchronous crypto provider
(hardware accelerators such as AMD CCP, or a forced-async software
shim used for testing), the digest completion fires
ah_output_done() / ah6_output_done() on a workqueue. The egress
skb at that point may have been originated by a TCP listener
sending a SYN-ACK, which sets skb->sk to a request_sock via
skb_set_owner_edemux(); it may also have been originated by an
inet_timewait_sock retransmit. Neither is a full struct sock, and
passing the raw skb->sk to xfrm_output_resume() then forwards a
non-full socket through the rest of the xfrm output chain.
xfrm_output_resume() and its downstream consumers expect a full
sk where they dereference at all. The natural egress path
through ah_output_done() does not crash today because the
consumers that read past sock_common are either gated by
sk_fullsock() or short-circuit on flags that are clear on a fresh
request_sock; an exhaustive walk of the 50 most plausible
consumers under sch_fq, dev_queue_xmit, netfilter, tc-egress and
cgroup-egress BPF found no current unguarded deref. The bug is
still a real type confusion that future consumer changes could
turn into a memory-corruption primitive.
This is the same bug class fixed for ESP in commit 1620c88887b1
("xfrm: Fix the usage of skb->sk"). Apply the analogous fix to
AH: convert skb->sk to a full socket pointer (or NULL) via
skb_to_full_sk() before handing it to xfrm_output_resume().
The same async AH callbacks were touched recently for an
independent ESN-related ICV layout bug in commit ec54093e6a8f
("xfrm: ah: account for ESN high bits in async callbacks"); the
sk type-confusion addressed here is orthogonal. This patch is
part of an ongoing audit of the AH callback paths; an ah_output
ihl-validation hardening series is also currently under review on
netdev.
Reproduced under UML + KASAN + lockdep with a forced-async
hmac(sha1) shim that registers at priority 9999 and wraps the
sync in-tree hmac-sha1-lib. With the shim loaded, ah_output_done
runs on every SYN-ACK egress through a transport-mode AH SA and
skb->sk arrives as a request_sock (TCP_NEW_SYN_RECV); after this
patch, xfrm_output_resume() receives the listener (the result of
sk_to_full_sk()) and consumer derefs land on full-sock fields as
intended.
Fixes: 9ab1265d5231 ("xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ah4.c | 2 +-
net/ipv6/ah6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -141,7 +141,7 @@ static void ah_output_done(struct crypto
}
kfree(AH_SKB_CB(skb)->tmp);
- xfrm_output_resume(skb->sk, skb, err);
+ xfrm_output_resume(skb_to_full_sk(skb), skb, err);
}
static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -338,7 +338,7 @@ static void ah6_output_done(struct crypt
ah6_restore_hdrs(top_iph, iph_ext, extlen);
kfree(AH_SKB_CB(skb)->tmp);
- xfrm_output_resume(skb->sk, skb, err);
+ xfrm_output_resume(skb_to_full_sk(skb), skb, err);
}
static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 098/411] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 097/411] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 099/411] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
` (313 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hamza Mahfooz, Florian Westphal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
commit bed6e04be8e6b9133d8b16d5a42d0e0ce674fa9a upstream.
An unintended behavior in the TCP conntrack state machine allows a
connection to be forced into the CLOSE state using an RST packet with an
invalid sequence number.
Specifically, after a SYN packet is observed, an RST with an invalid SEQ
can transition the conntrack entry to TCP_CONNTRACK_CLOSE, regardless of
whether the RST corresponds to the expected reply direction. The relevant
code path assumes the RST is a response to an outgoing SYN, but does not
validate packet direction or ensure that a matching SYN was actually sent
in the opposite direction.
As a result, a crafted packet sequence consisting of a SYN followed by an
invalid-sequence RST can prematurely terminate an active NAT entry. This
makes connection teardown easier than intended.
So, tighten the state transition logic to ensure that RST-triggered
CLOSE transitions only occur when the RST is a valid response to a
previously observed SYN in the correct direction.
Cc: stable@vger.kernel.org
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_conntrack_proto_tcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1170,7 +1170,8 @@ int nf_conntrack_tcp_packet(struct nf_co
new_state = old_state;
}
if (((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
- && ct->proto.tcp.last_index == TCP_SYN_SET)
+ && ct->proto.tcp.last_index == TCP_SYN_SET
+ && ct->proto.tcp.last_dir != dir)
|| (!test_bit(IPS_ASSURED_BIT, &ct->status)
&& ct->proto.tcp.last_index == TCP_ACK_SET))
&& ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 099/411] ASoC: qcom: q6asm-dai: close stream only when running
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 098/411] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 100/411] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
` (312 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 048c540ee76ded666bda74f9dae1ca3254e0633c upstream.
q6asm_dai_close() and q6asm_dai_compr_free() currently issue CMD_CLOSE
whenever prtd->state is non-zero.
After prepare() closes an existing stream, the state is updated to
Q6ASM_STREAM_STOPPED. Since this state is also non-zero, the close and
free paths can send CMD_CLOSE again for a stream that has already been
closed.
Restrict CMD_CLOSE to the Q6ASM_STREAM_RUNNING state so the command is
sent only when the ASM stream is still active.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -456,12 +456,12 @@ static int q6asm_dai_close(struct snd_so
struct q6asm_dai_rtd *prtd = runtime->private_data;
if (prtd->audio_client) {
- if (prtd->state)
+ if (prtd->state == Q6ASM_STREAM_RUNNING) {
q6asm_cmd(prtd->audio_client, prtd->stream_id,
CMD_CLOSE);
-
- q6asm_unmap_memory_regions(substream->stream,
+ q6asm_unmap_memory_regions(substream->stream,
prtd->audio_client);
+ }
q6asm_audio_client_free(prtd->audio_client);
prtd->audio_client = NULL;
}
@@ -678,7 +678,7 @@ static int q6asm_dai_compr_free(struct s
struct snd_soc_pcm_runtime *rtd = stream->private_data;
if (prtd->audio_client) {
- if (prtd->state) {
+ if (prtd->state == Q6ASM_STREAM_RUNNING) {
q6asm_cmd(prtd->audio_client, prtd->stream_id,
CMD_CLOSE);
if (prtd->next_track_stream_id) {
@@ -686,11 +686,11 @@ static int q6asm_dai_compr_free(struct s
prtd->next_track_stream_id,
CMD_CLOSE);
}
- }
- snd_dma_free_pages(&prtd->dma_buffer);
- q6asm_unmap_memory_regions(stream->direction,
+ q6asm_unmap_memory_regions(stream->direction,
prtd->audio_client);
+ }
+ snd_dma_free_pages(&prtd->dma_buffer);
q6asm_audio_client_free(prtd->audio_client);
prtd->audio_client = NULL;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 100/411] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 099/411] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 101/411] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
` (311 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit cee3e63e7106c3c81b2053371fdf14240bfba2fc upstream.
The q6asm-dai stream state is used by prepare() to decide whether an
existing stream setup needs to be closed before opening/configuring a new
one. Updating the state from trigger or asynchronous DSP callbacks can make
that state stale or incorrect relative to the actual setup lifetime.
In particular, setting Q6ASM_STREAM_STOPPED on STOP or EOS completion can
make prepare() believe there is no active setup to close, which can result
in opening/configuring the same stream more than once.
Keep stream state updates tied to prepare(), where the stream is actually
closed and reopened, and stop changing it from trigger and EOS callbacks.
Fixes: bfbb12dfa144 ("ASoC: qcom: q6asm-dai: perform correct state check before closing")
Cc: Stable@vger.kernel.org
Closes: https://lore.kernel.org/all/afS7rTHdc9TyIeLx@rdacayan/
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260518092347.3446946-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 5 -----
1 file changed, 5 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -191,7 +191,6 @@ static void event_handler(uint32_t opcod
prtd->pcm_count, 0, 0, 0);
break;
case ASM_CLIENT_EVENT_CMD_EOS_DONE:
- prtd->state = Q6ASM_STREAM_STOPPED;
break;
case ASM_CLIENT_EVENT_DATA_WRITE_DONE: {
prtd->pcm_irq_pos += prtd->pcm_count;
@@ -338,7 +337,6 @@ static int q6asm_dai_trigger(struct snd_
0, 0, 0);
break;
case SNDRV_PCM_TRIGGER_STOP:
- prtd->state = Q6ASM_STREAM_STOPPED;
ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
CMD_EOS);
break;
@@ -554,8 +552,6 @@ static void compress_event_handler(uint3
snd_compr_drain_notify(prtd->cstream);
prtd->notify_on_drain = false;
- } else {
- prtd->state = Q6ASM_STREAM_STOPPED;
}
spin_unlock_irqrestore(&prtd->lock, flags);
break;
@@ -1018,7 +1014,6 @@ static int q6asm_dai_compr_trigger(struc
0, 0, 0);
break;
case SNDRV_PCM_TRIGGER_STOP:
- prtd->state = Q6ASM_STREAM_STOPPED;
ret = q6asm_cmd_nowait(prtd->audio_client, prtd->stream_id,
CMD_EOS);
break;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 101/411] xfrm: esp: restore combined single-frag length gate
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 100/411] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 102/411] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
` (310 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin Ma, Chenyuan Mi, Jingguo Tan,
Sabrina Dubroca, Steffen Klassert
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jingguo Tan <tanjingguo@huawei.com>
commit dfa0d7b0ff1eb6b2c416b8fdb9b4f2cefba57a40 upstream.
The ESP out-of-place fast path appends the trailer in esp_output_head()
before esp_output_tail() allocates the destination page frag. The
head-side gate currently checks skb->data_len and tailen separately, but
the tail code allocates a single destination frag from the combined
post-trailer skb->data_len.
Reject the page-frag fast path when the combined aligned length exceeds a
page. Otherwise skb_page_frag_refill() may fall back to a single page while
the destination sg still spans the combined skb->data_len.
Restore this combined-length page gate for both IPv4 and IPv6.
Fixes: 5bd8baab087d ("esp: limit skb_page_frag_refill use to a single page")
Cc: stable@vger.kernel.org
Signed-off-by: Lin Ma <malin89@huawei.com>
Signed-off-by: Chenyuan Mi <michenyuan@huawei.com>
Signed-off-by: Jingguo Tan <tanjingguo@huawei.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/esp4.c | 4 ++--
net/ipv6/esp6.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -459,8 +459,8 @@ int esp_output_head(struct xfrm_state *x
return err;
}
- if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
- ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+ if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+ PAGE_SIZE)
goto cow;
if (!skb_cloned(skb)) {
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -495,8 +495,8 @@ int esp6_output_head(struct xfrm_state *
return err;
}
- if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
- ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+ if (ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) >
+ PAGE_SIZE)
goto cow;
if (!skb_cloned(skb)) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 102/411] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 101/411] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 103/411] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
` (309 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit baa0210fb6a9dc3882509a9411b6d284d88fe30e upstream.
When a configuration file provides an object size that is larger than the
driver's known mxt_obj_size(object), the driver intends to discard the
extra bytes.
The loop iterates using for (i = 0; i < size; i++). Inside the loop, the
condition to skip processing extra bytes is:
if (i > mxt_obj_size(object))
continue;
Since i is a 0-based index, the valid indices for the object are 0 through
mxt_obj_size(object) - 1.
When i == mxt_obj_size(object), the condition evaluates to false, and the
code processes the byte instead of discarding it.
This causes the code to calculate byte_offset = reg + i - cfg->start_ofs
and writes the byte there, overwriting exactly one byte of the adjacent
instance or object.
Update the boundary check to skip extra bytes correctly by using >=.
Fixes: 50a77c658b80 ("Input: atmel_mxt_ts - download device config using firmware loader")
Cc: stable@vger.kernel.org
Assisted-by: Gemini:gemini-3.1-pro
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20260504185448.4055973-1-dmitry.torokhov@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/touchscreen/atmel_mxt_ts.c
+++ b/drivers/input/touchscreen/atmel_mxt_ts.c
@@ -1443,7 +1443,7 @@ static int mxt_prepare_cfg_mem(struct mx
}
cfg->raw_pos += offset;
- if (i > mxt_obj_size(object))
+ if (i >= mxt_obj_size(object))
continue;
byte_offset = reg + i - cfg->start_ofs;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 103/411] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 102/411] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 104/411] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
` (308 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolás Bazaes, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolás Bazaes <contacto@bazaes.cl>
commit 16ca52bc209fa4bf9239cd9e5643e95533476b58 upstream.
The Lenovo ThinkPad E490 (PNP ID: LEN2058) has a Synaptics TM3471-020
touchpad that supports SMBus/RMI4 mode but is not listed in
smbus_pnp_ids[]. Without this entry, RMI4 over SMBus is not enabled
by default, and the touchpad falls back to PS/2 mode.
Adding LEN2058 to the passlist enables automatic RMI4 detection without
requiring the psmouse.synaptics_intertouch parameter, and matches
the behavior of similar ThinkPad models already in the list
(E480/LEN2054, E580/LEN2055).
Tested on ThinkPad E490 with kernel 7.0.5-zen1 and Arch Linux.
RMI4 over SMBus is confirmed working without any kernel parameters.
Signed-off-by: Nicolás Bazaes <contacto@bazaes.cl>
Assisted-by: Claude:claude-sonnet-4-6
Link: https://patch.msgid.link/20260514013552.14234-1-contacto@bazaes.cl
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/mouse/synaptics.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -187,6 +187,7 @@ static const char * const smbus_pnp_ids[
"LEN2044", /* L470 */
"LEN2054", /* E480 */
"LEN2055", /* E580 */
+ "LEN2058", /* E490 */
"LEN2068", /* T14 Gen 1 */
"SYN1221", /* TUXEDO InfinityBook Pro 14 v5 */
"SYN3003", /* HP EliteBook 850 G1 */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 104/411] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 103/411] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 105/411] comedi: comedi_test: Fix limiting of convert_arg " Greg Kroah-Hartman
` (307 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 542f5248cb481073203e0dadab5bcbd28aeae308 upstream.
Commit 783ddaebd397 ("staging: comedi: comedi_test: support
scan_begin_src == TRIG_FOLLOW") neglected to add a test that
`scan_begin_src` has only one bit set. The allowed values are
`TRIG_FOLLOW` and `TRIG_TIMER`, but the code incorrectly also allows
`TRIG_FOLLOW | TRIG_TIMER`. Add a call to
`comedi_check_trigger_is_unique()` to check that only one trigger source
bit is set.
Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422162138.36003-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/comedi_test.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -273,6 +273,7 @@ static int waveform_ai_cmdtest(struct co
/* Step 2a : make sure trigger sources are unique */
err |= comedi_check_trigger_is_unique(cmd->convert_src);
+ err |= comedi_check_trigger_is_unique(cmd->scan_begin_src);
err |= comedi_check_trigger_is_unique(cmd->stop_src);
/* Step 2b : and mutually compatible */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 105/411] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 104/411] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 106/411] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
` (306 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 8a3bee801d420be8a7a0bae4a26547b353b8fe22 upstream.
The function checks and possibly modifies the description of an
asynchronous command to be run on the analog input subdevice of a comedi
device attached to the "comedi_test" driver, returning 0 if no
modifications were required, or a positive value that indicates which
step of the checking process it failed on. Step 4 fixes up various
argument values for various trigger sources.
There are two bugs in the fixing up of the `convert_arg` value to keep
the `scan_begin_arg` value within the range of `unsigned int` when
`scan_begin_src` and `convert_src` both have the value `TRIG_TIMER`,
which indicates that the corresponding `_arg` values hold a time period
in nanoseconds. The code also uses `scan_end_arg` which hold the number
of "conversions" within each "scan". The goal is to end up with the
scan period being less than or equal to the convert period multiplied by
the number of conversions per scan. It intends to do that by clamping
the `convert_arg` value to a maximum value of `UINT_MAX / scan_end_arg`
rounded down to a multiple of 1000 (`NSEC_PER_USEC`).
(The rounding from nanoseconds to microseconds is because the driver is
modelling a device that uses a 1 MHz clock for timing. This is partly
because that is a more typical timing base for real hardware devices
driven by comedi, and partly because the driver used to use `struct
timeval` internally.)
The first bug is that the code checks if `scan_begin_arg == TRIG_TIMER`
when it should be checking if `scan_begin_src == TRIG_TIMER`. The
bugged check will always fail because if `scan_begin_src == TRIG_TIMER`,
then `scan_begin_arg` will be at least 1000 (`NSEC_PER_USEC`), otherwise
`scan_begin_src == TRIG_FOLLOW` and `scan_begin_arg` will be 0. (N.B
`TRIG_TIMER` is defined as `0x10`.) The second bug is that is rounding
the maximum value down to a multiple of 1000000000 (`NSEC_PER_SEC`)
instead of 1000 (`NSEC_PER_USEC`), however this bug is not reached due
to the first bug. This patch fixes both bugs.
Fixes: 783ddaebd397 ("staging: comedi: comedi_test: support scan_begin_src == TRIG_FOLLOW")
Fixes: 5afdcad2f818 ("staging: comedi: comedi_test: limit maximum convert_arg")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20260422144637.27692-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/comedi_test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -324,10 +324,10 @@ static int waveform_ai_cmdtest(struct co
arg = min(arg,
rounddown(UINT_MAX, (unsigned int)NSEC_PER_USEC));
arg = NSEC_PER_USEC * DIV_ROUND_CLOSEST(arg, NSEC_PER_USEC);
- if (cmd->scan_begin_arg == TRIG_TIMER) {
+ if (cmd->scan_begin_src == TRIG_TIMER) {
/* limit convert_arg to keep scan_begin_arg in range */
limit = UINT_MAX / cmd->scan_end_arg;
- limit = rounddown(limit, (unsigned int)NSEC_PER_SEC);
+ limit = rounddown(limit, (unsigned int)NSEC_PER_USEC);
arg = min(arg, limit);
}
err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 106/411] tty: serial: pch_uart: add check for dma_alloc_coherent()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 105/411] comedi: comedi_test: Fix limiting of convert_arg " Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 107/411] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
` (305 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zhaoyang Yu, Andy Shevchenko
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhaoyang Yu <2426767509@qq.com>
commit 6fe472c1bbbe238e91141f7cabc1226e96a60d43 upstream.
Add a check for dma_alloc_coherent() failure to prevent a potential
NULL pointer dereference in dma_handle_rx(). Properly release DMA
channels and the PCI device reference using a goto ladder if the
allocation fails.
Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Zhaoyang Yu <2426767509@qq.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/tencent_E328416B7CFD436F6029F2DF02AD7ED89C08@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/pch_uart.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -707,8 +707,7 @@ static void pch_request_dma(struct uart_
if (!chan) {
dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
__func__);
- pci_dev_put(dma_dev);
- return;
+ goto err_pci_get;
}
priv->chan_tx = chan;
@@ -722,18 +721,26 @@ static void pch_request_dma(struct uart_
if (!chan) {
dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Rx)\n",
__func__);
- dma_release_channel(priv->chan_tx);
- priv->chan_tx = NULL;
- pci_dev_put(dma_dev);
- return;
+ goto err_req_tx;
}
/* Get Consistent memory for DMA */
priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
&priv->rx_buf_dma, GFP_KERNEL);
+ if (!priv->rx_buf_virt)
+ goto err_req_rx;
priv->chan_rx = chan;
pci_dev_put(dma_dev);
+ return;
+
+err_req_rx:
+ dma_release_channel(chan);
+err_req_tx:
+ dma_release_channel(priv->chan_tx);
+ priv->chan_tx = NULL;
+err_pci_get:
+ pci_dev_put(dma_dev);
}
static void pch_dma_rx_complete(void *arg)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 107/411] usb: chipidea: core: convert ci_role_switch to local variable
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 106/411] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 108/411] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
` (304 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Peter Chen, Frank Li,
Xu Yang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 8f6aa392653e52a45858cff5c063df550028836b upstream.
When a system contains multiple USB controllers, the global ci_role_switch
variable may be overwritten by subsequent driver initialization code.
This can cause issues in the following cases:
- The 2nd ci_hdrc_probe() sees ci_role_switch.fwnode as non-NULL even
though the "usb-role-switch" property is not present for the controller.
- When the ci_hdrc device is unbound and bound again, ci_role_switch
fwnode will not be reassigned, and the old value will be used instead.
Convert ci_role_switch to a local variable to fix these issues.
Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support")
Cc: stable <stable@kernel.org>
Acked-by: Peter Chen <peter.chen@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260427075755.3611217-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/chipidea/core.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
--- a/drivers/usb/chipidea/core.c
+++ b/drivers/usb/chipidea/core.c
@@ -659,12 +659,6 @@ static int ci_usb_role_switch_set(struct
return 0;
}
-static struct usb_role_switch_desc ci_role_switch = {
- .set = ci_usb_role_switch_set,
- .get = ci_usb_role_switch_get,
- .allow_userspace_control = true,
-};
-
static int ci_get_platdata(struct device *dev,
struct ci_hdrc_platform_data *platdata)
{
@@ -791,9 +785,6 @@ static int ci_get_platdata(struct device
cable->connected = false;
}
- if (device_property_read_bool(dev, "usb-role-switch"))
- ci_role_switch.fwnode = dev->fwnode;
-
platdata->pctl = devm_pinctrl_get(dev);
if (!IS_ERR(platdata->pctl)) {
struct pinctrl_state *p;
@@ -1013,6 +1004,7 @@ ATTRIBUTE_GROUPS(ci);
static int ci_hdrc_probe(struct platform_device *pdev)
{
+ struct usb_role_switch_desc ci_role_switch = {};
struct device *dev = &pdev->dev;
struct ci_hdrc *ci;
struct resource *res;
@@ -1154,7 +1146,11 @@ static int ci_hdrc_probe(struct platform
}
}
- if (ci_role_switch.fwnode) {
+ if (device_property_read_bool(dev, "usb-role-switch")) {
+ ci_role_switch.set = ci_usb_role_switch_set;
+ ci_role_switch.get = ci_usb_role_switch_get;
+ ci_role_switch.allow_userspace_control = true;
+ ci_role_switch.fwnode = dev_fwnode(dev);
ci_role_switch.driver_data = ci;
ci->role_switch = usb_role_switch_register(dev,
&ci_role_switch);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 108/411] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 107/411] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 109/411] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
` (303 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Pecio, Tao Xue
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
commit 727d045d064b7c9a24db3bce9c0485a382cb768b upstream.
Tao Xue found that some common devices violate USB 3.x section 9.6.7
by reporting wBytesPerInterval lower than the size of packets they
actually send. I confirmed that AX88179 may set it to 0 and RTL8153
CDC configuration sets it to 8 but sends both 8 and 16 byte packets:
S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 8 = a1000000 01000000
S Ii:11:007:3 -115:128 16 <
C Ii:11:007:3 0:128 16 = a12a0000 01000800 00000000 00000000
Most xHCI host controllers neglect interrupt bandwidth reservations
and let such devices exceed theirs, some fail the URB with EOVERFLOW.
Assume that wBytesPerInterval lower than wMaxPacketSize is bogus and
increase it to the worst case maximum on interrupt IN endpoints. This
solves xHCI problems and appears to have no other effect. Interrupt
transfers are not limited to one interval and drivers submit URBs of
class defined size without looking at wBytesPerInterval. Any multi-
interval transfer is considered terminated by a packet shorter than
wMaxPacketSize regardless of wBytesPerInterval - see USB3 8.10.3.
Stay in spec on OUT endpoints and isochronous. No buggy devices are
known and we don't want to risk sending more data than the device
is prepared to handle or confusing isoc drivers regarding altsetting
capacities guaranteed by the device itself. And don't complain when
wMaxPacketSize <= wBytesPerInterval < wMaxPacketSize * (bMaxBurst+1)
because enabling this seems to be the exact goal of the spec.
Reported-and-tested-by: Tao Xue <xuetao09@huawei.com>
Closes: https://lore.kernel.org/linux-usb/20260402021400.28853-1-xuetao09@huawei.com/
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Link: https://patch.msgid.link/20260518073207.5b7d26e7.michal.pecio@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -165,7 +165,14 @@ static void usb_parse_ss_endpoint_compan
(desc->bMaxBurst + 1);
else
max_tx = 999999;
- if (le16_to_cpu(desc->wBytesPerInterval) > max_tx) {
+ /*
+ * wBytesPerInterval > max_tx is bogus, but USB3 spec doesn't forbid the opposite.
+ * Experience shows that wBytesPerInterval < wMaxPacketSize on common interrupt IN
+ * endpoints is usually bogus too, and recent HCs enforce interrupt BW limits.
+ */
+ if (le16_to_cpu(desc->wBytesPerInterval) > max_tx ||
+ (le16_to_cpu(desc->wBytesPerInterval) < usb_endpoint_maxp(&ep->desc) &&
+ usb_endpoint_is_int_in(&ep->desc))) {
dev_notice(ddev, "%s endpoint with wBytesPerInterval of %d in "
"config %d interface %d altsetting %d ep %d: "
"setting to %d\n",
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 109/411] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 108/411] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 110/411] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
` (302 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen J. Fuhry, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen J. Fuhry <fuhrysteve@gmail.com>
commit 9ddb9c0deca48d2c2a22ebf4d2f35c925a520328 upstream.
The Lenovo ThinkPad USB-C Dock Gen2 (17ef:a391, 17ef:a392) hub
controllers exhibit link instability when USB Link Power Management
is enabled, similar to the dock's Ethernet adapter (17ef:a387) which
already carries USB_QUIRK_NO_LPM.
When the dock reconnects after a transient disconnect, the hub
controllers enter LPM states between re-enumeration retries, causing
repeated disconnect/reconnect cycles lasting up to two minutes.
Disabling LPM for these devices restores stable enumeration.
Signed-off-by: Stephen J. Fuhry <fuhrysteve@gmail.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260513171419.44849-1-fuhrysteve@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -497,6 +497,10 @@ static const struct usb_device_id usb_qu
/* Lenovo ThinkPad USB-C Dock Gen2 Ethernet (RTL8153 GigE) */
{ USB_DEVICE(0x17ef, 0xa387), .driver_info = USB_QUIRK_NO_LPM },
+ /* Lenovo ThinkPad USB-C Dock Gen2 USB 3.1 and USB 2.0 hub controllers */
+ { USB_DEVICE(0x17ef, 0xa391), .driver_info = USB_QUIRK_NO_LPM },
+ { USB_DEVICE(0x17ef, 0xa392), .driver_info = USB_QUIRK_NO_LPM },
+
/* BUILDWIN Photo Frame */
{ USB_DEVICE(0x1908, 0x1315), .driver_info =
USB_QUIRK_HONOR_BNUMINTERFACES },
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 110/411] usb: storage: Add quirks for PNY Elite Portable SSD
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 109/411] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 111/411] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
` (301 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Burkels, Oliver Neukum, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Burkels <sam@1a38.nl>
commit b53ebb811e00be50a779ce4e7aee604178b4a825 upstream.
The PNY Elite Portable SSD (USB ID 154b:f009) is a sibling of the
already-quirked PNY Pro Elite SSDs (154b:f00b and 154b:f00d). Like its
siblings, it uses a Phison-based USB-SATA bridge that exhibits
firmware bugs when bound to the uas driver.
Without quirks, the device fails to complete READ CAPACITY commands
when accessed over UAS on a SuperSpeed (USB 3) port. The device
enumerates and reports as a SCSI direct-access device, but reports
zero logical blocks and never finishes spin-up:
usb 2-3: new SuperSpeed USB device number 8 using xhci_hcd
usb 2-3: New USB device found, idVendor=154b, idProduct=f009
usb 2-3: Product: PNY ELITE PSSD
usb 2-3: Manufacturer: PNY
scsi host0: uas
scsi 0:0:0:0: Direct-Access PNY PNY ELITE PSSD 0
sd 0:0:0:0: [sda] Spinning up disk...
[...10+ seconds of polling, no progress...]
sd 0:0:0:0: [sda] Read Capacity(16) failed: hostbyte=DID_ERROR
sd 0:0:0:0: [sda] Read Capacity(10) failed: hostbyte=DID_ERROR
sd 0:0:0:0: [sda] 0 512-byte logical blocks: (0 B/0 B)
Tested each individual quirk to find the minimum that fixes this:
- US_FL_NO_ATA_1X alone: device hangs on spin-up
- US_FL_NO_REPORT_OPCODES alone: works on USB 2.0, hangs on USB 3.0
- US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES: works on both
With both quirks the device enumerates correctly while still using
the uas driver, and delivers full UAS throughput (~281 MB/s
sequential read on a USB 3.0 Gen 1 port).
The existing PNY Pro Elite entries (f00b, f00d) only set NO_ATA_1X,
but this device additionally chokes on REPORT OPCODES under
SuperSpeed.
Signed-off-by: Sam Burkels <sam@1a38.nl>
Acked-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20260501132346.86572-1-sam@1a38.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_uas.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -132,6 +132,13 @@ UNUSUAL_DEV(0x152d, 0x0583, 0x0000, 0x99
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_REPORT_OPCODES),
+/* Reported-by: Sam Burkels <sam@1a38.nl> */
+UNUSUAL_DEV(0x154b, 0xf009, 0x0000, 0x9999,
+ "PNY",
+ "PNY ELITE PSSD",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_ATA_1X | US_FL_NO_REPORT_OPCODES),
+
/* Reported-by: Thinh Nguyen <thinhn@synopsys.com> */
UNUSUAL_DEV(0x154b, 0xf00b, 0x0000, 0x9999,
"PNY",
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 111/411] usbip: vudc: Fix use after free bug in vudc_remove due to race condition
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 110/411] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 112/411] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
` (300 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Zheng Wang,
Michael Bommarito, Shuah Khan
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit d96209626a29ea64666be98c30b30ac82e5f1be6 upstream.
This patch follows up Zheng Wang's 2023 report of a use-after-free in
vudc_remove(). The original thread stalled on Shuah Khan's request for
runtime testing of the unplug/unbind path. This patch supplies that
testing and keeps Zheng's original fix shape.
In vudc_probe(), v_init_timer() binds udc->tr_timer.timer to v_timer().
usbip_sockfd_store() starts the timer via v_start_timer()/v_kick_timer().
vudc_remove() can then free the containing struct vudc while the timer is
still pending or executing.
KASAN confirms the race on an unpatched x86_64 QEMU guest with
CONFIG_KASAN=y, CONFIG_USBIP_VUDC=y, CONFIG_USB_ZERO=y, and a tight loop
that repeatedly writes a socket fd to usbip_sockfd, closes the socket
pair, and unbinds/rebinds usbip-vudc.0:
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x8ba/0x8e0
Write of size 8 at addr ffff888001b80740 by task trigger_and_unb/239
Allocated by task 239:
vudc_probe+0x4d/0xaa0
Freed by task 239:
kfree+0x18f/0x520
device_release_driver_internal+0x388/0x540
unbind_store+0xd9/0x100
This lands in the timer core rather than v_timer() itself because the
embedded timer_list is being walked after its containing struct vudc has
already been freed. The underlying lifetime bug is the same one Zheng
reported.
With v_stop_timer() called from vudc_remove() and the timer deleted
synchronously, the same harness completed 5000 bind/unbind iterations
with no KASAN report.
Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable <stable@kernel.org>
Reported-by: Zheng Wang <zyytlz.wz@163.com>
Closes: https://lore.kernel.org/linux-usb/20230317100954.2626573-1-zyytlz.wz@163.com/
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://patch.msgid.link/20260417163552.807548-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/usbip/vudc_dev.c | 1 +
drivers/usb/usbip/vudc_transfer.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -633,6 +633,7 @@ int vudc_remove(struct platform_device *
{
struct vudc *udc = platform_get_drvdata(pdev);
+ v_stop_timer(udc);
usb_del_gadget_udc(&udc->gadget);
cleanup_vudc_hw(udc);
kfree(udc);
--- a/drivers/usb/usbip/vudc_transfer.c
+++ b/drivers/usb/usbip/vudc_transfer.c
@@ -490,7 +490,8 @@ void v_stop_timer(struct vudc *udc)
{
struct transfer_timer *t = &udc->tr_timer;
- /* timer itself will take care of stopping */
+ /* Delete the timer synchronously before teardown frees udc. */
dev_dbg(&udc->pdev->dev, "timer stop");
+ timer_delete_sync(&t->timer);
t->state = VUDC_TR_STOPPED;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 112/411] usb: usbtmc: check URB actual_length for interrupt-IN notifications
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 111/411] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 113/411] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
` (299 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+abbfd103085885cf16a2, stable,
Michal Pecio, Heitor Alves de Siqueira
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heitor Alves de Siqueira <halves@igalia.com>
commit 52f2ad3f7e5eb3b5908e1d685d4342519dc9cfcd upstream.
USBTMC devices can use an optional interrupt endpoint for notification
messages. These typically contain two-byte headers indicating the
payload format, but the driver does not check if these headers are
present before accessing the data buffers. In cases where the URB
actual_length is not enough to fit these headers, the driver will either
cause an out-of-bounds read, or consume stale leftover data from a
previous notification.
Fix by checking if actual_data contains enough bytes for the headers,
otherwise resubmit URB to the interrupt endpoint.
Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-1-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2310,6 +2310,14 @@ static void usbtmc_interrupt(struct urb
switch (status) {
case 0: /* SUCCESS */
+ /* ensure at least two bytes of headers were transferred */
+ if (urb->actual_length < 2) {
+ dev_warn(dev,
+ "actual length %d not sufficient for interrupt headers\n",
+ urb->actual_length);
+ goto exit;
+ }
+
/* check for valid STB notification */
if (data->iin_buffer[0] > 0x81) {
data->bNotify1 = data->iin_buffer[0];
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 113/411] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 112/411] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 114/411] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
` (298 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Michal Pecio,
Heitor Alves de Siqueira
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heitor Alves de Siqueira <halves@igalia.com>
commit 121d2f682ba912b1427cddca7cf84840f41cc620 upstream.
The USB488 subclass specification requires interrupt wMaxPacketSize to
be 0x02, unless the device sends vendor-specific notifications.
Endpoints that advertise less than 2 bytes for wMaxPacketSize are
unlikely to work with the current driver, as URBs will not have enough
space for interrupt headers. Considering that any notification URBs will
be ignored by the driver, reject these endpoints early during probe.
Fixes: 041370cce889 ("USB: usbtmc: refactor endpoint retrieval")
Cc: stable <stable@kernel.org>
Suggested-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Link: https://patch.msgid.link/20260505-usbtmc-iin-size-v3-2-a36113f62db7@igalia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/usbtmc.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2444,6 +2444,12 @@ static int usbtmc_probe(struct usb_inter
data->iin_ep = int_in->bEndpointAddress;
data->iin_wMaxPacketSize = usb_endpoint_maxp(int_in);
data->iin_interval = int_in->bInterval;
+ /* wMaxPacketSize should be 0x02 or more as per USB488 Table 22 */
+ if (iface_desc->desc.bInterfaceProtocol == 1 &&
+ data->iin_wMaxPacketSize < 2) {
+ retcode = -EINVAL;
+ goto err_put;
+ }
dev_dbg(&intf->dev, "Found Int in endpoint at %u\n",
data->iin_ep);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 114/411] USB: serial: option: add MeiG SRM813Q
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 113/411] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 115/411] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
` (297 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Volckaert, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Volckaert <janvolck@gmail.com>
commit 7d2b37d3e42d19071b62f4ddbee6e16e905efbf1 upstream.
Add support for the Qualcomm Technology Snapdragon X35-based MeiG
SRM813Q module.
The module can be put in different modes via AT commands to
enable/disable GPS functionality:
MODEM - PPP mode(2dee:4d63): AT+SER=1,1
If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: MODEM
If#= 3: AT
P: Vendor=2dee ProdID=4d63 Rev=05.15
S: Manufacturer=MEIG
S: Product=LTE-A Module
S: SerialNumber=1bd51f0e
C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
NMEA mode(2dee:4d64): AT+SER=51,1
If#= 0: RMNET
If#= 1: DIAG/ADB
If#= 2: NMEA
If#= 3: AT
P: Vendor=2dee ProdID=4d64 Rev=05.15
S: Manufacturer=MEIG
S: Product=LTE-A Module
S: SerialNumber=1bd51f0e
C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
Signed-off-by: Jan Volckaert <janvolck@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2450,6 +2450,12 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x30) }, /* MeiG Smart SRM825WN (Diag) */
{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x40) }, /* MeiG Smart SRM825WN (AT) */
{ USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d38, 0xff, 0xff, 0x60) }, /* MeiG Smart SRM825WN (NMEA) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x30) }, /* MeiG SRM813Q (Diag) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d63, 0xff, 0xff, 0x40) }, /* MeiG SRM813Q (AT) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x30) }, /* MeiG SRM813Q (Diag) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x40) }, /* MeiG SRM813Q (AT) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2dee, 0x4d64, 0xff, 0xff, 0x60) }, /* MeiG SRM813Q (NMEA) */
+
{ USB_DEVICE_INTERFACE_CLASS(0x2df3, 0x9d03, 0xff) }, /* LongSung M5710 */
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1404, 0xff) }, /* GosunCn GM500 RNDIS */
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1405, 0xff) }, /* GosunCn GM500 MBIM */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 115/411] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 114/411] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 116/411] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
` (296 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wanquan Zhong, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wanquan Zhong <wanquan.zhong@fibocom.com>
commit 689f2facc689c8add11d7ff69fbbad17d65ee596 upstream.
The RW135R-GL entry added in commit 01e8d0f74222 ("USB: serial: option:
add support for Rolling Wireless RW135R-GL") was missing the
.driver_info = RSVD(5) flag used by other Rolling Wireless MBIM laptop
modules (e.g. RW135-GL and RW350-GL).
Without this flag, the option driver incorrectly binds to the reserved
ADB interface (If#5) in multi-interface USB modes, causing AT/MBIM
communication failures after mode switching. This matches the handling
of other Rolling Wireless MBIM devices.
- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
interface for Linux/Chrome OS)
0x1003: mbim, diag, AT, pipe
Here are the outputs of usb-devices:
T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 8 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=33f8 ProdID=1003 Rev= 5.15
S: Manufacturer=Rolling Wireless S.a.r.l.
S: Product=Rolling RW135R-GL Module
S: SerialNumber=12345678
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
interface for Linux/Chrome OS)
0x1003: mbim, diag, AT, ADB, pipe
Here are the outputs of usb-devices:
T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=33f8 ProdID=1003 Rev= 5.15
S: Manufacturer=Rolling Wireless S.a.r.l.
S: Product=Rolling RW135R-GL Module
S: SerialNumber=12345678
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
- VID:PID 33f8:1003, RW135R-GL for laptop debug M.2 cards (with MBIM
interface for Linux/Chrome OS)
0x1003: mbim, pipe
Here are the outputs of usb-devices:
T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=33f8 ProdID=1003 Rev= 5.15
S: Manufacturer=Rolling Wireless S.a.r.l.
S: Product=Rolling RW135R-GL Module
S: SerialNumber=12345678
C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=500mA
A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Fixes: 01e8d0f74222 ("USB: serial: option: add support for Rolling Wireless RW135R-GL")
Signed-off-by: Wanquan Zhong <wanquan.zhong@fibocom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2476,7 +2476,8 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0302, 0xff) }, /* Rolling RW101R-GL (laptop MBIM) */
{ USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x0802, 0xff), /* Rolling RW350-GL (laptop MBIM) */
.driver_info = RSVD(5) },
- { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff) }, /* Rolling RW135R-GL (laptop MBIM) */
+ { USB_DEVICE_INTERFACE_CLASS(0x33f8, 0x1003, 0xff), /* Rolling RW135R-GL (laptop MBIM) */
+ .driver_info = RSVD(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x30) }, /* NetPrisma LCUK54-WWD for Global */
{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0x00, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x3731, 0x0100, 0xff, 0xff, 0x40) },
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 116/411] USB: serial: belkin_sa: validate interrupt status length
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 115/411] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 117/411] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
` (295 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
commit 4ce058df2ee02cc2a0f0fd5cd64ce6f1482a0b65 upstream.
The Belkin interrupt callback treats interrupt data as a four-byte
status report and reads LSR/MSR fields at offsets 2 and 3. The
interrupt-in buffer length is derived from endpoint wMaxPacketSize, and
short interrupt transfers may complete successfully with a smaller
actual_length.
Check the completed interrupt packet length before parsing status
fields so short interrupt endpoints and short successful packets are
ignored instead of causing out-of-bounds or stale status-byte reads.
KASAN report as below:
BUG: KASAN: slab-out-of-bounds in belkin_sa_read_int_callback()
Read of size 1
Call trace:
belkin_sa_read_int_callback() (drivers/usb/serial/belkin_sa.c:202)
__usb_hcd_giveback_urb() (drivers/usb/core/hcd.c:1630)
dummy_timer() (?:?)
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/belkin_sa.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -194,6 +194,9 @@ static void belkin_sa_read_int_callback(
usb_serial_debug_data(&port->dev, __func__, urb->actual_length, data);
+ if (urb->actual_length < BELKIN_SA_MSR_INDEX + 1)
+ goto exit;
+
/* Handle known interrupt data */
/* ignore data[0] and data[1] */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 117/411] USB: serial: cypress_m8: validate interrupt packet headers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 116/411] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 118/411] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
` (294 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Cen, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
commit 9f9bfc80c67f35a275820da7e83a35dface08281 upstream.
cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header. The
usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.
Check that the completed packet contains the selected header before
reading it. Malformed short reports are ignored and the interrupt URB is
resubmitted through the existing retry path, preventing out-of-bounds
header-byte reads.
KASAN report as below:
KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
Read of size 1
Call trace:
cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
__usb_hcd_giveback_urb()
dummy_timer()
Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org # 2.6.26
[ johan: use constants in header length sanity checks ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/cypress_m8.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -1018,8 +1018,8 @@ static void cypress_read_int_callback(st
char tty_flag = TTY_NORMAL;
int bytes = 0;
int result;
- int i = 0;
int status = urb->status;
+ int i;
switch (status) {
case 0: /* success */
@@ -1057,22 +1057,32 @@ static void cypress_read_int_callback(st
spin_lock_irqsave(&priv->lock, flags);
result = urb->actual_length;
+ i = 0;
switch (priv->pkt_fmt) {
default:
case packet_format_1:
/* This is for the CY7C64013... */
+ if (result < 2)
+ break;
priv->current_status = data[0] & 0xF8;
bytes = data[1] + 2;
i = 2;
break;
case packet_format_2:
/* This is for the CY7C63743... */
+ if (result < 1)
+ break;
priv->current_status = data[0] & 0xF8;
bytes = (data[0] & 0x07) + 1;
i = 1;
break;
}
spin_unlock_irqrestore(&priv->lock, flags);
+ if (i == 0) {
+ dev_dbg(dev, "%s - short packet received: %d bytes\n",
+ __func__, result);
+ goto continue_read;
+ }
if (result < bytes) {
dev_dbg(dev,
"%s - wrong packet size - received %d bytes but packet said %d bytes\n",
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 118/411] USB: serial: keyspan: fix missing indat transfer sanity check
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 117/411] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 119/411] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
` (293 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ab8336a7e414f018430aa1af3a46944032f7ff96 upstream.
Add the missing sanity check on the size of usa49wg indat transfers to
avoid parsing stale or uninitialised slab data.
Fixes: 0ca1268e109a ("USB Serial Keyspan: add support for USA-49WG & USA-28XG")
Cc: stable@vger.kernel.org # 2.6.23
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/keyspan.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -1184,6 +1184,10 @@ static void usa49wg_indat_callback(struc
len = 0;
while (i < urb->actual_length) {
+ if (urb->actual_length - i < 3) {
+ dev_warn_ratelimited(&urb->dev->dev, "malformed indat packet\n");
+ break;
+ }
/* Check port number from message */
if (data[i] >= serial->num_ports) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 119/411] USB: serial: mxuport: fix memory corruption with small endpoint
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 118/411] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 120/411] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
` (292 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 4085f0dbb1ce2251c9a5938d693de6593f0ab2bd upstream.
Make sure that the bulk-out endpoint max packet size is at least eight
bytes to avoid user-controlled slab corruption should a malicious device
report a smaller size.
Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX driver")
Cc: stable@vger.kernel.org # 3.14
Cc: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/mxuport.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -962,6 +962,14 @@ static int mxuport_calc_num_ports(struct
*/
BUILD_BUG_ON(ARRAY_SIZE(epds->bulk_out) < 16);
+ /*
+ * The bulk-out buffers must be large enough for the four-byte header
+ * (and following data), but assume anything smaller than eight bytes
+ * is broken.
+ */
+ if (usb_endpoint_maxp(epds->bulk_out[0]) < 8)
+ return -EINVAL;
+
for (i = 1; i < num_ports; ++i)
epds->bulk_out[i] = epds->bulk_out[0];
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 120/411] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 119/411] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 121/411] usb: gadget: net2280: Fix double free in probe error path Greg Kroah-Hartman
` (291 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 245aba83e3c288e176ed037a1f6b618b09e92ed8 upstream.
Add the missing sanity check on the size of interrupt-in transfers to
avoid parsing stale or uninitialised slab data (and leaking it to user
space).
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/mct_u232.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -543,6 +543,11 @@ static void mct_u232_read_int_callback(s
goto exit;
}
+ if (urb->actual_length < 2) {
+ dev_warn_ratelimited(&port->dev, "short interrupt-in packet\n");
+ goto exit;
+ }
+
/*
* The interrupt-in pipe signals exceptional conditions (modem line
* signal changes and errors). data[0] holds MSR, data[1] holds LSR.
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 121/411] usb: gadget: net2280: Fix double free in probe error path
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 120/411] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
@ 2026-06-16 14:55 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 122/411] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
` (290 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Guangshuo Li, Alan Stern
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit c8547c74988e0b5f4cbb1b895e2a57aae084f070 upstream.
usb_initialize_gadget() installs gadget_release() as the release
callback for the embedded gadget device. The struct net2280 instance is
therefore released through gadget_release() when the gadget device's last
reference is dropped.
The probe error path calls net2280_remove(), which tears down the
partially initialized device and drops the gadget reference with
usb_put_gadget(). Calling kfree(dev) afterwards can free the same object
again.
Drop the explicit kfree() and let the gadget device release callback
handle the final free. This issue was found by a static analysis tool
I am developing.
Fixes: f770fbec4165 ("USB: UDC: net2280: Fix memory leaks")
Cc: stable <stable@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260427153651.337846-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/net2280.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/usb/gadget/udc/net2280.c
+++ b/drivers/usb/gadget/udc/net2280.c
@@ -3796,10 +3796,8 @@ static int net2280_probe(struct pci_dev
return 0;
done:
- if (dev) {
+ if (dev)
net2280_remove(pdev);
- kfree(dev);
- }
return retval;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 122/411] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-06-16 14:55 ` [PATCH 5.15 121/411] usb: gadget: net2280: Fix double free in probe error path Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 123/411] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
` (289 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Seungjin Bae
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
commit 7d9633528dd40e33964d2dc74a5abbf5c4d116ce upstream.
The `dummy_hub_control()` function handles USB hub class requests
to the virtual root hub. The `GetPortStatus` case returns -EPIPE for
requests with `wIndex != 1`, since the virtual root hub has only a
single port. However, the `ClearPortFeature` and `SetPortFeature`
cases lack the same check.
Fix this by extending the `wIndex != 1` rejection to both cases,
matching the existing behavior of `GetPortStatus`.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable <stable@kernel.org>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260518234314.1889396-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/dummy_hcd.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/gadget/udc/dummy_hcd.c
+++ b/drivers/usb/gadget/udc/dummy_hcd.c
@@ -2122,6 +2122,8 @@ static int dummy_hub_control(
case ClearHubFeature:
break;
case ClearPortFeature:
+ if (wIndex != 1)
+ goto error;
switch (wValue) {
case USB_PORT_FEAT_SUSPEND:
if (hcd->speed == HCD_USB3) {
@@ -2236,6 +2238,8 @@ static int dummy_hub_control(
retval = -EPIPE;
break;
case SetPortFeature:
+ if (wIndex != 1)
+ goto error;
switch (wValue) {
case USB_PORT_FEAT_LINK_STATE:
if (hcd->speed != HCD_USB3) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 123/411] usb: gadget: f_fs: copy only received bytes on short ep0 read
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 122/411] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 124/411] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
` (288 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Michael Bommarito
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 4e036c10e7f4df5d951c69cc3697bc8e209c6d02 upstream.
ffs_ep0_read() allocates its control-OUT data buffer with
kmalloc() (not kzalloc) at the Length value from the Setup
packet, then copies that full len to userspace regardless of
how many bytes were actually received:
data = kmalloc(len, GFP_KERNEL);
...
ret = __ffs_ep0_queue_wait(ffs, data, len);
if ((ret > 0) && (copy_to_user(buf, data, len)))
ret = -EFAULT;
__ffs_ep0_queue_wait() returns req->actual, which on a short
control OUT transfer is strictly less than len. The
copy_to_user() call still copies len bytes, so on a short OUT
the last (len - ret) bytes of the kmalloc() buffer --
uninitialised slab residue -- are delivered to the FunctionFS
daemon.
Short ep0 OUT completions are specified USB control-transfer
behavior and are produced by in-tree UDCs:
* dwc2 continues on req->actual < req->length for ep0 DATA OUT
(short-not-ok is the only ep0-OUT stall path).
* aspeed_udc ends ep0 OUT on rx_len < ep->ep.maxpacket.
* renesas_usbf logs "ep0 short packet" and completes the
request.
* dwc3 stalls on short IN but not on short OUT.
A short ep0 OUT is therefore not evidence of a broken UDC; it is
a normal condition f_fs has to cope with. The sibling gadgetfs
implementation in drivers/usb/gadget/legacy/inode.c already does
this correctly via min(len, dev->req->actual) before
copy_to_user(). This patch brings f_fs.c to the same safe
pattern rather than trimming at a defensive layer.
The bug is reached from the FunctionFS device node, which in
real deployments is owned by the privileged gadget daemon
(adbd, UMS, composite gadget services, etc.); it is not
reachable from unprivileged userspace. Linux host stacks
normally reject short-wLength control OUTs before they reach
the gadget, so reproducing this required a build that
bypasses that host-side check. With the bypass in place, a
1-byte payload on a 64-byte Setup produces 63 bytes of
non-canary slab residue in the daemon's read buffer.
Fix by copying only ret (actually received) bytes to
userspace.
Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
Cc: stable <stable@kernel.org>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260419160359.1577270-1-michael.bommarito@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -592,7 +592,7 @@ static ssize_t ffs_ep0_read(struct file
/* unlocks spinlock */
ret = __ffs_ep0_queue_wait(ffs, data, len);
- if ((ret > 0) && (copy_to_user(buf, data, len)))
+ if ((ret > 0) && (copy_to_user(buf, data, ret)))
ret = -EFAULT;
goto done_mutex;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 124/411] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 123/411] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 125/411] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
` (287 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 01deda0152066c6c955f0619114ea6afa070aaec upstream.
entry->value is u32 and entry->length is u16; the sum is performed in
u32 and wraps. A malicious XDomain peer can pick
value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0
and passes the > block_len check. tb_property_parse() then passes
entry->value to parse_dwdata() as a dword offset into the property
block, reading attacker-directed memory far past the allocation.
For TEXT-typed entries with the "deviceid" or "vendorid" keys this
lands in xd->device_name / xd->vendor_name and is readable back via
the per-XDomain device_name / vendor_name sysfs attributes; the leak
is NUL-bounded (kstrdup() stops at the first zero byte) and
untargeted (the attacker picks a delta, not an absolute address).
DATA-typed entries are parsed into property->value.data but not
generically surfaced to userspace.
Use check_add_overflow() so a wrapped sum is rejected.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/property.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -8,6 +8,7 @@
*/
#include <linux/err.h>
+#include <linux/overflow.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/uuid.h>
@@ -52,13 +53,16 @@ static inline void format_dwdata(void *d
static bool tb_property_entry_valid(const struct tb_property_entry *entry,
size_t block_len)
{
+ u32 end;
+
switch (entry->type) {
case TB_PROPERTY_TYPE_DIRECTORY:
case TB_PROPERTY_TYPE_DATA:
case TB_PROPERTY_TYPE_TEXT:
if (entry->length > block_len)
return false;
- if (entry->value + entry->length > block_len)
+ if (check_add_overflow(entry->value, entry->length, &end) ||
+ end > block_len)
return false;
break;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 125/411] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 124/411] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 126/411] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
` (286 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit de21b59c29e31c5108ddc04210631bbfab81b997 upstream.
On the non-root path, __tb_property_parse_dir() takes dir_len from
entry->length (u16 widened to size_t). Two distinct OOB conditions
follow when entry->length < 4:
1. The non-root path begins with kmemdup(&block[dir_offset],
sizeof(*dir->uuid), ...) which always reads 4 dwords from
dir_offset. tb_property_entry_valid() only enforces
dir_offset + entry->length <= block_len, so a crafted entry
with dir_offset close to the end of the property block and
entry->length in 0..3 passes that gate but lets the UUID copy
run off the block (e.g. dir_offset = 497, dir_len = 3 in a
500-dword block reads block[497..501]).
2. After the kmemdup, content_len = dir_len - 4 underflows size_t
to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry
walk runs OOB on each iteration until an entry fails
validation or the kernel oopses on an unmapped page.
Reject dir_len < 4 on the non-root path *before* the UUID kmemdup,
which closes both holes.
Also move INIT_LIST_HEAD(&dir->properties) up to immediately after
the dir allocation so the new error-return path (and the existing
uuid-alloc failure path) calling tb_property_free_dir() sees a
walkable list rather than the zero-initialized NULL next/prev that
list_for_each_entry_safe() would oops on.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/property.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -174,10 +174,16 @@ static struct tb_property_dir *__tb_prop
if (!dir)
return NULL;
+ INIT_LIST_HEAD(&dir->properties);
+
if (is_root) {
content_offset = dir_offset + 2;
content_len = dir_len;
} else {
+ if (dir_len < 4) {
+ tb_property_free_dir(dir);
+ return NULL;
+ }
dir->uuid = kmemdup(&block[dir_offset], sizeof(*dir->uuid),
GFP_KERNEL);
if (!dir->uuid) {
@@ -191,8 +197,6 @@ static struct tb_property_dir *__tb_prop
entries = (const struct tb_property_entry *)&block[content_offset];
nentries = content_len / (sizeof(*entries) / 4);
- INIT_LIST_HEAD(&dir->properties);
-
for (i = 0; i < nentries; i++) {
struct tb_property *property;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 126/411] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 125/411] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 127/411] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
` (285 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Hannes Reinecke,
Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 9eed1bd59937e6828b00d2f2dfef631d964f3636 upstream.
drivers/scsi/fcoe/fcoe_ctlr.c::fcoe_ctlr_recv_clr_vlink() advanced the
descriptor cursor by an attacker-supplied fip_dlen without ever
requiring dlen >= sizeof(struct fip_desc) in the default branch. The
named descriptor cases (FIP_DT_MAC, FIP_DT_NAME, FIP_DT_VN_ID) checked
their per-type minimum lengths, but a FIP_DT_NON_CRITICAL descriptor
(fip_dtype >= 128, which the standard requires receivers to silently
ignore) skipped that check entirely.
An unauthenticated L2 peer on the FCoE control VLAN could hang
fcoe_ctlr_recv_work on an fcoe, qedf, or bnx2fc initiator indefinitely
by emitting one FIP CVL frame whose single descriptor had fip_dtype ==
FIP_DT_NON_CRITICAL and fip_dlen == 0: the cursor advanced zero bytes
per iteration and the loop condition rlen >= sizeof(*desc) stayed true
forever, blocking every subsequent FIP frame on that controller.
Tighten the outer dlen guard to also reject dlen < sizeof(struct
fip_desc), so a malformed descriptor whose length cannot even cover the
descriptor header is rejected before the switch. This is the same
lower-bound the named cases already apply and is the minimum scope that
closes the loop.
Fixes: 97c8389d54b9 ("[SCSI] fcoe, libfcoe: Add support for FIP. FCoE discovery and keep-alive.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Link: https://patch.msgid.link/20260518144307.2820961-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/fcoe/fcoe_ctlr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/fcoe/fcoe_ctlr.c
+++ b/drivers/scsi/fcoe/fcoe_ctlr.c
@@ -1391,7 +1391,7 @@ static void fcoe_ctlr_recv_clr_vlink(str
while (rlen >= sizeof(*desc)) {
dlen = desc->fip_dlen * FIP_BPW;
- if (dlen > rlen)
+ if (dlen < sizeof(*desc) || dlen > rlen)
goto err;
/* Drop CVL if there are duplicate critical descriptors */
if ((desc->fip_dtype < 32) &&
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 127/411] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 126/411] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 128/411] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
` (284 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Christoph Hellwig,
John Garry, Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit a9a39233ec1fc9f97ea1340a4d09bb7ec2be5153 upstream.
An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS
frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in
the generic FC transport. This is not a local userspace or IP network
path; the attacker must be able to inject fabric traffic, for example as
a compromised switch or fabric controller, or as a same-zone N_Port on a
fabric that permits source spoofing.
The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop
counter against the 32-bit on-wire pname_count field, and did not bound
pname_count by the descriptor body already validated by the TLV walker.
A pname_count of 256 therefore wraps the counter and keeps the loop
condition true indefinitely.
Factor the shared pname_list[] walk into one helper, widen the counter
to u32, and clamp pname_count against the entries that fit in the
descriptor body before iterating.
Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://patch.msgid.link/20260520133015.1018937-1-michael.bommarito@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_transport_fc.c | 77 ++++++++++++++++++++-------------------
1 file changed, 41 insertions(+), 36 deletions(-)
--- a/drivers/scsi/scsi_transport_fc.c
+++ b/drivers/scsi/scsi_transport_fc.c
@@ -744,6 +744,37 @@ fc_cn_stats_update(u16 event_type, struc
}
}
+static void
+fc_fpin_pname_stats_update(struct Scsi_Host *shost,
+ struct fc_rport *attach_rport, u16 event_type,
+ u32 desc_len, u32 fixed_len, u32 pname_count,
+ __be64 *pname_list,
+ void (*stats_update)(u16 event_type,
+ struct fc_fpin_stats *stats))
+{
+ u32 i;
+ struct fc_rport *rport;
+ u64 wwpn;
+
+ if (desc_len < fixed_len)
+ pname_count = 0;
+ else
+ pname_count = min(pname_count, (desc_len - fixed_len) /
+ sizeof(pname_list[0]));
+
+ for (i = 0; i < pname_count; i++) {
+ wwpn = be64_to_cpu(pname_list[i]);
+ rport = fc_find_rport_by_wwpn(shost, wwpn);
+ if (rport &&
+ (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
+ rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
+ if (rport == attach_rport)
+ continue;
+ stats_update(event_type, &rport->fpin_stats);
+ }
+ }
+}
+
/*
* fc_fpin_li_stats_update - routine to update Link Integrity
* event statistics.
@@ -754,13 +785,11 @@ fc_cn_stats_update(u16 event_type, struc
static void
fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv)
{
- u8 i;
struct fc_rport *rport = NULL;
struct fc_rport *attach_rport = NULL;
struct fc_host_attrs *fc_host = shost_to_fc_host(shost);
struct fc_fn_li_desc *li_desc = (struct fc_fn_li_desc *)tlv;
u16 event_type = be16_to_cpu(li_desc->event_type);
- u64 wwpn;
rport = fc_find_rport_by_wwpn(shost,
be64_to_cpu(li_desc->attached_wwpn));
@@ -771,22 +800,11 @@ fc_fpin_li_stats_update(struct Scsi_Host
fc_li_stats_update(event_type, &attach_rport->fpin_stats);
}
- if (be32_to_cpu(li_desc->pname_count) > 0) {
- for (i = 0;
- i < be32_to_cpu(li_desc->pname_count);
- i++) {
- wwpn = be64_to_cpu(li_desc->pname_list[i]);
- rport = fc_find_rport_by_wwpn(shost, wwpn);
- if (rport &&
- (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
- rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
- if (rport == attach_rport)
- continue;
- fc_li_stats_update(event_type,
- &rport->fpin_stats);
- }
- }
- }
+ fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+ be32_to_cpu(li_desc->desc_len),
+ FC_TLV_DESC_LENGTH_FROM_SZ(*li_desc),
+ be32_to_cpu(li_desc->pname_count),
+ li_desc->pname_list, fc_li_stats_update);
if (fc_host->port_name == be64_to_cpu(li_desc->attached_wwpn))
fc_li_stats_update(event_type, &fc_host->fpin_stats);
@@ -834,13 +852,11 @@ static void
fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost,
struct fc_tlv_desc *tlv)
{
- u8 i;
struct fc_rport *rport = NULL;
struct fc_rport *attach_rport = NULL;
struct fc_fn_peer_congn_desc *pc_desc =
(struct fc_fn_peer_congn_desc *)tlv;
u16 event_type = be16_to_cpu(pc_desc->event_type);
- u64 wwpn;
rport = fc_find_rport_by_wwpn(shost,
be64_to_cpu(pc_desc->attached_wwpn));
@@ -851,22 +867,11 @@ fc_fpin_peer_congn_stats_update(struct S
fc_cn_stats_update(event_type, &attach_rport->fpin_stats);
}
- if (be32_to_cpu(pc_desc->pname_count) > 0) {
- for (i = 0;
- i < be32_to_cpu(pc_desc->pname_count);
- i++) {
- wwpn = be64_to_cpu(pc_desc->pname_list[i]);
- rport = fc_find_rport_by_wwpn(shost, wwpn);
- if (rport &&
- (rport->roles & FC_PORT_ROLE_FCP_TARGET ||
- rport->roles & FC_PORT_ROLE_NVME_TARGET)) {
- if (rport == attach_rport)
- continue;
- fc_cn_stats_update(event_type,
- &rport->fpin_stats);
- }
- }
- }
+ fc_fpin_pname_stats_update(shost, attach_rport, event_type,
+ be32_to_cpu(pc_desc->desc_len),
+ FC_TLV_DESC_LENGTH_FROM_SZ(*pc_desc),
+ be32_to_cpu(pc_desc->pname_count),
+ pc_desc->pname_list, fc_cn_stats_update);
}
/*
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 128/411] drm/hyperv: validate VMBus packet size in receive callback
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 127/411] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 129/411] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
` (283 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
Hamza Mahfooz
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Berkant Koc <me@berkoc.com>
commit 7f87763f47a3c22fb50265a00619ef10f2394b18 upstream.
hyperv_receive_sub() reads msg->vid_hdr.type and dispatches into one
of four message-type branches without knowing how many bytes the host
wrote into hv->recv_buf. The completion path then runs
memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE), so the consumer that
wakes on wait_for_completion_timeout() can read up to 16 KiB of
residue from a prior message as if it were the response payload.
Pass bytes_recvd into hyperv_receive_sub() and reject any packet that
does not cover the pipe + synthvid header. A single switch on
msg->vid_hdr.type then computes the type-specific payload size: the
three completion-driving types (SYNTHVID_VERSION_RESPONSE,
SYNTHVID_RESOLUTION_RESPONSE, SYNTHVID_VRAM_LOCATION_ACK) fall through
to a shared exit that requires that size before memcpy/complete, while
SYNTHVID_FEATURE_CHANGE validates its own payload and returns before
reading is_dirt_needed. Unknown types are dropped.
SYNTHVID_RESOLUTION_RESPONSE is variable length: the host fills
resolution_count entries, not the full SYNTHVID_MAX_RESOLUTION_COUNT
array. Validate the fixed prefix first so resolution_count can be
read, bound it against the array, then require only the count-sized
array, so the shorter responses the host actually sends are accepted.
Only run the sub-handler when vmbus_recvpacket() returned success. The
memcpy length is bytes_recvd, which is bounded by VMBUS_MAX_PACKET_SIZE
only on a successful receive; on -ENOBUFS vmbus_recvpacket() instead
reports the required length, which can exceed hv->recv_buf, so copying
bytes_recvd would read and write past the 16 KiB buffers. Gating on the
success return keeps the copy bounded. The nonzero-return path is itself
a malformed-message case and is now logged rather than silently skipped;
channel recovery is not attempted.
Rejected packets are reported via drm_err_ratelimited() rather than
silently dropped, matching the CoCo-hardened pattern in
hv_kvp_onchannelcallback().
Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/8200dbc199c7a9b75ac7e8af6c748d2189b5ebd5.1779542874.git.me@berkoc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 100 ++++++++++++++++++++++++++----
1 file changed, 87 insertions(+), 13 deletions(-)
--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -422,30 +422,92 @@ static int hyperv_get_supported_resoluti
return 0;
}
-static void hyperv_receive_sub(struct hv_device *hdev)
+static void hyperv_receive_sub(struct hv_device *hdev, u32 bytes_recvd)
{
struct hyperv_drm_device *hv = hv_get_drvdata(hdev);
struct synthvid_msg *msg;
+ size_t hdr_size;
+ size_t need;
if (!hv)
return;
- msg = (struct synthvid_msg *)hv->recv_buf;
-
- /* Complete the wait event */
- if (msg->vid_hdr.type == SYNTHVID_VERSION_RESPONSE ||
- msg->vid_hdr.type == SYNTHVID_RESOLUTION_RESPONSE ||
- msg->vid_hdr.type == SYNTHVID_VRAM_LOCATION_ACK) {
- memcpy(hv->init_buf, msg, VMBUS_MAX_PACKET_SIZE);
- complete(&hv->wait);
+ hdr_size = sizeof(struct pipe_msg_hdr) +
+ sizeof(struct synthvid_msg_hdr);
+ if (bytes_recvd < hdr_size) {
+ drm_err_ratelimited(&hv->dev,
+ "synthvid packet too small for header: %u\n",
+ bytes_recvd);
return;
}
- if (msg->vid_hdr.type == SYNTHVID_FEATURE_CHANGE) {
+ msg = (struct synthvid_msg *)hv->recv_buf;
+ need = hdr_size;
+
+ switch (msg->vid_hdr.type) {
+ case SYNTHVID_VERSION_RESPONSE:
+ need += sizeof(struct synthvid_version_resp);
+ break;
+ case SYNTHVID_RESOLUTION_RESPONSE:
+ /*
+ * The resolution response is variable length: the host
+ * fills resolution_count entries, not the full
+ * SYNTHVID_MAX_RESOLUTION_COUNT array. Require the fixed
+ * prefix first so resolution_count can be read, then
+ * demand exactly the count-sized array.
+ */
+ need += offsetof(struct synthvid_supported_resolution_resp,
+ supported_resolution);
+ if (bytes_recvd < need)
+ break;
+ if (msg->resolution_resp.resolution_count >
+ SYNTHVID_MAX_RESOLUTION_COUNT) {
+ drm_err_ratelimited(&hv->dev,
+ "synthvid resolution count too large: %u\n",
+ msg->resolution_resp.resolution_count);
+ return;
+ }
+ need += msg->resolution_resp.resolution_count *
+ sizeof(struct hvd_screen_info);
+ break;
+ case SYNTHVID_VRAM_LOCATION_ACK:
+ need += sizeof(struct synthvid_vram_location_ack);
+ break;
+ case SYNTHVID_FEATURE_CHANGE:
+ /*
+ * Not a completion-driving message: validate its own payload
+ * and consume it here rather than falling through to the
+ * memcpy/complete shared by the wait-event responses.
+ */
+ if (bytes_recvd < need +
+ sizeof(struct synthvid_feature_change)) {
+ drm_err_ratelimited(&hv->dev,
+ "synthvid feature change packet too small: %u\n",
+ bytes_recvd);
+ return;
+ }
hv->dirt_needed = msg->feature_chg.is_dirt_needed;
if (hv->dirt_needed)
hyperv_hide_hw_ptr(hv->hdev);
+ return;
+ default:
+ return;
+ }
+
+ /*
+ * Shared completion path for the wait-event responses
+ * (VERSION_RESPONSE, RESOLUTION_RESPONSE, VRAM_LOCATION_ACK):
+ * require the type-specific payload before handing the buffer to
+ * the waiter.
+ */
+ if (bytes_recvd < need) {
+ drm_err_ratelimited(&hv->dev,
+ "synthvid packet too small for type %u: %u < %zu\n",
+ msg->vid_hdr.type, bytes_recvd, need);
+ return;
}
+ memcpy(hv->init_buf, msg, bytes_recvd);
+ complete(&hv->wait);
}
static void hyperv_receive(void *ctx)
@@ -466,9 +528,21 @@ static void hyperv_receive(void *ctx)
ret = vmbus_recvpacket(hdev->channel, recv_buf,
VMBUS_MAX_PACKET_SIZE,
&bytes_recvd, &req_id);
- if (bytes_recvd > 0 &&
- recv_buf->pipe_hdr.type == PIPE_MSG_DATA)
- hyperv_receive_sub(hdev);
+ if (ret) {
+ /*
+ * A nonzero return (e.g. -ENOBUFS for an oversized
+ * packet) is itself a malformed message: bytes_recvd
+ * then reports the required length rather than a copied
+ * payload, so it must not be forwarded to the
+ * sub-handler. Channel recovery is not attempted.
+ */
+ drm_err_ratelimited(&hv->dev,
+ "vmbus_recvpacket failed: %d (need %u)\n",
+ ret, bytes_recvd);
+ } else if (bytes_recvd > 0 &&
+ recv_buf->pipe_hdr.type == PIPE_MSG_DATA) {
+ hyperv_receive_sub(hdev, bytes_recvd);
+ }
} while (bytes_recvd > 0 && ret == 0);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 129/411] serial: sh-sci: fix memory region release in error path
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 128/411] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 130/411] serial: zs: Fix swapped RI/DSR modem line transition counting Greg Kroah-Hartman
` (282 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, kernel test robot,
Dan Carpenter, Hongling Zeng, Geert Uytterhoeven
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongling Zeng <zenghongling@kylinos.cn>
commit 92b1ea22454b08a39baef3a7290fb3ec50366616 upstream.
The sci_request_port() function uses request_mem_region() to reserve
I/O memory, but in the error path when sci_remap_port() fails, it
incorrectly calls release_resource() instead of release_mem_region().
This mismatch can cause resource accounting issues. Fix it by using
the correct release function, consistent with sci_release_port().
Fixes: e2651647080930a1 ("serial: sh-sci: Handle port memory region reservations.")
Cc: stable <stable@kernel.org>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202604032356.SzEjYkBC-lkp@intel.com/
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20260421065737.724187-1-zenghongling@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/sh-sci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -2753,7 +2753,7 @@ static int sci_request_port(struct uart_
ret = sci_remap_port(port);
if (unlikely(ret != 0)) {
- release_resource(res);
+ release_mem_region(port->mapbase, sport->reg_size);
return ret;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 130/411] serial: zs: Fix swapped RI/DSR modem line transition counting
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 129/411] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 131/411] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma Greg Kroah-Hartman
` (281 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Maciej W. Rozycki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit d15cd40cb1858f75846eaafa9a6bca841b790a92 upstream.
Fix a thinko in the status interrupt handler that has caused counters
for the RI and DSR modem line transitions to be used for the other line
each.
Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Cc: stable <stable@kernel.org>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://patch.msgid.link/alpine.DEB.2.21.2604101747110.29980@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/zs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -679,9 +679,9 @@ static void zs_status_handle(struct zs_p
uart_handle_dcd_change(uport,
zport->mctrl & TIOCM_CAR);
if (delta & TIOCM_RNG)
- uport->icount.dsr++;
- if (delta & TIOCM_DSR)
uport->icount.rng++;
+ if (delta & TIOCM_DSR)
+ uport->icount.dsr++;
if (delta)
wake_up_interruptible(&uport->state->port.delta_msr_wait);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 131/411] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 130/411] serial: zs: Fix swapped RI/DSR modem line transition counting Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 132/411] serial: dz: Fix bootconsole message clobbering at chip reset Greg Kroah-Hartman
` (280 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Shitalkumar Gandhi, Frank Li
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shitalkumar Gandhi <shital.gandhi45@gmail.com>
commit 9a9254c4a2a3ca2b3da16d173f3b0dd01f397ff6 upstream.
lpuart_start_rx_dma() allocates sport->rx_ring.buf with kzalloc() and
then maps a scatterlist via dma_map_sg(). On three subsequent error
paths the function returns directly without releasing those resources:
- when dma_map_sg() returns 0 (-EINVAL):
ring->buf is leaked.
- when dmaengine_slave_config() fails:
ring->buf and the DMA mapping are leaked.
- when dmaengine_prep_dma_cyclic() returns NULL:
ring->buf and the DMA mapping are leaked.
The sole cleanup path, lpuart_dma_rx_free(), is only reached when
lpuart_dma_rx_use is set, and the caller lpuart_rx_dma_startup() clears
that flag on failure of lpuart_start_rx_dma(). So these resources are
permanently leaked on every failure in this function. Repeated port
open/close or termios changes under error conditions will slowly consume
memory and leave stale streaming DMA mappings behind.
Fix it by introducing two error labels that unmap the scatterlist and
free the ring buffer as appropriate. While here, replace the misleading
-EFAULT (bad userspace pointer) returned when dmaengine_prep_dma_cyclic()
fails with the more accurate -ENOMEM, matching how other dmaengine users
in the tree treat this failure.
No functional change on the success path.
Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
Cc: stable <stable@kernel.org>
Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260420135903.2062024-1-shitalkumar.gandhi@cambiumnetworks.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/fsl_lpuart.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1279,7 +1279,8 @@ static inline int lpuart_start_rx_dma(st
if (!nent) {
dev_err(sport->port.dev, "DMA Rx mapping error\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_free_buf;
}
dma_rx_sconfig.src_addr = lpuart_dma_datareg_addr(sport);
@@ -1291,7 +1292,7 @@ static inline int lpuart_start_rx_dma(st
if (ret < 0) {
dev_err(sport->port.dev,
"DMA Rx slave config failed, err = %d\n", ret);
- return ret;
+ goto err_unmap_sg;
}
sport->dma_rx_desc = dmaengine_prep_dma_cyclic(chan,
@@ -1302,7 +1303,8 @@ static inline int lpuart_start_rx_dma(st
DMA_PREP_INTERRUPT);
if (!sport->dma_rx_desc) {
dev_err(sport->port.dev, "Cannot prepare cyclic DMA\n");
- return -EFAULT;
+ ret = -ENOMEM;
+ goto err_unmap_sg;
}
sport->dma_rx_desc->callback = lpuart_dma_rx_complete;
@@ -1320,6 +1322,13 @@ static inline int lpuart_start_rx_dma(st
}
return 0;
+
+err_unmap_sg:
+ dma_unmap_sg(chan->device->dev, &sport->rx_sgl, 1, DMA_FROM_DEVICE);
+err_free_buf:
+ kfree(ring->buf);
+ ring->buf = NULL;
+ return ret;
}
static void lpuart_dma_rx_free(struct uart_port *port)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 132/411] serial: dz: Fix bootconsole message clobbering at chip reset
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 131/411] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 133/411] serial: zs: Fix bootconsole handover lockup Greg Kroah-Hartman
` (279 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit ca904f4b42355287bc5ce8b7550ebe909cda4c2c upstream.
In the DZ interface as implemented by the DC7085 gate array the serial
transmitters are double buffered, meaning that at the time a transmitter
is ready to accept the next character there is one in the transmit shift
register still being sent to the line. Issuing a master clear at this
time causes this character to be lost, so wait an extra amount of time
sufficient for the transmit shift register to drain at 9600bps, which is
the baud rate setting used by the firmware console.
Mind the specified 1.4us TRDY recovery time in the course and continue
using iob() as the completion barrier, since the platforms involved use
a write buffer that can delay and combine writes, and reorder them with
respect to reads regardless of the MMIO locations accessed and we still
lack a platform-independent handler for that.
When called from dz_serial_console_init() this is too early for fsleep()
to work and even before lpj has been calculated and therefore the delay
is actually not sufficient for the transmitter to drain and is merely a
placeholder now. This will be addressed in a follow-up change.
Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062259080.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/dz.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -544,10 +544,31 @@ static int dz_encode_baud_rate(unsigned
static void dz_reset(struct dz_port *dport)
{
struct dz_mux *mux = dport->mux;
+ unsigned short tcr;
+ int loops = 10000;
if (mux->initialised)
return;
+ tcr = dz_in(dport, DZ_TCR);
+
+ /* Do not disturb any ongoing transmissions. */
+ if (dz_in(dport, DZ_CSR) & DZ_MSE) {
+ unsigned short csr, mask;
+
+ mask = tcr;
+ while ((mask & DZ_LNENB) && loops--) {
+ csr = dz_in(dport, DZ_CSR);
+ if (!(csr & DZ_TRDY))
+ continue;
+ mask &= ~(1 << ((csr & DZ_TLINE) >> 8));
+ dz_out(dport, DZ_TCR, mask);
+ iob();
+ udelay(2); /* 1.4us TRDY recovery. */
+ }
+ udelay(1200); /* Transmitter drain. */
+ }
+
dz_out(dport, DZ_CSR, DZ_CLR);
while (dz_in(dport, DZ_CSR) & DZ_CLR);
iob();
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 133/411] serial: zs: Fix bootconsole handover lockup
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 132/411] serial: dz: Fix bootconsole message clobbering at chip reset Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 134/411] serial: zs: Switch to using channel reset Greg Kroah-Hartman
` (278 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 6c05cf72e13314ce9b770b5951695dc5a2152920 upstream.
Calling zs_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled. We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by zs_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.
This will change with the next change to the driver, so fix zs_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset. This
also means zs_pm() serves no purpose anymore, so drop it.
Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062308040.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/zs.c | 29 ++++++++---------------------
1 file changed, 8 insertions(+), 21 deletions(-)
--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -105,18 +105,24 @@ struct zs_parms {
static struct zs_scc zs_sccs[ZS_NUM_SCCS];
+/*
+ * Set parameters in WR5, WR12, WR13 such as not to interfere
+ * with the initial PROM-based console. Otherwise any output
+ * produced before the console handover would cause the system
+ * firmware to hang (TxENAB) or produce rubbish (Tx8, B9600).
+ */
static u8 zs_init_regs[ZS_NUM_REGS] __initdata = {
0, /* write 0 */
PAR_SPEC, /* write 1 */
0, /* write 2 */
0, /* write 3 */
X16CLK | SB1, /* write 4 */
- 0, /* write 5 */
+ Tx8 | TxENAB, /* write 5 */
0, 0, 0, /* write 6, 7, 8 */
MIE | DLC | NV, /* write 9 */
NRZ, /* write 10 */
TCBR | RCBR, /* write 11 */
- 0, 0, /* BRG time constant, write 12 + 13 */
+ 0x16, 0x00, /* BRG time constant, write 12 + 13 */
BRSRC | BRENABL, /* write 14 */
0, /* write 15 */
};
@@ -955,23 +961,6 @@ static void zs_set_termios(struct uart_p
spin_unlock_irqrestore(&scc->zlock, flags);
}
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void zs_pm(struct uart_port *uport, unsigned int state,
- unsigned int oldstate)
-{
- struct zs_port *zport = to_zport(uport);
-
- if (state < 3)
- zport->regs[5] |= TxENAB;
- else
- zport->regs[5] &= ~TxENAB;
- write_zsreg(zport, R5, zport->regs[5]);
-}
-
static const char *zs_type(struct uart_port *uport)
{
@@ -1054,7 +1043,6 @@ static const struct uart_ops zs_ops = {
.startup = zs_startup,
.shutdown = zs_shutdown,
.set_termios = zs_set_termios,
- .pm = zs_pm,
.type = zs_type,
.release_port = zs_release_port,
.request_port = zs_request_port,
@@ -1209,7 +1197,6 @@ static int __init zs_console_setup(struc
return ret;
zs_reset(zport);
- zs_pm(uport, 0, -1);
if (options)
uart_parse_options(options, &baud, &parity, &bits, &flow);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 134/411] serial: zs: Switch to using channel reset
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 133/411] serial: zs: Fix bootconsole handover lockup Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 135/411] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
` (277 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 8572955630f30948837088aa98bcbe0532d1ceac upstream.
Switch the driver to using the channel reset rather than hardware reset,
simplifying handling by removing an interference between channels that
causes the other channel to become uninitialised afterwards.
There is little difference between the two kinds of reset in terms of
register settings that result, and we initialise the whole register set
right away anyway. However this prevents a hang from happening should
the console output handler in the firmware try to access the other port
whose transmitter has been disabled and line parameters messed up.
For example this will happen if the keyboard port (port A) is chosen for
the system console, unusually but not insanely for a headless system, as
the port is wired to a standard DA-15 connector and an adapter can be
easily made. Or with the next change in place this would happen for the
regular console port (port B), since the keyboard port (port A) will be
initialised first.
Just remove the unnecessary complication then, a channel reset is good
enough. We still need the initialisation marker, now per channel rather
than per SCC, as for the console port zs_reset() will be called twice:
once early on via zs_serial_console_init() for the console setup only,
and then again via zs_config_port() as the port is associated with a TTY
device.
Fixes: 8b4a40809e53 ("zs: move to the serial subsystem")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.23+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062323430.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/zs.c | 7 ++++---
drivers/tty/serial/zs.h | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/tty/serial/zs.c
+++ b/drivers/tty/serial/zs.c
@@ -831,21 +831,22 @@ static void zs_shutdown(struct uart_port
static void zs_reset(struct zs_port *zport)
{
+ struct zs_port *zport_a = &zport->scc->zport[ZS_CHAN_A];
struct zs_scc *scc = zport->scc;
int irq;
unsigned long flags;
spin_lock_irqsave(&scc->zlock, flags);
irq = !irqs_disabled_flags(flags);
- if (!scc->initialised) {
+ if (!zport->initialised) {
/* Reset the pointer first, just in case... */
read_zsreg(zport, R0);
/* And let the current transmission finish. */
zs_line_drain(zport, irq);
- write_zsreg(zport, R9, FHWRES);
+ write_zsreg(zport, R9, zport == zport_a ? CHRA : CHRB);
udelay(10);
write_zsreg(zport, R9, 0);
- scc->initialised = 1;
+ zport->initialised = 1;
}
load_zsregs(zport, zport->regs, irq);
spin_unlock_irqrestore(&scc->zlock, flags);
--- a/drivers/tty/serial/zs.h
+++ b/drivers/tty/serial/zs.h
@@ -22,6 +22,7 @@
struct zs_port {
struct zs_scc *scc; /* Containing SCC. */
struct uart_port port; /* Underlying UART. */
+ int initialised; /* For the console port. */
int clk_mode; /* May be 1, 16, 32, or 64. */
@@ -41,7 +42,6 @@ struct zs_scc {
struct zs_port zport[2];
spinlock_t zlock;
atomic_t irq_guard;
- int initialised;
};
#endif /* __KERNEL__ */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 135/411] USB: serial: cypress_m8: fix memory corruption with small endpoint
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 134/411] serial: zs: Switch to using channel reset Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 136/411] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
` (276 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit e1a9d791fd66ab2431b9e6f6f835823809869047 upstream.
Make sure that the interrupt-out endpoint max packet size is at least
eight bytes to avoid user-controlled slab corruption or NULL-pointer
dereference should a malicious device report a smaller size.
Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Cc: stable@vger.kernel.org # 2.6.26
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
[ johan: adjust context for 6.18 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/cypress_m8.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index 115e2df92132d3..2ca7e7af714fdb 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -447,6 +447,14 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
return -ENODEV;
}
+ /*
+ * The buffer must be large enough for the one or two-byte header (and
+ * following data), but assume anything smaller than eight bytes is
+ * broken.
+ */
+ if (port->interrupt_out_size < 8)
+ return -EINVAL;
+
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
if (!priv)
return -ENOMEM;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 136/411] HID: core: Add printk_ratelimited variants to hid_warn() etc
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 135/411] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 137/411] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
` (275 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vicki Pfau, Jiri Kosina, Lee Jones,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vicki Pfau <vi@endrift.com>
[ Upstream commit 1d64624243af8329b4b219d8c39e28ea448f9929 ]
hid_warn_ratelimited() is needed. Add the others as part of the block.
Signed-off-by: Vicki Pfau <vi@endrift.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/hid.h | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 671403f208c91d..3968fa039c260b 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1248,4 +1248,15 @@ do { \
#define hid_dbg_once(hid, fmt, ...) \
dev_dbg_once(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_err_ratelimited(hid, fmt, ...) \
+ dev_err_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_notice_ratelimited(hid, fmt, ...) \
+ dev_notice_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_warn_ratelimited(hid, fmt, ...) \
+ dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_info_ratelimited(hid, fmt, ...) \
+ dev_info_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+#define hid_dbg_ratelimited(hid, fmt, ...) \
+ dev_dbg_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
+
#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 137/411] HID: pass the buffer size to hid_report_raw_event
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 136/411] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 138/411] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
` (274 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires, Johan Hovold,
Jiri Kosina, Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <bentiss@kernel.org>
[ Upstream commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a ]
commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
bogus memset()") enforced the provided data to be at least the size of
the declared buffer in the report descriptor to prevent a buffer
overflow. However, we can try to be smarter by providing both the buffer
size and the data size, meaning that hid_report_raw_event() can make
better decision whether we should plaining reject the buffer (buffer
overflow attempt) or if we can safely memset it to 0 and pass it to the
rest of the stack.
Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Acked-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Stable-dep-of: 206342541fc8 ("HID: core: introduce hid_safe_input_report()")
[Lee: Backported to linux-6.12.y and beyond]
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-core.c | 29 ++++++++++++++++++++++-------
drivers/hid/hid-gfrm.c | 4 ++--
drivers/hid/hid-logitech-hidpp.c | 2 +-
drivers/hid/hid-multitouch.c | 2 +-
drivers/hid/hid-primax.c | 2 +-
drivers/hid/hid-vivaldi.c | 2 +-
drivers/hid/wacom_sys.c | 6 +++---
drivers/staging/greybus/hid.c | 2 +-
include/linux/hid.h | 4 ++--
9 files changed, 34 insertions(+), 19 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 4fb573ee31b2ca..a8d4673c7b8e13 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1775,8 +1775,8 @@ int __hid_request(struct hid_device *hid, struct hid_report *report,
}
EXPORT_SYMBOL_GPL(__hid_request);
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
- int interrupt)
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
+ size_t bufsize, u32 size, int interrupt)
{
struct hid_report_enum *report_enum = hid->report_enum + type;
struct hid_report *report;
@@ -1784,16 +1784,24 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
int max_buffer_size = HID_MAX_BUFFER_SIZE;
unsigned int a;
u32 rsize, csize = size;
+ size_t bsize = bufsize;
u8 *cdata = data;
int ret = 0;
report = hid_get_report(report_enum, data);
if (!report)
- goto out;
+ return 0;
+
+ if (unlikely(bsize < csize)) {
+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+ report->id, csize, bsize);
+ return -EINVAL;
+ }
if (report_enum->numbered) {
cdata++;
csize--;
+ bsize--;
}
rsize = hid_compute_report_size(report);
@@ -1806,9 +1814,15 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
else if (rsize > max_buffer_size)
rsize = max_buffer_size;
+ if (bsize < rsize) {
+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+ report->id, rsize, bsize);
+ return -EINVAL;
+ }
+
if (csize < rsize) {
dbg_hid("report %d is too short, (%d < %d)\n", report->id,
- csize, rsize);
+ csize, rsize);
memset(cdata + csize, 0, rsize - csize);
}
@@ -1817,7 +1831,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
if (hid->claimed & HID_CLAIMED_HIDRAW) {
ret = hidraw_report_event(hid, data, size);
if (ret)
- goto out;
+ return ret;
}
if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
@@ -1830,7 +1844,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
if (hid->claimed & HID_CLAIMED_INPUT)
hidinput_report_event(hid, report);
-out:
+
return ret;
}
EXPORT_SYMBOL_GPL(hid_report_raw_event);
@@ -1851,6 +1865,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i
struct hid_report_enum *report_enum;
struct hid_driver *hdrv;
struct hid_report *report;
+ size_t bufsize = size;
int ret = 0;
if (!hid)
@@ -1889,7 +1904,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i
goto unlock;
}
- ret = hid_report_raw_event(hid, type, data, size, interrupt);
+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
unlock:
up(&hid->driver_input_lock);
diff --git a/drivers/hid/hid-gfrm.c b/drivers/hid/hid-gfrm.c
index 699186ff2349e9..d2a56bf92b416e 100644
--- a/drivers/hid/hid-gfrm.c
+++ b/drivers/hid/hid-gfrm.c
@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
switch (data[1]) {
case GFRM100_SEARCH_KEY_DOWN:
ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
- sizeof(search_key_dn), 1);
+ sizeof(search_key_dn), sizeof(search_key_dn), 1);
break;
case GFRM100_SEARCH_KEY_AUDIO_DATA:
@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
case GFRM100_SEARCH_KEY_UP:
ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
- sizeof(search_key_up), 1);
+ sizeof(search_key_up), sizeof(search_key_up), 1);
break;
default:
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 7ed851bf5bc81f..812ed660c55575 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -3440,7 +3440,7 @@ static int hidpp10_consumer_keys_raw_event(struct hidpp_device *hidpp,
memcpy(&consumer_report[1], &data[3], 4);
/* We are called from atomic context */
hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
- consumer_report, 5, 1);
+ consumer_report, sizeof(consumer_report), 5, 1);
return 1;
}
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 7a092a2a1bf004..df87d7ae94c462 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -479,7 +479,7 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
}
ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
- size, 0);
+ size, size, 0);
if (ret)
dev_warn(&hdev->dev, "failed to report feature\n");
}
diff --git a/drivers/hid/hid-primax.c b/drivers/hid/hid-primax.c
index 1e6413d07cae21..16e2a811eda9f0 100644
--- a/drivers/hid/hid-primax.c
+++ b/drivers/hid/hid-primax.c
@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_device *hid, struct hid_report *report,
data[0] |= (1 << (data[idx] - 0xE0));
data[idx] = 0;
}
- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
return 1;
default: /* unknown report */
diff --git a/drivers/hid/hid-vivaldi.c b/drivers/hid/hid-vivaldi.c
index d57ec17670379c..fdfea1355ee782 100644
--- a/drivers/hid/hid-vivaldi.c
+++ b/drivers/hid/hid-vivaldi.c
@@ -126,7 +126,7 @@ static void vivaldi_feature_mapping(struct hid_device *hdev,
}
ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
- report_len, 0);
+ report_len, report_len, 0);
if (ret) {
dev_warn(&hdev->dev, "failed to report feature %d\n",
field->report->id);
diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
index 9065a41336f9ba..07de763a4ee330 100644
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -79,7 +79,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
int err;
size = kfifo_out(fifo, buf, sizeof(buf));
- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
if (err) {
hid_warn(hdev, "%s: unable to flush event due to error %d\n",
__func__, err);
@@ -324,7 +324,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
data, n, WAC_CMD_RETRIES);
if (ret == n && features->type == HID_GENERIC) {
ret = hid_report_raw_event(hdev,
- HID_FEATURE_REPORT, data, n, 0);
+ HID_FEATURE_REPORT, data, n, n, 0);
} else if (ret == 2 && features->type != HID_GENERIC) {
features->touch_max = data[1];
} else {
@@ -386,7 +386,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
data, n, WAC_CMD_RETRIES);
if (ret == n) {
ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
- data, n, 0);
+ data, n, n, 0);
} else {
hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
__func__);
diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
index adb91286803a91..49b42c0ab078ec 100644
--- a/drivers/staging/greybus/hid.c
+++ b/drivers/staging/greybus/hid.c
@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid *ghid, struct hid_report *report)
* we just need to setup the input fields, so using
* hid_report_raw_event is safe.
*/
- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
}
static void gb_hid_init_reports(struct gb_hid *ghid)
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 3968fa039c260b..c92c5e2ae24f3b 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1206,8 +1206,8 @@ static inline u32 hid_report_len(struct hid_report *report)
return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
}
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
- int interrupt);
+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
+ size_t bufsize, u32 size, int interrupt);
/* HID quirks API */
unsigned long hid_lookup_quirk(const struct hid_device *hdev);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 138/411] HID: core: Fix size_t specifier in hid_report_raw_event()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 137/411] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 139/411] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
` (273 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miguel Ojeda, Nathan Chancellor,
Linus Torvalds, Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 ]
When building for 32-bit platforms, for which 'size_t' is
'unsigned int', there are warnings around using the incorrect format
specifier to print bsize in hid_report_raw_event():
drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
2053 | hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
| ~~~
| %zu
2054 | report->id, csize, bsize);
| ^~~~~
drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
2075 | hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
| ~~~
| %zu
2076 | report->id, rsize, bsize);
| ^~~~~
Use the proper 'size_t' format specifier, '%zu', to clear up the
warnings.
Cc: stable@vger.kernel.org
Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
Reported-by: Miguel Ojeda <ojeda@kernel.org>
Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index a8d4673c7b8e13..e106b59b55da2d 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1793,7 +1793,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
return 0;
if (unlikely(bsize < csize)) {
- hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n",
report->id, csize, bsize);
return -EINVAL;
}
@@ -1815,7 +1815,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
rsize = max_buffer_size;
if (bsize < rsize) {
- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
report->id, rsize, bsize);
return -EINVAL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 139/411] USB: serial: digi_acceleport: fix memory corruption with small endpoints
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 138/411] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 140/411] xhci: tegra: Fix ghost USB device on dual-role port unplug Greg Kroah-Hartman
` (272 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit cb3560e8eab1dfa1cac1ed52631adf8ec6ff2cd5 upstream.
Add the missing bulk-out buffer size sanity checks to avoid
out-of-bounds memory accesses or slab corruption should a malicious
device report smaller buffers than expected.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/digi_acceleport.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
index af65eb863d70d4..6edc1b50a364f1 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1228,15 +1228,34 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
static int digi_startup(struct usb_serial *serial)
{
struct digi_serial *serial_priv;
+ int oob_port_num;
int ret;
+ int i;
+
+ /*
+ * The port bulk-out buffers must be large enough for header and
+ * buffered data.
+ */
+ for (i = 0; i < serial->type->num_ports; i++) {
+ if (serial->port[i]->bulk_out_size < DIGI_OUT_BUF_SIZE + 2)
+ return -EINVAL;
+ }
+
+ /*
+ * The OOB port bulk-out buffer must be large enough for the two
+ * commands in digi_set_modem_signals().
+ */
+ oob_port_num = serial->type->num_ports;
+ if (serial->port[oob_port_num]->bulk_out_size < 8)
+ return -EINVAL;
serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
if (!serial_priv)
return -ENOMEM;
spin_lock_init(&serial_priv->ds_serial_lock);
- serial_priv->ds_oob_port_num = serial->type->num_ports;
- serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
+ serial_priv->ds_oob_port_num = oob_port_num;
+ serial_priv->ds_oob_port = serial->port[oob_port_num];
ret = digi_port_init(serial_priv->ds_oob_port,
serial_priv->ds_oob_port_num);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 140/411] xhci: tegra: Fix ghost USB device on dual-role port unplug
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 139/411] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 141/411] serial: dz: Fix bootconsole handover lockup Greg Kroah-Hartman
` (271 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei-Cheng Chen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei-Cheng Chen <weichengc@nvidia.com>
[ Upstream commit 5a4c828b8b29b47534814ade26d9aee09d5101fc ]
When a USB device is unplugged from the dual-role port, the device-mode
path in tegra_xhci_id_work() explicitly clears both SS and HS port power
via direct hub_control ClearPortFeature(POWER) calls. This preempts the
xHCI controller's normal disconnect processing -- PORT_CSC is never
generated, the USB core never sees the disconnect, and the device remains
in its internal tree as a ghost visible in lsusb.
Add an otg_set_port_power flag to control whether the dual-role switch
path performs explicit port power management. SoCs that need it
(Tegra124 / Tegra210 / Tegra186) set the flag; later SoCs (Tegra194 and
beyond) rely on the PHY mode change to handle disconnect naturally and
skip all port power calls.
Within the port power path, otg_reset_sspi additionally gates the SSPI
reset sequence on host-mode entry for SoCs that require it.
Flags set per SoC:
Tegra124, Tegra186 -> otg_set_port_power
Tegra210 -> otg_set_port_power, otg_reset_sspi
Tegra194 and later -> (none)
[ Backport to 5.15.y: keep the host-mode snapshot in the existing
tegra->lock section, retain pm_runtime_mark_last_busy() in the host
port-power path, and omit the newer Tegra234 entry. ]
Fixes: f836e7843036 ("usb: xhci-tegra: Add OTG support")
Cc: stable@vger.kernel.org
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Link: https://patch.msgid.link/20260505112630.217704-1-weichengc@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-tegra.c | 78 ++++++++++++++++++++---------------
1 file changed, 44 insertions(+), 34 deletions(-)
diff --git a/drivers/usb/host/xhci-tegra.c b/drivers/usb/host/xhci-tegra.c
index 14a772feab7946..0f936aeb88d064 100644
--- a/drivers/usb/host/xhci-tegra.c
+++ b/drivers/usb/host/xhci-tegra.c
@@ -210,6 +210,7 @@ struct tegra_xusb_soc {
bool has_ipfs;
bool lpm_support;
bool otg_reset_sspi;
+ bool otg_set_port_power;
};
struct tegra_xusb_context {
@@ -1211,14 +1212,17 @@ static void tegra_xhci_id_work(struct work_struct *work)
struct tegra_xusb_mbox_msg msg;
struct phy *phy = tegra_xusb_get_phy(tegra, "usb2",
tegra->otg_usb2_port);
+ bool host_mode;
u32 status;
int ret;
- dev_dbg(tegra->dev, "host mode %s\n", tegra->host_mode ? "on" : "off");
-
mutex_lock(&tegra->lock);
- if (tegra->host_mode)
+ host_mode = tegra->host_mode;
+
+ dev_dbg(tegra->dev, "host mode %s\n", host_mode ? "on" : "off");
+
+ if (host_mode)
phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_HOST);
else
phy_set_mode_ext(phy, PHY_MODE_USB_OTG, USB_ROLE_NONE);
@@ -1229,42 +1233,44 @@ static void tegra_xhci_id_work(struct work_struct *work)
tegra->otg_usb2_port);
pm_runtime_get_sync(tegra->dev);
- if (tegra->host_mode) {
- /* switch to host mode */
- if (tegra->otg_usb3_port >= 0) {
- if (tegra->soc->otg_reset_sspi) {
- /* set PP=0 */
- tegra_xhci_hc_driver.hub_control(
- xhci->shared_hcd, GetPortStatus,
- 0, tegra->otg_usb3_port+1,
- (char *) &status, sizeof(status));
- if (status & USB_SS_PORT_STAT_POWER)
- tegra_xhci_set_port_power(tegra, false,
- false);
-
- /* reset OTG port SSPI */
- msg.cmd = MBOX_CMD_RESET_SSPI;
- msg.data = tegra->otg_usb3_port+1;
-
- ret = tegra_xusb_mbox_send(tegra, &msg);
- if (ret < 0) {
- dev_info(tegra->dev,
- "failed to RESET_SSPI %d\n",
- ret);
+ if (tegra->soc->otg_set_port_power) {
+ if (host_mode) {
+ /* switch to host mode */
+ if (tegra->otg_usb3_port >= 0) {
+ if (tegra->soc->otg_reset_sspi) {
+ /* set PP=0 */
+ tegra_xhci_hc_driver.hub_control(
+ xhci->shared_hcd, GetPortStatus,
+ 0, tegra->otg_usb3_port+1,
+ (char *) &status, sizeof(status));
+ if (status & USB_SS_PORT_STAT_POWER)
+ tegra_xhci_set_port_power(tegra, false,
+ false);
+
+ /* reset OTG port SSPI */
+ msg.cmd = MBOX_CMD_RESET_SSPI;
+ msg.data = tegra->otg_usb3_port+1;
+
+ ret = tegra_xusb_mbox_send(tegra, &msg);
+ if (ret < 0) {
+ dev_info(tegra->dev,
+ "failed to RESET_SSPI %d\n",
+ ret);
+ }
}
- }
- tegra_xhci_set_port_power(tegra, false, true);
- }
+ tegra_xhci_set_port_power(tegra, false, true);
+ }
- tegra_xhci_set_port_power(tegra, true, true);
- pm_runtime_mark_last_busy(tegra->dev);
+ tegra_xhci_set_port_power(tegra, true, true);
+ pm_runtime_mark_last_busy(tegra->dev);
- } else {
- if (tegra->otg_usb3_port >= 0)
- tegra_xhci_set_port_power(tegra, false, false);
+ } else {
+ if (tegra->otg_usb3_port >= 0)
+ tegra_xhci_set_port_power(tegra, false, false);
- tegra_xhci_set_port_power(tegra, true, false);
+ tegra_xhci_set_port_power(tegra, true, false);
+ }
}
pm_runtime_put_autosuspend(tegra->dev);
}
@@ -2289,6 +2295,7 @@ static const struct tegra_xusb_soc tegra124_soc = {
.scale_ss_clock = true,
.has_ipfs = true,
.otg_reset_sspi = false,
+ .otg_set_port_power = true,
.mbox = {
.cmd = 0xe4,
.data_in = 0xe8,
@@ -2325,6 +2332,7 @@ static const struct tegra_xusb_soc tegra210_soc = {
.scale_ss_clock = false,
.has_ipfs = true,
.otg_reset_sspi = true,
+ .otg_set_port_power = true,
.mbox = {
.cmd = 0xe4,
.data_in = 0xe8,
@@ -2366,6 +2374,7 @@ static const struct tegra_xusb_soc tegra186_soc = {
.scale_ss_clock = false,
.has_ipfs = false,
.otg_reset_sspi = false,
+ .otg_set_port_power = true,
.mbox = {
.cmd = 0xe4,
.data_in = 0xe8,
@@ -2397,6 +2406,7 @@ static const struct tegra_xusb_soc tegra194_soc = {
.scale_ss_clock = false,
.has_ipfs = false,
.otg_reset_sspi = false,
+ .otg_set_port_power = false,
.mbox = {
.cmd = 0x68,
.data_in = 0x6c,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 141/411] serial: dz: Fix bootconsole handover lockup
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 140/411] xhci: tegra: Fix ghost USB device on dual-role port unplug Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 142/411] usb: core: Fix SuperSpeed root hub wMaxPacketSize Greg Kroah-Hartman
` (270 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 7f127b2208e5e2b817243cad41fe4211a6d5a7a3 upstream.
Calling dz_reset() in the course of setting up the serial device causes
line parameters to be reset and the transmitter disabled. We've been
lucky in that no message is usually produced to the kernel log between
this call and the later call to uart_set_options() in the course of
console setup done by dz_serial_console_init(), or the system would hang
as the console output handler in the firmware tried to access a port the
transmitter of which has been disabled and line parameters messed up.
This will change with the next change to the driver, so fix dz_reset()
such that line parameters are set for 9600n8 console operation as with
the system firmware and the transmitter re-enabled after reset. This
also means dz_pm() serves no purpose anymore, so drop it.
Fixes: e6ee512f5a77 ("dz.c: Resource management")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.25+
Link: https://patch.msgid.link/alpine.DEB.2.21.2605062302010.46195@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Avoid C99+ 'for' loop initial declaration for 5.15.y. ]
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/dz.c | 37 +++++++++++++------------------------
1 file changed, 13 insertions(+), 24 deletions(-)
diff --git a/drivers/tty/serial/dz.c b/drivers/tty/serial/dz.c
index 6d74ba5a5a431c..05f22e76a50893 100644
--- a/drivers/tty/serial/dz.c
+++ b/drivers/tty/serial/dz.c
@@ -546,6 +546,7 @@ static void dz_reset(struct dz_port *dport)
struct dz_mux *mux = dport->mux;
unsigned short tcr;
int loops = 10000;
+ int line;
if (mux->initialised)
return;
@@ -573,6 +574,18 @@ static void dz_reset(struct dz_port *dport)
while (dz_in(dport, DZ_CSR) & DZ_CLR);
iob();
+ /*
+ * Set parameters across all lines such as not to interfere
+ * with the initial PROM-based console. Otherwise any output
+ * produced before the console handover would cause the system
+ * firmware to produce rubbish.
+ */
+ for (line = 0; line < DZ_NB_PORT; line++)
+ dz_out(dport, DZ_LPR, DZ_B9600 | DZ_CS8 | line);
+
+ /* Re-enable transmission for the initial PROM-based console. */
+ dz_out(dport, DZ_TCR, tcr);
+
/* Enable scanning. */
dz_out(dport, DZ_CSR, DZ_MSE);
@@ -653,26 +666,6 @@ static void dz_set_termios(struct uart_port *uport, struct ktermios *termios,
spin_unlock_irqrestore(&dport->port.lock, flags);
}
-/*
- * Hack alert!
- * Required solely so that the initial PROM-based console
- * works undisturbed in parallel with this one.
- */
-static void dz_pm(struct uart_port *uport, unsigned int state,
- unsigned int oldstate)
-{
- struct dz_port *dport = to_dport(uport);
- unsigned long flags;
-
- spin_lock_irqsave(&dport->port.lock, flags);
- if (state < 3)
- dz_start_tx(&dport->port);
- else
- dz_stop_tx(&dport->port);
- spin_unlock_irqrestore(&dport->port.lock, flags);
-}
-
-
static const char *dz_type(struct uart_port *uport)
{
return "DZ";
@@ -768,7 +761,6 @@ static const struct uart_ops dz_ops = {
.startup = dz_startup,
.shutdown = dz_shutdown,
.set_termios = dz_set_termios,
- .pm = dz_pm,
.type = dz_type,
.release_port = dz_release_port,
.request_port = dz_request_port,
@@ -893,10 +885,7 @@ static int __init dz_console_setup(struct console *co, char *options)
if (ret)
return ret;
- spin_lock_init(&dport->port.lock); /* For dz_pm(). */
-
dz_reset(dport);
- dz_pm(uport, 0, -1);
if (options)
uart_parse_options(options, &baud, &parity, &bits, &flow);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 142/411] usb: core: Fix SuperSpeed root hub wMaxPacketSize
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 141/411] serial: dz: Fix bootconsole handover lockup Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 143/411] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
` (269 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman, Michal Pecio
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
commit d1e280334b7f0a1df441e08bd1f6a1bcc36b3bbb upstream.
There is no good reason to have wBytesPerInterval < wMaxPacketSize -
either one is too low or the other too high, and we may want to warn
about such descriptors. Start with cleaning up our own root hubs.
USB 3.2 section 10.15.1 sets wMaxPacketSize and wBytesPerInterval of
SuperSpeed hub status endpoints at 2 bytes, so reduce wMaxPacketSize
from its former value of 4, which was derived from USB 2.0 spec and
the kernel's USB_MAXCHILDREN limit. They don't apply because USB 3.2
10.15.2.1 specifies SuperSpeed hubs to have up to 15 ports.
Suggested-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Link: https://patch.msgid.link/20260518073121.7bc1da0f.michal.pecio@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hcd.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -353,9 +353,7 @@ static const u8 ss_rh_config_descriptor[
USB_DT_ENDPOINT, /* __u8 ep_bDescriptorType; Endpoint */
0x81, /* __u8 ep_bEndpointAddress; IN Endpoint 1 */
0x03, /* __u8 ep_bmAttributes; Interrupt */
- /* __le16 ep_wMaxPacketSize; 1 + (MAX_ROOT_PORTS / 8)
- * see hub.c:hub_configure() for details. */
- (USB_MAXCHILDREN + 1 + 7) / 8, 0x00,
+ 0x02, 0x00, /* __le16 ep_wMaxPacketSize; 2 bytes per USB3 10.15.1 */
0x0c, /* __u8 ep_bInterval; (256ms -- usb 2.0 spec) */
/* one SuperSpeed endpoint companion descriptor */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 143/411] bpf: Free reuseport cBPF prog after RCU grace period.
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 142/411] usb: core: Fix SuperSpeed root hub wMaxPacketSize Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 144/411] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
` (268 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eulgyu Kim, Taeyang Lee,
Kuniyuki Iwashima, Daniel Borkmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
Eulgyu Kim reported the splat below with a repro. [0]
The repro sets up a UDP reuseport group with a cBPF prog and
replaces it with a new one while another thread is sending
a UDP packet to the group.
The reuseport prog is freed by sk_reuseport_prog_free().
bpf_prog_put() is called for "e"BPF prog to destruct through
multiple stages while cBPF prog is freed immediately by
bpf_release_orig_filter() and bpf_prog_free().
If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU
readers to complete, resulting in various bugs.
Let's defer freeing the reuseport cBPF prog after one RCU
grace period.
Note "e"BPF prog is safe as is unless the fast path starts
to touch fields destroyed in bpf_prog_put_deferred() and
__bpf_prog_put_noref().
[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208
CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
__udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
__udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
__udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6181 [inline]
__netif_receive_skb net/core/dev.c:6294 [inline]
process_backlog+0xaa4/0x1960 net/core/dev.c:6645
__napi_poll+0xae/0x340 net/core/dev.c:7709
napi_poll net/core/dev.c:7772 [inline]
net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
handle_softirqs+0x22b/0x870 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
__dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
neigh_output include/net/neighbour.h:556 [inline]
ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x554/0x680 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x415a2d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
</TASK>
Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
Reported-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 04d1cf57cfe257..6a1210abe4625e 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1641,15 +1641,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
return err;
}
+static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
+{
+ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
+ struct bpf_prog *prog = aux->prog;
+
+ bpf_release_orig_filter(prog);
+ bpf_prog_free(prog);
+}
+
void sk_reuseport_prog_free(struct bpf_prog *prog)
{
if (!prog)
return;
- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
- bpf_prog_put(prog);
+ if (bpf_prog_was_classic(prog))
+ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
else
- bpf_prog_destroy(prog);
+ bpf_prog_put(prog);
}
struct bpf_scratchpad {
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 144/411] USB: serial: mct_u232: fix memory corruption with small endpoint
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 143/411] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 145/411] compiler-clang.h: Add __diag infrastructure for clang Greg Kroah-Hartman
` (267 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
The driver overrides the maximum transfer size for a specific device
which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
Make sure to never increase the maximum transfer size to prevent slab
corruption should a malicious device report a smaller endpoint max
packet size than expected.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
index 5070e6d5cfd9eb..a359669df3dfff 100644
--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
{
struct usb_serial *serial = port->serial;
struct mct_u232_private *priv;
+ u16 pid;
/* check first to simplify error handling */
if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
return -ENODEV;
}
+ /*
+ * Compensate for a hardware bug: although the Sitecom U232-P25
+ * device reports a maximum output packet size of 32 bytes,
+ * it seems to be able to accept only 16 bytes (and that's what
+ * SniffUSB says too...)
+ */
+ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
+ if (pid == MCT_U232_SITECOM_PID)
+ port->bulk_out_size = min(16, port->bulk_out_size);
+
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port)
static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
{
- struct usb_serial *serial = port->serial;
struct mct_u232_private *priv = usb_get_serial_port_data(port);
int retval = 0;
unsigned int control_state;
@@ -418,15 +428,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
unsigned char last_lcr;
unsigned char last_msr;
- /* Compensate for a hardware bug: although the Sitecom U232-P25
- * device reports a maximum output packet size of 32 bytes,
- * it seems to be able to accept only 16 bytes (and that's what
- * SniffUSB says too...)
- */
- if (le16_to_cpu(serial->dev->descriptor.idProduct)
- == MCT_U232_SITECOM_PID)
- port->bulk_out_size = 16;
-
/* Do a defined restart: the normal serial device seems to
* always turn on DTR and RTS here, so do the same. I'm not
* sure if this is really necessary. But it should not harm
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 145/411] compiler-clang.h: Add __diag infrastructure for clang
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 144/411] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 146/411] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
` (266 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor,
Kumar Kartikeya Dwivedi, Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit f014a00bbeb09cea16017b82448d32a468a6b96f upstream.
Add __diag macros similar to those in compiler-gcc.h, so that warnings
that need to be adjusted for specific cases but not globally can be
ignored when building with clang.
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220304224645.3677453-6-memxor@gmail.com
[ Kartikeya: wrote commit message ]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/compiler-clang.h | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index 3397f6809c8694..7ae9fc072302d4 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -119,3 +119,25 @@
#define __nocfi __attribute__((__no_sanitize__("cfi")))
#define __cficanonical __attribute__((__cfi_canonical_jump_table__))
+
+/*
+ * Turn individual warnings and errors on and off locally, depending
+ * on version.
+ */
+#define __diag_clang(version, severity, s) \
+ __diag_clang_ ## version(__diag_clang_ ## severity s)
+
+/* Severity used in pragma directives */
+#define __diag_clang_ignore ignored
+#define __diag_clang_warn warning
+#define __diag_clang_error error
+
+#define __diag_str1(s) #s
+#define __diag_str(s) __diag_str1(s)
+#define __diag(s) _Pragma(__diag_str(clang diagnostic s))
+
+#if CONFIG_CLANG_VERSION >= 110000
+#define __diag_clang_11(s) __diag(s)
+#else
+#define __diag_clang_11(s)
+#endif
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 146/411] Disable -Wattribute-alias for clang-23 and newer
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 145/411] compiler-clang.h: Add __diag infrastructure for clang Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 147/411] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
` (265 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.
Clang recently added support for -Wattribute-alias [1], which results in
the same warnings that necessitated commit bee20031772a ("disable
-Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.
kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
| ^
include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
| ^
include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
| ^
include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
251 | __attribute__((alias(__stringify(__se_sys##name)))); \
| ^
kernel/time/itimer.c:325:1: note: aliasee is declared here
include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
| ^
include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
| ^
include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
| ^
<scratch space>:16:1: note: expanded from here
16 | __se_sys_alarm
| ^
Disable the warnings in the same way for clang-23 and newer. Disable the
warning about unknown warning options to avoid breaking the build for
versions of clang-23 that do not have -Wattribute-alias, such as ones
deployed by vendors like Android or CI systems or when bisecting LLVM
between llvmorg-23-init and release/23.x.
Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
[nathan: Drop arch/riscv hunk in older trees and address conflicts]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/compat.h | 4 ++++
include/linux/compiler-clang.h | 6 ++++++
include/linux/compiler_types.h | 4 ++++
include/linux/syscalls.h | 4 ++++
4 files changed, 18 insertions(+)
diff --git a/include/linux/compat.h b/include/linux/compat.h
index d91fb5225dbf48..c5441ac9050f4f 100644
--- a/include/linux/compat.h
+++ b/include/linux/compat.h
@@ -72,6 +72,10 @@
__diag_push(); \
__diag_ignore(GCC, 8, "-Wattribute-alias", \
"Type aliasing is used to sanitize syscall arguments");\
+ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
+ "Avoid breaking versions without -Wattribute-alias"); \
+ __diag_ignore(clang, 23, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments"); \
asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
__attribute__((alias(__stringify(__se_compat_sys##name)))); \
ALLOW_ERROR_INJECTION(compat_sys##name, ERRNO); \
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index 7ae9fc072302d4..f0b218c914f1fb 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -141,3 +141,9 @@
#else
#define __diag_clang_11(s)
#endif
+
+#if CONFIG_CLANG_VERSION >= 230000
+#define __diag_clang_23(s) __diag(s)
+#else
+#define __diag_clang_23(s)
+#endif
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index ca9345e2934d38..2eda6f70169630 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -345,6 +345,10 @@ struct ftrace_likely_data {
#define __diag_GCC(version, severity, string)
#endif
+#ifndef __diag_clang
+#define __diag_clang(version, severity, string)
+#endif
+
#define __diag_push() __diag(push)
#define __diag_pop() __diag(pop)
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index b8037a46ff41d7..ce63109333a585 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -239,6 +239,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
__diag_push(); \
__diag_ignore(GCC, 8, "-Wattribute-alias", \
"Type aliasing is used to sanitize syscall arguments");\
+ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
+ "Avoid breaking versions without -Wattribute-alias");\
+ __diag_ignore(clang, 23, "-Wattribute-alias", \
+ "Type aliasing is used to sanitize syscall arguments");\
asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
__attribute__((alias(__stringify(__se_sys##name)))); \
ALLOW_ERROR_INJECTION(sys##name, ERRNO); \
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 147/411] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 146/411] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 148/411] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
` (264 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Wolfram Sang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream.
While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
timeout value` warning was observed, accompanied by SMBus controller
state machine corruption.
The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
10 ms. The user argument is checked against INT_MAX, but it is
subsequently multiplied by 10 before being passed to msecs_to_jiffies().
A malicious user can pass a large value (e.g., 429496729) that passes
the `arg > INT_MAX` check but overflows when multiplied by 10. This
results in a truncated 32-bit unsigned value that bypasses the
internal `(int)m < 0` check in `msecs_to_jiffies()`.
The truncated value is then assigned to `client->adapter->timeout`
(a signed 32-bit int), which is reinterpreted as a negative number.
When passed to wait_for_completion_timeout(), this negative value
undergoes sign extension to a 64-bit unsigned long, triggering the
`schedule_timeout` warning and causing premature returns. This leaves
the SMBus state machine in an unrecoverable state, constituting a
local Denial of Service (DoS).
Fix this by bounding the user argument to `INT_MAX / 10`.
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
[wsa: move the comment as well]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-dev.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *fi
client->adapter->retries = arg;
break;
case I2C_TIMEOUT:
- if (arg > INT_MAX)
+ /*
+ * For historical reasons, user-space sets the timeout value in
+ * units of 10 ms.
+ */
+ if (arg > INT_MAX / 10)
return -EINVAL;
- /* For historical reasons, user-space sets the timeout
- * value in units of 10 ms.
- */
client->adapter->timeout = msecs_to_jiffies(arg * 10);
break;
default:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 148/411] ipv6: mcast: Fix use-after-free when processing MLD queries
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 147/411] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 149/411] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
` (263 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Lin, David Ahern, Ido Schimmel,
Eric Dumazet, Jiayuan Chen, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 upstream.
When processing an MLD query, a pointer to the multicast group address
is retrieved when initially parsing the packet. This pointer is later
dereferenced without being reloaded despite the fact that the skb header
might have been reallocated following the pskb_may_pull() calls, leading
to a use-after-free [1].
Fix by copying the multicast group address when the packet is initially
parsed.
[1]
BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
Workqueue: mld mld_query_work
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
print_address_description.constprop.0 (mm/kasan/report.c:378)
print_report (mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:595)
__mld_query_work (net/ipv6/mcast.c:1512)
mld_query_work (net/ipv6/mcast.c:1563)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
</TASK>
[...]
Freed by task 118:
kasan_save_stack (mm/kasan/common.c:57)
kasan_save_track (mm/kasan/common.c:78)
kasan_save_free_info (mm/kasan/generic.c:584)
__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
pskb_expand_head (net/core/skbuff.c:2335)
__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
mld_query_work (net/ipv6/mcast.c:1563)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
Reported-by: Leo Lin <leo@depthfirst.com>
Reviewed-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/mcast.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1392,9 +1392,9 @@ out:
static void __mld_query_work(struct sk_buff *skb)
{
struct mld2_query *mlh2 = NULL;
- const struct in6_addr *group;
unsigned long max_delay;
struct inet6_dev *idev;
+ struct in6_addr group;
struct ifmcaddr6 *ma;
struct mld_msg *mld;
int group_type;
@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_b
goto kfree_skb;
mld = (struct mld_msg *)icmp6_hdr(skb);
- group = &mld->mld_mca;
- group_type = ipv6_addr_type(group);
+ group = mld->mld_mca;
+ group_type = ipv6_addr_type(&group);
if (group_type != IPV6_ADDR_ANY &&
!(group_type&IPV6_ADDR_MULTICAST))
@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_b
}
} else {
for_each_mc_mclock(idev, ma) {
- if (!ipv6_addr_equal(group, &ma->mca_addr))
+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
continue;
if (ma->mca_flags & MAF_TIMER_RUNNING) {
/* gsquery <- gsquery && mark */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 149/411] tee: optee: prevent use-after-free when the client exits before the supplicant
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 148/411] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 150/411] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
` (262 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amirreza Zarrabi, Ox Yeh, Sumit Garg,
Jens Wiklander, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
[ Upstream commit 387a926ee166814611acecb960207fe2f3c4fd3e ]
Commit 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop") made the
client wait as killable so it can be interrupted during shutdown or
after a supplicant crash. This changes the original lifetime expectations:
the client task can now terminate while the supplicant is still processing
its request.
If the client exits first it removes the request from its queue and
kfree()s it, while the request ID remains in supp->idr. A subsequent
lookup on the supplicant path then dereferences freed memory, leading to
a use-after-free.
Serialise access to the request with supp->mutex:
* Hold supp->mutex in optee_supp_recv() and optee_supp_send() while
looking up and touching the request.
* Let optee_supp_thrd_req() notice that the client has terminated and
signal optee_supp_send() accordingly.
With these changes the request cannot be freed while the supplicant still
has a reference, eliminating the race.
Fixes: 70b0d6b0a199 ("tee: optee: Fix supplicant wait loop")
Signed-off-by: Amirreza Zarrabi <amirreza.zarrabi@oss.qualcomm.com>
Tested-by: Ox Yeh <ox.yeh@mediatek.com>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tee/optee/supp.c | 107 +++++++++++++++++++++++++++------------
1 file changed, 74 insertions(+), 33 deletions(-)
diff --git a/drivers/tee/optee/supp.c b/drivers/tee/optee/supp.c
index d0f397c9024201..2386bbd38ce78b 100644
--- a/drivers/tee/optee/supp.c
+++ b/drivers/tee/optee/supp.c
@@ -10,7 +10,11 @@
struct optee_supp_req {
struct list_head link;
+ int id;
+
bool in_queue;
+ bool processed;
+
u32 func;
u32 ret;
size_t num_params;
@@ -19,6 +23,9 @@ struct optee_supp_req {
struct completion c;
};
+/* It is temporary request used for revoked pending request in supp->idr. */
+#define INVALID_REQ_PTR ((struct optee_supp_req *)ERR_PTR(-EBADF))
+
void optee_supp_init(struct optee_supp *supp)
{
memset(supp, 0, sizeof(*supp));
@@ -39,21 +46,23 @@ void optee_supp_release(struct optee_supp *supp)
{
int id;
struct optee_supp_req *req;
- struct optee_supp_req *req_tmp;
mutex_lock(&supp->mutex);
- /* Abort all request retrieved by supplicant */
+ /* Abort all request */
idr_for_each_entry(&supp->idr, req, id) {
idr_remove(&supp->idr, id);
- req->ret = TEEC_ERROR_COMMUNICATION;
- complete(&req->c);
- }
+ /* Skip if request was already marked invalid */
+ if (IS_ERR(req))
+ continue;
- /* Abort all queued requests */
- list_for_each_entry_safe(req, req_tmp, &supp->reqs, link) {
- list_del(&req->link);
- req->in_queue = false;
+ /* For queued requests where supplicant has not seen it */
+ if (req->in_queue) {
+ list_del(&req->link);
+ req->in_queue = false;
+ }
+
+ req->processed = true;
req->ret = TEEC_ERROR_COMMUNICATION;
complete(&req->c);
}
@@ -100,8 +109,16 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
/* Insert the request in the request list */
mutex_lock(&supp->mutex);
+ req->id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
+ if (req->id < 0) {
+ mutex_unlock(&supp->mutex);
+ kfree(req);
+ return TEEC_ERROR_OUT_OF_MEMORY;
+ }
+
list_add_tail(&req->link, &supp->reqs);
req->in_queue = true;
+ req->processed = false;
mutex_unlock(&supp->mutex);
/* Tell an eventual waiter there's a new request */
@@ -117,21 +134,43 @@ u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t num_params,
if (wait_for_completion_killable(&req->c)) {
mutex_lock(&supp->mutex);
if (req->in_queue) {
+ /* Supplicant has not seen this request yet. */
+ idr_remove(&supp->idr, req->id);
list_del(&req->link);
req->in_queue = false;
+
+ ret = TEEC_ERROR_COMMUNICATION;
+ } else if (req->processed) {
+ /*
+ * Supplicant has processed this request. Ignore the
+ * kill signal for now and submit the result. req is not
+ * in supp->reqs (removed by supp_pop_entry()) nor in
+ * supp->idr (removed by supp_pop_req()).
+ */
+ ret = req->ret;
+ } else {
+ /*
+ * Supplicant is in the middle of processing this
+ * request. Replace req with INVALID_REQ_PTR so that
+ * the ID remains busy, causing optee_supp_send() to
+ * fail on the next call to supp_pop_req() with this ID.
+ */
+ idr_replace(&supp->idr, INVALID_REQ_PTR, req->id);
+ ret = TEEC_ERROR_COMMUNICATION;
}
+
mutex_unlock(&supp->mutex);
- req->ret = TEEC_ERROR_COMMUNICATION;
+ } else {
+ ret = req->ret;
}
- ret = req->ret;
kfree(req);
return ret;
}
static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
- int num_params, int *id)
+ int num_params)
{
struct optee_supp_req *req;
@@ -153,10 +192,6 @@ static struct optee_supp_req *supp_pop_entry(struct optee_supp *supp,
return ERR_PTR(-EINVAL);
}
- *id = idr_alloc(&supp->idr, req, 1, 0, GFP_KERNEL);
- if (*id < 0)
- return ERR_PTR(-ENOMEM);
-
list_del(&req->link);
req->in_queue = false;
@@ -214,7 +249,6 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
struct optee *optee = tee_get_drvdata(teedev);
struct optee_supp *supp = &optee->supp;
struct optee_supp_req *req = NULL;
- int id;
size_t num_meta;
int rc;
@@ -224,15 +258,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
while (true) {
mutex_lock(&supp->mutex);
- req = supp_pop_entry(supp, *num_params - num_meta, &id);
+ req = supp_pop_entry(supp, *num_params - num_meta);
+ if (req)
+ break; /* Keep mutex held. */
mutex_unlock(&supp->mutex);
- if (req) {
- if (IS_ERR(req))
- return PTR_ERR(req);
- break;
- }
-
/*
* If we didn't get a request we'll block in
* wait_for_completion() to avoid needless spinning.
@@ -245,6 +275,13 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
return -ERESTARTSYS;
}
+ /* supp->mutex held and req != NULL. */
+
+ if (IS_ERR(req)) {
+ mutex_unlock(&supp->mutex);
+ return PTR_ERR(req);
+ }
+
if (num_meta) {
/*
* tee-supplicant support meta parameters -> requsts can be
@@ -252,13 +289,11 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
*/
param->attr = TEE_IOCTL_PARAM_ATTR_TYPE_VALUE_INOUT |
TEE_IOCTL_PARAM_ATTR_META;
- param->u.value.a = id;
+ param->u.value.a = req->id;
param->u.value.b = 0;
param->u.value.c = 0;
} else {
- mutex_lock(&supp->mutex);
- supp->req_id = id;
- mutex_unlock(&supp->mutex);
+ supp->req_id = req->id;
}
*func = req->func;
@@ -266,6 +301,7 @@ int optee_supp_recv(struct tee_context *ctx, u32 *func, u32 *num_params,
memcpy(param + num_meta, req->param,
sizeof(struct tee_param) * req->num_params);
+ mutex_unlock(&supp->mutex);
return 0;
}
@@ -297,12 +333,17 @@ static struct optee_supp_req *supp_pop_req(struct optee_supp *supp,
if (!req)
return ERR_PTR(-ENOENT);
+ /* optee_supp_thrd_req() already returned to optee. */
+ if (IS_ERR(req))
+ goto failed_req;
+
if ((num_params - nm) != req->num_params)
return ERR_PTR(-EINVAL);
+ *num_meta = nm;
+failed_req:
idr_remove(&supp->idr, id);
supp->req_id = -1;
- *num_meta = nm;
return req;
}
@@ -328,10 +369,9 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
mutex_lock(&supp->mutex);
req = supp_pop_req(supp, num_params, param, &num_meta);
- mutex_unlock(&supp->mutex);
-
if (IS_ERR(req)) {
- /* Something is wrong, let supplicant restart. */
+ mutex_unlock(&supp->mutex);
+ /* Something is wrong, let supplicant handel it. */
return PTR_ERR(req);
}
@@ -355,9 +395,10 @@ int optee_supp_send(struct tee_context *ctx, u32 ret, u32 num_params,
}
}
req->ret = ret;
-
+ req->processed = true;
/* Let the requesting thread continue */
complete(&req->c);
+ mutex_unlock(&supp->mutex);
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 150/411] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 149/411] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 151/411] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
` (261 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit c6c5327dd18bec1e1bbf139b2cf5ae53608a9d30 ]
With PREEMPT_RCU this triggers a splat because smp_processor_id() can be
preempted while inside a RCU critical section. If xt_NFQUEUE target is
invoked via nft_compat_eval() path, we are inside a RCU critical
section.
Just use the raw version instead.
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_NFQUEUE.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 466da23e36ff47..b32d153e3a1862 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -91,7 +91,7 @@ nfqueue_tg_v3(struct sk_buff *skb, const struct xt_action_param *par)
if (info->queues_total > 1) {
if (info->flags & NFQ_FLAG_CPU_FANOUT) {
- int cpu = smp_processor_id();
+ int cpu = raw_smp_processor_id();
queue = info->queuenum + cpu % info->queues_total;
} else {
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 151/411] ipvs: clear the svc scheduler ptr early on edit
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 150/411] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 152/411] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
` (260 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julian Anastasov, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julian Anastasov <ja@ssi.bg>
[ Upstream commit 193989cc6d80dd8e0460fb3992e69fa03bf0ff9b ]
ip_vs_edit_service() while unbinding the old scheduler clears
the svc->scheduler ptr after the scheduler module initiates
RCU callbacks. This can cause packets to use the old
scheduler at the time when svc->sched_data is already freed
after RCU grace period.
Fix it by clearing the ptr early in ip_vs_unbind_scheduler(),
before the done_service method schedules any RCU callbacks.
Also, if the new scheduler fails to initialize when replacing
the old scheduler, try to restore the old scheduler while still
returning the error code.
Link: https://sashiko.dev/#/patchset/20260519015506.634185-1-rosenp%40gmail.com
Fixes: 05f00505a89a ("ipvs: fix crash if scheduler is changed")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ip_vs.h | 3 +--
net/netfilter/ipvs/ip_vs_ctl.c | 13 ++++++++-----
net/netfilter/ipvs/ip_vs_sched.c | 14 +++++++-------
3 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 59f8412de45ac4..41e20b7e8e88db 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -1396,8 +1396,7 @@ int register_ip_vs_scheduler(struct ip_vs_scheduler *scheduler);
int unregister_ip_vs_scheduler(struct ip_vs_scheduler *scheduler);
int ip_vs_bind_scheduler(struct ip_vs_service *svc,
struct ip_vs_scheduler *scheduler);
-void ip_vs_unbind_scheduler(struct ip_vs_service *svc,
- struct ip_vs_scheduler *sched);
+void ip_vs_unbind_scheduler(struct ip_vs_service *svc);
struct ip_vs_scheduler *ip_vs_scheduler_get(const char *sched_name);
void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler);
struct ip_vs_conn *
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 4c9ef2ae4d6877..0805c9083eaa8f 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1417,7 +1417,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
if (ret_hooks >= 0)
ip_vs_unregister_hooks(ipvs, u->af);
if (svc != NULL) {
- ip_vs_unbind_scheduler(svc, sched);
+ ip_vs_unbind_scheduler(svc);
ip_vs_service_free(svc);
}
ip_vs_scheduler_put(sched);
@@ -1479,9 +1479,8 @@ ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
old_sched = rcu_dereference_protected(svc->scheduler, 1);
if (sched != old_sched) {
if (old_sched) {
- ip_vs_unbind_scheduler(svc, old_sched);
- RCU_INIT_POINTER(svc->scheduler, NULL);
- /* Wait all svc->sched_data users */
+ ip_vs_unbind_scheduler(svc);
+ /* Wait all svc->scheduler/sched_data users */
synchronize_rcu();
}
/* Bind the new scheduler */
@@ -1489,6 +1488,10 @@ ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
ret = ip_vs_bind_scheduler(svc, sched);
if (ret) {
ip_vs_scheduler_put(sched);
+ /* Try to restore the old_sched */
+ if (old_sched &&
+ !ip_vs_bind_scheduler(svc, old_sched))
+ old_sched = NULL;
goto out;
}
}
@@ -1545,7 +1548,7 @@ static void __ip_vs_del_service(struct ip_vs_service *svc, bool cleanup)
/* Unbind scheduler */
old_sched = rcu_dereference_protected(svc->scheduler, 1);
- ip_vs_unbind_scheduler(svc, old_sched);
+ ip_vs_unbind_scheduler(svc);
ip_vs_scheduler_put(old_sched);
/* Unbind persistence engine, keep svc->pe */
diff --git a/net/netfilter/ipvs/ip_vs_sched.c b/net/netfilter/ipvs/ip_vs_sched.c
index d4903723be7e90..49b2e5d2b2c837 100644
--- a/net/netfilter/ipvs/ip_vs_sched.c
+++ b/net/netfilter/ipvs/ip_vs_sched.c
@@ -57,19 +57,19 @@ int ip_vs_bind_scheduler(struct ip_vs_service *svc,
/*
* Unbind a service with its scheduler
*/
-void ip_vs_unbind_scheduler(struct ip_vs_service *svc,
- struct ip_vs_scheduler *sched)
+void ip_vs_unbind_scheduler(struct ip_vs_service *svc)
{
- struct ip_vs_scheduler *cur_sched;
+ struct ip_vs_scheduler *sched;
- cur_sched = rcu_dereference_protected(svc->scheduler, 1);
- /* This check proves that old 'sched' was installed */
- if (!cur_sched)
+ sched = rcu_dereference_protected(svc->scheduler, 1);
+ if (!sched)
return;
+ /* Reset the scheduler before initiating any RCU callbacks */
+ rcu_assign_pointer(svc->scheduler, NULL);
+ smp_wmb(); /* paired with smp_rmb() in ip_vs_schedule() */
if (sched->done_service)
sched->done_service(svc);
- /* svc->scheduler can be set to NULL only by caller */
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 152/411] netfilter: synproxy: add mutex to guard hook reference counting
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 151/411] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 153/411] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
` (259 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 2fcba19caaeb2a33017459d3430f057967bb91b6 ]
As the synproxy infrastructure register netfilter hooks on-demand when a
user adds the first iptables target or nftables expression, if done
concurrently they can race each other.
Introduce a mutex to serialize the refcount control blocks access from
both frontends. While a per namespace mutex might be more efficient, it
is not needed for target/expression like SYNPROXY.
Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_synproxy_core.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index cdb2c3e23af7ee..91d3e3eea1be0b 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -21,6 +21,8 @@
#include <net/netfilter/nf_conntrack_zones.h>
#include <net/netfilter/nf_synproxy.h>
+static DEFINE_MUTEX(synproxy_mutex);
+
unsigned int synproxy_net_id;
EXPORT_SYMBOL_GPL(synproxy_net_id);
@@ -790,26 +792,31 @@ static const struct nf_hook_ops ipv4_synproxy_ops[] = {
int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net)
{
- int err;
+ int err = 0;
+ mutex_lock(&synproxy_mutex);
if (snet->hook_ref4 == 0) {
err = nf_register_net_hooks(net, ipv4_synproxy_ops,
ARRAY_SIZE(ipv4_synproxy_ops));
if (err)
- return err;
+ goto out;
}
snet->hook_ref4++;
- return 0;
+out:
+ mutex_unlock(&synproxy_mutex);
+ return err;
}
EXPORT_SYMBOL_GPL(nf_synproxy_ipv4_init);
void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net)
{
+ mutex_lock(&synproxy_mutex);
snet->hook_ref4--;
if (snet->hook_ref4 == 0)
nf_unregister_net_hooks(net, ipv4_synproxy_ops,
ARRAY_SIZE(ipv4_synproxy_ops));
+ mutex_unlock(&synproxy_mutex);
}
EXPORT_SYMBOL_GPL(nf_synproxy_ipv4_fini);
@@ -1214,27 +1221,32 @@ static const struct nf_hook_ops ipv6_synproxy_ops[] = {
int
nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net)
{
- int err;
+ int err = 0;
+ mutex_lock(&synproxy_mutex);
if (snet->hook_ref6 == 0) {
err = nf_register_net_hooks(net, ipv6_synproxy_ops,
ARRAY_SIZE(ipv6_synproxy_ops));
if (err)
- return err;
+ goto out;
}
snet->hook_ref6++;
- return 0;
+out:
+ mutex_unlock(&synproxy_mutex);
+ return err;
}
EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_init);
void
nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net)
{
+ mutex_lock(&synproxy_mutex);
snet->hook_ref6--;
if (snet->hook_ref6 == 0)
nf_unregister_net_hooks(net, ipv6_synproxy_ops,
ARRAY_SIZE(ipv6_synproxy_ops));
+ mutex_unlock(&synproxy_mutex);
}
EXPORT_SYMBOL_GPL(nf_synproxy_ipv6_fini);
#endif /* CONFIG_IPV6 */
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 153/411] netfilter: conntrack_irc: fix possible out-of-bounds read
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 152/411] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 154/411] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
` (258 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal,
Fernando Fernandez Mancera, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 66eba0ffce3b7e11449946b4cbbef8ea36112f56 ]
When parsing fails after we've matched the command string we
should bail out instead of trying to match a different command.
This helper should be deprecated, given prevalence of TLS I doubt it has
any relevance in 2026.
Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Closes: https://sashiko.dev/#/patchset/20260525182924.28456-1-fw%40strlen.de
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_irc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 159e1e4441a433..7a0c645a11c390 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -202,7 +202,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
if (parse_dcc(data, data_limit, &dcc_ip,
&dcc_port, &addr_beg_p, &addr_end_p)) {
pr_debug("unable to parse dcc command\n");
- continue;
+ goto out;
}
pr_debug("DCC bound ip/port: %pI4:%u\n",
@@ -216,7 +216,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n",
&tuple->src.u3.ip,
&dcc_ip, dcc_port);
- continue;
+ goto out;
}
exp = nf_ct_expect_alloc(ct);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 154/411] netfilter: bridge: make ebt_snat ARP rewrite writable
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 153/411] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 155/411] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
` (257 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yiming Qian <yimingqian591@gmail.com>
[ Upstream commit 67ba971ae02514d85818fe0c32549ab4bfa3bf49 ]
The ebtables SNAT target keeps the Ethernet source address rewrite
behind skb_ensure_writable(skb, 0). This is intentional: at the bridge
ebtables hooks the Ethernet header is addressed through
skb_mac_header()/eth_hdr(), while skb->data points at the Ethernet
payload. Asking skb_ensure_writable() for ETH_HLEN bytes would check
the payload, not the Ethernet header, and would reintroduce the small
packet regression fixed by commit 63137bc5882a.
However, the optional ARP sender hardware address rewrite is different.
It writes through skb_store_bits() at an offset relative to skb->data:
skb_store_bits(skb, sizeof(struct arphdr), info->mac, ETH_ALEN)
skb_header_pointer() only safely reads the ARP header; it does not make
the later sender hardware address range writable. If that range is
still held in a nonlinear skb fragment backed by a splice-imported file
page, skb_store_bits() maps the frag page and copies the new MAC address
directly into it.
Ensure the ARP SHA range is writable before reading the ARP header and
before calling skb_store_bits().
Fixes: 63137bc5882a ("netfilter: ebtables: Fixes dropping of small packets in bridge nat")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/netfilter/ebt_snat.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 7dfbcdfc30e5d2..c9e229af0366b8 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -31,6 +31,9 @@ ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
const struct arphdr *ap;
struct arphdr _ah;
+ if (skb_ensure_writable(skb, sizeof(_ah) + ETH_ALEN))
+ return EBT_DROP;
+
ap = skb_header_pointer(skb, 0, sizeof(_ah), &_ah);
if (ap == NULL)
return EBT_DROP;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 155/411] dm cache policy smq: check allocation under invalidate lock
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 154/411] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 156/411] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
` (256 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Mikulas Patocka,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
[ Upstream commit d3f0a606b9f278ece8a0df626ded9c4044071235 ]
commit 2d1f7b65f5de ("dm cache policy smq: fix missing locks in
invalidating cache blocks") added mq->lock around the destructive part of
smq_invalidate_mapping(), but left the e->allocated check outside the
critical section.
That leaves a check-then-act race. Two concurrent invalidators can both
observe e->allocated as true before either of them takes mq->lock. The
first invalidator that acquires the lock removes the entry from the
queues and hash table and then calls free_entry(), which clears
e->allocated and puts the entry back on the free list. The second
invalidator can then acquire mq->lock and continue with the stale result
of the unlocked check.
This can corrupt the SMQ queues or hash table by deleting an entry that
is no longer on those structures. It can also hit the allocation check in
free_entry() when the same entry is freed again.
Move the allocation check under mq->lock so the predicate and the
destructive operations are serialized by the same lock.
Fixes: 2d1f7b65f5de ("dm cache policy smq: fix missing locks in invalidating cache blocks")
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-cache-policy-smq.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/md/dm-cache-policy-smq.c b/drivers/md/dm-cache-policy-smq.c
index 95b0670c32acda..e5c4d7ff2c655b 100644
--- a/drivers/md/dm-cache-policy-smq.c
+++ b/drivers/md/dm-cache-policy-smq.c
@@ -1585,18 +1585,22 @@ static int smq_invalidate_mapping(struct dm_cache_policy *p, dm_cblock_t cblock)
struct smq_policy *mq = to_smq_policy(p);
struct entry *e = get_entry(&mq->cache_alloc, from_cblock(cblock));
unsigned long flags;
-
- if (!e->allocated)
- return -ENODATA;
+ int r = 0;
spin_lock_irqsave(&mq->lock, flags);
+ if (!e->allocated) {
+ r = -ENODATA;
+ goto out;
+ }
// FIXME: what if this block has pending background work?
del_queue(mq, e);
h_remove(&mq->table, e);
free_entry(&mq->cache_alloc, e);
+
+out:
spin_unlock_irqrestore(&mq->lock, flags);
- return 0;
+ return r;
}
static uint32_t smq_get_hint(struct dm_cache_policy *p, dm_cblock_t cblock)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 156/411] net/sched: act_api: use RCU with deferred freeing for action lifecycle
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 155/411] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 157/411] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
` (255 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Kyle Zeng,
Victor Nogueira, syzbot, Jamal Hadi Salim, Pedro Tammela,
Eric Dumazet, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit 5057e1aca011e51ef51498c940ef96f3d3e8a305 ]
When NEWTFILTER and DELFILTER are run concurrently it is possible to create a
race with an associated action.
Let's illustrate with CPU0 running NEWTFILTER and CPU1 running DELFILTER:
0: mutex_lock() <-- holds the idr lock
0: rcu_read_lock()
0: p = idr_find(idr, index) <-- action p is valid (RCU protects IDR)
0: mutex_unlock() <-- releases the idr lock
1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
1: idr_remove(idr, index) <-- Action removed from IDR
1: mutex_unlock() <-- mutex released allowing us to delete the action
1: tcf_action_cleanup(p); kfree(p) <-- Kfrees p immediately, no deferral
0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- ouch, UAF p points to freed memory
This patch fixes the race condition between NEWTFILTER and DELFILTER by
adding struct rcu_head to tc_action used in the deferral and introducing a
call_rcu() in the delete path to defer the final kfree().
Note: this is a revert of commit d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
but also modernization/simplification to directly use kfree_rcu().
Let's illustrate the new restored code path:
0: rcu_read_lock()
1: refcount_dec_and_mutex_lock() <-- refcnt 1->0, mutex held
1: idr_remove(idr, index)
1: mutex_unlock()
1: call_rcu(&p->tcfa_rcu, tcf_action_rcu_free) <-- defer kfree after grace period
0: p = idr_find(idr, index)
0: refcount_inc_not_zero(&p->tcfa_refcnt) <-- fails, refcnt already 0
1: rcu_read_unlock() <-- release so freeing can run after grace period
After CPU1 calls idr_remove(), the object is no longer reachable through the IDR.
CPU0's subsequent idr_find() will return NULL, and even if it still held a
stale pointer, the immediate kfree() is now deferred until after the RCU grace
period, so no UAF can occur.
Fixes: d7fb60b9cafb ("net_sched: get rid of tcfa_rcu")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: syzbot@syzkaller.appspotmail.com
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Link: https://patch.msgid.link/20260531160812.68020-1-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/act_api.h | 1 +
net/sched/act_api.c | 7 +------
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/include/net/act_api.h b/include/net/act_api.h
index ab67d62ff31784..29d5dc201b5cc5 100644
--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -41,6 +41,7 @@ struct tc_action {
struct tc_cookie __rcu *act_cookie;
struct tcf_chain __rcu *goto_chain;
u32 tcfa_flags;
+ struct rcu_head tcfa_rcu;
u8 hw_stats;
u8 used_hw_stats;
bool used_hw_stats_valid;
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 0b4deb33bdf7ad..20944a2e162e7f 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -109,11 +109,6 @@ struct tcf_chain *tcf_action_set_ctrlact(struct tc_action *a, int action,
}
EXPORT_SYMBOL(tcf_action_set_ctrlact);
-/* XXX: For standalone actions, we don't need a RCU grace period either, because
- * actions are always connected to filters and filters are already destroyed in
- * RCU callbacks, so after a RCU grace period actions are already disconnected
- * from filters. Readers later can not find us.
- */
static void free_tcf(struct tc_action *p)
{
struct tcf_chain *chain = rcu_dereference_protected(p->goto_chain, 1);
@@ -126,7 +121,7 @@ static void free_tcf(struct tc_action *p)
if (chain)
tcf_chain_put_by_act(chain);
- kfree(p);
+ kfree_rcu(p, tcfa_rcu);
}
static void tcf_action_cleanup(struct tc_action *p)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 157/411] 6lowpan: fix off-by-one in multicast context address compression
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 156/411] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 158/411] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
` (254 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
Xuewei Feng, Qi Li, Ke Xu, Alexander Aring, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
[ Upstream commit 2a58899d11009bffc7b4b32a571858f381121837 ]
The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.
This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
is transmitted over the network via lowpan_push_hc_data(),
leaking kernel stack contents
The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
data[0..1] = s6_addr[1..2] (flags/scope + RIID)
data[2..5] = s6_addr[12..15] (group ID)
Also zero-initialize the data array as a defensive measure against
similar bugs in the future.
Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://patch.msgid.link/20260527081806.42747-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/6lowpan/iphc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
index 52fad5dad9f715..d762c49e722fae 100644
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -1086,12 +1086,12 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
const struct lowpan_iphc_ctx *ctx,
const struct in6_addr *ipaddr)
{
- u8 data[6];
+ u8 data[6] = {};
/* flags/scope, reserved (RIID) */
memcpy(data, &ipaddr->s6_addr[1], 2);
/* group ID */
- memcpy(&data[1], &ipaddr->s6_addr[11], 4);
+ memcpy(&data[2], &ipaddr->s6_addr[12], 4);
lowpan_push_hc_data(hc_ptr, data, 6);
return LOWPAN_IPHC_DAM_00;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 158/411] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 157/411] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 159/411] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
` (253 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yicong Hui, Laurentiu Palcu,
Liu Ying, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yicong Hui <yiconghui@gmail.com>
[ Upstream commit ae0383e5a9a4b12d68c76c4769857def4665deff ]
Fix the following W=1 kerneldoc warnings by adding the missing parameter
descriptions for @phase0_identity and @nn_interpolation in
dcss_scaler_filter_design() and @phase0_identity in
dcss_scaler_gaussian_filter()
Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:173 function parameter 'phase0_identity' not described in 'dcss_scaler_gaussian_filter'
Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:270 function parameter 'phase0_identity' not described in 'dcss_scaler_filter_design'
Warning: drivers/gpu/drm/imx/dcss/dcss-scaler.c:270 function parameter 'nn_interpolation' not described in 'dcss_scaler_filter_design'
Fixes: 9021c317b770 ("drm/imx: Add initial support for DCSS on iMX8MQ")
Signed-off-by: Yicong Hui <yiconghui@gmail.com>
Reviewed-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Link: https://patch.msgid.link/20260406180013.2442096-1-yiconghui@gmail.com
Signed-off-by: Liu Ying <victor.liu@nxp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/imx/dcss/dcss-scaler.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/imx/dcss/dcss-scaler.c b/drivers/gpu/drm/imx/dcss/dcss-scaler.c
index 47852b9dd5eaa2..d2a89a99bd71cf 100644
--- a/drivers/gpu/drm/imx/dcss/dcss-scaler.c
+++ b/drivers/gpu/drm/imx/dcss/dcss-scaler.c
@@ -166,6 +166,7 @@ static int exp_approx_q(int x)
* dcss_scaler_gaussian_filter() - Generate gaussian prototype filter.
* @fc_q: fixed-point cutoff frequency normalized to range [0, 1]
* @use_5_taps: indicates whether to use 5 taps or 7 taps
+ * @phase0_identity: whether to override phase 0 coefficients with identity filter
* @coef: output filter coefficients
*/
static void dcss_scaler_gaussian_filter(int fc_q, bool use_5_taps,
@@ -262,7 +263,9 @@ static void dcss_scaler_nearest_neighbor_filter(bool use_5_taps,
* @src_length: length of input
* @dst_length: length of output
* @use_5_taps: 0 for 7 taps per phase, 1 for 5 taps
+ * @phase0_identity: whether to override phase 0 coefficients with identity filter
* @coef: output coefficients
+ * @nn_interpolation: whether to use nearest neighbor instead of gaussian filter
*/
static void dcss_scaler_filter_design(int src_length, int dst_length,
bool use_5_taps, bool phase0_identity,
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 159/411] pcnet32: stop holding device spin lock during napi_complete_done
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 158/411] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 160/411] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
` (252 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Oscar Maes,
Alexander Lobakin, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oscar Maes <oscmaes92@gmail.com>
[ Upstream commit 73bf3cca7de6a73f53b6a52dc3b1c82ae5667a4d ]
napi_complete_done may call gro_flush_normal (though not currently, as GRO
is unsupported at the moment), which may result in packet TX. This will
eventually result in calling pcnet32_start_xmit - resulting in a deadlock
while trying to re-acquire the already locked spin lock.
It is safe to split the spinlock block into two, because the hardware
registers are still protected from concurrent access, and the two blocks
perform unrelated operations that don't need to happen atomically.
Fixes: 5b2ec6f2be51 ("pcnet32: use napi_complete_done()")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Link: https://patch.msgid.link/20260528140320.5556-1-oscmaes92@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/pcnet32.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/amd/pcnet32.c b/drivers/net/ethernet/amd/pcnet32.c
index 70d76fdb9f569d..58a59b2d70cf2b 100644
--- a/drivers/net/ethernet/amd/pcnet32.c
+++ b/drivers/net/ethernet/amd/pcnet32.c
@@ -1399,8 +1399,10 @@ static int pcnet32_poll(struct napi_struct *napi, int budget)
pcnet32_restart(dev, CSR0_START);
netif_wake_queue(dev);
}
+ spin_unlock_irqrestore(&lp->lock, flags);
if (work_done < budget && napi_complete_done(napi, work_done)) {
+ spin_lock_irqsave(&lp->lock, flags);
/* clear interrupt masks */
val = lp->a->read_csr(ioaddr, CSR3);
val &= 0x00ff;
@@ -1408,9 +1410,9 @@ static int pcnet32_poll(struct napi_struct *napi, int budget)
/* Set interrupt enable. */
lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
+ spin_unlock_irqrestore(&lp->lock, flags);
}
- spin_unlock_irqrestore(&lp->lock, flags);
return work_done;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 160/411] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 159/411] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 161/411] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
` (251 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
Xuewei Feng, Qi Li, Ke Xu, Simon Horman, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
[ Upstream commit 16e408e607a94b646fb14a2a98422c6877ae4b3c ]
The receive-side GARP attribute parser computes dlen with reversed
operands:
dlen = sizeof(*ga) - ga->len;
ga->len is the on-wire attribute length and includes the GARP attribute
header. For normal attributes with data, ga->len is larger than
sizeof(*ga), so the subtraction underflows in unsigned arithmetic.
The resulting value is later passed to garp_attr_lookup(), whose length
argument is u8. After truncation, the parsed data length usually no
longer matches the length stored for locally registered attributes, so
received Join/Leave events are ignored. This breaks the GARP receive path
for common attributes, such as GVRP VLAN registration attributes.
Compute the data length as the attribute length minus the header length.
Fixes: eca9ebac651f ("net: Add GARP applicant-only participant")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260527083200.42861-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/802/garp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/802/garp.c b/net/802/garp.c
index f6012f8e59f005..2c456b362621e6 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -452,7 +452,7 @@ static int garp_pdu_parse_attr(struct garp_applicant *app, struct sk_buff *skb,
if (!pskb_may_pull(skb, ga->len))
return -1;
skb_pull(skb, ga->len);
- dlen = sizeof(*ga) - ga->len;
+ dlen = ga->len - sizeof(*ga);
if (attrtype > app->app->maxattr)
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 161/411] net: lan743x: permit VLAN-tagged packets up to configured MTU
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 160/411] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 162/411] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
` (250 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Thompson, Thangaraj Samynathan,
Nicolai Buchwitz, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Thompson <davthompson@nvidia.com>
[ Upstream commit 8173d22b211f615015f7b35f48ab11a6dd78dc99 ]
VLAN-tagged interfaces on lan743x devices were previously unreachable via
SSH and failed to respond to large ping packets (e.g. "ping -s 1469" given
MTU=1500). In these scenarios, "ethtool -S" reports non-zero "RX Oversize
Frame Errors". According to Microchip AN2948, the MAC_RX FSE (VLAN field
size enforcement) bit determines whether frames with VLAN tags exceeding
the base MTU plus tag length are discarded.
The driver must set the MAC_RX.FSE bit before setting MAC_RX.RXEN to allow
VLAN-tagged frames up to the interface MTU, preventing them from being
treated as oversized. As a result, both the base and VLAN-tagged interfaces
can use the same MTU without receive errors.
Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: David Thompson <davthompson@nvidia.com>
Reviewed-by: Thangaraj Samynathan <Thangaraj.s@microchip.com>
Reviewed-by: Nicolai Buchwitz <nb@tipi-net.de>
Tested-by: Nicolai Buchwitz <nb@tipi-net.de> # lan7430 on arm64 (RevPi
Link: https://patch.msgid.link/20260529210300.433135-1-davthompson@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/lan743x_main.c | 32 +++++++++++++++++++
drivers/net/ethernet/microchip/lan743x_main.h | 1 +
2 files changed, 33 insertions(+)
diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
index 49d40685136d46..8db83741aaa570 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -792,6 +792,36 @@ static void lan743x_mac_set_address(struct lan743x_adapter *adapter,
"MAC address set to %pM\n", addr);
}
+static void lan743x_mac_rx_enable_fse(struct lan743x_adapter *adapter)
+{
+ u32 mac_rx;
+ bool rxen;
+
+ mac_rx = lan743x_csr_read(adapter, MAC_RX);
+ if (mac_rx & MAC_RX_FSE_)
+ return;
+
+ rxen = mac_rx & MAC_RX_RXEN_;
+ if (rxen) {
+ mac_rx &= ~MAC_RX_RXEN_;
+ lan743x_csr_write(adapter, MAC_RX, mac_rx);
+ lan743x_csr_wait_for_bit(adapter, MAC_RX, MAC_RX_RXD_,
+ 1, 1000, 20000, 100);
+ }
+
+ /* Per AN2948, hardware prevents modification of the FSE bit while the
+ * MAC receiver is enabled (RXEN bit set). Use separate register write
+ * to assert the FSE bit before enabling the RXEN bit in MAC_RX
+ */
+ mac_rx |= MAC_RX_FSE_;
+ lan743x_csr_write(adapter, MAC_RX, mac_rx);
+
+ if (rxen) {
+ mac_rx |= MAC_RX_RXEN_;
+ lan743x_csr_write(adapter, MAC_RX, mac_rx);
+ }
+}
+
static int lan743x_mac_init(struct lan743x_adapter *adapter)
{
bool mac_address_valid = true;
@@ -831,6 +861,8 @@ static int lan743x_mac_init(struct lan743x_adapter *adapter)
lan743x_mac_set_address(adapter, adapter->mac_address);
eth_hw_addr_set(netdev, adapter->mac_address);
+ lan743x_mac_rx_enable_fse(adapter);
+
return 0;
}
diff --git a/drivers/net/ethernet/microchip/lan743x_main.h b/drivers/net/ethernet/microchip/lan743x_main.h
index a1226ab0fb4217..40351d38299aac 100644
--- a/drivers/net/ethernet/microchip/lan743x_main.h
+++ b/drivers/net/ethernet/microchip/lan743x_main.h
@@ -118,6 +118,7 @@
#define MAC_RX (0x104)
#define MAC_RX_MAX_SIZE_SHIFT_ (16)
#define MAC_RX_MAX_SIZE_MASK_ (0x3FFF0000)
+#define MAC_RX_FSE_ BIT(2)
#define MAC_RX_RXD_ BIT(1)
#define MAC_RX_RXEN_ BIT(0)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 162/411] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 161/411] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 163/411] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
` (249 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Cen, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
[ Upstream commit 43c441edacf953b39517a44f5e5e10a93618b226 ]
rfcomm_get_sock_by_channel() scans rfcomm_sk_list under the list lock,
but returns the selected listener after dropping that lock without
taking a reference. rfcomm_connect_ind() then locks the listener,
queues a child socket on it, and may notify it after unlocking it.
The buggy scenario involves two paths, with each column showing the
order within that path:
rfcomm_connect_ind(): listener close:
1. Find parent in 1. close() enters
rfcomm_get_sock_by_channel() rfcomm_sock_release().
2. Drop rfcomm_sk_list.lock 2. rfcomm_sock_shutdown()
without pinning parent. closes the listener.
3. Call lock_sock(parent) and 3. rfcomm_sock_kill()
bt_accept_enqueue(parent, unlinks and puts parent.
sk, true).
4. Read parent flags and may 4. parent can be freed.
call sk_state_change().
If close wins the race, parent can be freed before
rfcomm_connect_ind() reaches lock_sock(), bt_accept_enqueue(), or the
deferred-setup callback.
Take a reference on the listener before leaving rfcomm_sk_list.lock.
After lock_sock() succeeds, recheck that it is still in BT_LISTEN
before queueing a child, cache the deferred-setup bit while the parent
is locked, and drop the reference after the last parent use.
KASAN reported a slab-use-after-free in lock_sock_nested() from
rfcomm_connect_ind(), with the freeing stack going through
rfcomm_sock_kill() and rfcomm_sock_release().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/rfcomm/sock.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index d1f2c936a8a811..2f091f134a606c 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -122,7 +122,7 @@ static struct sock *__rfcomm_get_listen_sock_by_addr(u8 channel, bdaddr_t *src)
}
/* Find socket with channel and source bdaddr.
- * Returns closest match.
+ * Returns closest match with an extra reference held.
*/
static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *src)
{
@@ -136,15 +136,25 @@ static struct sock *rfcomm_get_sock_by_channel(int state, u8 channel, bdaddr_t *
if (rfcomm_pi(sk)->channel == channel) {
/* Exact match. */
- if (!bacmp(&rfcomm_pi(sk)->src, src))
+ if (!bacmp(&rfcomm_pi(sk)->src, src)) {
+ sock_hold(sk);
break;
+ }
/* Closest match */
- if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY))
+ if (!bacmp(&rfcomm_pi(sk)->src, BDADDR_ANY)) {
+ if (sk1)
+ sock_put(sk1);
+
sk1 = sk;
+ sock_hold(sk1);
+ }
}
}
+ if (sk && sk1)
+ sock_put(sk1);
+
read_unlock(&rfcomm_sk_list.lock);
return sk ? sk : sk1;
@@ -941,6 +951,7 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
{
struct sock *sk, *parent;
bdaddr_t src, dst;
+ bool defer_setup = false;
int result = 0;
BT_DBG("session %p channel %d", s, channel);
@@ -954,6 +965,11 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
lock_sock(parent);
+ if (parent->sk_state != BT_LISTEN)
+ goto done;
+
+ defer_setup = test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags);
+
/* Check for backlog size */
if (sk_acceptq_is_full(parent)) {
BT_DBG("backlog full %d", parent->sk_ack_backlog);
@@ -981,9 +997,11 @@ int rfcomm_connect_ind(struct rfcomm_session *s, u8 channel, struct rfcomm_dlc *
done:
release_sock(parent);
- if (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags))
+ if (defer_setup)
parent->sk_state_change(parent);
+ sock_put(parent);
+
return result;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 163/411] Bluetooth: MGMT: validate advertising TLV before type checks
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 162/411] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 164/411] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
` (248 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Zhang Cen,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
[ Upstream commit de23fb62259aa01d294f77238ae3b835eb674413 ]
tlv_data_is_valid() reads each advertising data field length from
data[i], then inspects data[i + 1] for managed EIR types before
checking that the current field still fits inside the supplied buffer.
A malformed field whose length byte is the last byte of the buffer can
therefore make the parser read one byte past the advertising data.
KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING
request reached that path:
BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
Read of size 1
Call trace:
tlv_data_is_valid()
add_advertising()
hci_mgmt_cmd()
hci_sock_sendmsg()
Move the existing element-length check before any type-octet inspection
so each non-empty element is proven to contain its type byte before the
parser looks at data[i + 1].
Fixes: 2bb36870e8cb ("Bluetooth: Unify advertising instance flags check")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 09232c424446bc..337c3cb8eec589 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -7635,6 +7635,12 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
if (!cur_len)
continue;
+ /* If the current field length would exceed the total data
+ * length, then it's invalid.
+ */
+ if (i + cur_len >= len)
+ return false;
+
if (data[i + 1] == EIR_FLAGS &&
(!is_adv_data || flags_managed(adv_flags)))
return false;
@@ -7651,12 +7657,6 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
if (data[i + 1] == EIR_APPEARANCE &&
appearance_managed(adv_flags))
return false;
-
- /* If the current field length would exceed the total data
- * length, then it's invalid.
- */
- if (i + cur_len >= len)
- return false;
}
return true;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 164/411] Bluetooth: RFCOMM: validate skb length in MCC handlers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 163/411] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 165/411] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
` (247 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Bilal, SeungJu Cheon,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeungJu Cheon <suunj1331@gmail.com>
[ Upstream commit 23882b828c3c8c51d0c946446a396b10abb3b16b ]
The RFCOMM MCC handlers cast skb->data to protocol-specific structs
without validating skb->len first. A malicious remote device can send
truncated MCC frames and trigger out-of-bounds reads in these handlers.
Fix this by using skb_pull_data() to validate and access the required
data before dereferencing it.
rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows
1-byte RPN requests. Handle this by validating only the DLCI byte first,
and validating the full struct only when len > 1.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: SeungJu Cheon <suunj1331@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/rfcomm/core.c | 67 +++++++++++++++++++++++++++----------
1 file changed, 49 insertions(+), 18 deletions(-)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 4f54c7df3a94f8..374187def190da 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1427,10 +1427,15 @@ static int rfcomm_apply_pn(struct rfcomm_dlc *d, int cr, struct rfcomm_pn *pn)
static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
- struct rfcomm_pn *pn = (void *) skb->data;
+ struct rfcomm_pn *pn;
struct rfcomm_dlc *d;
- u8 dlci = pn->dlci;
+ u8 dlci;
+
+ pn = skb_pull_data(skb, sizeof(*pn));
+ if (!pn)
+ return -EILSEQ;
+ dlci = pn->dlci;
BT_DBG("session %p state %ld dlci %d", s, s->state, dlci);
if (!dlci)
@@ -1479,8 +1484,8 @@ static int rfcomm_recv_pn(struct rfcomm_session *s, int cr, struct sk_buff *skb)
static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_buff *skb)
{
- struct rfcomm_rpn *rpn = (void *) skb->data;
- u8 dlci = __get_dlci(rpn->dlci);
+ struct rfcomm_rpn *rpn;
+ u8 dlci;
u8 bit_rate = 0;
u8 data_bits = 0;
@@ -1491,15 +1496,16 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
u8 xoff_char = 0;
u16 rpn_mask = RFCOMM_RPN_PM_ALL;
- BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
- dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
- rpn->xon_char, rpn->xoff_char, rpn->param_mask);
+ if (len == 1) {
+ rpn = skb_pull_data(skb, 1);
+ if (!rpn)
+ return -EILSEQ;
- if (!cr)
- return 0;
+ dlci = __get_dlci(rpn->dlci);
+
+ if (!cr)
+ return 0;
- if (len == 1) {
- /* This is a request, return default (according to ETSI TS 07.10) settings */
bit_rate = RFCOMM_RPN_BR_9600;
data_bits = RFCOMM_RPN_DATA_8;
stop_bits = RFCOMM_RPN_STOP_1;
@@ -1510,6 +1516,19 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
goto rpn_out;
}
+ rpn = skb_pull_data(skb, sizeof(*rpn));
+ if (!rpn)
+ return -EILSEQ;
+
+ dlci = __get_dlci(rpn->dlci);
+
+ BT_DBG("dlci %d cr %d len 0x%x bitr 0x%x line 0x%x flow 0x%x xonc 0x%x xoffc 0x%x pm 0x%x",
+ dlci, cr, len, rpn->bit_rate, rpn->line_settings, rpn->flow_ctrl,
+ rpn->xon_char, rpn->xoff_char, rpn->param_mask);
+
+ if (!cr)
+ return 0;
+
/* Check for sane values, ignore/accept bit_rate, 8 bits, 1 stop bit,
* no parity, no flow control lines, normal XON/XOFF chars */
@@ -1585,9 +1604,14 @@ static int rfcomm_recv_rpn(struct rfcomm_session *s, int cr, int len, struct sk_
static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
- struct rfcomm_rls *rls = (void *) skb->data;
- u8 dlci = __get_dlci(rls->dlci);
+ struct rfcomm_rls *rls;
+ u8 dlci;
+ rls = skb_pull_data(skb, sizeof(*rls));
+ if (!rls)
+ return -EILSEQ;
+
+ dlci = __get_dlci(rls->dlci);
BT_DBG("dlci %d cr %d status 0x%x", dlci, cr, rls->status);
if (!cr)
@@ -1604,10 +1628,15 @@ static int rfcomm_recv_rls(struct rfcomm_session *s, int cr, struct sk_buff *skb
static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb)
{
- struct rfcomm_msc *msc = (void *) skb->data;
+ struct rfcomm_msc *msc;
struct rfcomm_dlc *d;
- u8 dlci = __get_dlci(msc->dlci);
+ u8 dlci;
+
+ msc = skb_pull_data(skb, sizeof(*msc));
+ if (!msc)
+ return -EILSEQ;
+ dlci = __get_dlci(msc->dlci);
BT_DBG("dlci %d cr %d v24 0x%x", dlci, cr, msc->v24_sig);
d = rfcomm_dlc_get(s, dlci);
@@ -1640,17 +1669,19 @@ static int rfcomm_recv_msc(struct rfcomm_session *s, int cr, struct sk_buff *skb
static int rfcomm_recv_mcc(struct rfcomm_session *s, struct sk_buff *skb)
{
- struct rfcomm_mcc *mcc = (void *) skb->data;
+ struct rfcomm_mcc *mcc;
u8 type, cr, len;
+ mcc = skb_pull_data(skb, sizeof(*mcc));
+ if (!mcc)
+ return -EILSEQ;
+
cr = __test_cr(mcc->type);
type = __get_mcc_type(mcc->type);
len = __get_mcc_len(mcc->len);
BT_DBG("%p type 0x%x cr %d", s, type, cr);
- skb_pull(skb, 2);
-
switch (type) {
case RFCOMM_PN:
rfcomm_recv_pn(s, cr, skb);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 165/411] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 164/411] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 166/411] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
` (246 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dudu Lu, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dudu Lu <phx0fer@gmail.com>
[ Upstream commit 72b8deccff17a7644e0367e1aaf1a36cfb014324 ]
In bnep_rx_frame(), the BNEP_FILTER_NET_TYPE_SET and
BNEP_FILTER_MULTI_ADDR_SET extension header parsing has two bugs:
1) The 2-byte length field is read with *(u16 *)(skb->data + 1), which
performs a native-endian read. The BNEP protocol specifies this field
in big-endian (network byte order), and the same file correctly uses
get_unaligned_be16() for the identical fields in
bnep_ctrl_set_netfilter() and bnep_ctrl_set_mcfilter().
2) The length is multiplied by 2, but unlike BNEP_SETUP_CONN_REQ where
the length byte counts UUID pairs (requiring * 2 for two UUIDs per
entry), the filter extension length field already represents the total
data size in bytes. This is confirmed by bnep_ctrl_set_netfilter()
which reads the same field as a byte count and divides by 4 to get
the number of filter entries.
The bogus * 2 means skb_pull advances twice as far as it should,
either dropping valid data from the next header or causing the pull
to fail entirely when the doubled length exceeds the remaining skb.
Fix by splitting the pull into two steps: first use skb_pull_data() to
safely pull and validate the 3-byte fixed header (ctrl type + length),
then pull the variable-length data using the properly decoded length.
Fixes: bf8b9a9cb77b ("Bluetooth: bnep: Add support to extended headers of control frames")
Signed-off-by: Dudu Lu <phx0fer@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/bnep/core.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index f3b9c1dee1bb61..1798069ce79149 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -330,11 +330,18 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
goto badframe;
break;
case BNEP_FILTER_MULTI_ADDR_SET:
- case BNEP_FILTER_NET_TYPE_SET:
- /* Pull: ctrl type (1 b), len (2 b), data (len bytes) */
- if (!skb_pull(skb, 3 + *(u16 *)(skb->data + 1) * 2))
+ case BNEP_FILTER_NET_TYPE_SET: {
+ u8 *hdr;
+
+ /* Pull ctrl type (1 b) + len (2 b) */
+ hdr = skb_pull_data(skb, 3);
+ if (!hdr)
+ goto badframe;
+ /* Pull data (len bytes); length is big-endian */
+ if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
goto badframe;
break;
+ }
default:
kfree_skb(skb);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 166/411] Bluetooth: bnep: reject short frames before parsing
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 165/411] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 167/411] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
` (245 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Cen, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
[ Upstream commit 6770d3a8acdf9151769180cc3710346c4cfbe6f0 ]
A BNEP peer can send a short BNEP SDU. bnep_rx_frame() reads the
packet type byte immediately and, for control packets, reads the control
opcode and setup UUID-size byte before proving that those bytes are
present. bnep_rx_control() also dereferences the control opcode without
rejecting an empty control payload.
Use skb_pull_data() for the fixed fields in bnep_rx_frame() so a NULL
return gates each dereference. Split the control handler so the frame
path can pass an opcode that has already been pulled, and keep the
byte-buffer wrapper for extension control payloads.
For BNEP_SETUP_CONN_REQ, name the UUID-size byte before pulling the
setup payload. struct bnep_setup_conn_req carries destination and source
service UUIDs after that byte, each uuid_size bytes, so the parser now
documents that tuple explicitly instead of leaving the pull length as an
opaque multiplication.
Validation reproduced this kernel report:
KASAN slab-out-of-bounds in bnep_rx_frame.isra.0+0x130c/0x1790
The buggy address belongs to the object at ffff88800c0f7908 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of allocated 1-byte
region [ffff88800c0f7908, ffff88800c0f7909)
Read of size 1
Call trace:
dump_stack_lvl+0xb3/0x140 (?:?)
print_address_description+0x57/0x3a0 (?:?)
bnep_rx_frame+0x130c/0x1790 (net/bluetooth/bnep/core.c:306)
print_report+0xb9/0x2b0 (?:?)
__virt_addr_valid+0x1ba/0x3a0 (?:?)
srso_alias_return_thunk+0x5/0xfbef5 (?:?)
kasan_addr_to_slab+0x21/0x60 (?:?)
kasan_report+0xe0/0x110 (?:?)
process_one_work+0xfce/0x17e0 (kernel/workqueue.c:3200)
worker_thread+0x65c/0xe40 (?:?)
__kthread_parkme+0x184/0x230 (?:?)
kthread+0x35e/0x470 (?:?)
_raw_spin_unlock_irq+0x28/0x50 (?:?)
ret_from_fork+0x586/0x870 (?:?)
__switch_to+0x74f/0xdc0 (?:?)
ret_from_fork_asm+0x1a/0x30 (?:?)
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/bnep/core.c | 57 ++++++++++++++++++++++++---------------
1 file changed, 36 insertions(+), 21 deletions(-)
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 1798069ce79149..627ce3de29c8ee 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -206,14 +206,11 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
return 0;
}
-static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+static int bnep_rx_control_cmd(struct bnep_session *s, u8 cmd, void *data,
+ int len)
{
- u8 cmd = *(u8 *)data;
int err = 0;
- data++;
- len--;
-
switch (cmd) {
case BNEP_CMD_NOT_UNDERSTOOD:
case BNEP_SETUP_CONN_RSP:
@@ -254,6 +251,14 @@ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
return err;
}
+static int bnep_rx_control(struct bnep_session *s, void *data, int len)
+{
+ if (len < 1)
+ return -EILSEQ;
+
+ return bnep_rx_control_cmd(s, *(u8 *)data, data + 1, len - 1);
+}
+
static int bnep_rx_extension(struct bnep_session *s, struct sk_buff *skb)
{
struct bnep_ext_hdr *h;
@@ -299,19 +304,26 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
{
struct net_device *dev = s->dev;
struct sk_buff *nskb;
+ u8 *data;
u8 type, ctrl_type;
dev->stats.rx_bytes += skb->len;
- type = *(u8 *) skb->data;
- skb_pull(skb, 1);
- ctrl_type = *(u8 *)skb->data;
+ data = skb_pull_data(skb, sizeof(type));
+ if (!data)
+ goto badframe;
+ type = *data;
if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
goto badframe;
if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
- if (bnep_rx_control(s, skb->data, skb->len) < 0) {
+ data = skb_pull_data(skb, sizeof(ctrl_type));
+ if (!data)
+ goto badframe;
+ ctrl_type = *data;
+
+ if (bnep_rx_control_cmd(s, ctrl_type, skb->data, skb->len) < 0) {
dev->stats.tx_errors++;
kfree_skb(skb);
return 0;
@@ -324,24 +336,27 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
/* Verify and pull ctrl message since it's already processed */
switch (ctrl_type) {
- case BNEP_SETUP_CONN_REQ:
- /* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
- if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
+ case BNEP_SETUP_CONN_REQ: {
+ u8 uuid_size;
+
+ /* Pull uuid_size and the dst/src service UUIDs. */
+ data = skb_pull_data(skb, sizeof(uuid_size));
+ if (!data)
+ goto badframe;
+ uuid_size = *data;
+ if (!skb_pull(skb, uuid_size + uuid_size))
goto badframe;
break;
+ }
case BNEP_FILTER_MULTI_ADDR_SET:
- case BNEP_FILTER_NET_TYPE_SET: {
- u8 *hdr;
-
- /* Pull ctrl type (1 b) + len (2 b) */
- hdr = skb_pull_data(skb, 3);
- if (!hdr)
+ case BNEP_FILTER_NET_TYPE_SET:
+ /* Pull: len (2 b), data (len bytes) */
+ data = skb_pull_data(skb, sizeof(u16));
+ if (!data)
goto badframe;
- /* Pull data (len bytes); length is big-endian */
- if (!skb_pull(skb, get_unaligned_be16(&hdr[1])))
+ if (!skb_pull(skb, get_unaligned_be16(data)))
goto badframe;
break;
- }
default:
kfree_skb(skb);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 167/411] Bluetooth: fix memory leak in error path of hci_alloc_dev()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 166/411] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 168/411] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
` (244 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+535ecc844591e50588a5,
Bharath Reddy, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharath Reddy <kbreddy.rpbc@gmail.com>
[ Upstream commit 37b3009bf5976e8ab77c8b9a9bc3bbd7ff49e37f ]
Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.
When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).
Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.
Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.
Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbreddy.rpbc@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sysfs.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index cc7d4a8ed8ce24..b1886e517a78bc 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -81,10 +81,12 @@ static void bt_host_release(struct device *dev)
{
struct hci_dev *hdev = to_hci_dev(dev);
- if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+ if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
hci_release_dev(hdev);
- else
+ } else {
+ cleanup_srcu_struct(&hdev->srcu);
kfree(hdev);
+ }
module_put(THIS_MODULE);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 168/411] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 167/411] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 169/411] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
` (243 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tamir Shahar, Amit Klein,
Eric Dumazet, David Ahern, Ido Schimmel, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d3915a1f5a4bc0ac911032903c3c6ab8df9fcc7c ]
This patch restricts setting Loose Source and Record Route (LSRR)
and Strict Source and Record Route (SSRR) IP options to users
with CAP_NET_RAW capability.
This prevents unprivileged applications from forcing packets to route
through attacker-controlled nodes to leak TCP ISN and possibly other
protocol information.
While LSRR and SSRR are commonly filtered in many network environments,
they may still be supported and forwarded along some network paths.
RFC 7126 (Recommendations on Filtering of IPv4 Packets Containing
IPv4 Options) recommend to drop these options in 4.3 and 4.4.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Tamir Shahar <tamirthesis@gmail.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260602161547.2642155-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_options.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index da1b5038bdfd04..4afdaaab616239 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -543,6 +543,10 @@ int ip_options_get(struct net *net, struct ip_options_rcu **optp,
kfree(opt);
return -EINVAL;
}
+ if (opt->opt.srr && !ns_capable(net->user_ns, CAP_NET_RAW)) {
+ kfree(opt);
+ return -EPERM;
+ }
kfree(*optp);
*optp = opt;
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 169/411] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 168/411] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 170/411] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
` (242 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f13c19f75e1097abd116,
Eric Dumazet, Miquel Raynal, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3a5f3f7aff18bcc36a57839cf50cf0cc8de707f3 ]
The aoe driver (or similar) generates a non-IPv6 packet
(e.g., ETH_P_AOE) and queues it for transmission via dev_queue_xmit()
on a 6LoWPAN interface (configured by the user or test case).
Since the packet is not IPv6, the 6LoWPAN header_ops->create function
(lowpan_header_create or header_create) returns early without initializing
the lowpan_addr_info structure in the skb headroom.
In the transmit function (lowpan_xmit), the driver calls lowpan_header
(or setup_header) which unconditionally copies and uses the lowpan_addr_info
from the headroom, which contains uninitialized data.
Fix this by dropping non IPv6 packets.
A similar fix is needed in net/bluetooth/6lowpan.c bt_xmit().
Fixes: 4dc315e267fe ("ieee802154: 6lowpan: move transmit functionality")
Reported-by: syzbot+f13c19f75e1097abd116@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6a1fd763.278b5b03.2bcf39.0049.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20260603072955.4032221-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ieee802154/6lowpan/tx.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ieee802154/6lowpan/tx.c b/net/ieee802154/6lowpan/tx.c
index 0c07662b44c0ca..4df76ff50699ed 100644
--- a/net/ieee802154/6lowpan/tx.c
+++ b/net/ieee802154/6lowpan/tx.c
@@ -255,6 +255,11 @@ netdev_tx_t lowpan_xmit(struct sk_buff *skb, struct net_device *ldev)
pr_debug("package xmit\n");
+ if (skb->protocol != htons(ETH_P_IPV6)) {
+ kfree_skb(skb);
+ return NET_XMIT_DROP;
+ }
+
WARN_ON_ONCE(skb->len > IPV6_MIN_MTU);
/* We must take a copy of the skb before we modify/replace the ipv6
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 170/411] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 169/411] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 171/411] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
` (241 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yizhou Zhao, Yuxiang Yang, Ao Wang,
Xuewei Feng, Qi Li, Ke Xu, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
[ Upstream commit 7561c7fbc694308da73300f036719e63e42bf0b4 ]
In mrp_pdu_parse_vecattr(), vector attribute events are encoded three
per byte and valen tracks the number of events left to process.
The parser decrements valen after processing the first and second events
from each event byte, but not after processing the third one. When valen
is exactly a multiple of three, the loop continues after the last valid
event and consumes the next byte as a new event byte, applying a
spurious event to the MRP applicant state.
Additionally, when valen is zero the parser unconditionally consumes
attrlen bytes as FirstValue and advances the offset, even though per
IEEE 802.1ak a VectorAttribute with only a LeaveAllEvent has valen of
zero and no FirstValue or Vector fields. This corrupts the offset for
subsequent PDU parsing.
Also, when valen exceeds three the loop crosses byte boundaries but
the attribute value is not incremented between the last event of one
byte and the first event of the next. This causes the first event of
the next byte to use the same attribute value as the third event
rather than the next consecutive value.
Decrement valen after processing the third event, skip FirstValue
consumption when valen is zero, and increment the attribute value at
the end of each loop iteration.
Fixes: febf018d2234 ("net/802: Implement Multiple Registration Protocol (MRP)")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Link: https://patch.msgid.link/20260603060016.21522-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/802/mrp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/802/mrp.c b/net/802/mrp.c
index c10a432a5b4351..017839c141841f 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -702,6 +702,12 @@ static int mrp_pdu_parse_vecattr(struct mrp_applicant *app,
valen = be16_to_cpu(get_unaligned(&mrp_cb(skb)->vah->lenflags) &
MRP_VECATTR_HDR_LEN_MASK);
+ /* If valen is 0, only a LeaveAllEvent is present; FirstValue and
+ * Vector fields are absent per IEEE 802.1ak.
+ */
+ if (valen == 0)
+ return 0;
+
/* The VectorAttribute structure in a PDU carries event information
* about one or more attributes having consecutive values. Only the
* value for the first attribute is contained in the structure. So
@@ -752,6 +758,9 @@ static int mrp_pdu_parse_vecattr(struct mrp_applicant *app,
vaevents %= __MRP_VECATTR_EVENT_MAX;
vaevent = vaevents;
mrp_pdu_parse_vecattr_event(app, skb, vaevent);
+ valen--;
+ mrp_attrvalue_inc(mrp_cb(skb)->attrvalue,
+ mrp_cb(skb)->mh->attrlen);
}
return 0;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 171/411] sctp: purge outqueue on stale COOKIE-ECHO handling
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 170/411] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 172/411] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
` (240 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Zhengchuan Liang, Xin Liu, Yuqi Xu, Ren Wei, Xin Long,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit e374b22e9b07b72a25909621464ff74096151bfb ]
sctp_stream_update() is only invoked when the association is moved into
COOKIE_WAIT during association setup/reconfiguration. In this path, the
outbound stream scheduler state (stream->out_curr) is expected to be
clean, since no user data should have been transmitted yet unless the
state machine has already partially progressed.
However, a corner case exists in sctp_sf_do_5_2_6_stale(): when a
Stale Cookie ERROR is received, the association is rolled back from
COOKIE_ECHOED to COOKIE_WAIT. In this scenario, user data may already
have been queued and even bundled with the COOKIE-ECHO chunk.
During the rollback, sctp_stream_update() frees the old stream table
and installs a new one, but it does not invalidate stream->out_curr.
As a result, out_curr may still point to a freed sctp_stream_out
entry from the previous stream state.
Later, SCTP scheduler dequeue paths (FCFS, RR, PRIO, etc.) rely on
stream->out_curr->ext, which can lead to use-after-free once the old
stream state has been released via sctp_stream_free().
This results in crashes such as (reported by Yuqi):
BUG: KASAN: slab-use-after-free in sctp_sched_fcfs_dequeue+0x13a/0x140
Read of size 8 at addr ff1100004d4d3208 by task mini_poc/9312
CPU: 1 UID: 1001 PID: 9312 Comm: mini_poc Not tainted
7.1.0-rc1-00305-gbd3a4795d574 #5 PREEMPT(full)
sctp_sched_fcfs_dequeue+0x13a/0x140
sctp_outq_flush+0x1603/0x33e0
sctp_do_sm+0x31c9/0x5d30
sctp_assoc_bh_rcv+0x392/0x6f0
sctp_inq_push+0x1db/0x270
sctp_rcv+0x138d/0x3c10
Fix this by fully purging the association outqueue when handling the
Stale Cookie case. This ensures all pending transmit and retransmit
state is dropped, and any scheduler cached pointers are invalidated,
making it safe to rebuild stream state during COOKIE_WAIT restart.
Updating only stream->out_curr would be insufficient, since queued
and retransmittable data would still reference the old stream state and
trigger later use-after-free in dequeue paths.
Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reported-by: Yuqi Xu <xuyq21@lenovo.com>
Reported-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/94318159b9052907a6cbb7256aee8b5f8dfbfccb.1780510304.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 2f9f24b1885208..3ca6b7b81124ff 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2583,11 +2583,7 @@ static enum sctp_disposition sctp_sf_do_5_2_6_stale(
*/
sctp_add_cmd_sf(commands, SCTP_CMD_DEL_NON_PRIMARY, SCTP_NULL());
- /* If we've sent any data bundled with COOKIE-ECHO we will need to
- * resend
- */
- sctp_add_cmd_sf(commands, SCTP_CMD_T1_RETRAN,
- SCTP_TRANSPORT(asoc->peer.primary_path));
+ sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_OUTQUEUE, SCTP_NULL());
/* Cast away the const modifier, as we want to just
* rerun it through as a sideffect.
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 172/411] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 171/411] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 173/411] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
` (239 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b109633ea805cac54a61,
Aleksandr Nogikh, Christian Brauner (Amutable), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Nogikh <nogikh@google.com>
[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ]
When a multi-threaded process receives a stop signal (e.g., SIGSTOP),
do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all
threads and sets signal->group_stop_count to the number of threads. If
one of the threads concurrently calls execve(), de_thread() invokes
zap_other_threads() to kill all other threads. zap_other_threads()
aborts the pending group stop by resetting signal->group_stop_count to 0
and clears the JOBCTL_PENDING_MASK for all other threads. However, it
fails to clear the job control flags for the calling thread.
When execve() completes, the calling thread returns to user mode and
checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,
it calls do_signal_stop(), which invokes task_participate_group_stop().
Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the
already-zero signal->group_stop_count, triggering a warning:
sig->group_stop_count == 0
WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373
task_participate_group_stop+0x215/0x2d0
Call Trace:
<TASK>
do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619
get_signal+0xa8c/0x1330 kernel/signal.c:2884
arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98
do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Fix this race condition by clearing the JOBCTL_PENDING_MASK for the
calling thread in zap_other_threads(), ensuring it does not retain any
stale job control state after the thread group is destroyed. This aligns
with other functions that tear down a thread group and abort group
stops, such as zap_process() and complete_signal(), which correctly
clear these flags for all threads including the current one.
Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop")
Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot
Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61
Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3
Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/signal.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/signal.c b/kernel/signal.c
index 8fc1da382448e0..10a315e461d34b 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1364,6 +1364,7 @@ int zap_other_threads(struct task_struct *p)
int count = 0;
p->signal->group_stop_count = 0;
+ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);
while_each_thread(p, t) {
task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 173/411] time: Fix off-by-one in settimeofday() usec validation
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 172/411] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 174/411] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
` (238 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen Kumar Chaudhary,
Thomas Gleixner, John Stultz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ]
The validation check uses '>' instead of '>=' when comparing tv_usec
against USEC_PER_SEC, allowing the value 1000000 through. After
conversion to nanoseconds (*= 1000), this produces tv_nsec ==
NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be
less than NSEC_PER_SEC.
Use '>=' to reject tv_usec values that are not in the valid range of
0 to 999999.
Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()")
Signed-off-by: Naveen Kumar Chaudhary <naveen.osdev@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: John Stultz <jstultz@google.com>
Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/time/time.c b/kernel/time/time.c
index df582f24f0d7b2..b7f6b9dbf940cd 100644
--- a/kernel/time/time.c
+++ b/kernel/time/time.c
@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv,
get_user(new_ts.tv_nsec, &tv->tv_usec))
return -EFAULT;
- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0)
+ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0)
return -EINVAL;
new_ts.tv_nsec *= NSEC_PER_USEC;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 174/411] ext4: validate p_idx bounds in ext4_ext_correct_indexes
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 173/411] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 175/411] fs/ntfs3: Return error for inconsistent extended attributes Greg Kroah-Hartman
` (237 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+04c4e65cab786a2e5b7e,
Tejas Bharambe, Theodore Tso, stable, Alexey Panov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejas Bharambe <tejas.bharambe@outlook.com>
commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 upstream.
ext4_ext_correct_indexes() walks up the extent tree correcting
index entries when the first extent in a leaf is modified. Before
accessing path[k].p_idx->ei_block, there is no validation that
p_idx falls within the valid range of index entries for that
level.
If the on-disk extent header contains a corrupted or crafted
eh_entries value, p_idx can point past the end of the allocated
buffer, causing a slab-out-of-bounds read.
Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
both access sites: before the while loop and inside it. Return
-EFSCORRUPTED if the index pointer is out of range, consistent
with how other bounds violations are handled in the ext4 extent
tree code.
Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ Alexey: Adapt goto clean to break because the clean error path is not
present in linux-5.10.y and linux-5.15.y. ]
Signed-off-by: Alexey Panov <apanov@astralinux.ru>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 80b7783c65b41e..e6dbb2dfb3318f 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1736,6 +1736,13 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode, path + k);
if (err)
return err;
+ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+ EXT4_ERROR_INODE(inode,
+ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+ k, path[k].p_idx,
+ EXT_LAST_INDEX(path[k].p_hdr));
+ return -EFSCORRUPTED;
+ }
path[k].p_idx->ei_block = border;
err = ext4_ext_dirty(handle, inode, path + k);
if (err)
@@ -1748,6 +1755,14 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
err = ext4_ext_get_access(handle, inode, path + k);
if (err)
break;
+ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
+ EXT4_ERROR_INODE(inode,
+ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
+ k, path[k].p_idx,
+ EXT_LAST_INDEX(path[k].p_hdr));
+ err = -EFSCORRUPTED;
+ break;
+ }
path[k].p_idx->ei_block = border;
err = ext4_ext_dirty(handle, inode, path + k);
if (err)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 175/411] fs/ntfs3: Return error for inconsistent extended attributes
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 174/411] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 176/411] nfsd: dont ignore the return code of svc_proc_register() Greg Kroah-Hartman
` (236 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Lo, Konstantin Komarov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Lo <loyuantsung@gmail.com>
[ Upstream commit c9db0ff04649aa0b45f497183c957fe260f229f6 ]
ntfs_read_ea is called when we want to read extended attributes. There
are some sanity checks for the validity of the EAs. However, it fails to
return a proper error code for the inconsistent attributes, which might
lead to unpredicted memory accesses after return.
[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
[ 138.931132]
[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 138.947327] Call Trace:
[ 138.949557] <TASK>
[ 138.951539] dump_stack_lvl+0x4d/0x67
[ 138.956834] print_report+0x16f/0x4a6
[ 138.960798] ? ntfs_set_ea+0x453/0xbf0
[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200
[ 138.969793] ? ntfs_set_ea+0x453/0xbf0
[ 138.973523] kasan_report+0xb8/0x140
[ 138.976740] ? ntfs_set_ea+0x453/0xbf0
[ 138.980578] __asan_store4+0x76/0xa0
[ 138.984669] ntfs_set_ea+0x453/0xbf0
[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10
[ 138.993390] ? kernel_text_address+0xd3/0xe0
[ 138.998270] ? __kernel_text_address+0x16/0x50
[ 139.002121] ? unwind_get_return_address+0x3e/0x60
[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 139.010177] ? arch_stack_walk+0xa2/0x100
[ 139.013657] ? filter_irq_stacks+0x27/0x80
[ 139.017018] ntfs_setxattr+0x405/0x440
[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10
[ 139.026569] ? kvmalloc_node+0x2d/0x120
[ 139.030329] ? kasan_save_stack+0x41/0x60
[ 139.033883] ? kasan_save_stack+0x2a/0x60
[ 139.037338] ? kasan_set_track+0x29/0x40
[ 139.040163] ? kasan_save_alloc_info+0x1f/0x30
[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0
[ 139.047255] ? __kmalloc_node+0x68/0x150
[ 139.051264] ? kvmalloc_node+0x2d/0x120
[ 139.055301] ? vmemdup_user+0x2b/0xa0
[ 139.058584] __vfs_setxattr+0x121/0x170
[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10
[ 139.066282] __vfs_setxattr_noperm+0x97/0x300
[ 139.070061] __vfs_setxattr_locked+0x145/0x170
[ 139.073580] vfs_setxattr+0x137/0x2a0
[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10
[ 139.080223] ? __kasan_check_write+0x18/0x20
[ 139.084234] do_setxattr+0xce/0x150
[ 139.087768] setxattr+0x126/0x140
[ 139.091250] ? __pfx_setxattr+0x10/0x10
[ 139.094948] ? __virt_addr_valid+0xcb/0x140
[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330
[ 139.102688] ? debug_smp_processor_id+0x1b/0x30
[ 139.105985] ? kasan_quarantine_put+0x5b/0x190
[ 139.109980] ? putname+0x84/0xa0
[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0
[ 139.117961] ? putname+0x84/0xa0
[ 139.121316] ? preempt_count_sub+0x1c/0xd0
[ 139.124427] ? __mnt_want_write+0xae/0x100
[ 139.127836] ? mnt_want_write+0x8f/0x150
[ 139.130954] path_setxattr+0x164/0x180
[ 139.133998] ? __pfx_path_setxattr+0x10/0x10
[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10
[ 139.141299] ? debug_smp_processor_id+0x1b/0x30
[ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80
[ 139.150796] __x64_sys_setxattr+0x71/0x90
[ 139.155407] do_syscall_64+0x3f/0x90
[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 139.163843] RIP: 0033:0x7f108cae4469
[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc
[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469
[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6
[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618
[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0
[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15: 0000000000000000
Signed-off-by: Edward Lo <loyuantsung@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/xattr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
index 4a7753384b0e93..5016f0ef75d529 100644
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -140,6 +140,7 @@ static int ntfs_read_ea(struct ntfs_inode *ni, struct EA_FULL **ea,
memset(Add2Ptr(ea_p, size), 0, add_bytes);
+ err = -EINVAL;
/* Check all attributes for consistency. */
for (off = 0; off < size; off += ea_size) {
const struct EA_FULL *ef = Add2Ptr(ea_p, off);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 176/411] nfsd: dont ignore the return code of svc_proc_register()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 175/411] fs/ntfs3: Return error for inconsistent extended attributes Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 177/411] tap: free page on error paths in tap_get_user_xdp() Greg Kroah-Hartman
` (235 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e34ad04f27991521104c,
Jeff Layton, Chuck Lever, Vladislav Nikolaev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b upstream.
Currently, nfsd_proc_stat_init() ignores the return value of
svc_proc_register(). If the procfile creation fails, then the kernel
will WARN when it tries to remove the entry later.
Fix nfsd_proc_stat_init() to return the same type of pointer as
svc_proc_register(), and fix up nfsd_net_init() to check that and fail
the nfsd_net construction if it occurs.
svc_proc_register() can fail if the dentry can't be allocated, or if an
identical dentry already exists. The second case is pretty unlikely in
the nfsd_net construction codepath, so if this happens, return -ENOMEM.
Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
Cc: stable@vger.kernel.org # v6.9
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Vladislav Nikolaev <vlad102nikolaev@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfsctl.c | 9 ++++++++-
fs/nfsd/stats.c | 4 ++--
fs/nfsd/stats.h | 2 +-
3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index ba2eaf3744efa4..cc0dea883fbdb2 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1460,17 +1460,24 @@ static __net_init int nfsd_init_net(struct net *net)
retval = nfsd_stat_counters_init(nn);
if (retval)
goto out_repcache_error;
+
memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
nn->nfsd_svcstats.program = &nfsd_program;
+ if (!nfsd_proc_stat_init(net)) {
+ retval = -ENOMEM;
+ goto out_proc_error;
+ }
+
nn->nfsd_versions = NULL;
nn->nfsd4_minorversions = NULL;
nfsd4_init_leases_net(nn);
get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
seqlock_init(&nn->writeverf_lock);
- nfsd_proc_stat_init(net);
return 0;
+out_proc_error:
+ nfsd_stat_counters_destroy(nn);
out_repcache_error:
nfsd_idmap_shutdown(net);
out_idmap_error:
diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c
index 7a58dba0045c3b..6d1c6067c80e3b 100644
--- a/fs/nfsd/stats.c
+++ b/fs/nfsd/stats.c
@@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct nfsd_net *nn)
nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM);
}
-void nfsd_proc_stat_init(struct net *net)
+struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
{
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
}
void nfsd_proc_stat_shutdown(struct net *net)
diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h
index 14525e854cbac3..b9329285bc1d79 100644
--- a/fs/nfsd/stats.h
+++ b/fs/nfsd/stats.h
@@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct percpu_counter *counters, int num);
void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num);
int nfsd_stat_counters_init(struct nfsd_net *nn);
void nfsd_stat_counters_destroy(struct nfsd_net *nn);
-void nfsd_proc_stat_init(struct net *net);
+struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
void nfsd_proc_stat_shutdown(struct net *net);
static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 177/411] tap: free page on error paths in tap_get_user_xdp()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 176/411] nfsd: dont ignore the return code of svc_proc_register() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 178/411] tun: free page on build_skb failure in tun_xdp_one() Greg Kroah-Hartman
` (234 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
Willem de Bruijn, Jakub Kicinski, Harshit Mogalapalli,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 ]
tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.
Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().
Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendmsg()")
Fixes: ed7f2afdd0e0 ("tap: add missing verification for short frame")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260521163230.1478627-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/tap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index a08adca412b41a..3a91972485cc36 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1143,6 +1143,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
int err, depth;
if (unlikely(xdp->data_end - xdp->data < ETH_HLEN)) {
+ put_page(virt_to_head_page(xdp->data));
err = -EINVAL;
goto err;
}
@@ -1152,6 +1153,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
skb = build_skb(xdp->data_hard_start, buflen);
if (!skb) {
+ put_page(virt_to_head_page(xdp->data));
err = -ENOMEM;
goto err;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 178/411] tun: free page on build_skb failure in tun_xdp_one()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 177/411] tap: free page on error paths in tap_get_user_xdp() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 179/411] KVM: arm64: Remove VPIPT I-cache handling Greg Kroah-Hartman
` (233 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Dongli Zhang,
Willem de Bruijn, Jakub Kicinski, Harshit Mogalapalli,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit aa8963fdce667a42fb7f0bdd2909fadcab02f9a8 ]
When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.
Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.
Fixes: 043d222f93ab ("tuntap: accept an array of XDP buffs through sendmsg()")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260521163312.1479805-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit aa8963fdce667a42fb7f0bdd2909fadcab02f9a8)
[Harshit: Backport to 5.15.y/5.10.y, use err instead of ret, no change
needed]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/tun.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 803cb4722dbf4a..aad0760c8d92b7 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2468,6 +2468,7 @@ static int tun_xdp_one(struct tun_struct *tun,
build:
skb = build_skb(xdp->data_hard_start, buflen);
if (!skb) {
+ put_page(virt_to_head_page(xdp->data));
err = -ENOMEM;
goto out;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 179/411] KVM: arm64: Remove VPIPT I-cache handling
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 178/411] tun: free page on build_skb failure in tun_xdp_one() Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 180/411] arm64: tlb: Allow XZR argument to TLBI ops Greg Kroah-Hartman
` (232 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zenghui Yu, Anshuman Khandual,
Marc Zyngier, Mark Rutland, Will Deacon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
commit ced242ba9d7cb3571f6e0f165f643cb832d52148 upstream.
We have some special handling for VPIPT I-cache in critical parts
of the cache and TLB maintenance. Remove it.
Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20231204143606.1806432-2-maz@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: Backport to v5.15.y. VPIPT HW was never built; this is all dead code]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/kvm_mmu.h | 4 ++--
arch/arm64/kvm/hyp/nvhe/tlb.c | 35 --------------------------------
arch/arm64/kvm/hyp/vhe/tlb.c | 13 ------------
3 files changed, 2 insertions(+), 50 deletions(-)
diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h
index 02d37888774383..1733eb87c29fbb 100644
--- a/arch/arm64/include/asm/kvm_mmu.h
+++ b/arch/arm64/include/asm/kvm_mmu.h
@@ -207,8 +207,8 @@ static inline void __invalidate_icache_guest_page(void *va, size_t size)
if (icache_is_aliasing()) {
/* any kind of VIPT cache */
icache_inval_all_pou();
- } else if (is_kernel_in_hyp_mode() || !icache_is_vpipt()) {
- /* PIPT or VPIPT at EL2 (see comment in __kvm_tlb_flush_vmid_ipa) */
+ } else {
+ /* PIPT */
icache_inval_pou((unsigned long)va, (unsigned long)va + size);
}
}
diff --git a/arch/arm64/kvm/hyp/nvhe/tlb.c b/arch/arm64/kvm/hyp/nvhe/tlb.c
index d296d617f58963..291789df24e3ee 100644
--- a/arch/arm64/kvm/hyp/nvhe/tlb.c
+++ b/arch/arm64/kvm/hyp/nvhe/tlb.c
@@ -84,28 +84,6 @@ void __kvm_tlb_flush_vmid_ipa(struct kvm_s2_mmu *mmu,
dsb(ish);
isb();
- /*
- * If the host is running at EL1 and we have a VPIPT I-cache,
- * then we must perform I-cache maintenance at EL2 in order for
- * it to have an effect on the guest. Since the guest cannot hit
- * I-cache lines allocated with a different VMID, we don't need
- * to worry about junk out of guest reset (we nuke the I-cache on
- * VMID rollover), but we do need to be careful when remapping
- * executable pages for the same guest. This can happen when KSM
- * takes a CoW fault on an executable page, copies the page into
- * a page that was previously mapped in the guest and then needs
- * to invalidate the guest view of the I-cache for that page
- * from EL1. To solve this, we invalidate the entire I-cache when
- * unmapping a page from a guest if we have a VPIPT I-cache but
- * the host is running at EL1. As above, we could do better if
- * we had the VA.
- *
- * The moral of this story is: if you have a VPIPT I-cache, then
- * you should be running with VHE enabled.
- */
- if (icache_is_vpipt())
- icache_inval_all_pou();
-
__tlb_switch_to_host(&cxt);
}
@@ -144,18 +122,5 @@ void __kvm_flush_vm_context(void)
{
dsb(ishst);
__tlbi(alle1is);
-
- /*
- * VIPT and PIPT caches are not affected by VMID, so no maintenance
- * is necessary across a VMID rollover.
- *
- * VPIPT caches constrain lookup and maintenance to the active VMID,
- * so we need to invalidate lines with a stale VMID to avoid an ABA
- * race after multiple rollovers.
- *
- */
- if (icache_is_vpipt())
- asm volatile("ic ialluis");
-
dsb(ish);
}
diff --git a/arch/arm64/kvm/hyp/vhe/tlb.c b/arch/arm64/kvm/hyp/vhe/tlb.c
index 24cef9b87f9e9c..fc3fcd29ccc306 100644
--- a/arch/arm64/kvm/hyp/vhe/tlb.c
+++ b/arch/arm64/kvm/hyp/vhe/tlb.c
@@ -146,18 +146,5 @@ void __kvm_flush_vm_context(void)
{
dsb(ishst);
__tlbi(alle1is);
-
- /*
- * VIPT and PIPT caches are not affected by VMID, so no maintenance
- * is necessary across a VMID rollover.
- *
- * VPIPT caches constrain lookup and maintenance to the active VMID,
- * so we need to invalidate lines with a stale VMID to avoid an ABA
- * race after multiple rollovers.
- *
- */
- if (icache_is_vpipt())
- asm volatile("ic ialluis");
-
dsb(ish);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 180/411] arm64: tlb: Allow XZR argument to TLBI ops
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 179/411] KVM: arm64: Remove VPIPT I-cache handling Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 181/411] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Greg Kroah-Hartman
` (231 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Marc Zyngier, Oliver Upton, Ryan Roberts, Will Deacon,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit bfd9c931d19aa59fb8371d557774fa169b15db9a upstream.
The TLBI instruction accepts XZR as a register argument, and for TLBI
operations with a register argument, there is no functional difference
between using XZR or another GPR which contains zeroes. Operations
without a register argument are encoded as if XZR were used.
Allow the __TLBI_1() macro to use XZR when a register argument is all
zeroes.
Today this only results in a trivial code saving in
__do_compat_cache_op()'s workaround for Neoverse-N1 erratum #1542419. In
subsequent patches this pattern will be used more generally.
There should be no functional change as a result of this patch.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oupton@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Mark: Backport to v5.15.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/tlbflush.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
index 412a3b9a3c25dc..2626a45849c241 100644
--- a/arch/arm64/include/asm/tlbflush.h
+++ b/arch/arm64/include/asm/tlbflush.h
@@ -37,12 +37,12 @@
: : )
#define __TLBI_1(op, arg) asm (ARM64_ASM_PREAMBLE \
- "tlbi " #op ", %0\n" \
+ "tlbi " #op ", %x0\n" \
ALTERNATIVE("nop\n nop", \
- "dsb ish\n tlbi " #op ", %0", \
+ "dsb ish\n tlbi " #op ", %x0", \
ARM64_WORKAROUND_REPEAT_TLBI, \
CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \
- : : "r" (arg))
+ : : "rZ" (arg))
#define __TLBI_N(op, arg, n, ...) __TLBI_##n(op, arg)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 181/411] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 180/411] arm64: tlb: Allow XZR argument to TLBI ops Greg Kroah-Hartman
@ 2026-06-16 14:56 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 182/411] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
` (230 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Marc Zyngier, Oliver Upton, Ryan Roberts, Will Deacon,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit a8f78680ee6bf795086384e8aea159a52814f827 upstream.
The ARM64_WORKAROUND_REPEAT_TLBI workaround is used to mitigate several
errata where broadcast TLBI;DSB sequences don't provide all the
architecturally required synchronization. The workaround performs more
work than necessary, and can have significant overhead. This patch
optimizes the workaround, as explained below.
The workaround was originally added for Qualcomm Falkor erratum 1009 in
commit:
d9ff80f83ecb ("arm64: Work around Falkor erratum 1009")
As noted in the message for that commit, the workaround is applied even
in cases where it is not strictly necessary.
The workaround was later reused without changes for:
* Arm Cortex-A76 erratum #1286807
SDEN v33: https://developer.arm.com/documentation/SDEN-885749/33-0/
* Arm Cortex-A55 erratum #2441007
SDEN v16: https://developer.arm.com/documentation/SDEN-859338/1600/
* Arm Cortex-A510 erratum #2441009
SDEN v19: https://developer.arm.com/documentation/SDEN-1873351/1900/
The important details to note are as follows:
1. All relevant errata only affect the ordering and/or completion of
memory accesses which have been translated by an invalidated TLB
entry. The actual invalidation of TLB entries is unaffected.
2. The existing workaround is applied to both broadcast and local TLB
invalidation, whereas for all relevant errata it is only necessary to
apply a workaround for broadcast invalidation.
3. The existing workaround replaces every TLBI with a TLBI;DSB;TLBI
sequence, whereas for all relevant errata it is only necessary to
execute a single additional TLBI;DSB sequence after any number of
TLBIs are completed by a DSB.
For example, for a sequence of batched TLBIs:
TLBI <op1>[, <arg1>]
TLBI <op2>[, <arg2>]
TLBI <op3>[, <arg3>]
DSB ISH
... the existing workaround will expand this to:
TLBI <op1>[, <arg1>]
DSB ISH // additional
TLBI <op1>[, <arg1>] // additional
TLBI <op2>[, <arg2>]
DSB ISH // additional
TLBI <op2>[, <arg2>] // additional
TLBI <op3>[, <arg3>]
DSB ISH // additional
TLBI <op3>[, <arg3>] // additional
DSB ISH
... whereas it is sufficient to have:
TLBI <op1>[, <arg1>]
TLBI <op2>[, <arg2>]
TLBI <op3>[, <arg3>]
DSB ISH
TLBI <opX>[, <argX>] // additional
DSB ISH // additional
Using a single additional TBLI and DSB at the end of the sequence can
have significantly lower overhead as each DSB which completes a TLBI
must synchronize with other PEs in the system, with potential
performance effects both locally and system-wide.
4. The existing workaround repeats each specific TLBI operation, whereas
for all relevant errata it is sufficient for the additional TLBI to
use *any* operation which will be broadcast, regardless of which
translation regime or stage of translation the operation applies to.
For example, for a single TLBI:
TLBI ALLE2IS
DSB ISH
... the existing workaround will expand this to:
TLBI ALLE2IS
DSB ISH
TLBI ALLE2IS // additional
DSB ISH // additional
... whereas it is sufficient to have:
TLBI ALLE2IS
DSB ISH
TLBI VALE1IS, XZR // additional
DSB ISH // additional
As the additional TLBI doesn't have to match a specific earlier TLBI,
the additional TLBI can be implemented in separate code, with no
memory of the earlier TLBIs. The additional TLBI can also use a
cheaper TLBI operation.
5. The existing workaround is applied to both Stage-1 and Stage-2 TLB
invalidation, whereas for all relevant errata it is only necessary to
apply a workaround for Stage-1 invalidation.
Architecturally, TLBI operations which invalidate only Stage-2
information (e.g. IPAS2E1IS) are not required to invalidate TLB
entries which combine information from Stage-1 and Stage-2
translation table entries, and consequently may not complete memory
accesses translated by those combined entries. In these cases,
completion of memory accesses is only guaranteed after subsequent
invalidation of Stage-1 information (e.g. VMALLE1IS).
Taking the above points into account, this patch reworks the workaround
logic to reduce overhead:
* New __tlbi_sync_s1ish() and __tlbi_sync_s1ish_hyp() functions are
added and used in place of any dsb(ish) which is used to complete
broadcast Stage-1 TLB maintenance. When the
ARM64_WORKAROUND_REPEAT_TLBI workaround is enabled, these helpers will
execute an additional TLBI;DSB sequence.
For consistency, it might make sense to add __tlbi_sync_*() helpers
for local and stage 2 maintenance. For now I've left those with
open-coded dsb() to keep the diff small.
* The duplication of TLBIs in __TLBI_0() and __TLBI_1() is removed. This
is no longer needed as the necessary synchronization will happen in
__tlbi_sync_s1ish() or __tlbi_sync_s1ish_hyp().
* The additional TLBI operation is chosen to have minimal impact:
- __tlbi_sync_s1ish() uses "TLBI VALE1IS, XZR". This is only used at
EL1 or at EL2 with {E2H,TGE}=={1,1}, where it will target an unused
entry for the reserved ASID in the kernel's own translation regime,
and have no adverse affect.
- __tlbi_sync_s1ish_hyp() uses "TLBI VALE2IS, XZR". This is only used
in hyp code, where it will target an unused entry in the hyp code's
TTBR0 mapping, and should have no adverse effect.
* As __TLBI_0() and __TLBI_1() no longer replace each TLBI with a
TLBI;DSB;TLBI sequence, batching TLBIs is worthwhile, and there's no
need for arch_tlbbatch_should_defer() to consider
ARM64_WORKAROUND_REPEAT_TLBI.
When building defconfig with GCC 15.1.0, compared to v6.19-rc1, this
patch saves ~1KiB of text, makes the vmlinux ~42KiB smaller, and makes
the resulting Image 64KiB smaller:
| [mark@lakrids:~/src/linux]% size vmlinux-*
| text data bss dec hex filename
| 21179831 19660919 708216 41548966 279fca6 vmlinux-after
| 21181075 19660903 708216 41550194 27a0172 vmlinux-before
| [mark@lakrids:~/src/linux]% ls -l vmlinux-*
| -rwxr-xr-x 1 mark mark 157771472 Feb 4 12:05 vmlinux-after
| -rwxr-xr-x 1 mark mark 157815432 Feb 4 12:05 vmlinux-before
| [mark@lakrids:~/src/linux]% ls -l Image-*
| -rw-r--r-- 1 mark mark 41007616 Feb 4 12:05 Image-after
| -rw-r--r-- 1 mark mark 41073152 Feb 4 12:05 Image-before
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oupton@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Mark: Backport to v5.15.y; use inline ALTERNATIVE() sequence]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/tlbflush.h | 51 ++++++++++++++++++++++---------
arch/arm64/kernel/sys_compat.c | 2 +-
arch/arm64/kvm/hyp/nvhe/tlb.c | 6 ++--
arch/arm64/kvm/hyp/vhe/tlb.c | 6 ++--
4 files changed, 44 insertions(+), 21 deletions(-)
diff --git a/arch/arm64/include/asm/tlbflush.h b/arch/arm64/include/asm/tlbflush.h
index 2626a45849c241..cc6e47172f8fa7 100644
--- a/arch/arm64/include/asm/tlbflush.h
+++ b/arch/arm64/include/asm/tlbflush.h
@@ -30,18 +30,10 @@
*/
#define __TLBI_0(op, arg) asm (ARM64_ASM_PREAMBLE \
"tlbi " #op "\n" \
- ALTERNATIVE("nop\n nop", \
- "dsb ish\n tlbi " #op, \
- ARM64_WORKAROUND_REPEAT_TLBI, \
- CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \
: : )
#define __TLBI_1(op, arg) asm (ARM64_ASM_PREAMBLE \
"tlbi " #op ", %x0\n" \
- ALTERNATIVE("nop\n nop", \
- "dsb ish\n tlbi " #op ", %x0", \
- ARM64_WORKAROUND_REPEAT_TLBI, \
- CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \
: : "rZ" (arg))
#define __TLBI_N(op, arg, n, ...) __TLBI_##n(op, arg)
@@ -158,6 +150,37 @@ static inline unsigned long get_trans_granule(void)
#define __TLBI_RANGE_NUM(pages, scale) \
((((pages) >> (5 * (scale) + 1)) & TLBI_RANGE_MASK) - 1)
+#define __repeat_tlbi_sync(op, arg) \
+do { \
+ asm volatile( \
+ ALTERNATIVE("nop\n nop", \
+ "tlbi " #op ", %x0\n dsb ish", \
+ ARM64_WORKAROUND_REPEAT_TLBI, \
+ CONFIG_ARM64_WORKAROUND_REPEAT_TLBI) \
+ : \
+ : "rZ" (arg)); \
+} while (0)
+
+/*
+ * Complete broadcast TLB maintenance issued by the host which invalidates
+ * stage 1 information in the host's own translation regime.
+ */
+static inline void __tlbi_sync_s1ish(void)
+{
+ dsb(ish);
+ __repeat_tlbi_sync(vale1is, 0);
+}
+
+/*
+ * Complete broadcast TLB maintenance issued by hyp code which invalidates
+ * stage 1 translation information in any translation regime.
+ */
+static inline void __tlbi_sync_s1ish_hyp(void)
+{
+ dsb(ish);
+ __repeat_tlbi_sync(vale2is, 0);
+}
+
/*
* TLB Invalidation
* ================
@@ -239,7 +262,7 @@ static inline void flush_tlb_all(void)
{
dsb(ishst);
__tlbi(vmalle1is);
- dsb(ish);
+ __tlbi_sync_s1ish();
isb();
}
@@ -251,7 +274,7 @@ static inline void flush_tlb_mm(struct mm_struct *mm)
asid = __TLBI_VADDR(0, ASID(mm));
__tlbi(aside1is, asid);
__tlbi_user(aside1is, asid);
- dsb(ish);
+ __tlbi_sync_s1ish();
}
static inline void flush_tlb_page_nosync(struct vm_area_struct *vma,
@@ -269,7 +292,7 @@ static inline void flush_tlb_page(struct vm_area_struct *vma,
unsigned long uaddr)
{
flush_tlb_page_nosync(vma, uaddr);
- dsb(ish);
+ __tlbi_sync_s1ish();
}
/*
@@ -357,7 +380,7 @@ static inline void __flush_tlb_range(struct vm_area_struct *vma,
}
scale++;
}
- dsb(ish);
+ __tlbi_sync_s1ish();
}
static inline void flush_tlb_range(struct vm_area_struct *vma,
@@ -386,7 +409,7 @@ static inline void flush_tlb_kernel_range(unsigned long start, unsigned long end
dsb(ishst);
for (addr = start; addr < end; addr += 1 << (PAGE_SHIFT - 12))
__tlbi(vaale1is, addr);
- dsb(ish);
+ __tlbi_sync_s1ish();
isb();
}
@@ -400,7 +423,7 @@ static inline void __flush_tlb_kernel_pgtable(unsigned long kaddr)
dsb(ishst);
__tlbi(vaae1is, addr);
- dsb(ish);
+ __tlbi_sync_s1ish();
isb();
}
#endif
diff --git a/arch/arm64/kernel/sys_compat.c b/arch/arm64/kernel/sys_compat.c
index b88a52f7188fcc..416195f376816b 100644
--- a/arch/arm64/kernel/sys_compat.c
+++ b/arch/arm64/kernel/sys_compat.c
@@ -38,7 +38,7 @@ __do_compat_cache_op(unsigned long start, unsigned long end)
* We pick the reserved-ASID to minimise the impact.
*/
__tlbi(aside1is, __TLBI_VADDR(0, 0));
- dsb(ish);
+ __tlbi_sync_s1ish();
}
ret = caches_clean_inval_user_pou(start, start + chunk);
diff --git a/arch/arm64/kvm/hyp/nvhe/tlb.c b/arch/arm64/kvm/hyp/nvhe/tlb.c
index 291789df24e3ee..76973e3b48a076 100644
--- a/arch/arm64/kvm/hyp/nvhe/tlb.c
+++ b/arch/arm64/kvm/hyp/nvhe/tlb.c
@@ -81,7 +81,7 @@ void __kvm_tlb_flush_vmid_ipa(struct kvm_s2_mmu *mmu,
*/
dsb(ish);
__tlbi(vmalle1is);
- dsb(ish);
+ __tlbi_sync_s1ish_hyp();
isb();
__tlb_switch_to_host(&cxt);
@@ -97,7 +97,7 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)
__tlb_switch_to_guest(mmu, &cxt);
__tlbi(vmalls12e1is);
- dsb(ish);
+ __tlbi_sync_s1ish_hyp();
isb();
__tlb_switch_to_host(&cxt);
@@ -122,5 +122,5 @@ void __kvm_flush_vm_context(void)
{
dsb(ishst);
__tlbi(alle1is);
- dsb(ish);
+ __tlbi_sync_s1ish_hyp();
}
diff --git a/arch/arm64/kvm/hyp/vhe/tlb.c b/arch/arm64/kvm/hyp/vhe/tlb.c
index fc3fcd29ccc306..59aa22b48e9538 100644
--- a/arch/arm64/kvm/hyp/vhe/tlb.c
+++ b/arch/arm64/kvm/hyp/vhe/tlb.c
@@ -105,7 +105,7 @@ void __kvm_tlb_flush_vmid_ipa(struct kvm_s2_mmu *mmu,
*/
dsb(ish);
__tlbi(vmalle1is);
- dsb(ish);
+ __tlbi_sync_s1ish_hyp();
isb();
__tlb_switch_to_host(&cxt);
@@ -121,7 +121,7 @@ void __kvm_tlb_flush_vmid(struct kvm_s2_mmu *mmu)
__tlb_switch_to_guest(mmu, &cxt);
__tlbi(vmalls12e1is);
- dsb(ish);
+ __tlbi_sync_s1ish_hyp();
isb();
__tlb_switch_to_host(&cxt);
@@ -146,5 +146,5 @@ void __kvm_flush_vm_context(void)
{
dsb(ishst);
__tlbi(alle1is);
- dsb(ish);
+ __tlbi_sync_s1ish_hyp();
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 182/411] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-06-16 14:56 ` [PATCH 5.15 181/411] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 183/411] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
` (229 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanghyun Park, Steffen Klassert,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanghyun Park <sanghyun.park.cnu@gmail.com>
[ Upstream commit 7f2d76c9c03257c0782afef9d95321fa04096f60 ]
Fix the race by pruning the bin while still holding xfrm_policy_lock,
before dropping it. Use __xfrm_policy_inexact_prune_bin() directly since
the lock is already held. The wrapper xfrm_policy_inexact_prune_bin()
becomes unused and is removed.
Race:
CPU0 (XFRM_MSG_DELPOLICY) CPU1 (XFRM_MSG_NEWSPDINFO)
========================== ==========================
xfrm_policy_bysel_ctx():
spin_lock_bh(xfrm_policy_lock)
bin = xfrm_policy_inexact_lookup()
__xfrm_policy_unlink(pol)
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_kill(ret)
// wide window, lock not held
xfrm_hash_rebuild():
spin_lock_bh(xfrm_policy_lock)
__xfrm_policy_inexact_flush():
kfree_rcu(bin) // bin freed
spin_unlock_bh(xfrm_policy_lock)
xfrm_policy_inexact_prune_bin(bin)
// UAF: bin is freed
Fixes: 6be3b0db6db8 ("xfrm: policy: add inexact policy search tree infrastructure")
Signed-off-by: Sanghyun Park <sanghyun.park.cnu@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_policy.c | 13 ++-----------
1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6c52ba6cbb5b7e..d8348730e2d0e6 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1124,15 +1124,6 @@ static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool
}
}
-static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b)
-{
- struct net *net = read_pnet(&b->k.net);
-
- spin_lock_bh(&net->xfrm.xfrm_policy_lock);
- __xfrm_policy_inexact_prune_bin(b, false);
- spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
-}
-
static void __xfrm_policy_inexact_flush(struct net *net)
{
struct xfrm_pol_inexact_bin *bin, *t;
@@ -1720,12 +1711,12 @@ xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
}
ret = pol;
}
+ if (bin && delete)
+ __xfrm_policy_inexact_prune_bin(bin, false);
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
if (ret && delete)
xfrm_policy_kill(ret);
- if (bin && delete)
- xfrm_policy_inexact_prune_bin(bin);
return ret;
}
EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 183/411] netlabel: validate unlabeled address and mask attribute lengths
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 182/411] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 184/411] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
` (228 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenguang Zhao, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenguang Zhao <zhaochenguang@kylinos.cn>
[ Upstream commit 9772589b57e44aedc240211c5c3f7a684a034d3a ]
netlbl_unlabel_addrinfo_get() used the address attribute length to
determine whether the attribute data could be read as an IPv4 or IPv6
address, but did not independently validate the corresponding mask
attribute length. A crafted Generic Netlink request could therefore
provide a valid IPv4/IPv6 address attribute with a shorter mask
attribute, which would later be read as a full struct in_addr or
struct in6_addr.
NLA_BINARY policy lengths are maximum lengths by default, so use
NLA_POLICY_EXACT_LEN() for the unlabeled IPv4/IPv6 address and mask
attributes. This rejects short attributes during policy validation and
also exposes the exact length requirements through policy introspection.
Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections")
Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netlabel/netlabel_unlabeled.c | 30 ++++++++++--------------------
1 file changed, 10 insertions(+), 20 deletions(-)
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 566ba4397ee400..4c4b91ce446dfa 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -114,14 +114,14 @@ static struct genl_family netlbl_unlabel_gnl_family;
/* NetLabel Netlink attribute policy */
static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1] = {
[NLBL_UNLABEL_A_ACPTFLG] = { .type = NLA_U8 },
- [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NLA_BINARY,
- .len = sizeof(struct in6_addr) },
- [NLBL_UNLABEL_A_IPV6MASK] = { .type = NLA_BINARY,
- .len = sizeof(struct in6_addr) },
- [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NLA_BINARY,
- .len = sizeof(struct in_addr) },
- [NLBL_UNLABEL_A_IPV4MASK] = { .type = NLA_BINARY,
- .len = sizeof(struct in_addr) },
+ [NLBL_UNLABEL_A_IPV6ADDR] =
+ NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+ [NLBL_UNLABEL_A_IPV6MASK] =
+ NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+ [NLBL_UNLABEL_A_IPV4ADDR] =
+ NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
+ [NLBL_UNLABEL_A_IPV4MASK] =
+ NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
[NLBL_UNLABEL_A_IFACE] = { .type = NLA_NUL_STRING,
.len = IFNAMSIZ - 1 },
[NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
@@ -764,24 +764,14 @@ static int netlbl_unlabel_addrinfo_get(struct genl_info *info,
void **mask,
u32 *len)
{
- u32 addr_len;
-
if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
- addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
- if (addr_len != sizeof(struct in_addr) &&
- addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
- return -EINVAL;
- *len = addr_len;
+ *len = sizeof(struct in_addr);
*addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
*mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV4MASK]);
return 0;
} else if (info->attrs[NLBL_UNLABEL_A_IPV6ADDR]) {
- addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
- if (addr_len != sizeof(struct in6_addr) &&
- addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV6MASK]))
- return -EINVAL;
- *len = addr_len;
+ *len = sizeof(struct in6_addr);
*addr = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6ADDR]);
*mask = nla_data(info->attrs[NLBL_UNLABEL_A_IPV6MASK]);
return 0;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 184/411] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 183/411] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 185/411] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
` (227 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
[ Upstream commit a2171131ecda1ed61a594a1eb715e75fdad0fef5 ]
In qrtr_port_remove(), the socket reference count is decremented via
__sock_put() before the port is removed from the qrtr_ports XArray and
before the RCU grace period elapses.
This breaks the fundamental RCU update paradigm. It exposes a race
window where a concurrent RCU reader (such as qrtr_reset_ports() or
qrtr_port_lookup()) can obtain a pointer to the socket from the XArray,
and attempt to call sock_hold() on a socket whose reference count has
already dropped to zero.
This exact race condition was hit during syzkaller fuzzing, leading to
the following refcount saturation warning and a potential Use-After-Free:
refcount_t: saturated; leaking memory.
WARNING: CPU: 3 PID: 1273 at lib/refcount.c:22 refcount_warn_saturate+0xae/0x1d0
Modules linked in: qrtr(+) bochs drm_shmem_helper ...
Call Trace:
<TASK>
qrtr_reset_ports net/qrtr/af_qrtr.c:768 [inline] [qrtr]
__qrtr_bind.isra.0+0x48b/0x570 net/qrtr/af_qrtr.c:805 [qrtr]
qrtr_bind+0x17d/0x210 net/qrtr/af_qrtr.c:901 [qrtr]
kernel_bind+0xe4/0x120 net/socket.c:3592
qrtr_ns_init+0x1a6/0x380 net/qrtr/ns.c:715 [qrtr]
qrtr_proto_init+0x3b/0xff0 net/qrtr/af_qrtr.c:169 [qrtr]
do_one_initcall+0xf5/0x5e0 init/main.c:1283
...
</TASK>
Fix this by deferring the reference count decrement until after the
xa_erase() and the synchronize_rcu() complete.
(Note: The v1 of this patch incorrectly replaced __sock_put() with
sock_put(). As Simon Horman pointed out, the callers of qrtr_port_remove()
still hold a reference to the socket, so freeing the socket memory here
would lead to a subsequent UAF in the caller. Thus, the __sock_put() is
kept, but only repositioned to close the RCU race.)
Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260604064801.1180388-1-w15303746062@163.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/qrtr/af_qrtr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
index 431fd1f2b80c18..6f4b901afc330c 100644
--- a/net/qrtr/af_qrtr.c
+++ b/net/qrtr/af_qrtr.c
@@ -702,13 +702,13 @@ static void qrtr_port_remove(struct qrtr_sock *ipc)
if (port == QRTR_PORT_CTRL)
port = 0;
- __sock_put(&ipc->sk);
-
xa_erase(&qrtr_ports, port);
/* Ensure that if qrtr_port_lookup() did enter the RCU read section we
* wait for it to up increment the refcount */
synchronize_rcu();
+
+ __sock_put(&ipc->sk);
}
/* Assign port number to socket.
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 185/411] ipv6: sit: reload inner IPv6 header after GSO offloads
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 184/411] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 186/411] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
` (226 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Eric Dumazet,
syzbot+6eb9ca986d80f6f88cf9, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Zeng <kylebot@openai.com>
[ Upstream commit f0e42f0c4337b1f220de1ddd63f47197c7dee4de ]
ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function
entry and continues using it after iptunnel_handle_offloads().
For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone().
When the skb header is cloned, skb_header_unclone() can call
pskb_expand_head(), which may move the skb head. The pskb_expand_head()
contract requires pointers into the skb header to be reloaded after the
call.
If the later skb_realloc_headroom() branch is not taken, SIT uses the
stale iph6 pointer to read the inner hop limit and DS field. That can
read from a freed skb head after the old head's remaining clone is
released.
Reload iph6 after the offload helper succeeds and before subsequent
reads from the inner IPv6 header. Keep the existing reload after
skb_realloc_headroom(), since that branch can also replace the skb.
Fixes: 14909664e4e1 ("sit: Setup and TX path for sit/UDP foo-over-udp encapsulation")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+6eb9ca986d80f6f88cf9@syzkaller.appspotmail.com
Link: https://patch.msgid.link/20260605073448.6524-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/sit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 3bc02ab9ceaca0..bc5db4a9dbfaf1 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -971,6 +971,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
ip_rt_put(rt);
goto tx_error;
}
+ iph6 = ipv6_hdr(skb);
if (df) {
mtu = dst_mtu(&rt->dst) - t_hlen;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 186/411] net: openvswitch: fix possible kfree_skb of ERR_PTR
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 185/411] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 187/411] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
` (225 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Moreno, Aaron Conole,
Eelco Chaudron, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Moreno <amorenoz@redhat.com>
[ Upstream commit ee30dd2909d8b98619f4341c70ec8dc8e155ab02 ]
After the patch in the "Fixes" tag, the allocation of the "reply" skb
can happen either before or after locking the ovs_mutex.
However, error cleanups still follow the classical reversed order,
assuming "reply" is allocated before locking: it is freed after unlocking.
If "reply" allocation happens after locking the mutex and it fails,
"reply" is left with an ERR_PTR, and execution jumps to the correspondent
cleanup stage which will try to free an invalid pointer.
Fix this by setting the pointer to NULL after having saved its error
value.
Fixes: 893f139b9a6c ("openvswitch: Minimize ovs_flow_cmd_new|set critical sections.")
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Link: https://patch.msgid.link/20260604121946.942164-1-amorenoz@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 16ee704bab04db..0202111cda3531 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1261,6 +1261,7 @@ static int ovs_flow_cmd_set(struct sk_buff *skb, struct genl_info *info)
if (IS_ERR(reply)) {
error = PTR_ERR(reply);
+ reply = NULL;
goto err_unlock_ovs;
}
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 187/411] sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 186/411] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 188/411] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
` (224 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Xin Long,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit f8373d7090b745728de66308deeecc67e8d319ce ]
__sctp_rcv_asconf_lookup() in net/sctp/input.c only checks that the ASCONF
chunk can hold the ADDIP header and a parameter header, then calls
af->from_addr_param(), which reads the full address (16 bytes for IPv6)
trusting the parameter's declared length.
An unauthenticated peer can send a truncated trailing ASCONF chunk that
declares an IPv6 address parameter but stops after the 4-byte parameter
header; reached from the no-association lookup path, from_addr_param() then
reads uninitialized bytes past the parameter.
Impact: an unauthenticated SCTP peer makes the receive path read up to 16
bytes of uninitialized memory past a truncated ASCONF address parameter.
The sibling __sctp_rcv_init_lookup() bounds parameters with
sctp_walk_params(); this path open-codes the fetch and omits the bound.
Verify the whole address parameter lies within the chunk before
from_addr_param() reads it, the same class of fix as commit 51e5ad549c43
("net: sctp: fix KMSAN uninit-value in sctp_inq_pop").
Fixes: df2185771439 ("[SCTP]: Update association lookup to look at ASCONF chunks as well")
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260608122234.459098-1-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/input.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 182898cb754a52..70530cbe57d0a7 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1197,6 +1197,14 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
/* Skip over the ADDIP header and find the Address parameter */
param = (union sctp_addr_param *)(asconf + 1);
+ /* The whole address parameter must lie within the chunk before
+ * af->from_addr_param() reads the variable-length address; otherwise a
+ * truncated trailing ASCONF chunk lets it read uninitialized bytes past
+ * the parameter.
+ */
+ if (sizeof(*asconf) + ntohs(param->p.length) > ntohs(ch->length))
+ return NULL;
+
af = sctp_get_af_specific(param_type2af(param->p.type));
if (unlikely(!af))
return NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 188/411] net: guard timestamp cmsgs to real error queue skbs
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 187/411] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 189/411] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
` (223 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Kuniyuki Iwashima,
Willem de Bruijn, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Zeng <kylebot@openai.com>
[ Upstream commit 1ee90b77b727df903033db873c75caac5c27ec98 ]
skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
from sk_error_queue. That assumption is not true for AF_PACKET sockets:
outgoing packet taps are also delivered to packet sockets with
skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
instead of struct sock_exterr_skb.
If such an skb is received with timestamping enabled, the generic
timestamp cmsg path can read AF_PACKET control-buffer state as
sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
counter overlaps opt_stats. An odd drop count makes the path emit
SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
skbs this copies past the linear head and can trigger hardened usercopy or
disclose adjacent heap contents.
Keep skb_is_err_queue() local to net/socket.c, but make it verify that
the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
receive ownership and no longer pass as error-queue skbs, while legitimate
sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
ownership.
Fixes: 8605330aac5a ("tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260607021819.49698-1-kylebot@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 1 +
net/core/skbuff.c | 6 +++---
net/socket.c | 11 ++++++-----
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index ee9c398dd8f25e..962acf4a644da9 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1868,6 +1868,7 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size,
gfp_t priority);
void skb_orphan_partial(struct sk_buff *skb);
void sock_rfree(struct sk_buff *skb);
+void sock_rmem_free(struct sk_buff *skb);
void sock_efree(struct sk_buff *skb);
#ifdef CONFIG_INET
void sock_edemux(struct sk_buff *skb);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a8d09eff26f11c..1d3784480834bb 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4814,7 +4814,7 @@ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
}
EXPORT_SYMBOL_GPL(skb_cow_data);
-static void sock_rmem_free(struct sk_buff *skb)
+void sock_rmem_free(struct sk_buff *skb)
{
struct sock *sk = skb->sk;
@@ -4823,8 +4823,8 @@ static void sock_rmem_free(struct sk_buff *skb)
static void skb_set_err_queue(struct sk_buff *skb)
{
- /* pkt_type of skbs received on local sockets is never PACKET_OUTGOING.
- * So, it is safe to (mis)use it to mark skbs on the error queue.
+ /* The error-queue test in skb_is_err_queue() matches this marker
+ * with the sock_rmem_free destructor installed by sock_queue_err_skb().
*/
skb->pkt_type = PACKET_OUTGOING;
BUILD_BUG_ON(PACKET_OUTGOING == 0);
diff --git a/net/socket.c b/net/socket.c
index f3d0a8d66cceee..cc7ba4702d1380 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -795,12 +795,13 @@ EXPORT_SYMBOL(kernel_sendmsg_locked);
static bool skb_is_err_queue(const struct sk_buff *skb)
{
- /* pkt_type of skbs enqueued on the error queue are set to
- * PACKET_OUTGOING in skb_set_err_queue(). This is only safe to do
- * in recvmsg, since skbs received on a local socket will never
- * have a pkt_type of PACKET_OUTGOING.
+ /* Error-queue skbs are marked as PACKET_OUTGOING in
+ * skb_set_err_queue() and use the destructor installed by
+ * sock_queue_err_skb(). PACKET_OUTGOING alone is not unique:
+ * AF_PACKET outgoing taps use the same pkt_type.
*/
- return skb->pkt_type == PACKET_OUTGOING;
+ return skb->pkt_type == PACKET_OUTGOING &&
+ skb->destructor == sock_rmem_free;
}
/* On transmit, software and hardware timestamps are returned independently.
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 189/411] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 188/411] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 190/411] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
` (222 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi,
Allison Henderson, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 34080db3e70ddf94c38512ad2331e3c3afca6cc1 ]
rds_ib_xmit_atomic() always programs a masked atomic opcode
(IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD)
for every RDS atomic cmsg. But the completion-side switch in
rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked
atomic completion falls through to default and returns rm == NULL while
send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the
NULL rm via rm->m_final_op, oopsing in softirq context. An unprivileged
AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection
triggers it; on hardware that natively accepts masked atomics (mlx4,
mlx5) no extra setup is needed.
RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR!
Oops: general protection fault [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197]
RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282)
Call Trace:
<IRQ>
rds_ib_send_cqe_handler (net/rds/ib_send.c:282)
poll_scq (net/rds/ib_cm.c:274)
rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294)
tasklet_action_common (kernel/softirq.c:943)
handle_softirqs (kernel/softirq.c:573)
run_ksoftirqd (kernel/softirq.c:479)
</IRQ>
Kernel panic - not syncing: Fatal exception in interrupt
Handle the masked atomic opcodes in the same case as the non-masked
ones: they map to the same struct rds_message.atomic union member, so
the existing container_of()/rds_ib_send_unmap_atomic() body is correct
for them.
Fixes: 20c72bd5f5f9 ("RDS: Implement masked atomic operations")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260606192447.1179255-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/ib_send.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index 4190b90ff3b18a..1909cd440a4b66 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -170,6 +170,8 @@ static struct rds_message *rds_ib_send_unmap_op(struct rds_ib_connection *ic,
break;
case IB_WR_ATOMIC_FETCH_AND_ADD:
case IB_WR_ATOMIC_CMP_AND_SWP:
+ case IB_WR_MASKED_ATOMIC_FETCH_AND_ADD:
+ case IB_WR_MASKED_ATOMIC_CMP_AND_SWP:
if (send->s_op) {
rm = container_of(send->s_op, struct rds_message, atomic);
rds_ib_send_unmap_atomic(ic, send->s_op, wc_status);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 190/411] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 189/411] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 191/411] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
` (221 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Steffen Klassert,
Nicolas Dichtel, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9 ]
In vti6_tnl_lookup(), when an exact match for a tunnel fails,
the code falls back to searching for wildcard tunnels:
- Tunnels matching the packet's local address, with any remote address
wildcard remote).
- Tunnels matching the packet's remote address, with any local address
(wildcard local).
However, vti6 stores all these different types of tunnels in the same
hash table (ip6n->tnls_r_l) prone to hash collisions.
The bug is that the fallback search loops in vti6_tnl_lookup() were
missing checks to ensure that the candidate tunnel actually has
a wildcard address.
Fixes: fbe68ee87522 ("vti6: Add a lookup method for tunnels with wildcard endpoints.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Reviewed-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Link: https://patch.msgid.link/20260608164613.933023-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_vti.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 4f5093b36b3e36..077aae4b1bb332 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -105,6 +105,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
hash = HASH(&any, local);
for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
if (ipv6_addr_equal(local, &t->parms.laddr) &&
+ ipv6_addr_any(&t->parms.raddr) &&
(t->dev->flags & IFF_UP))
return t;
}
@@ -112,6 +113,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,
hash = HASH(remote, &any);
for_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {
if (ipv6_addr_equal(remote, &t->parms.raddr) &&
+ ipv6_addr_any(&t->parms.laddr) &&
(t->dev->flags & IFF_UP))
return t;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 191/411] rds: mark snapshot pages dirty in rds_info_getsockopt()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 190/411] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 192/411] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
` (220 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Allison Henderson,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 512db8267b73a220a64180d95ab5eebe7c4964a8 ]
rds_info_getsockopt() pins the destination user pages with FOLL_WRITE and
the RDS_INFO_* producers memcpy the snapshot into them through
kmap_atomic(). Because that copy goes through the kernel direct map, the
dirty bit on the user PTE is never set, so unpin_user_pages() releases the
pages without marking them dirty. A file-backed destination page can then
be reclaimed without writeback, silently discarding the copied data.
Use unpin_user_pages_dirty_lock() with make_dirty=true so the modified
pages are marked dirty before they are unpinned.
Fixes: a8c879a7ee98 ("RDS: Info and stats")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/20260608-rds_fix-v1-1-006c88543408@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rds/info.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rds/info.c b/net/rds/info.c
index b6b46a8214a0a5..b3ee5f8238c44d 100644
--- a/net/rds/info.c
+++ b/net/rds/info.c
@@ -235,7 +235,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
out:
if (pages)
- unpin_user_pages(pages, nr_pages);
+ unpin_user_pages_dirty_lock(pages, nr_pages, true);
kfree(pages);
return ret;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 192/411] netfilter: x_tables: avoid leaking percpu counter pointers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 191/411] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 193/411] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
` (219 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Pablo Neira Ayuso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Zeng <kylebot@openai.com>
[ Upstream commit f7f2fbb0e893a0238dc464f8d8c0f5609bec584f ]
The native and compat get-entries paths copy the fixed rule entry header
from the kernelized rule blob to userspace before overwriting the entry's
counter fields with a sanitized counter snapshot.
On SMP kernels, entry->counters.pcnt contains the percpu allocation
address used by x_tables rule counters. A caller can provide a userspace
buffer that faults during the initial fixed-header copy after pcnt has
been copied but before the later sanitized counter copy runs. The syscall
then returns -EFAULT while leaving the raw percpu pointer in userspace.
Copy only the fixed entry prefix before counters from the kernelized rule
blob, then copy the sanitized counter snapshot into the counter field.
Apply this ordering to the IPv4, IPv6, and ARP native and compat
get-entries implementations so a fault cannot expose the internal percpu
counter pointer.
Fixes: 71ae0dff02d7 ("netfilter: xtables: use percpu rule counters")
Signed-off-by: Kyle Zeng <kylebot@openai.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/arp_tables.c | 15 ++++++---------
net/ipv4/netfilter/ip_tables.c | 15 ++++++---------
net/ipv6/netfilter/ip6_tables.c | 15 ++++++---------
3 files changed, 18 insertions(+), 27 deletions(-)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 92bc90ee767484..2c39529769f19a 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -701,14 +701,12 @@ static int copy_entries_to_user(unsigned int total_size,
const struct xt_entry_target *t;
e = loc_cpu_entry + off;
- if (copy_to_user(userptr + off, e, sizeof(*e))) {
- ret = -EFAULT;
- goto free_counters;
- }
- if (copy_to_user(userptr + off
+ if (copy_to_user(userptr + off, e,
+ offsetof(struct arpt_entry, counters)) ||
+ copy_to_user(userptr + off
+ offsetof(struct arpt_entry, counters),
&counters[num],
- sizeof(counters[num])) != 0) {
+ sizeof(counters[num]))) {
ret = -EFAULT;
goto free_counters;
}
@@ -1326,9 +1324,8 @@ static int compat_copy_entry_to_user(struct arpt_entry *e, void __user **dstptr,
origsize = *size;
ce = *dstptr;
- if (copy_to_user(ce, e, sizeof(struct arpt_entry)) != 0 ||
- copy_to_user(&ce->counters, &counters[i],
- sizeof(counters[i])) != 0)
+ if (copy_to_user(ce, e, offsetof(struct compat_arpt_entry, counters)) ||
+ copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
return -EFAULT;
*dstptr += sizeof(struct compat_arpt_entry);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index aee7cd584c9262..15a9e303a15317 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -833,14 +833,12 @@ copy_entries_to_user(unsigned int total_size,
const struct xt_entry_target *t;
e = loc_cpu_entry + off;
- if (copy_to_user(userptr + off, e, sizeof(*e))) {
- ret = -EFAULT;
- goto free_counters;
- }
- if (copy_to_user(userptr + off
+ if (copy_to_user(userptr + off, e,
+ offsetof(struct ipt_entry, counters)) ||
+ copy_to_user(userptr + off
+ offsetof(struct ipt_entry, counters),
&counters[num],
- sizeof(counters[num])) != 0) {
+ sizeof(counters[num]))) {
ret = -EFAULT;
goto free_counters;
}
@@ -1229,9 +1227,8 @@ compat_copy_entry_to_user(struct ipt_entry *e, void __user **dstptr,
origsize = *size;
ce = *dstptr;
- if (copy_to_user(ce, e, sizeof(struct ipt_entry)) != 0 ||
- copy_to_user(&ce->counters, &counters[i],
- sizeof(counters[i])) != 0)
+ if (copy_to_user(ce, e, offsetof(struct compat_ipt_entry, counters)) ||
+ copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
return -EFAULT;
*dstptr += sizeof(struct compat_ipt_entry);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index afd22ea9f555ba..f2de34f0de239c 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -850,14 +850,12 @@ copy_entries_to_user(unsigned int total_size,
const struct xt_entry_target *t;
e = loc_cpu_entry + off;
- if (copy_to_user(userptr + off, e, sizeof(*e))) {
- ret = -EFAULT;
- goto free_counters;
- }
- if (copy_to_user(userptr + off
+ if (copy_to_user(userptr + off, e,
+ offsetof(struct ip6t_entry, counters)) ||
+ copy_to_user(userptr + off
+ offsetof(struct ip6t_entry, counters),
&counters[num],
- sizeof(counters[num])) != 0) {
+ sizeof(counters[num]))) {
ret = -EFAULT;
goto free_counters;
}
@@ -1246,9 +1244,8 @@ compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
origsize = *size;
ce = *dstptr;
- if (copy_to_user(ce, e, sizeof(struct ip6t_entry)) != 0 ||
- copy_to_user(&ce->counters, &counters[i],
- sizeof(counters[i])) != 0)
+ if (copy_to_user(ce, e, offsetof(struct compat_ip6t_entry, counters)) ||
+ copy_to_user(&ce->counters, &counters[i], sizeof(counters[i])))
return -EFAULT;
*dstptr += sizeof(struct compat_ip6t_entry);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 193/411] netfilter: nf_log: validate MAC header was set before dumping it
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 192/411] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 194/411] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
` (218 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Weiming Shi, Xiang Mei,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit a84b6fedbc97078788be78dbdd7517d143ad1a77 ]
The fallback path of dump_mac_header() guards the MAC header access
only with "skb->mac_header != skb->network_header", without checking
skb_mac_header_was_set(). When the MAC header is unset, mac_header is
0xffff, so the test passes and skb_mac_header(skb) returns
skb->head + 0xffff, ~64 KiB past the buffer; the loop then reads
dev->hard_header_len bytes out of bounds into the kernel log.
This is reachable via the netdev logger: nf_log_unknown_packet() calls
dump_mac_header() unconditionally, and an skb sent through AF_PACKET
with PACKET_QDISC_BYPASS reaches the egress hook with mac_header still
unset (__dev_queue_xmit(), which would reset it, is bypassed).
Add the skb_mac_header_was_set() check the ARPHRD_ETHER path already
uses, and replace the open-coded MAC header length test with
skb_mac_header_len(). Only skbs with an unset MAC header are affected;
valid ones are dumped as before.
BUG: KASAN: slab-out-of-bounds in dump_mac_header (net/netfilter/nf_log_syslog.c:831)
Read of size 1 at addr ffff88800ea49d3f by task exploit/148
Call Trace:
kasan_report (mm/kasan/report.c:595)
dump_mac_header (net/netfilter/nf_log_syslog.c:831)
nf_log_netdev_packet (net/netfilter/nf_log_syslog.c:938 net/netfilter/nf_log_syslog.c:963)
nf_log_packet (net/netfilter/nf_log.c:260)
nft_log_eval (net/netfilter/nft_log.c:60)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_netdev (net/netfilter/nft_chain_filter.c:307)
nf_hook_slow (net/netfilter/core.c:619)
nf_hook_direct_egress (net/packet/af_packet.c:257)
packet_xmit (net/packet/af_packet.c:280)
packet_sendmsg (net/packet/af_packet.c:3114)
__sys_sendto (net/socket.c:2265)
Fixes: 7eb9282cd0ef ("netfilter: ipt_LOG/ip6t_LOG: add option to print decoded MAC header")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_log_syslog.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_log_syslog.c b/net/netfilter/nf_log_syslog.c
index 7000e069bc0760..2b0edb22ba511b 100644
--- a/net/netfilter/nf_log_syslog.c
+++ b/net/netfilter/nf_log_syslog.c
@@ -793,8 +793,8 @@ static void dump_ipv4_mac_header(struct nf_log_buf *m,
fallback:
nf_log_buf_add(m, "MAC=");
- if (dev->hard_header_len &&
- skb->mac_header != skb->network_header) {
+ if (dev->hard_header_len && skb_mac_header_was_set(skb) &&
+ skb_mac_header_len(skb) != 0) {
const unsigned char *p = skb_mac_header(skb);
unsigned int i;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 194/411] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 193/411] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 195/411] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
` (217 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Zhou, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 772cecf198da732faebb5dcfc46d66a505be8495 ]
nft_exthdr_init() passes user-controlled priv->len to
nft_parse_register_store(), which marks that many bytes in the
register bitmap as initialized. However, when NFT_EXTHDR_F_PRESENT
is set, the eval paths write only 1 byte (nft_reg_store8) or
4 bytes (*dest = 0 on TCP/DCCP error path). When len > 4,
registers beyond the first are never written, retaining
uninitialized stack data from nft_regs.
Bail out if userspace requests too much data when F_PRESENT is set.
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_exthdr.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 7c2931e024bb05..e8978a0aa7408f 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -454,6 +454,9 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
return err;
}
+ if ((flags & NFT_EXTHDR_F_PRESENT) && len != 1)
+ return -EINVAL;
+
priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
priv->offset = offset;
priv->len = len;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 195/411] net: mvpp2: sync RX data at the hardware packet offset
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 194/411] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 196/411] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
` (216 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Til Kaiser <mail@tk154.de>
[ Upstream commit 180235600934bef6add3be637c296d6cf3272e67 ]
mvpp2 programs the RX queue packet offset, so hardware writes received
data at dma_addr + MVPP2_SKB_HEADROOM. The current CPU sync starts at
dma_addr and only covers rx_bytes + MVPP2_MH_SIZE bytes, which syncs the
unused headroom and misses the same number of bytes at the packet tail.
On non-coherent DMA systems this can leave the CPU reading stale cache
contents for the end of the received frame.
Use dma_sync_single_range_for_cpu() with MVPP2_SKB_HEADROOM as the range
offset so the sync covers the Marvell header and packet data actually
written by hardware.
Fixes: e1921168bbd4 ("mvpp2: sync only the received frame")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-2-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index fdfdd55fdb1dcf..ad6325c80f9868 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3945,9 +3945,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
dma_dir = DMA_FROM_DEVICE;
}
- dma_sync_single_for_cpu(dev->dev.parent, dma_addr,
- rx_bytes + MVPP2_MH_SIZE,
- dma_dir);
+ dma_sync_single_range_for_cpu(dev->dev.parent, dma_addr,
+ MVPP2_SKB_HEADROOM,
+ rx_bytes + MVPP2_MH_SIZE,
+ dma_dir);
/* Buffer header not supported */
if (rx_status & MVPP2_RXD_BUF_HDR)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 196/411] net: mvpp2: limit XDP frame size to the RX buffer
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 195/411] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 197/411] net: mvpp2: Add metadata support for xdp mode Greg Kroah-Hartman
` (215 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Til Kaiser <mail@tk154.de>
[ Upstream commit f3c6aa078927e6fe8121c9c591ddee8716c5305a ]
mvpp2 has short and long BM pools, and short pool buffers can be smaller
than PAGE_SIZE. The XDP path nevertheless initializes every xdp_buff with
PAGE_SIZE as frame size.
XDP helpers use frame_sz to validate tail growth and to derive the hard
end of the data area. Advertising PAGE_SIZE for short buffers can let
bpf_xdp_adjust_tail() grow a packet past the real allocation, corrupting
memory or later tripping skb tailroom checks.
Initialize the XDP buffer with bm_pool->frag_size so XDP tailroom matches
the actual buffer backing the packet.
Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-3-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index ad6325c80f9868..d8a2268b88187a 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3978,7 +3978,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
else
xdp_rxq = &rxq->xdp_rxq_long;
- xdp_init_buff(&xdp, PAGE_SIZE, xdp_rxq);
+ xdp_init_buff(&xdp, bm_pool->frag_size, xdp_rxq);
xdp_prepare_buff(&xdp, data,
MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM,
rx_bytes, false);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 197/411] net: mvpp2: Add metadata support for xdp mode
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 196/411] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 198/411] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
` (214 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Kubiak, Lorenzo Bianconi,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 9a45e193c88a55a536d7fd0ebfa29823d588c2cf ]
Set metadata size building the skb from xdp_buff in mvpp2 driver
mvpp2 driver sets xdp headroom to:
MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM
where
MVPP2_MH_SIZE 2
MVPP2_SKB_HEADROOM min(max(XDP_PACKET_HEADROOM, NET_SKB_PAD), 224)
so the headroom is large enough to contain xdp_frame and xdp metadata.
Please note this patch is just compiled tested.
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20250318-mvneta-xdp-meta-v2-2-b6075778f61f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 77a6b90ce56b ("net: mvpp2: build skb from XDP-adjusted data on XDP_PASS")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index d8a2268b88187a..d55c3f1526c38b 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3912,13 +3912,13 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
while (rx_done < rx_todo) {
struct mvpp2_rx_desc *rx_desc = mvpp2_rxq_next_desc_get(rxq);
+ u32 rx_status, timestamp, metasize = 0;
struct mvpp2_bm_pool *bm_pool;
struct page_pool *pp = NULL;
struct sk_buff *skb;
unsigned int frag_size;
dma_addr_t dma_addr;
phys_addr_t phys_addr;
- u32 rx_status, timestamp;
int pool, rx_bytes, err, ret;
struct page *page;
void *data;
@@ -3981,7 +3981,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
xdp_init_buff(&xdp, bm_pool->frag_size, xdp_rxq);
xdp_prepare_buff(&xdp, data,
MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM,
- rx_bytes, false);
+ rx_bytes, true);
ret = mvpp2_run_xdp(port, xdp_prog, &xdp, pp, &ps);
@@ -3997,6 +3997,8 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
ps.rx_bytes += rx_bytes;
continue;
}
+
+ metasize = xdp.data - xdp.data_meta;
}
skb = build_skb(data, frag_size);
@@ -4033,6 +4035,8 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
skb_reserve(skb, MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM);
skb_put(skb, rx_bytes);
+ if (metasize)
+ skb_metadata_set(skb, metasize);
skb->ip_summed = mvpp2_rx_csum(port, rx_status);
skb->protocol = eth_type_trans(skb, dev);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 198/411] net: mvpp2: refill RX buffers before XDP or skb use
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 197/411] net: mvpp2: Add metadata support for xdp mode Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 199/411] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
` (213 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Til Kaiser <mail@tk154.de>
[ Upstream commit 5e8e2a9624df72fca7c736b2966b2cbf6c9c3ff6 ]
The RX error path returns the current descriptor buffer to the hardware
BM pool. That is only valid while the driver still owns the buffer.
mvpp2_rx_refill() can fail after the current buffer has been handed to
XDP or attached to an skb. In those cases mvpp2_run_xdp() may have
recycled, redirected, or queued the page for XDP_TX, and an skb free also
retires the data buffer. Returning such a buffer to BM lets hardware DMA
into memory that is no longer owned by the RX ring.
Refill the BM pool before handing the current buffer to XDP or to the
skb. If the allocation fails there, drop the packet and return the
still-owned current buffer to BM, preserving the pool depth. Once the
refill succeeds, later local drops retire/free the current buffer instead
of returning it to BM.
Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Fixes: d6526926de73 ("net: mvpp2: fix memory leak in mvpp2_rx")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-4-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 77a6b90ce56b ("net: mvpp2: build skb from XDP-adjusted data on XDP_PASS")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/marvell/mvpp2/mvpp2_main.c | 43 +++++++++++--------
1 file changed, 24 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index d55c3f1526c38b..04002548a46327 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3970,6 +3970,12 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
else
frag_size = bm_pool->frag_size;
+ err = mvpp2_rx_refill(port, bm_pool, pp, pool);
+ if (err) {
+ netdev_err(port->dev, "failed to refill BM pools\n");
+ goto err_drop_frame;
+ }
+
if (xdp_prog) {
struct xdp_rxq_info *xdp_rxq;
@@ -3987,12 +3993,6 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
if (ret) {
xdp_ret |= ret;
- err = mvpp2_rx_refill(port, bm_pool, pp, pool);
- if (err) {
- netdev_err(port->dev, "failed to refill BM pools\n");
- goto err_drop_frame;
- }
-
ps.rx_packets++;
ps.rx_bytes += rx_bytes;
continue;
@@ -4004,8 +4004,21 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
skb = build_skb(data, frag_size);
if (!skb) {
netdev_warn(port->dev, "skb build failed\n");
- goto err_drop_frame;
+ if (pp) {
+ page_pool_put_page(pp, virt_to_head_page(data),
+ rx_bytes + MVPP2_MH_SIZE,
+ true);
+ } else {
+ dma_unmap_single_attrs(dev->dev.parent, dma_addr,
+ bm_pool->buf_size,
+ DMA_FROM_DEVICE,
+ DMA_ATTR_SKIP_CPU_SYNC);
+ mvpp2_frag_free(bm_pool, pp, data);
+ }
+ goto err_drop_frame_retired;
}
+ if (pp)
+ skb_mark_for_recycle(skb);
/* If we have RX hardware timestamping enabled, grab the
* timestamp from the queue and convert.
@@ -4016,16 +4029,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
skb_hwtstamps(skb));
}
- err = mvpp2_rx_refill(port, bm_pool, pp, pool);
- if (err) {
- netdev_err(port->dev, "failed to refill BM pools\n");
- dev_kfree_skb_any(skb);
- goto err_drop_frame;
- }
-
- if (pp)
- skb_mark_for_recycle(skb);
- else
+ if (!pp)
dma_unmap_single_attrs(dev->dev.parent, dma_addr,
bm_pool->buf_size, DMA_FROM_DEVICE,
DMA_ATTR_SKIP_CPU_SYNC);
@@ -4044,13 +4048,14 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
continue;
err_drop_frame:
- dev->stats.rx_errors++;
- mvpp2_rx_error(port, rx_desc);
/* Return the buffer to the pool */
if (rx_status & MVPP2_RXD_BUF_HDR)
mvpp2_buff_hdr_pool_put(port, rx_desc, pool, rx_status);
else
mvpp2_bm_pool_put(port, pool, dma_addr, phys_addr);
+err_drop_frame_retired:
+ dev->stats.rx_errors++;
+ mvpp2_rx_error(port, rx_desc);
}
if (xdp_ret & MVPP2_XDP_REDIR)
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 199/411] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 198/411] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 200/411] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
` (212 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Til Kaiser, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Til Kaiser <mail@tk154.de>
[ Upstream commit 77a6b90ce56bc982dcfa94229b8e28e6abb16e95 ]
When an XDP program uses bpf_xdp_adjust_head() or bpf_xdp_adjust_tail()
and then returns XDP_PASS, mvpp2 still builds the skb from fixed offsets
derived from the original RX descriptor. Packet geometry changes made by
the XDP program are therefore discarded before the skb reaches the stack.
Update rx_offset and rx_bytes from xdp.data and xdp.data_end for
XDP_PASS. This makes skb_reserve() and skb_put() reflect the packet seen
by XDP, and makes RX byte accounting for XDP_PASS follow the length of the
skb passed to the network stack.
Keep a separate rx_sync_size for page-pool recycling on skb allocation
failure, which must stay tied to the received buffer range.
Non-PASS verdicts continue to account the descriptor length because no skb
is passed up in those cases.
Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://patch.msgid.link/20260607134943.21996-5-mail@tk154.de
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/marvell/mvpp2/mvpp2_main.c | 21 +++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
index 04002548a46327..c4951eb88241b0 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
@@ -3916,10 +3916,10 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
struct mvpp2_bm_pool *bm_pool;
struct page_pool *pp = NULL;
struct sk_buff *skb;
- unsigned int frag_size;
+ unsigned int frag_size, rx_sync_size;
dma_addr_t dma_addr;
phys_addr_t phys_addr;
- int pool, rx_bytes, err, ret;
+ int pool, rx_bytes, rx_offset, err, ret;
struct page *page;
void *data;
@@ -3932,6 +3932,8 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
rx_status = mvpp2_rxdesc_status_get(port, rx_desc);
rx_bytes = mvpp2_rxdesc_size_get(port, rx_desc);
rx_bytes -= MVPP2_MH_SIZE;
+ rx_sync_size = rx_bytes + MVPP2_MH_SIZE;
+ rx_offset = MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM;
dma_addr = mvpp2_rxdesc_dma_addr_get(port, rx_desc);
pool = (rx_status & MVPP2_RXD_BM_POOL_ID_MASK) >>
@@ -3947,7 +3949,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
dma_sync_single_range_for_cpu(dev->dev.parent, dma_addr,
MVPP2_SKB_HEADROOM,
- rx_bytes + MVPP2_MH_SIZE,
+ rx_sync_size,
dma_dir);
/* Buffer header not supported */
@@ -3998,6 +4000,14 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
continue;
}
+ rx_sync_size = max_t(unsigned int, rx_sync_size,
+ xdp.data_end - xdp.data_hard_start -
+ MVPP2_SKB_HEADROOM);
+
+ /* Update offset and length to reflect any XDP adjustments. */
+ rx_offset = xdp.data - data;
+ rx_bytes = xdp.data_end - xdp.data;
+
metasize = xdp.data - xdp.data_meta;
}
@@ -4006,8 +4016,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
netdev_warn(port->dev, "skb build failed\n");
if (pp) {
page_pool_put_page(pp, virt_to_head_page(data),
- rx_bytes + MVPP2_MH_SIZE,
- true);
+ rx_sync_size, true);
} else {
dma_unmap_single_attrs(dev->dev.parent, dma_addr,
bm_pool->buf_size,
@@ -4037,7 +4046,7 @@ static int mvpp2_rx(struct mvpp2_port *port, struct napi_struct *napi,
ps.rx_packets++;
ps.rx_bytes += rx_bytes;
- skb_reserve(skb, MVPP2_MH_SIZE + MVPP2_SKB_HEADROOM);
+ skb_reserve(skb, rx_offset);
skb_put(skb, rx_bytes);
if (metasize)
skb_metadata_set(skb, metasize);
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 200/411] drm/vc4: fix krealloc() memory leak
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 199/411] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 201/411] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
` (211 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander A. Klimov,
Maíra Canal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander A. Klimov <grandmaster@al2klimov.de>
[ Upstream commit 5d563a5da8717629ae72f9eadf1e0e340bd1658b ]
Don't just overwrite the original pointer passed to krealloc()
with its return value without checking latter:
MEM = krealloc(MEM, SZ, GFP);
If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:
TMP = krealloc(MEM, SZ, GFP);
if (!TMP) return;
MEM = TMP;
While on it, use krealloc_array().
Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patch.msgid.link/20260606123817.37222-1-grandmaster@al2klimov.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/vc4_validate_shaders.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/vc4/vc4_validate_shaders.c b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
index 7cf82b071de290..82543a23ec0638 100644
--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
@@ -288,15 +288,16 @@ static bool require_uniform_address_uniform(struct vc4_validated_shader_info *va
{
uint32_t o = validated_shader->num_uniform_addr_offsets;
uint32_t num_uniforms = validated_shader->uniforms_size / 4;
+ u32 *offsets;
- validated_shader->uniform_addr_offsets =
- krealloc(validated_shader->uniform_addr_offsets,
- (o + 1) *
- sizeof(*validated_shader->uniform_addr_offsets),
- GFP_KERNEL);
- if (!validated_shader->uniform_addr_offsets)
+ offsets = krealloc_array(validated_shader->uniform_addr_offsets,
+ o + 1,
+ sizeof(*validated_shader->uniform_addr_offsets),
+ GFP_KERNEL);
+ if (!offsets)
return false;
+ validated_shader->uniform_addr_offsets = offsets;
validated_shader->uniform_addr_offsets[o] = num_uniforms;
validated_shader->num_uniform_addr_offsets++;
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 201/411] netfilter: nft_tunnel: fix use-after-free on object destroy
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 200/411] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 202/411] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
` (210 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tristan Madani,
Fernando Fernandez Mancera, Florian Westphal, Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.
Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.
Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -669,7 +669,7 @@ static void nft_tunnel_obj_destroy(const
{
struct nft_tunnel_obj *priv = nft_obj_data(obj);
- metadata_dst_free(priv->md);
+ dst_release(&priv->md->dst);
}
static struct nft_object_type nft_tunnel_obj_type;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 202/411] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 201/411] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 203/411] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
` (209 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz,
Michael Bommarito, Luiz Augusto von Dentz
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit dd214733544427587a95f66dbf3adff072568990 upstream.
net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
signaling packets up to the channel MTU and dispatches each command
without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
within radio range can send a fixed-channel CID 0x0001 packet that is
larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
pairing. In a real-radio stock-kernel run, one 681-byte signaling
packet containing 168 zero-length ECHO_REQ commands made the target
transmit 168 ECHO_RSP frames over about 220 ms.
Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
packet containing packed ECHO_REQ commands.
Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
The Bluetooth Core spec wording for MTUExceeded says the reject
identifier shall match the first request command in the packet, and
that packets containing only responses shall be silently discarded.
Linux intentionally deviates from that prescription: silently
discarding desynchronizes the peer because the remote stack never
learns its responses were dropped, and locating the first request
command requires walking command headers past MTUsig, i.e. processing
bytes from a packet we have already decided is too large to process.
We therefore always emit one reject and use the identifier from the
first command header, a single fixed-offset byte read.
The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
trace to the initial git import; no later introducing commit is
available for a Fixes tag.
Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-7
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/l2cap.h | 1
net/bluetooth/l2cap_core.c | 46 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 47 insertions(+)
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -33,6 +33,7 @@
/* L2CAP defaults */
#define L2CAP_DEFAULT_MTU 672
#define L2CAP_DEFAULT_MIN_MTU 48
+#define L2CAP_SIG_MTU 48 /* BR/EDR signaling MTU */
#define L2CAP_DEFAULT_FLUSH_TO 0xFFFF
#define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF
#define L2CAP_DEFAULT_TX_WINDOW 63
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6608,6 +6608,15 @@ static inline void l2cap_sig_send_rej(st
l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
}
+static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
+{
+ struct l2cap_cmd_rej_mtu rej;
+
+ rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
+ rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
+ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+}
+
static inline void l2cap_sig_channel(struct l2cap_conn *conn,
struct sk_buff *skb)
{
@@ -6620,6 +6629,43 @@ static inline void l2cap_sig_channel(str
if (hcon->type != ACL_LINK)
goto drop;
+ /*
+ * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
+ * signaling channel has a fixed signaling MTU (MTUsig) whose
+ * minimum and default is 48 octets. Section 4.1 says that on
+ * an MTUExceeded command reject the identifier "shall match
+ * the first request command in the L2CAP packet" and that
+ * packets containing only response commands "shall be
+ * silently discarded".
+ *
+ * Linux intentionally deviates from that prescription:
+ *
+ * 1. Silently discarding desynchronizes the peer. The
+ * remote stack never learns its responses were dropped,
+ * so any state machine waiting on a paired response
+ * stalls until its own timer fires.
+ *
+ * 2. Locating "the first request command" requires walking
+ * command headers past MTUsig, i.e. processing bytes
+ * from a packet we have already decided is too large to
+ * process.
+ *
+ * Reject every over-MTUsig signaling packet with one
+ * L2CAP_REJ_MTU_EXCEEDED command reject. The reject's
+ * reason field is what tells the peer that the whole packet
+ * was discarded; the identifier value is informational, so
+ * we use the identifier from the first command header, a
+ * single fixed-offset byte read.
+ */
+ if (skb->len > L2CAP_SIG_MTU) {
+ u8 ident = skb->data[1];
+
+ BT_DBG("signaling packet exceeds MTU: %u > %u",
+ skb->len, L2CAP_SIG_MTU);
+ l2cap_sig_send_mtu_rej(conn, ident);
+ goto drop;
+ }
+
while (skb->len >= L2CAP_CMD_HDR_SIZE) {
u16 len;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 203/411] drm/i915/gem: Fix phys BO pread/pwrite with offset
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 202/411] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 204/411] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
` (208 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Tvrtko Ursulin, Simona Vetter, Jani Nikula, Rodrigo Vivi,
Joonas Lahtinen, Tvrtko Ursulin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
commit d21ad938398bca695a511307de38a65889e3b354 upstream.
sg_page() returns struct page pointer not (void *) so the scaling
of pread/pwrite is wrong for phys BO and wrong parts of BO would be
accessed if non-zero offset is used.
Last impacted platform with overlay or cursor planes using phys
mapping was Gen3/945G/Lakeport.
Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
Cc: <stable@vger.kernel.org> # v4.5+
Cc: Tvrtko Ursulin <tursulin@ursulin.net>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_phys.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
@@ -16,6 +16,17 @@
#include "i915_gem_region.h"
#include "i915_scatterlist.h"
+/* Abuse scatterlist to store pointer instead of struct page. */
+static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
+{
+ sg_assign_page(sg, (struct page *)vaddr);
+}
+
+static inline void *__get_phys_vaddr(struct scatterlist *sg)
+{
+ return (void *)sg_page(sg);
+}
+
static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
{
struct address_space *mapping = obj->base.filp->f_mapping;
@@ -51,7 +62,7 @@ static int i915_gem_object_get_pages_phy
sg->offset = 0;
sg->length = obj->base.size;
- sg_assign_page(sg, (struct page *)vaddr);
+ __set_phys_vaddr(sg, vaddr);
sg_dma_address(sg) = dma;
sg_dma_len(sg) = obj->base.size;
@@ -95,7 +106,7 @@ i915_gem_object_put_pages_phys(struct dr
struct sg_table *pages)
{
dma_addr_t dma = sg_dma_address(pages->sgl);
- void *vaddr = sg_page(pages->sgl);
+ void *vaddr = __get_phys_vaddr(pages->sgl);
__i915_gem_object_release_shmem(obj, pages, false);
@@ -138,7 +149,7 @@ i915_gem_object_put_pages_phys(struct dr
int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
const struct drm_i915_gem_pwrite *args)
{
- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
+ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
char __user *user_data = u64_to_user_ptr(args->data_ptr);
int err;
@@ -168,7 +179,7 @@ int i915_gem_object_pwrite_phys(struct d
int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
const struct drm_i915_gem_pread *args)
{
- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
+ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
char __user *user_data = u64_to_user_ptr(args->data_ptr);
int err;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 204/411] xfrm: espintcp: do not reuse an in-progress partial send
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 203/411] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 205/411] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
` (207 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Zhengchuan Liang, Xin Liu, Wyatt Feng, Ren Wei,
Steffen Klassert
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wyatt Feng <bronzed_45_vested@icloud.com>
commit c381039ade2e161ab08c0eda73c4f8b9a7115928 upstream.
espintcp keeps a single in-flight transmit in ctx->partial.
Before building a new sk_msg, espintcp_sendmsg() first tries to flush
that state through espintcp_push_msgs().
For blocking callers, espintcp_push_msgs() may return success even when
the previous partial send is still pending. espintcp_sendmsg() would
then reinitialize emsg->skmsg and reuse ctx->partial while the old
transfer still owns that state.
Do not rebuild the send message when ctx->partial is still in progress.
If espintcp_push_msgs() returns with emsg->len still set, fail the new
send instead of overwriting the live partial state.
This is a memory-safety fix: reusing the live partial-send state can
leave a stale offset attached to a new sk_msg and lead to an out-of-
bounds read in the send path.
tcp_sendmsg_locked() already handles waiting for send buffer memory, so
the fix here is just to preserve espintcp's one-message-at-a-time
transmit state.
Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/espintcp.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/xfrm/espintcp.c
+++ b/net/xfrm/espintcp.c
@@ -342,6 +342,10 @@ static int espintcp_sendmsg(struct sock
err = -ENOBUFS;
goto unlock;
}
+ if (emsg->len) {
+ err = -ENOBUFS;
+ goto unlock;
+ }
sk_msg_init(&emsg->skmsg);
while (1) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 205/411] USB: serial: io_ti: fix heap overflow in get_manuf_info()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 204/411] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 206/411] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
` (206 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Korwel, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Korwel <adriank20047@gmail.com>
commit 183c1076eca43bbb3e7bdf597456f91d81c73e74 upstream.
get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.
valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.
Fix by rejecting descriptors with unexpected length before calling
read_rom().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
[ johan: amend commit message; also check for short descriptors ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/io_ti.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -772,6 +772,12 @@ static int get_manuf_info(struct edgepor
}
/* Read the descriptor data */
+ if (le16_to_cpu(rom_desc->Size) != sizeof(struct edge_ti_manuf_descriptor)) {
+ dev_err(dev, "unexpected Edge descriptor length: %u\n",
+ le16_to_cpu(rom_desc->Size));
+ status = -EINVAL;
+ goto exit;
+ }
status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc),
le16_to_cpu(rom_desc->Size), buffer);
if (status)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 206/411] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 205/411] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 207/411] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
` (205 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Korwel, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Korwel <adriank20047@gmail.com>
commit 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae upstream.
build_i2c_fw_hdr() allocates a fixed-size buffer of
(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
copies le16_to_cpu(img_header->Length) bytes into it without
validating that Length fits within the available space after the
firmware record header.
img_header->Length is a __le16 from the firmware file and can be
up to 65535. check_fw_sanity() validates the total firmware size
but not img_header->Length specifically.
Fix by rejecting images where img_header->Length exceeds the
available destination space.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Korwel <adriank20047@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/io_ti.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -843,6 +843,11 @@ static int build_i2c_fw_hdr(u8 *header,
/* Pointer to fw_down memory image */
img_header = (struct ti_i2c_image_header *)&fw->data[4];
+ if (le16_to_cpu(img_header->Length) >
+ buffer_size - sizeof(struct ti_i2c_firmware_rec)) {
+ kfree(buffer);
+ return -EINVAL;
+ }
memcpy(buffer + sizeof(struct ti_i2c_firmware_rec),
&fw->data[4 + sizeof(struct ti_i2c_image_header)],
le16_to_cpu(img_header->Length));
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 207/411] USB: serial: option: add usb-id for Dell Wireless DW5826e-m
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 206/411] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 208/411] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
` (204 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jack Wu, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Wu <jackbb_wu@compal.com>
commit 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 upstream.
Add support for Dell DW5826e-m with USB-id 0x413c:0x81ea
T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=413c ProdID=81ea Rev= 5.04
S: Manufacturer=DELL
S: Product=DW5826e-m Qualcomm Snapdragon X12 Global LTE-A
S: SerialNumber=358988870177734
C:* #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
A: FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: Jack Wu <jackbb_wu@compal.com>
Reviewed-by: Lars Melin <larsm17@gmail>
Cc: stable@vger.kernel.org
[ johan: reserve also interface 4 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -202,6 +202,7 @@ static void option_instat_callback(struc
#define DELL_PRODUCT_5821E_ESIM 0x81e0
#define DELL_PRODUCT_5829E_ESIM 0x81e4
#define DELL_PRODUCT_5829E 0x81e6
+#define DELL_PRODUCT_5826E_ESIM 0x81ea
#define DELL_PRODUCT_FM101R_ESIM 0x8213
#define DELL_PRODUCT_FM101R 0x8215
@@ -1123,6 +1124,8 @@ static const struct usb_device_id option
.driver_info = RSVD(0) | RSVD(6) },
{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM),
.driver_info = RSVD(0) | RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_5826E_ESIM, 0xff),
+ .driver_info = RSVD(1) | RSVD(4) },
{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) },
{ USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) },
{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 208/411] USB: serial: kl5kusb105: fix bulk-out buffer overflow
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 207/411] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 209/411] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
` (203 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, HyeongJun An, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: HyeongJun An <sammiee5311@gmail.com>
commit 96d47e40bf9db4a9efd5c8fb53287a508d165f14 upstream.
klsi_105_prepare_write_buffer() is called by the generic write path
with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It
stores a two-byte length header at the start of the buffer and copies
the payload from the write fifo starting at buf + KLSI_HDR_LEN, but
passes the full buffer size as the number of bytes to copy:
count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
size, &port->lock);
When the fifo holds at least size bytes, size bytes are copied starting
two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its
end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for
the header as safe_serial already does.
Writing bulk_out_size or more bytes to the tty triggers a slab
out-of-bounds write, observed with KASAN by emulating the device with
dummy_hcd and raw-gadget:
BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0
Write of size 64 at addr ffff888112c62202 by task python3
kfifo_copy_out
klsi_105_prepare_write_buffer [kl5kusb105]
usb_serial_generic_write_start [usbserial]
Allocated by task 139:
usb_serial_probe [usbserial]
The buggy address is located 2 bytes inside of allocated 64-byte region
The out-of-bounds write no longer occurs with this change applied.
Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/kl5kusb105.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -357,8 +357,8 @@ static int klsi_105_prepare_write_buffer
unsigned char *buf = dest;
int count;
- count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size,
- &port->lock);
+ count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN,
+ size - KLSI_HDR_LEN, &port->lock);
put_unaligned_le16(count, buf);
return count + KLSI_HDR_LEN;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 209/411] ALSA: timer: Fix UAF at snd_timer_user_params()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 208/411] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 210/411] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
` (202 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 053a401b592be424fea9d57c789f66cd5d8cec11 upstream.
At releasing a timer object, e.g. when a userspace timer
(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
tries to detach the timer instances and release the resources.
However, it's still possible that other in-flight tasks are holding
the timer instance where the to-be-deleted timer object is associated,
and this may lead to racy accesses.
Fortunately, most of ioctls dealing with the timer instance list
already have the protection with register_mutex, and this also avoids
such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
concurrent ioctl may lead to use-after-free.
This patch just adds the guard with register_mutex to protect
snd_timer_user_params() for covering the code path as a quick
workaround. It's no hot-path but rather a rarely issued ioctl, so the
performance penalty doesn't matter.
Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1842,6 +1842,7 @@ static int snd_timer_user_params(struct
struct snd_timer *t;
int err;
+ guard(mutex)(®ister_mutex);
tu = file->private_data;
if (!tu->timeri)
return -EBADFD;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 210/411] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 209/411] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 211/411] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
` (201 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
Daniel Wheeler, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit 49c3da65961fe9857c831d47fa1989084e87514a upstream.
[Why & How]
gpio_bitshift is a uint8_t read directly from the VBIOS GPIO pin table.
If the value is >= 32, the expression "1 << gpio_bitshift" triggers
undefined behaviour in C (shift count exceeds type width). On x86 the
shift is silently masked to 5 bits, producing an incorrect GPIO mask
that may cause wrong MMIO register bits to be toggled.
Validate gpio_bitshift before use and return BP_RESULT_BADBIOSTABLE for
out-of-range values.
Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit eadf438ab8d370b9d19acee9359918c85afeb80d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -547,8 +547,10 @@ static enum bp_result bios_parser_get_gp
info->offset_en = info->offset + 1;
info->offset_mask = info->offset - 1;
- info->mask = (uint32_t) (1 <<
- header->gpio_pin[i].gpio_bitshift);
+ if (header->gpio_pin[i].gpio_bitshift >= 32)
+ return BP_RESULT_BADBIOSTABLE;
+
+ info->mask = 1u << header->gpio_pin[i].gpio_bitshift;
info->mask_y = info->mask + 2;
info->mask_en = info->mask + 1;
info->mask_mask = info->mask - 1;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 211/411] RDMA/srp: bound SRP_RSP sense copy by the received length
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 210/411] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 212/411] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
` (200 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Bart Van Assche,
Jason Gunthorpe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 13e91fd076306f5d0cdfa14f53d69e37274723c4 upstream.
srp_process_rsp() copies sense data from rsp->data + resp_data_len,
where resp_data_len is the full 32-bit value supplied by the SRP target
and is never checked against the number of bytes actually received
(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so
at most 96 bytes are copied, but the source offset is not bounded.
A malicious or compromised SRP target on the InfiniBand/RoCE fabric that
the initiator has logged into can return an SRP_RSP with
SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer
is allocated at the target-chosen max_ti_iu_len, so the source of the
sense copy lands past the bytes actually received; with resp_data_len
near 0xFFFFFFFF it is gigabytes past the buffer and the read faults.
Copy the sense data only if it has not been truncated, that is, only if
the response header, the response data, and the sense region fit within
the bytes actually received; otherwise drop the sense and log. The
in-tree iSER and NVMe-RDMA receive paths already bound their parse by
wc->byte_len; this brings ib_srp into line with them.
Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator")
Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/ulp/srp/ib_srp.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -1929,7 +1929,8 @@ static int srp_post_recv(struct srp_rdma
return ib_post_recv(ch->qp, &wr, NULL);
}
-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp)
+static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp,
+ u32 byte_len)
{
struct srp_target_port *target = ch->target;
struct srp_request *req;
@@ -1970,10 +1971,27 @@ static void srp_process_rsp(struct srp_r
scmnd->result = rsp->status;
if (rsp->flags & SRP_RSP_FLAG_SNSVALID) {
- memcpy(scmnd->sense_buffer, rsp->data +
- be32_to_cpu(rsp->resp_data_len),
- min_t(int, be32_to_cpu(rsp->sense_data_len),
- SCSI_SENSE_BUFFERSIZE));
+ u32 resp_len = be32_to_cpu(rsp->resp_data_len);
+ u32 sense_len = be32_to_cpu(rsp->sense_data_len);
+
+ /*
+ * The sense data starts resp_data_len bytes past the
+ * response data area; both lengths come from the
+ * target-controlled response. Copy the sense data
+ * only if it has not been truncated, that is, only if
+ * the full sense region fits within the bytes actually
+ * received. Otherwise the copy source would run past
+ * the receive buffer (sized to the target-chosen
+ * max_ti_iu_len), reading out of bounds.
+ */
+ if (sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len)
+ memcpy(scmnd->sense_buffer,
+ rsp->data + resp_len,
+ min(sense_len, SCSI_SENSE_BUFFERSIZE));
+ else
+ shost_printk(KERN_ERR, target->scsi_host,
+ "dropping truncated sense data (resp_data_len %u sense_data_len %u, %u bytes received)\n",
+ resp_len, sense_len, byte_len);
}
if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER))
@@ -2083,7 +2101,7 @@ static void srp_recv_done(struct ib_cq *
switch (opcode) {
case SRP_RSP:
- srp_process_rsp(ch, iu->buf);
+ srp_process_rsp(ch, iu->buf, wc->byte_len);
break;
case SRP_CRED_REQ:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 212/411] ARM: socfpga: Fix OF node refcount leak in SMP setup
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 211/411] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 213/411] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
` (199 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuho Choi, Dinh Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
commit 63838c323924fe4a78b2323bd45aa1030f72ca60 upstream.
socfpga_smp_prepare_cpus() looks up the Cortex-A9 SCU node with
of_find_compatible_node(), which returns a node reference that must be
released with of_node_put().
The function maps the SCU registers and then returns without dropping
that reference, leaking the node on both the success path and the
of_iomap() failure path.
Drop the reference once the mapping attempt is complete. The returned
MMIO mapping does not depend on keeping the device node reference held.
Fixes: 122694a0c712 ("ARM: socfpga: use of_iomap to map the SCU")
Cc: stable@vger.kernel.org
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/mach-socfpga/platsmp.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/mach-socfpga/platsmp.c
+++ b/arch/arm/mach-socfpga/platsmp.c
@@ -78,6 +78,7 @@ static void __init socfpga_smp_prepare_c
}
socfpga_scu_base_addr = of_iomap(np, 0);
+ of_node_put(np);
if (!socfpga_scu_base_addr)
return;
scu_enable(socfpga_scu_base_addr);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 213/411] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 212/411] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 214/411] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
` (198 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karl Mehltretter, Linus Walleij,
Russell King
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karl Mehltretter <kmehltretter@gmail.com>
commit d59ed803715a71fb9582e139d648ece8d66dc743 upstream.
For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented
as C volatile halfword accesses so the compiler can generate an access
sequence that is safe for those machines. With KASAN enabled, those C
accesses are instrumented as normal memory accesses.
That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled,
PL011 probing traps in __asan_store2() while registering the UART, because
the instrumented writew() tries to check KASAN shadow for an MMIO address.
Keep the existing volatile halfword access, but move the ARMv5 definitions
into __no_kasan_or_inline functions so raw MMIO halfword accesses are not
instrumented by KASAN. The ARMv6-and-newer inline assembly path is
unchanged.
Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
Cc: stable@vger.kernel.org # v5.11+
Signed-off-by: Karl Mehltretter <kmehltretter@gmail.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/include/asm/io.h | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/arch/arm/include/asm/io.h
+++ b/arch/arm/include/asm/io.h
@@ -56,8 +56,19 @@ void __raw_readsl(const volatile void __
* the bus. Rather than special-case the machine, just let the compiler
* generate the access for CPUs prior to ARMv6.
*/
-#define __raw_readw(a) (__chk_io_ptr(a), *(volatile unsigned short __force *)(a))
-#define __raw_writew(v,a) ((void)(__chk_io_ptr(a), *(volatile unsigned short __force *)(a) = (v)))
+#define __raw_writew __raw_writew
+static __no_kasan_or_inline void __raw_writew(u16 val, volatile void __iomem *addr)
+{
+ __chk_io_ptr(addr);
+ *(volatile unsigned short __force *)addr = val;
+}
+
+#define __raw_readw __raw_readw
+static __no_kasan_or_inline u16 __raw_readw(const volatile void __iomem *addr)
+{
+ __chk_io_ptr(addr);
+ return *(const volatile unsigned short __force *)addr;
+}
#else
/*
* When running under a hypervisor, we want to avoid I/O accesses with
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 214/411] mptcp: fix retransmission loop when csum is enabled
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 213/411] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 215/411] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
` (197 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 upstream.
Sashiko noted that retransmission with csum enabled can actually
transmit new data, but currently the relevant code does not update
accordingly snd_nxt.
The may cause incoming ack drop and an endless retransmission loop.
Address the issue incrementing snd_nxt as needed.
Fixes: 4e14867d5e91 ("mptcp: tune re-injections for csum enabled mode")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2539,6 +2539,10 @@ static void __mptcp_retrans(struct sock
release_sock(ssk);
+ /* With csum enabled retransmission can send new data. */
+ if (after64(dfrag->already_sent + dfrag->data_seq, msk->snd_nxt))
+ WRITE_ONCE(msk->snd_nxt, dfrag->already_sent + dfrag->data_seq);
+
reset_timer:
if (!mptcp_rtx_timer_pending(sk))
mptcp_reset_rtx_timer(sk);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 215/411] mptcp: sockopt: check timestamping ret value
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 214/411] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 216/411] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
` (196 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 57132affbc89c02e1bf73fdf5724311bdc9a29da upstream.
sock_set_timestamping() can fail for different reasons. The returned
value should then be checked.
If sock_set_timestamping() fails for at least one subflow, the first
error is now reported to the userspace, similar to what is done with
other socket options.
Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows")
Cc: stable@vger.kernel.org
Reported-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Closes: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/sockopt.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -231,15 +231,19 @@ static int mptcp_setsockopt_sol_socket_t
mptcp_for_each_subflow(msk, subflow) {
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+ int err;
lock_sock(ssk);
- sock_set_timestamping(ssk, optname, timestamping);
+ err = sock_set_timestamping(ssk, optname, timestamping);
release_sock(ssk);
+
+ if (err < 0 && ret == 0)
+ ret = err;
}
release_sock(sk);
- return 0;
+ return ret;
}
static int mptcp_setsockopt_sol_socket_linger(struct mptcp_sock *msk, sockptr_t optval,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 216/411] vsock/vmci: fix sk_ack_backlog leak on failed handshake
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 215/411] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 217/411] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
` (195 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raf Dickson, Stefano Garzarella,
Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raf Dickson <rafdog35@gmail.com>
commit c05fa14db43ebef3bd862ca9d073981c0358b3f0 upstream.
When vmci_transport_recv_connecting_server() returns an error,
vmci_transport_recv_listen() calls vsock_remove_pending() but never
calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented
permanently.
Repeated handshake failures (malformed packets, queue pair alloc
failure, event subscribe failure) cause sk_ack_backlog to climb
toward sk_max_ack_backlog. Once it reaches the limit the listener
permanently refuses all new connections with -ECONNREFUSED, a
silent denial of service requiring a process restart to recover.
The two existing sk_acceptq_removed() calls in af_vsock.c do not
cover this path: line 764 checks vsock_is_pending() which returns
false after vsock_remove_pending(), and line 1889 is only reached
on successful accept().
Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on
the error path.
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Cc: stable@vger.kernel.org
Signed-off-by: Raf Dickson <rafdog35@gmail.com>
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/vmci_transport.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -972,8 +972,10 @@ static int vmci_transport_recv_listen(st
err = -EINVAL;
}
- if (err < 0)
+ if (err < 0) {
vsock_remove_pending(sk, pending);
+ sk_acceptq_removed(sk);
+ }
release_sock(pending);
vmci_transport_release_pending(pending);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 217/411] bnxt_en: Fix NULL pointer dereference
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 216/411] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 218/411] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
` (194 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Meyer, Pavan Chebbi,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kyle Meyer <kyle.meyer@hpe.com>
commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d upstream.
PCIe errors detected by a Root Port or Downstream Port cause error
recovery services to run on all subordinate devices regardless of
administrative state.
The .error_detected() callback, bnxt_io_error_detected(), disables
and synchronizes IRQs via bnxt_disable_int_sync(), which calls
bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
bp->bnapi.
Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
error recovery on a closed NIC can dereference a NULL pointer.
Check if bp->bnapi is NULL before disabling and synchronizing IRQs.
Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.")
Cc: stable@vger.kernel.org
Signed-off-by: Kyle Meyer <kyle.meyer@hpe.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -4552,7 +4552,7 @@ static void bnxt_disable_int_sync(struct
{
int i;
- if (!bp->irq_tbl)
+ if (!bp->irq_tbl || !bp->bnapi)
return;
atomic_inc(&bp->intr_sem);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 218/411] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 217/411] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 219/411] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
` (193 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jason Gunthorpe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 29e7b925ae6df64894e82ab6419994dc25580a8a upstream.
In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done()
computes the login request payload length as wc->byte_len minus
ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int.
A remote iSER initiator can post a login Send work request carrying
fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows
and login_req_len becomes negative.
isert_rx_login_req() then reads that negative length back into a signed
int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the
min() is signed it keeps the negative value; the value is then passed as
the memcpy() length and sign-extended to a multi-gigabyte size_t. The
copy into the 8192-byte login->req_buf runs far out of bounds and
faults, crashing the target node. The login phase precedes iSCSI
authentication, so no credentials are required to reach this path.
Reject any login PDU shorter than ISER_HEADERS_LEN before the
subtraction, mirroring the existing early return on a failed work
completion, so login_req_len can never go negative. The upper bound was
already safe: a posted login buffer cannot deliver more than
ISER_RX_PAYLOAD_SIZE, so the difference stays at or below
MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing
lower bound needs to be added.
Fixes: b8d26b3be8b3 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver")
Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/ulp/isert/ib_isert.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -1388,6 +1388,12 @@ isert_login_recv_done(struct ib_cq *cq,
ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_desc->dma_addr,
ISER_RX_SIZE, DMA_FROM_DEVICE);
+ if (unlikely(wc->byte_len < ISER_HEADERS_LEN)) {
+ isert_dbg("login request length %u is too short\n",
+ wc->byte_len);
+ return;
+ }
+
isert_conn->login_req_len = wc->byte_len - ISER_HEADERS_LEN;
if (isert_conn->conn) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 219/411] pidfd: refuse access to tasks that have started exiting harder
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 218/411] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 220/411] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
` (192 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Brauner (Amutable)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
commit 62c4d31d78294bd61cf3403626b789e854357177 upstream.
The recent ptrace fix closed a hole where someone could rely on task->mm
becoming NULL during do_exit() to bypass dumpability checks. This api
here leans on on the very same check and so inherits the fix.
But there is no good reason to let it succeed at all once the target has
entered do_exit(). PF_EXITING is set by exit_signals() at the very top
of do_exit(), before exit_mm() and exit_files() run. Once we observe it,
the task is committed to dying and exit_files() will release the fdtable
shortly.
Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/pid.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -637,10 +637,12 @@ static struct file *__pidfd_fget(struct
if (ret)
return ERR_PTR(ret);
- if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
- file = fget_task(task, fd);
- else
+ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
file = ERR_PTR(-EPERM);
+ else if (task->flags & PF_EXITING)
+ file = ERR_PTR(-ESRCH);
+ else
+ file = fget_task(task, fd);
up_read(&task->signal->exec_update_lock);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 220/411] fuse: reject fuse_notify() pagecache ops on directories
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 219/411] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 221/411] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
` (191 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Miklos Szeredi,
Christian Brauner (Amutable)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream.
The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the
FUSE daemon to actively write/read pagecache contents.
For directories with FOPEN_CACHE_DIR, the pagecache is used as
kernel-internal cache storage, and userspace is not supposed to have
direct access to this cache - in particular, fuse_parse_cache() will hit
WARN_ON() if the cache contains bogus data.
Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than
regular files with -EINVAL.
Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/dev.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1599,6 +1599,10 @@ static int fuse_notify_store(struct fuse
inode = fuse_ilookup(fc, nodeid, NULL);
if (!inode)
goto out_up_killsb;
+ if (!S_ISREG(inode->i_mode)) {
+ err = -EINVAL;
+ goto out_iput;
+ }
mapping = inode->i_mapping;
index = outarg.offset >> PAGE_SHIFT;
@@ -1770,7 +1774,10 @@ static int fuse_notify_retrieve(struct f
inode = fuse_ilookup(fc, nodeid, &fm);
if (inode) {
- err = fuse_retrieve(fm, inode, &outarg);
+ if (!S_ISREG(inode->i_mode))
+ err = -EINVAL;
+ else
+ err = fuse_retrieve(fm, inode, &outarg);
iput(inode);
}
up_read(&fc->killsb);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 221/411] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 220/411] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 222/411] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
` (190 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Konrad Dybcio,
Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream.
On all modern platforms Qualcomm CCI controller provides two I2C masters,
and on particular boards only one I2C master may be initialized, and in
such cases the device unbinding or driver removal causes a NULL pointer
dereference, because cci_halt() is called for all two I2C masters, but
a completion is initialized only for the single enabled master:
% rmmod i2c-qcom-cci
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
<snip>
Call trace:
__wait_for_common+0x194/0x1a8 (P)
wait_for_completion_timeout+0x20/0x2c
cci_remove+0xc4/0x138 [i2c_qcom_cci]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
driver_detach+0x50/0x98
bus_remove_driver+0x6c/0xbc
driver_unregister+0x30/0x60
platform_driver_unregister+0x14/0x20
qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
....
Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Cc: <stable@vger.kernel.org> # v5.8+
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-qcom-cci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-qcom-cci.c
+++ b/drivers/i2c/busses/i2c-qcom-cci.c
@@ -683,8 +683,8 @@ static int cci_remove(struct platform_de
if (cci->master[i].cci) {
i2c_del_adapter(&cci->master[i].adap);
of_node_put(cci->master[i].adap.dev.of_node);
+ cci_halt(cci, i);
}
- cci_halt(cci, i);
}
disable_irq(cci->irq);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 222/411] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 221/411] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 223/411] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
` (189 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guillermo Rodríguez,
Alain Volmat, Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guillermo Rodríguez <guille.rodriguez@gmail.com>
commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream.
stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick
the analog filter delay, but i2c_dev->analog_filter is parsed from
the "i2c-analog-filter" DT property only after the compute_timing
loop in stm32f7_i2c_setup_timing(), so in practice the timing
calculations always ignore the analog filter. On an STM32MP1 board
with clock-frequency = <400000> and i2c-analog-filter set, measured
SCL frequency was ~382 kHz.
This also affects (widens) the computed SDADEL range. At high bus
clock speeds, this can select an SDADEL value that violates tVD;DAT
(data valid time).
Fix by parsing "i2c-analog-filter" before the compute_timing loop.
Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter")
Signed-off-by: Guillermo Rodríguez <guille.rodriguez@gmail.com>
Cc: <stable@vger.kernel.org> # v5.13+
Acked-by: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-stm32f7.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -673,6 +673,9 @@ static int stm32f7_i2c_setup_timing(stru
if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter"))
i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT;
+ i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
+ "i2c-analog-filter");
+
do {
ret = stm32f7_i2c_compute_timing(i2c_dev, setup,
&i2c_dev->timing);
@@ -694,9 +697,6 @@ static int stm32f7_i2c_setup_timing(stru
return ret;
}
- i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node,
- "i2c-analog-filter");
-
dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n",
setup->speed_freq, setup->clock_src);
dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n",
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 223/411] i2c: tegra: Fix NOIRQ suspend/resume
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 222/411] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 224/411] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
` (188 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Akhil R, Jon Hunter, Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil R <akhilrajeev@nvidia.com>
commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream.
The Tegra I2C driver relies on runtime PM to wake up the controller before
each transfer. However, runtime PM is disabled between the system suspend
and NOIRQ suspend. If an I2C device initiates a transfer during this
window, the I2C controller fails to wake up and the transfer fails. To
handle this, the controller must be kept available for this period to
allow transfers.
Rework the I2C controller's system PM callbacks such that the controller
is resumed from runtime suspend during system suspend and it stays
RPM_ACTIVE throughout the suspend-resume cycle until it is runtime
suspended back in the system resume. The clocks are disabled in NOIRQ
suspend and enabled back in NOIRQ resume by calling the controller's
runtime PM functions directly.
Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase")
Assisted-by: Cursor:claude-4.6-opus
Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
Cc: <stable@vger.kernel.org> # v5.4+
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-tegra.c | 53 +++++++++++++++++++++++------------------
1 file changed, 30 insertions(+), 23 deletions(-)
--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -1874,28 +1874,37 @@ static int __maybe_unused tegra_i2c_runt
static int __maybe_unused tegra_i2c_suspend(struct device *dev)
{
+ /*
+ * Bring the controller up and hold a usage count so it stays
+ * available until the noirq phase.
+ */
+ return pm_runtime_resume_and_get(dev);
+}
+
+static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev)
+{
struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
- int err;
i2c_mark_adapter_suspended(&i2c_dev->adapter);
- if (!pm_runtime_status_suspended(dev)) {
- err = tegra_i2c_runtime_suspend(dev);
- if (err)
- return err;
- }
-
- return 0;
+ /*
+ * Runtime PM is already disabled at this point, so invoke the
+ * runtime_suspend callback directly to put the controller down.
+ */
+ return tegra_i2c_runtime_suspend(dev);
}
-static int __maybe_unused tegra_i2c_resume(struct device *dev)
+static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev)
{
struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev);
int err;
/*
- * We need to ensure that clocks are enabled so that registers can be
- * restored in tegra_i2c_init().
+ * Runtime PM is still disabled at this point, so invoke the
+ * runtime_resume callback directly to bring the controller back up
+ * before re-initializing the hardware. The adapter is then marked
+ * resumed so that consumers can issue transfers from their own
+ * resume_noirq() handlers and onwards.
*/
err = tegra_i2c_runtime_resume(dev);
if (err)
@@ -1905,24 +1914,22 @@ static int __maybe_unused tegra_i2c_resu
if (err)
return err;
- /*
- * In case we are runtime suspended, disable clocks again so that we
- * don't unbalance the clock reference counts during the next runtime
- * resume transition.
- */
- if (pm_runtime_status_suspended(dev)) {
- err = tegra_i2c_runtime_suspend(dev);
- if (err)
- return err;
- }
-
i2c_mark_adapter_resumed(&i2c_dev->adapter);
return 0;
}
+static int __maybe_unused tegra_i2c_resume(struct device *dev)
+{
+ pm_runtime_put(dev);
+
+ return 0;
+}
+
static const struct dev_pm_ops tegra_i2c_pm = {
- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
+ SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume)
+ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq,
+ tegra_i2c_resume_noirq)
SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume,
NULL)
};
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 224/411] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 223/411] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 225/411] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
` (187 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zeyu WANG, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zeyu WANG <zeyu.thomas.wang@gmail.com>
commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream.
The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive
after the standard atkbd init sequence. Controlled testing on the
actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate)
command specifically corrupts the EC state, causing zero IRQ1
interrupts after init.
Skipping only the deactivate command (while keeping F4 ENABLE)
resolves the issue completely: both keystroke input and CapsLock
LED toggle work correctly. The reverse test - skipping only F4
while keeping F5 - makes the problem worse (zero keystroke
interrupts), confirming F5 is the sole culprit.
Add a DMI quirk entry for LENOVO/83QK using the existing
atkbd_deactivate_fixup callback, consistent with the existing
entries for LG Electronics and HONOR FMB-P that address the
same EC F5 deactivate issue.
Signed-off-by: Zeyu WANG <zeyu.thomas.wang@gmail.com>
Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/atkbd.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -1939,6 +1939,14 @@ static const struct dmi_system_id atkbd_
},
.callback = atkbd_deactivate_fixup,
},
+ {
+ /* Lenovo Yoga Air 14 (83QK) */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "83QK"),
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
{ }
};
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 225/411] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 224/411] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 226/411] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
` (186 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hongfei Ren, stable,
Cryolitia PukNgae, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
commit fb402386af4cdce108ff991a796386de55439735 upstream.
After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd -
do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR
BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops
working. Adding the atkbd_deactivate_fixup quirk fixes it.
DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026
Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID")
Reported-by: Hongfei Ren <lcrhf@outlook.com>
Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891
Tested-by: Hongfei Ren <lcrhf@outlook.com>
Cc: stable@kernel.org
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/atkbd.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/input/keyboard/atkbd.c
+++ b/drivers/input/keyboard/atkbd.c
@@ -1947,6 +1947,13 @@ static const struct dmi_system_id atkbd_
},
.callback = atkbd_deactivate_fixup,
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "HONOR"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"),
+ },
+ .callback = atkbd_deactivate_fixup,
+ },
{ }
};
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 226/411] ipc/shm: serialize orphan cleanup with shm_nattch updates
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 225/411] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 227/411] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
` (185 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Tan, Yifan Wu, Juefei Pu,
Xin Liu, Yilin Zhu, Ren Wei, Christian Brauner, Jeongjun Park,
Kees Cook, Liam Howlett, Lorenzo Stoakes, Serge Hallyn,
Vasiliy Kulikov, Davidlohr Bueso, Oleg Nesterov, Serge Hallyn,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yilin Zhu <zylzyl2333@gmail.com>
commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream.
shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that
does not serialize all fields tested by shm_may_destroy(). In particular,
shm_nattch is updated while holding shm_perm.lock, and attach paths can do
that without holding the rwsem.
Do not decide that an orphaned segment is unused before taking the object
lock. Move the shm_may_destroy() check under shm_perm.lock, matching the
other destroy paths, and unlock the segment when it no longer qualifies
for removal.
Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com
Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jeongjun Park <aha310510@gmail.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Liam Howlett <liam@infradead.org>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Serge Hallyn <sergeh@kernel.org>
Cc: Vasiliy Kulikov <segoon@openwall.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
ipc/shm.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -402,15 +402,17 @@ static int shm_try_destroy_orphaned(int
* We want to destroy segments without users and with already
* exit'ed originating process.
*
- * As shp->* are changed under rwsem, it's safe to skip shp locking.
+ * shm_nattch can be changed under shm_perm.lock without holding the
+ * rwsem, so take the object lock before checking shm_may_destroy().
*/
if (!list_empty(&shp->shm_clist))
return 0;
- if (shm_may_destroy(shp)) {
- shm_lock_by_ptr(shp);
+ shm_lock_by_ptr(shp);
+ if (shm_may_destroy(shp))
shm_destroy(ns, shp);
- }
+ else
+ shm_unlock(shp);
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 227/411] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 226/411] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 228/411] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
` (184 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Anandu Krishnan E,
Srinivas Kandagatla
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream.
There is a race between fastrpc_device_release() and the workqueue
that processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
schedules context cleanup via schedule_work(&ctx->put_work). If the
workqueue runs fastrpc_context_free() in parallel with or after
fastrpc_device_release() has freed the user structure, it dereferences
the freed fastrpc_user. Depending on the state of the context at the
time of the race, any one of the following accesses can be hit:
1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
to strip the SID bits from the stored IOVA before passing the
physical address to dma_free_coherent().
2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
reconstruct the source permission bitmask needed for the
qcom_scm_assign_mem() call that returns memory from the DSP VM
back to HLOS.
3. fastrpc_free_map() acquires map->fl->lock to safely remove the
map node from the fl->maps list.
The resulting use-after-free manifests as:
pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
process_one_work+0x180/0x450
worker_thread+0x26c/0x388
Add kref-based reference counting to fastrpc_user. Have each invoke
context take a reference on the user at allocation time and release it
when the context is freed. Release the initial reference in
fastrpc_device_release() at file close. Move the teardown of the user
structure — freeing pending contexts, maps, mmaps, and the channel
context reference — into the kref release callback fastrpc_user_free(),
so that it runs only when the last reference is dropped, regardless of
whether that happens at device close or after the final in-flight
context completes.
Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E <anandu.e@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++++++----------------
1 file changed, 52 insertions(+), 23 deletions(-)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -232,6 +232,8 @@ struct fastrpc_user {
spinlock_t lock;
/* lock for allocations */
struct mutex mutex;
+ /* Reference count */
+ struct kref refcount;
};
static void fastrpc_free_map(struct kref *ref)
@@ -352,15 +354,57 @@ static void fastrpc_channel_ctx_put(stru
kref_put(&cctx->refcount, fastrpc_channel_ctx_free);
}
+static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx);
+
+static void fastrpc_user_free(struct kref *ref)
+{
+ struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
+ struct fastrpc_invoke_ctx *ctx, *n;
+ struct fastrpc_map *map, *m;
+ struct fastrpc_buf *buf, *b;
+
+ if (fl->init_mem)
+ fastrpc_buf_free(fl->init_mem);
+
+ list_for_each_entry_safe(ctx, n, &fl->pending, node) {
+ list_del(&ctx->node);
+ fastrpc_context_put(ctx);
+ }
+
+ list_for_each_entry_safe(map, m, &fl->maps, node)
+ fastrpc_map_put(map);
+
+ list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
+ list_del(&buf->node);
+ fastrpc_buf_free(buf);
+ }
+
+ fastrpc_channel_ctx_put(fl->cctx);
+ mutex_destroy(&fl->mutex);
+ kfree(fl);
+}
+
+static void fastrpc_user_get(struct fastrpc_user *fl)
+{
+ kref_get(&fl->refcount);
+}
+
+static void fastrpc_user_put(struct fastrpc_user *fl)
+{
+ kref_put(&fl->refcount, fastrpc_user_free);
+}
+
static void fastrpc_context_free(struct kref *ref)
{
struct fastrpc_invoke_ctx *ctx;
struct fastrpc_channel_ctx *cctx;
+ struct fastrpc_user *fl;
unsigned long flags;
int i;
ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount);
cctx = ctx->cctx;
+ fl = ctx->fl;
for (i = 0; i < ctx->nscalars; i++)
fastrpc_map_put(ctx->maps[i]);
@@ -376,6 +420,8 @@ static void fastrpc_context_free(struct
kfree(ctx->olaps);
kfree(ctx);
+ /* Release the reference taken in fastrpc_context_alloc() */
+ fastrpc_user_put(fl);
fastrpc_channel_ctx_put(cctx);
}
@@ -485,6 +531,8 @@ static struct fastrpc_invoke_ctx *fastrp
/* Released in fastrpc_context_put() */
fastrpc_channel_ctx_get(cctx);
+ /* Take a reference to user, released in fastrpc_context_free() */
+ fastrpc_user_get(user);
ctx->sc = sc;
ctx->retval = -1;
@@ -515,6 +563,7 @@ err_idr:
spin_lock(&user->lock);
list_del(&ctx->node);
spin_unlock(&user->lock);
+ fastrpc_user_put(user);
fastrpc_channel_ctx_put(cctx);
kfree(ctx->maps);
kfree(ctx->olaps);
@@ -1181,9 +1230,6 @@ static int fastrpc_device_release(struct
{
struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
struct fastrpc_channel_ctx *cctx = fl->cctx;
- struct fastrpc_invoke_ctx *ctx, *n;
- struct fastrpc_map *map, *m;
- struct fastrpc_buf *buf, *b;
unsigned long flags;
fastrpc_release_current_dsp_process(fl);
@@ -1192,28 +1238,10 @@ static int fastrpc_device_release(struct
list_del(&fl->user);
spin_unlock_irqrestore(&cctx->lock, flags);
- if (fl->init_mem)
- fastrpc_buf_free(fl->init_mem);
-
- list_for_each_entry_safe(ctx, n, &fl->pending, node) {
- list_del(&ctx->node);
- fastrpc_context_put(ctx);
- }
-
- list_for_each_entry_safe(map, m, &fl->maps, node)
- fastrpc_map_put(map);
-
- list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
- list_del(&buf->node);
- fastrpc_buf_free(buf);
- }
-
fastrpc_session_free(cctx, fl->sctx);
- fastrpc_channel_ctx_put(cctx);
-
- mutex_destroy(&fl->mutex);
- kfree(fl);
file->private_data = NULL;
+ /* Release the reference taken in fastrpc_device_open */
+ fastrpc_user_put(fl);
return 0;
}
@@ -1253,6 +1281,7 @@ static int fastrpc_device_open(struct in
spin_lock_irqsave(&cctx->lock, flags);
list_add_tail(&fl->user, &cctx->users);
spin_unlock_irqrestore(&cctx->lock, flags);
+ kref_init(&fl->refcount);
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 228/411] misc: fastrpc: fix DMA address corruption due to find_vma misuse
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 227/411] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 229/411] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
` (183 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Dmitry Baryshkov, Srinivas Kandagatla
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream.
fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided
pointer and compute a DMA address offset. When the address falls in a gap
before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows,
corrupting the DMA address sent to the DSP.
Replace find_vma() with vma_lookup(), which returns NULL when the address
is not contained within any VMA.
Cc: stable@vger.kernel.org
Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/fastrpc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -875,7 +875,7 @@ static int fastrpc_get_args(u32 kernel,
pages[i].addr = ctx->maps[i]->phys;
mmap_read_lock(current->mm);
- vma = find_vma(current->mm, ctx->args[i].ptr);
+ vma = vma_lookup(current->mm, ctx->args[i].ptr);
if (vma)
pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
vma->vm_start;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 229/411] net: bonding: fix NULL pointer dereference in bond_do_ioctl()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 228/411] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 230/411] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
` (182 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ZhaoJinming, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZhaoJinming <zhaojinming@uniontech.com>
commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream.
In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which
can return NULL if the requested interface name does not exist. However,
the subsequent slave_dbg() call is placed before the NULL check:
slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here
if (!slave_dev)
return -ENODEV;
The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt,
(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name
before the NULL check is performed. This results in a NULL pointer
dereference kernel oops when a user calls bonding ioctl (e.g.
SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave
interface name.
This is reachable from userspace via the bonding ioctl interface with
CAP_NET_ADMIN capability, making it a potential local denial-of-service
vector.
Fix by moving the slave_dbg() call after the NULL check.
Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: ZhaoJinming <zhaojinming@uniontech.com>
Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/bonding/bond_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4250,11 +4250,11 @@ static int bond_do_ioctl(struct net_devi
slave_dev = __dev_get_by_name(net, ifr->ifr_slave);
- slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
-
if (!slave_dev)
return -ENODEV;
+ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev);
+
switch (cmd) {
case SIOCBONDENSLAVE:
res = bond_enslave(bond_dev, slave_dev, NULL);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 230/411] net: mv643xx: fix OF node refcount
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 229/411] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 231/411] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
` (181 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream.
Platform devices created with platform_device_alloc() call
platform_device_release() when the last reference to the device's
kobject is dropped. This function calls of_node_put() unconditionally.
This works fine for devices created with platform_device_register_full()
but users of the split approach (platform_device_alloc() +
platform_device_add()) must bump the reference of the of_node they
assign manually. Add the missing call to of_node_get().
Cc: stable@vger.kernel.org
Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
@@ -2777,7 +2777,7 @@ static int mv643xx_eth_shared_of_add_por
goto put_err;
}
ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32);
- ppdev->dev.of_node = pnp;
+ ppdev->dev.of_node = of_node_get(pnp);
ret = platform_device_add_resources(ppdev, &res, 1);
if (ret)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 231/411] net: rds: clear i_sends on setup unwind
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 230/411] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 232/411] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
` (180 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Zhengchuan Liang,
Xin Liu, Yuqi Xu, Ren Wei, Allison Henderson, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuqi Xu <xuyq21@lenovo.com>
commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream.
The RDS IB connection teardown path is written so it can run during
partial startup and on repeated shutdown attempts. It uses NULL
pointers to distinguish resources that are still owned from resources
that have already been released.
When rds_ib_setup_qp() fails after allocating i_sends but before
allocating i_recvs, the sends_out path frees i_sends without clearing
the pointer. A later shutdown pass can still treat that stale pointer
as a live send ring allocation.
Clear i_sends after vfree() in the error unwind path so the existing
shutdown logic continues to use the correct ownership state.
Fixes: 3b12f73a5c29 ("rds: ib: add error handle")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Allison Henderson <achender@kernel.org>
Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rds/ib_cm.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/rds/ib_cm.c
+++ b/net/rds/ib_cm.c
@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co
sends_out:
vfree(ic->i_sends);
+ ic->i_sends = NULL;
ack_dma_out:
rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 232/411] mmc: core: Fix host controller programming for fixed driver type
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 231/411] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 233/411] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
` (179 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kamal Dasu, Shawn Lin, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kamal Dasu <kamal.dasu@broadcom.com>
commit 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 upstream.
When using the fixed-emmc-driver-type device tree property, the MMC core
correctly selects the driver strength for the card but fails to program
the host controller accordingly. This causes a mismatch where the card
uses the specified driver type while the host controller defaults to
Type B (since ios->drv_type remains zero).
Split the driver type programming logic to handle both fixed and dynamic
driver type selection paths. For fixed driver types, program the host
controller with the selected drive_strength value. For dynamic selection,
use the existing drv_type as before.
This ensures both the eMMC device and host controller use matching driver
strengths, preventing potential signal integrity issues.
Fixes: 6186d06c519e ("mmc: parse new binding for eMMC fixed driver type")
Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/mmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1339,7 +1339,9 @@ static void mmc_select_driver_type(struc
card->drive_strength = drive_strength;
- if (drv_type)
+ if (fixed_drv_type >= 0 && drive_strength)
+ mmc_set_driver_type(card->host, drive_strength);
+ else if (drv_type)
mmc_set_driver_type(card->host, drv_type);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 233/411] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 232/411] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 234/411] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
` (178 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, Wolfram Sang,
Geert Uytterhoeven, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
commit f48ee49726ee4ab545fd2dc644f169c0809b19b3 upstream.
The RZ/G2H (R8A774E1) SoC was previously handled via the generic
"renesas,rcar-gen3-sdhi" fallback compatible string. However, because
the SDHI IP on RZ/G2H is identical with the R-Car H3-N (R8A77951), it
requires the specific quirks and configuration defined in
`of_r8a7795_compatible` rather than the generic Gen3 data.
Add the explicit "renesas,sdhi-r8a774e1" match entry to map it correctly.
Note that the DT binding file renesas,sdhi.yaml does not need an update
as the entry for this SoC is already present.
Fixes: 31941342888d ("arm64: dts: renesas: r8a774e1: Add SDHI nodes")
Cc: stable@vger.kernel.org
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/renesas_sdhi_internal_dmac.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c
+++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c
@@ -231,6 +231,7 @@ static const struct renesas_sdhi_of_data
static const struct of_device_id renesas_sdhi_internal_dmac_of_match[] = {
{ .compatible = "renesas,sdhi-r7s9210", .data = &of_rza2_compatible, },
{ .compatible = "renesas,sdhi-mmc-r8a77470", .data = &of_rcar_gen3_compatible, },
+ { .compatible = "renesas,sdhi-r8a774e1", .data = &of_r8a7795_compatible, },
{ .compatible = "renesas,sdhi-r8a7795", .data = &of_r8a7795_compatible, },
{ .compatible = "renesas,sdhi-r8a7796", .data = &of_rcar_gen3_compatible, },
{ .compatible = "renesas,sdhi-r8a77961", .data = &of_r8a77961_compatible, },
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 234/411] mmc: sdhci: add signal voltage switch in sdhci_resume_host
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 233/411] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 235/411] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
` (177 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Adrian Hunter,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
commit f595e8e77a51eee35e331f69321766593a845ef2 upstream.
I met one suspend/resume issue with sdr104 capable sdio wifi card (with
"keep-power-in-suspend" set in DT property):
After resuming from suspend to ram, the sdio wifi card stops working.
Further debug shows that although ios shows the sdio card is at sdr104
mode, the voltage is still at 3V3. This is due to missing the calling
of ->start_signal_voltage_switch() in sdhci_resume_host().
Fix this issue by adding ->start_signal_voltage_switch() in
sdhci_resume_host(). This also matches what we do for
sdhci_runtime_resume_host().
Then the question is: why this issue hasn't reported and fixed for so
long time. IMHO, several reasons: Some host controllers just kick off
the runtime resume for system resume, so they benefit from the well
supported runtime pm code; Some platforms just use the old sdio wifi
card which doesn't need signal voltage switch at all, the default
voltage is 3v3 after resuming.
Fixes: 6308d2905bd3 ("mmc: sdhci: add quirk for keeping card power during suspend")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -3760,6 +3760,7 @@ int sdhci_resume_host(struct sdhci_host
host->pwr = 0;
host->clock = 0;
host->reinit_uhs = true;
+ mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios);
mmc->ops->set_ios(mmc, &mmc->ios);
} else {
sdhci_init(host, (mmc->pm_flags & MMC_PM_KEEP_POWER));
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 235/411] sctp: diag: reject stale associations in dump_one path
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 234/411] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 236/411] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
` (176 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Zhengchuan Liang, Xin Liu, Zhao Zhang, Ren Wei,
Xin Long, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Zhang <zzhan461@ucr.edu>
commit 5eba3e48d78edd7551b992cb7ba687019b3a78da upstream.
The SCTP exact sock_diag lookup can hold a transport reference, block on
lock_sock(sk), and then resume after sctp_association_free() has marked
the association dead and freed its bind address list.
When that happens, inet_assoc_attr_size() and
inet_diag_msg_sctpasoc_fill() can still dereference association state
that is no longer valid for reporting. In particular,
inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
real sctp_sockaddr_entry and trigger an out-of-bounds read from
unrelated association memory.
Reject the association after taking the socket lock if it has been
reaped or detached from the endpoint, and report the lookup as stale.
This keeps the exact dump-one path from formatting torn association
state.
Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461@ucr.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/diag.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sct
lock_sock(sk);
- rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
- if (!rep) {
- release_sock(sk);
- return -ENOMEM;
+ if (ep != assoc->ep || assoc->base.dead) {
+ err = -ESTALE;
+ goto out_unlock;
}
- if (ep != assoc->ep) {
- err = -EAGAIN;
- goto out;
+ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
+ if (!rep) {
+ err = -ENOMEM;
+ goto out_unlock;
}
err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sct
return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
out:
- release_sock(sk);
kfree_skb(rep);
+out_unlock:
+ release_sock(sk);
return err;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 236/411] sctp: stream: fully roll back denied add-stream state
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 235/411] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 237/411] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
` (175 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Zhengchuan Liang, Xin Liu, Wyatt Feng, Ren Wei,
Xin Long, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wyatt Feng <bronzed_45_vested@icloud.com>
commit a5f8a90ac9f77c678a9781c0a464b635e0d63e49 upstream.
When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and
then lowers outcnt. That leaves removed stream metadata behind, so a
later re-add can reuse a stale ext and hit a null-pointer dereference in
the scheduler get path.
Fix the rollback by tearing down the removed stream state the same way
other stream resizes do. Unschedule the current scheduler state, drop
the removed stream ext state with sctp_stream_outq_migrate(), and then
reschedule the remaining streams.
This keeps scheduler-private RR/FC/PRIO lists consistent while fully
rolling back denied outgoing stream additions.
Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/stream.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -1038,6 +1038,7 @@ struct sctp_chunk *sctp_process_strreset
stsn, rtsn, GFP_ATOMIC);
} else if (req->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) {
struct sctp_strreset_addstrm *addstrm;
+ const struct sctp_sched_ops *sched;
__u16 number;
addstrm = (struct sctp_strreset_addstrm *)req;
@@ -1048,7 +1049,10 @@ struct sctp_chunk *sctp_process_strreset
for (i = number; i < stream->outcnt; i++)
SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
} else {
- sctp_stream_shrink_out(stream, number);
+ sched = sctp_sched_ops_from_stream(stream);
+ sched->unsched_all(stream);
+ sctp_stream_outq_migrate(stream, NULL, number);
+ sched->sched_all(stream);
stream->outcnt = number;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 237/411] thunderbolt: Reject zero-length property entries in validator
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 236/411] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 238/411] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
` (174 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit cff8eb65d1eafe7793e54b4d0cf6bf831644630b upstream.
tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:
property->value.text[property->length * 4 - 1] = '\0';
When property->length is 0 this writes to offset -1 relative to
the allocation.
Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/property.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -59,6 +59,8 @@ static bool tb_property_entry_valid(cons
case TB_PROPERTY_TYPE_DIRECTORY:
case TB_PROPERTY_TYPE_DATA:
case TB_PROPERTY_TYPE_TEXT:
+ if (!entry->length)
+ return false;
if (entry->length > block_len)
return false;
if (check_add_overflow(entry->value, entry->length, &end) ||
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 238/411] thunderbolt: Bound root directory content to block size
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 237/411] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 239/411] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
` (173 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 65423079c7420e3dbf9a7aa345c243a3f5752e5d upstream.
__tb_property_parse_dir() does not check that content_offset +
content_len fits within block_len for the root directory case.
When rootdir->length equals or exceeds block_len - 2, the entry
loop reads past the allocated property block.
Add a bounds check after computing content_offset and content_len
to reject directories whose content extends past the block.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/property.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -181,6 +181,10 @@ static struct tb_property_dir *__tb_prop
if (is_root) {
content_offset = dir_offset + 2;
content_len = dir_len;
+ if (content_offset + content_len > block_len) {
+ tb_property_free_dir(dir);
+ return NULL;
+ }
} else {
if (dir_len < 4) {
tb_property_free_dir(dir);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 239/411] thunderbolt: Clamp XDomain response data copy to allocation size
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 238/411] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 240/411] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
` (172 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 322e93448d908434ae5545660fcbe8f5a7a8e141 upstream.
tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.
Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/xdomain.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -370,6 +370,8 @@ static int tb_xdp_properties_request(str
}
}
+ if (req.offset + len > data_len)
+ len = data_len - req.offset;
memcpy(data + req.offset, res->data, len * 4);
req.offset += len;
} while (!data_len || req.offset < data_len);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 240/411] thunderbolt: Limit XDomain response copy to actual frame size
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 239/411] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 241/411] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
` (171 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb upstream.
tb_xdomain_copy() copies req->response_size bytes from the received
packet buffer regardless of the actual frame size. When a short
response arrives, this reads past the valid frame data in the DMA
pool buffer into stale contents from previous transactions.
Use the minimum of frame size and expected response size for the
copy length.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/xdomain.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -96,7 +96,9 @@ static bool tb_xdomain_match(const struc
static bool tb_xdomain_copy(struct tb_cfg_request *req,
const struct ctl_pkg *pkg)
{
- memcpy(req->response, pkg->buffer, req->response_size);
+ size_t len = min_t(size_t, pkg->frame.size, req->response_size);
+
+ memcpy(req->response, pkg->buffer, len);
req->result.err = 0;
return true;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 241/411] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 240/411] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
@ 2026-06-16 14:57 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 242/411] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
` (170 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bjorn Andersson, Srinivas Kandagatla
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
commit 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec upstream.
During the SSR/PDR down notification the tx_lock is taken with the
intent to provide synchronization with active DMA transfers.
But during this period qcom_slim_ngd_down() is invoked, which ends up in
slim_report_absent(), which takes the slim_controller lock. In multiple
other codepaths these two locks are taken in the opposite order (i.e.
slim_controller then tx_lock).
The result is a lockdep splat, and a possible deadlock:
rprocctl/449 is trying to acquire lock:
ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus
but task is already holding lock:
ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl
which lock already depends on the new lock.
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&ctrl->tx_lock);
lock(&ctrl->lock);
lock(&ctrl->tx_lock);
lock(&ctrl->lock);
The assumption is that the comment refers to the desire to not call
qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.
But any such transaction is initiated and completed within a single
qcom_slim_ngd_xfer_msg().
Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn
down, all child devices are notified that the slimbus is gone and the
child devices are removed.
Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the
deadlock.
Fixes: a899d324863a ("slimbus: qcom-ngd-ctrl: add Sub System Restart support")
Cc: stable@vger.kernel.org
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260530204421.116824-9-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/slimbus/qcom-ngd-ctrl.c | 3 ---
1 file changed, 3 deletions(-)
--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1394,15 +1394,12 @@ static int qcom_slim_ngd_ssr_pdr_notify(
switch (action) {
case QCOM_SSR_BEFORE_SHUTDOWN:
case SERVREG_SERVICE_STATE_DOWN:
- /* Make sure the last dma xfer is finished */
- mutex_lock(&ctrl->tx_lock);
if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) {
pm_runtime_get_noresume(ctrl->ctrl.dev);
ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN;
qcom_slim_ngd_down(ctrl);
qcom_slim_ngd_exit_dma(ctrl);
}
- mutex_unlock(&ctrl->tx_lock);
break;
case QCOM_SSR_AFTER_POWERUP:
case SERVREG_SERVICE_STATE_UP:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 242/411] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-06-16 14:57 ` [PATCH 5.15 241/411] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 243/411] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
` (169 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
Daniel Wheeler, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit f0f3981c43b32cadfe373d636d9e9ca522bb3702 upstream.
[Why & How]
During HDCP 2.x repeater authentication over HDMI, the driver reads the
sink's RxStatus register and extracts a 10-bit message size field (max
value 1023). This value is used as the read length for the ReceiverID
list without being clamped to the size of the destination buffer
rx_id_list[177]. A malicious HDMI repeater could advertise a message
size larger than the buffer, causing an out-of-bounds write during the
I2C read.
Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the
rx_id_list buffer, matching the approach already used in the DP branch.
Fixes: eff682f83c9c ("drm/amd/display: Add DDC handles for HDCP2.2")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
@@ -533,7 +533,8 @@ enum mod_hdcp_status mod_hdcp_read_rx_id
} else {
status = read(hdcp, MOD_HDCP_MESSAGE_ID_READ_REPEATER_AUTH_SEND_RECEIVERID_LIST,
hdcp->auth.msg.hdcp2.rx_id_list,
- hdcp->auth.msg.hdcp2.rx_id_list_size);
+ MIN(hdcp->auth.msg.hdcp2.rx_id_list_size,
+ sizeof(hdcp->auth.msg.hdcp2.rx_id_list)));
}
return status;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 243/411] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 242/411] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 244/411] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
` (168 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
Daniel Wheeler, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit fb0707ce00eef4e2d60c3020e1c0432739703e4a upstream.
[Why & How]
The VBIOS integrated info tables (v1_11 and v2_1) contain HdmiRegNum and
Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C
register settings into fixed-size arrays (dp*_ext_hdmi_reg_settings[9]
and dp*_ext_hdmi_6g_reg_settings[3]). These u8 fields are not validated
before use, so a malformed VBIOS can specify values up to 255, causing an
out-of-bounds heap write during driver probe.
Clamp each register count to the destination array size using min_t()
before the copy loops, in both get_integrated_info_v11() and
get_integrated_info_v2_1().
Assisted-by: GitHub Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5a7f0ef90195940c54b0f5bb85b87da55f038c69)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 48 ++++++++++++++-------
1 file changed, 32 insertions(+), 16 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -1858,14 +1858,16 @@ static enum bp_result get_integrated_inf
info_v11->extdispconninfo.checksum;
info->dp0_ext_hdmi_slv_addr = info_v11->dp0_retimer_set.HdmiSlvAddr;
- info->dp0_ext_hdmi_reg_num = info_v11->dp0_retimer_set.HdmiRegNum;
+ info->dp0_ext_hdmi_reg_num = min_t(u8, info_v11->dp0_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp0_ext_hdmi_reg_settings));
for (i = 0; i < info->dp0_ext_hdmi_reg_num; i++) {
info->dp0_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v11->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp0_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v11->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp0_ext_hdmi_6g_reg_num = info_v11->dp0_retimer_set.Hdmi6GRegNum;
+ info->dp0_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp0_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp0_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp0_ext_hdmi_6g_reg_num; i++) {
info->dp0_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v11->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -1874,14 +1876,16 @@ static enum bp_result get_integrated_inf
}
info->dp1_ext_hdmi_slv_addr = info_v11->dp1_retimer_set.HdmiSlvAddr;
- info->dp1_ext_hdmi_reg_num = info_v11->dp1_retimer_set.HdmiRegNum;
+ info->dp1_ext_hdmi_reg_num = min_t(u8, info_v11->dp1_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp1_ext_hdmi_reg_settings));
for (i = 0; i < info->dp1_ext_hdmi_reg_num; i++) {
info->dp1_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v11->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp1_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v11->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp1_ext_hdmi_6g_reg_num = info_v11->dp1_retimer_set.Hdmi6GRegNum;
+ info->dp1_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp1_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp1_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp1_ext_hdmi_6g_reg_num; i++) {
info->dp1_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v11->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -1890,14 +1894,16 @@ static enum bp_result get_integrated_inf
}
info->dp2_ext_hdmi_slv_addr = info_v11->dp2_retimer_set.HdmiSlvAddr;
- info->dp2_ext_hdmi_reg_num = info_v11->dp2_retimer_set.HdmiRegNum;
+ info->dp2_ext_hdmi_reg_num = min_t(u8, info_v11->dp2_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp2_ext_hdmi_reg_settings));
for (i = 0; i < info->dp2_ext_hdmi_reg_num; i++) {
info->dp2_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v11->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp2_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v11->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp2_ext_hdmi_6g_reg_num = info_v11->dp2_retimer_set.Hdmi6GRegNum;
+ info->dp2_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp2_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp2_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp2_ext_hdmi_6g_reg_num; i++) {
info->dp2_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v11->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -1906,14 +1912,16 @@ static enum bp_result get_integrated_inf
}
info->dp3_ext_hdmi_slv_addr = info_v11->dp3_retimer_set.HdmiSlvAddr;
- info->dp3_ext_hdmi_reg_num = info_v11->dp3_retimer_set.HdmiRegNum;
+ info->dp3_ext_hdmi_reg_num = min_t(u8, info_v11->dp3_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp3_ext_hdmi_reg_settings));
for (i = 0; i < info->dp3_ext_hdmi_reg_num; i++) {
info->dp3_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v11->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp3_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v11->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp3_ext_hdmi_6g_reg_num = info_v11->dp3_retimer_set.Hdmi6GRegNum;
+ info->dp3_ext_hdmi_6g_reg_num = min_t(u8, info_v11->dp3_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp3_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp3_ext_hdmi_6g_reg_num; i++) {
info->dp3_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v11->dp3_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2061,14 +2069,16 @@ static enum bp_result get_integrated_inf
info->ext_disp_conn_info.checksum =
info_v2_1->extdispconninfo.checksum;
info->dp0_ext_hdmi_slv_addr = info_v2_1->dp0_retimer_set.HdmiSlvAddr;
- info->dp0_ext_hdmi_reg_num = info_v2_1->dp0_retimer_set.HdmiRegNum;
+ info->dp0_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp0_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp0_ext_hdmi_reg_settings));
for (i = 0; i < info->dp0_ext_hdmi_reg_num; i++) {
info->dp0_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v2_1->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp0_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v2_1->dp0_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp0_ext_hdmi_6g_reg_num = info_v2_1->dp0_retimer_set.Hdmi6GRegNum;
+ info->dp0_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp0_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp0_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp0_ext_hdmi_6g_reg_num; i++) {
info->dp0_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v2_1->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2076,14 +2086,16 @@ static enum bp_result get_integrated_inf
info_v2_1->dp0_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
}
info->dp1_ext_hdmi_slv_addr = info_v2_1->dp1_retimer_set.HdmiSlvAddr;
- info->dp1_ext_hdmi_reg_num = info_v2_1->dp1_retimer_set.HdmiRegNum;
+ info->dp1_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp1_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp1_ext_hdmi_reg_settings));
for (i = 0; i < info->dp1_ext_hdmi_reg_num; i++) {
info->dp1_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v2_1->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp1_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v2_1->dp1_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp1_ext_hdmi_6g_reg_num = info_v2_1->dp1_retimer_set.Hdmi6GRegNum;
+ info->dp1_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp1_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp1_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp1_ext_hdmi_6g_reg_num; i++) {
info->dp1_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v2_1->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2091,14 +2103,16 @@ static enum bp_result get_integrated_inf
info_v2_1->dp1_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
}
info->dp2_ext_hdmi_slv_addr = info_v2_1->dp2_retimer_set.HdmiSlvAddr;
- info->dp2_ext_hdmi_reg_num = info_v2_1->dp2_retimer_set.HdmiRegNum;
+ info->dp2_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp2_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp2_ext_hdmi_reg_settings));
for (i = 0; i < info->dp2_ext_hdmi_reg_num; i++) {
info->dp2_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v2_1->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp2_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v2_1->dp2_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp2_ext_hdmi_6g_reg_num = info_v2_1->dp2_retimer_set.Hdmi6GRegNum;
+ info->dp2_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp2_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp2_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp2_ext_hdmi_6g_reg_num; i++) {
info->dp2_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v2_1->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
@@ -2106,14 +2120,16 @@ static enum bp_result get_integrated_inf
info_v2_1->dp2_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegVal;
}
info->dp3_ext_hdmi_slv_addr = info_v2_1->dp3_retimer_set.HdmiSlvAddr;
- info->dp3_ext_hdmi_reg_num = info_v2_1->dp3_retimer_set.HdmiRegNum;
+ info->dp3_ext_hdmi_reg_num = min_t(u8, info_v2_1->dp3_retimer_set.HdmiRegNum,
+ ARRAY_SIZE(info->dp3_ext_hdmi_reg_settings));
for (i = 0; i < info->dp3_ext_hdmi_reg_num; i++) {
info->dp3_ext_hdmi_reg_settings[i].i2c_reg_index =
info_v2_1->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegIndex;
info->dp3_ext_hdmi_reg_settings[i].i2c_reg_val =
info_v2_1->dp3_retimer_set.HdmiRegSetting[i].ucI2cRegVal;
}
- info->dp3_ext_hdmi_6g_reg_num = info_v2_1->dp3_retimer_set.Hdmi6GRegNum;
+ info->dp3_ext_hdmi_6g_reg_num = min_t(u8, info_v2_1->dp3_retimer_set.Hdmi6GRegNum,
+ ARRAY_SIZE(info->dp3_ext_hdmi_6g_reg_settings));
for (i = 0; i < info->dp3_ext_hdmi_6g_reg_num; i++) {
info->dp3_ext_hdmi_6g_reg_settings[i].i2c_reg_index =
info_v2_1->dp3_retimer_set.Hdmi6GhzRegSetting[i].ucI2cRegIndex;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 244/411] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 243/411] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 245/411] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
` (167 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
Daniel Wheeler, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit adf67034b1f61f7119295208085bfd43f85f56af upstream.
[Why & How]
dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
without checking for NULL. A connector can be connected but not bound to
any CRTC (e.g. after hot-plug before the next atomic commit), causing a
kernel crash when writing to the sdp_message debugfs node.
The function also ignores the user-provided size argument and always
passes 36 bytes to copy_from_user(), reading past the user buffer when
size < 36.
Fix both issues by:
- Returning -ENODEV when connector->base.state or state->crtc is NULL
- Clamping write_size to min(size, sizeof(data))
Fixes: c7ba3653e977 ("drm/amd/display: Generic SDP message access in amdgpu")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -1016,8 +1016,13 @@ static ssize_t dp_sdp_message_debugfs_wr
if (size == 0)
return 0;
+ if (!connector->base.state || !connector->base.state->crtc)
+ return -ENODEV;
+
acrtc_state = to_dm_crtc_state(connector->base.state->crtc->state);
+ write_size = min_t(size_t, size, sizeof(data));
+
r = copy_from_user(data, buf, write_size);
write_size -= r;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 245/411] drm/amd/display: Use krealloc_array() in dal_vector_reserve()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 244/411] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 246/411] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
` (166 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Harry Wentland, Ray Wu,
Daniel Wheeler, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Wentland <harry.wentland@amd.com>
commit da48bc4461b8a5ebfb9264c9b191a701d8e99009 upstream.
[Why & How]
dal_vector_reserve() computes the allocation size as
"capacity * vector->struct_size" using uint32_t arithmetic, which can
silently wrap to a small value on overflow. This would cause krealloc to
return a smaller buffer than expected, leading to heap overflows on
subsequent vector appends.
Replace krealloc() with krealloc_array() which performs an internal
overflow check and returns NULL on wrap, preventing the issue.
Fixes: 2004f45ef83f ("drm/amd/display: Use kernel alloc/free")
Assisted-by: Copilot:claude-opus-4.6
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/basics/vector.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/basics/vector.c
+++ b/drivers/gpu/drm/amd/display/dc/basics/vector.c
@@ -291,8 +291,8 @@ bool dal_vector_reserve(struct vector *v
if (capacity <= vector->capacity)
return true;
- new_container = krealloc(vector->container,
- capacity * vector->struct_size, GFP_KERNEL);
+ new_container = krealloc_array(vector->container,
+ capacity, vector->struct_size, GFP_KERNEL);
if (new_container) {
vector->container = new_container;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 246/411] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 245/411] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 247/411] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
` (165 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Layton, Mingyu Wang,
Christian Brauner (Amutable)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
commit 00633c4683828acd5256fa8d5163f440d74bbe71 upstream.
A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
send_sigio() and send_sigurg() when a process group receives a signal.
When FASYNC is configured for a process group (PIDTYPE_PGID), both
functions use read_lock(&tasklist_lock) to traverse the task list.
However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)
The deadlock is caused by the rwlock writer fairness mechanism:
1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
fork() or exit() and spins, which blocks all new readers.
3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
4. The softirq calls send_sigurg() and attempts to acquire
read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.
Since PID hashing and do_each_pid_task() traversals are already
RCU-protected, the read_lock on tasklist_lock is no longer strictly
required for safe traversal. Fix this by replacing tasklist_lock with
rcu_read_lock(), aligning the process group signaling path with the
single-PID path. This also mitigates a potential remote denial of
service vector via TCP URG packets.
Lockdep splat:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[...]
Chain exists of:
&dev->event_lock --> &f_owner->lock --> tasklist_lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(tasklist_lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&f_owner->lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Link: https://patch.msgid.link/20260523135210.590928-1-w15303746062@163.com
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fcntl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -801,11 +801,11 @@ void send_sigio(struct fown_struct *fown
send_sigio_to_task(p, fown, fd, band, type);
rcu_read_unlock();
} else {
- read_lock(&tasklist_lock);
+ rcu_read_lock();
do_each_pid_task(pid, type, p) {
send_sigio_to_task(p, fown, fd, band, type);
} while_each_pid_task(pid, type, p);
- read_unlock(&tasklist_lock);
+ rcu_read_unlock();
}
out_unlock_fown:
read_unlock_irqrestore(&fown->lock, flags);
@@ -842,11 +842,11 @@ int send_sigurg(struct fown_struct *fown
send_sigurg_to_task(p, fown, type);
rcu_read_unlock();
} else {
- read_lock(&tasklist_lock);
+ rcu_read_lock();
do_each_pid_task(pid, type, p) {
send_sigurg_to_task(p, fown, type);
} while_each_pid_task(pid, type, p);
- read_unlock(&tasklist_lock);
+ rcu_read_unlock();
}
out_unlock_fown:
read_unlock_irqrestore(&fown->lock, flags);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 247/411] mm/damon/ops-common: call folio_test_lru() after folio_get()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 246/411] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 248/411] io_uring/poll: fix signed comparison in io_poll_get_ownership() Greg Kroah-Hartman
` (164 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Fernand Sieber,
Leonard Foerster, Shakeel Butt, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
[ Upstream commit d6b8b02a27b3dd09ec12144322b3dac46d9bc9ef ]
damon_get_folio() speculatively calls folio_test_lru() before
folio_try_get(). The folio can get freed and reallocated to a tail page.
In the case, VM_BUG_ON_PGFLAGS() in const_folio_flags() can be triggered.
Remove the speculative call.
Also mark folio_test_lru() check right after folio_try_get() success as no
more unlikely.
The race should be rare. Also the problem can happen only if the kernel
has enabled CONFIG_DEBUG_VM_PGFLAGS. No real world report of this issue
has been made so far. This fix is based on only theoretical analysis.
That said, a bug is a bug. A similar issue was also fixed via commit
3203b3ab0fcf ("mm/filemap: don't call folio_test_locked() without a
reference in next_uptodate_folio()"). I don't expect this change will
make a meaningful impact to DAMON performance in the real world, though I
will be happy to be corrected from the real world reports.
The issue was discovered [1] by Sashiko.
Link: https://lore.kernel.org/20260525162256.8317-1-sj@kernel.org
Link: https://lore.kernel.org/20260517234112.89245-1-sj@kernel.org [1]
Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Fernand Sieber <sieberf@amazon.com>
Cc: Leonard Foerster <foersleo@amazon.de>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: <stable@vger.kernel.org> # 5.15.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/damon/vaddr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/damon/vaddr.c b/mm/damon/vaddr.c
index 6d8036671e60e5..dbb0f0fb2e598c 100644
--- a/mm/damon/vaddr.c
+++ b/mm/damon/vaddr.c
@@ -383,10 +383,10 @@ static struct page *damon_get_page(unsigned long pfn)
{
struct page *page = pfn_to_online_page(pfn);
- if (!page || !PageLRU(page) || !get_page_unless_zero(page))
+ if (!page || !get_page_unless_zero(page))
return NULL;
- if (unlikely(!PageLRU(page))) {
+ if (!PageLRU(page)) {
put_page(page);
page = NULL;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 413+ messages in thread
* [PATCH 5.15 248/411] io_uring/poll: fix signed comparison in io_poll_get_ownership()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 247/411] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 249/411] net/tcp-md5: Fix MAC comparison to be constant-time Greg Kroah-Hartman
` (163 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yifan Wu, Juefei Pu, Yuan Tan,
Xin Liu, Zhengchuan Liang, Longxuan Yu, Ren Wei, Pavel Begunkov,
Jens Axboe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Longxuan Yu <ylong030@ucr.edu>
Commit 326941b22806cbf2df1fbfe902b7908b368cce42 usptream.
io_poll_get_ownership() uses a signed comparison to check whether
poll_refs has reached the threshold for the slowpath:
if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG
(BIT(31)) is set in poll_refs, the value becomes negative in
signed arithmetic, so the >= 128 comparison always evaluates to
false and the slowpath is never taken.
Fix this by casting the atomic_read() result to unsigned int
before the comparison, so that the cancel flag is treated as a
large positive value and correctly triggers the slowpath.
Fixes: a26a35e9019f ("io_uring: make poll refs more robust")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Longxuan Yu <ylong030@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://patch.msgid.link/3a3508b08bcd7f1bc3beff848ae6e1d73d355043.1775965597.git.ylong030@ucr.edu
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5525,7 +5525,7 @@ static bool io_poll_get_ownership_slowpa
*/
static inline bool io_poll_get_ownership(struct io_kiocb *req)
{
- if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
+ if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS))
return io_poll_get_ownership_slowpath(req);
return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 249/411] net/tcp-md5: Fix MAC comparison to be constant-time
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 248/411] io_uring/poll: fix signed comparison in io_poll_get_ownership() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 250/411] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
` (162 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Jakub Kicinski,
Li hongliang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 46d0d6f50dab706637f4c18a470aac20a21900d3 upstream.
To prevent timing attacks, MACs need to be compared in constant
time. Use the appropriate helper function for this.
Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
Fixes: 658ddaaf6694 ("tcp: md5: RST: getting md5 key from listener")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://patch.msgid.link/20260302203409.13388-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_ipv4.c | 5 +++--
net/ipv6/tcp_ipv6.c | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -78,6 +78,7 @@
#include <linux/inetdevice.h>
#include <linux/btf_ids.h>
+#include <crypto/algapi.h>
#include <crypto/hash.h>
#include <linux/scatterlist.h>
@@ -763,7 +764,7 @@ static void tcp_v4_send_reset(const stru
genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb);
- if (genhash || memcmp(hash_location, newhash, 16) != 0)
+ if (genhash || crypto_memneq(hash_location, newhash, 16))
goto out;
}
@@ -1467,7 +1468,7 @@ static bool tcp_v4_inbound_md5_hash(cons
hash_expected,
NULL, skb);
- if (genhash || memcmp(hash_location, newhash, 16) != 0) {
+ if (genhash || crypto_memneq(hash_location, newhash, 16)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s L3 index %d\n",
&iph->saddr, ntohs(th->source),
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -63,6 +63,7 @@
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
+#include <crypto/algapi.h>
#include <crypto/hash.h>
#include <linux/scatterlist.h>
@@ -810,7 +811,7 @@ static bool tcp_v6_inbound_md5_hash(cons
hash_expected,
NULL, skb);
- if (genhash || memcmp(hash_location, newhash, 16) != 0) {
+ if (genhash || crypto_memneq(hash_location, newhash, 16)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u L3 index %d\n",
genhash ? "failed" : "mismatch",
@@ -1088,7 +1089,7 @@ static void tcp_v6_send_reset(const stru
goto out;
genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb);
- if (genhash || memcmp(hash_location, newhash, 16) != 0)
+ if (genhash || crypto_memneq(hash_location, newhash, 16))
goto out;
}
#endif
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 250/411] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 249/411] net/tcp-md5: Fix MAC comparison to be constant-time Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 251/411] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
` (161 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Ignat Korchagin,
Jarkko Sakkinen, Eric Biggers, Yiming Qian
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 upstream.
Yiming reports an integer underflow in mpi_read_raw_from_sgl() when
subtracting "lzeros" from the unsigned "nbytes".
For this to happen, the scatterlist "sgl" needs to occupy more bytes
than the "nbytes" parameter and the first "nbytes + 1" bytes of the
scatterlist must be zero. Under these conditions, the while loop
iterating over the scatterlist will count more zeroes than "nbytes",
subtract the number of zeroes from "nbytes" and cause the underflow.
When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally
introduced the bug, it couldn't be triggered because all callers of
mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to
"nbytes".
However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto
interface without scatterlists"), the underflow can now actually be
triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a
larger "out_len" than "in_len" and filling the "in" buffer with zeroes,
crypto_akcipher_sync_prep() will create an all-zero scatterlist used for
both the "src" and "dst" member of struct akcipher_request and thereby
fulfil the conditions to trigger the bug:
sys_keyctl()
keyctl_pkey_e_d_s()
asymmetric_key_eds_op()
software_key_eds_op()
crypto_akcipher_sync_encrypt()
crypto_akcipher_sync_prep()
crypto_akcipher_encrypt()
rsa_enc()
mpi_read_raw_from_sgl()
To the user this will be visible as a DoS as the kernel spins forever,
causing soft lockup splats as a side effect.
Fix it.
Reported-by: Yiming Qian <yimingqian591@gmail.com> # off-list
Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Ignat Korchagin <ignat@linux.win>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/r/59eca92ff4f87e2081777f1423a0efaaadcfdb39.1776003111.git.lukas@wunner.de
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/mpi/mpicoder.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -453,7 +453,7 @@ MPI mpi_read_raw_from_sgl(struct scatter
lzeros = 0;
len = 0;
while (nbytes > 0) {
- while (len && !*buff) {
+ while (len && !*buff && lzeros < nbytes) {
lzeros++;
len--;
buff++;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 251/411] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 250/411] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 252/411] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
` (160 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+62538b67389ee582837a,
Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 6af249c996f7d73a3435f9e577956fa259347d18 ]
Syzbot reported a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:1900!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6527 Comm: syz.5.110 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:f2fs_issue_discard_timeout+0x59b/0x5a0 fs/f2fs/segment.c:1900
Code: d9 80 e1 07 80 c1 03 38 c1 0f 8c d6 fe ff ff 48 89 df e8 a8 5e fa fd e9 c9 fe ff ff e8 4e 46 94 fd 90 0f 0b e8 46 46 94 fd 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
RSP: 0018:ffffc9000494f940 EFLAGS: 00010283
RAX: ffffffff843009ca RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc9001ca78000 RSI: 00000000000029f3 RDI: 00000000000029f4
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed100893a431 R12: 1ffff1100893a430
R13: 1ffff1100c2b702c R14: dffffc0000000000 R15: ffff8880449d2160
FS: 00007ffa35fed6c0(0000) GS:ffff88812643d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2b68634000 CR3: 0000000039f62000 CR4: 00000000003526f0
Call Trace:
<TASK>
__f2fs_remount fs/f2fs/super.c:2960 [inline]
f2fs_reconfigure+0x108a/0x1710 fs/f2fs/super.c:5443
reconfigure_super+0x227/0x8a0 fs/super.c:1080
do_remount fs/namespace.c:3391 [inline]
path_mount+0xdc5/0x10e0 fs/namespace.c:4151
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount+0x31d/0x420 fs/namespace.c:4338
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffa37dbda0a
The root cause is there will be race condition in between f2fs_ioc_fitrim()
and f2fs_remount():
- f2fs_remount - f2fs_ioc_fitrim
- f2fs_issue_discard_timeout
- __issue_discard_cmd
- __drop_discard_cmd
- __wait_all_discard_cmd
- f2fs_trim_fs
- f2fs_write_checkpoint
- f2fs_clear_prefree_segments
- f2fs_issue_discard
- __issue_discard_async
- __queue_discard_cmd
- __update_discard_tree_range
- __insert_discard_cmd
- __create_discard_cmd
: atomic_inc(&dcc->discard_cmd_cnt);
- sanity check on dcc->discard_cmd_cnt (expect discard_cmd_cnt to be zero)
This will only happen when fitrim races w/ remount rw, if we remount to
readonly filesystem, remount will wait until mnt_pcp.mnt_writers to zero,
that means fitrim is not in process at that time.
Cc: stable@kernel.org
Fixes: 2482c4325dfe ("f2fs: detect bug_on in f2fs_wait_discard_bios")
Reported-by: syzbot+62538b67389ee582837a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/69b07d7c.050a0220.8df7.09a1.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ Different function signatures ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 2 +-
fs/f2fs/segment.c | 6 +++---
fs/f2fs/super.c | 9 +++++++--
3 files changed, 11 insertions(+), 6 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3467,7 +3467,7 @@ bool f2fs_is_checkpointed_data(struct f2
int f2fs_start_discard_thread(struct f2fs_sb_info *sbi);
void f2fs_drop_discard_cmd(struct f2fs_sb_info *sbi);
void f2fs_stop_discard_thread(struct f2fs_sb_info *sbi);
-bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi);
+bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check);
void f2fs_clear_prefree_segments(struct f2fs_sb_info *sbi,
struct cp_control *cpc);
void f2fs_dirty_to_prefree(struct f2fs_sb_info *sbi);
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -1741,7 +1741,7 @@ void f2fs_stop_discard_thread(struct f2f
}
/* This comes from f2fs_put_super */
-bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi)
+bool f2fs_issue_discard_timeout(struct f2fs_sb_info *sbi, bool need_check)
{
struct discard_cmd_control *dcc = SM_I(sbi)->dcc_info;
struct discard_policy dpolicy;
@@ -1755,7 +1755,7 @@ bool f2fs_issue_discard_timeout(struct f
/* just to make sure there is no pending discard commands */
__wait_all_discard_cmd(sbi, NULL);
- f2fs_bug_on(sbi, atomic_read(&dcc->discard_cmd_cnt));
+ f2fs_bug_on(sbi, need_check && atomic_read(&dcc->discard_cmd_cnt));
return dropped;
}
@@ -2197,7 +2197,7 @@ static void destroy_discard_cmd_control(
* fill_super(), it needs to give a chance to handle them.
*/
if (unlikely(atomic_read(&dcc->discard_cmd_cnt)))
- f2fs_issue_discard_timeout(sbi);
+ f2fs_issue_discard_timeout(sbi, true);
kfree(dcc);
SM_I(sbi)->dcc_info = NULL;
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1600,7 +1600,7 @@ static void f2fs_put_super(struct super_
}
/* be sure to wait for any on-going discard commands */
- dropped = f2fs_issue_discard_timeout(sbi);
+ dropped = f2fs_issue_discard_timeout(sbi, true);
if ((f2fs_hw_support_discard(sbi) || f2fs_hw_should_discard(sbi)) &&
!sbi->discard_blks && !dropped) {
@@ -2409,8 +2409,13 @@ static int f2fs_remount(struct super_blo
} else {
dcc = SM_I(sbi)->dcc_info;
f2fs_stop_discard_thread(sbi);
+ /*
+ * f2fs_ioc_fitrim() won't race w/ "remount ro"
+ * so it's safe to check discard_cmd_cnt in
+ * f2fs_issue_discard_timeout().
+ */
if (atomic_read(&dcc->discard_cmd_cnt))
- f2fs_issue_discard_timeout(sbi);
+ f2fs_issue_discard_timeout(sbi, *flags & SB_RDONLY);
need_restart_discard = true;
}
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 252/411] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 251/411] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 253/411] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
` (159 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+6e4cb1cac5efc96ea0ca,
Yongpeng Yang, Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
[ Upstream commit 2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53 ]
The xfstests case "generic/107" and syzbot have both reported a NULL
pointer dereference.
The concurrent scenario that triggers the panic is as follows:
F2FS_WB_CP_DATA write callback umount
- f2fs_write_checkpoint
- f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
- blk_mq_end_request
- bio_endio
- f2fs_write_end_io
: dec_page_count(sbi, F2FS_WB_CP_DATA)
: wake_up(&sbi->cp_wait)
- kill_f2fs_super
- kill_block_super
- f2fs_put_super
: iput(sbi->node_inode)
: sbi->node_inode = NULL
: f2fs_in_warm_node_list
- is_node_folio // sbi->node_inode is NULL and panic
The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and
sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is
decremented to zero. As a result, f2fs_in_warm_node_list() may
dereference a NULL node_inode when checking whether a folio belongs to
the node inode, leading to a panic.
This patch fixes the issue by calling f2fs_in_warm_node_list() before
decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the
use-after-free condition.
Cc: stable@kernel.org
Fixes: 50fa53eccf9f ("f2fs: fix to avoid broken of dnode block list")
Reported-by: syzbot+6e4cb1cac5efc96ea0ca@syzkaller.appspotmail.com
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -339,6 +339,8 @@ static void f2fs_write_end_io(struct bio
f2fs_bug_on(sbi, page->mapping == NODE_MAPPING(sbi) &&
page->index != nid_of_node(page));
+ if (f2fs_in_warm_node_list(sbi, page))
+ f2fs_del_fsync_node_entry(sbi, page);
dec_page_count(sbi, type);
@@ -350,8 +352,6 @@ static void f2fs_write_end_io(struct bio
wq_has_sleeper(&sbi->cp_wait))
wake_up(&sbi->cp_wait);
- if (f2fs_in_warm_node_list(sbi, page))
- f2fs_del_fsync_node_entry(sbi, page);
clear_page_private_gcing(page);
end_page_writeback(page);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 253/411] smb: server: fix active_num_conn leak on transport allocation failure
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 252/411] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 254/411] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
` (158 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit 6551300dc452ac16a855a83dbd1e74899542d3b3 ]
Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in
ksmbd_tcp_new_connection()") addressed the kthread_run() failure
path. The earlier alloc_transport() == NULL path in the same
function has the same leak, is reachable pre-authentication via any
TCP connect to port 445, and was empirically reproduced on UML
(ARCH=um, v7.0-rc7): a small number of forced allocation failures
were sufficient to put ksmbd into a state where every subsequent
connection attempt was rejected for the remainder of the boot.
ksmbd_kthread_fn() increments active_num_conn before calling
ksmbd_tcp_new_connection() and discards the return value, so when
alloc_transport() returns NULL the socket is released and -ENOMEM
returned without decrementing the counter. Each such failure
permanently consumes one slot from the max_connections pool; once
cumulative failures reach the cap, atomic_inc_return() hits the
threshold on every subsequent accept and every new connection is
rejected. The counter is only reset by module reload.
An unauthenticated remote attacker can drive the server toward the
memory pressure that makes alloc_transport() fail by holding open
connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN
(0x00FFFFFF); natural transient allocation failures on a loaded
host produce the same drift more slowly.
Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the
alloc_transport() failure path, decrement active_num_conn gated on
server_conf.max_connections.
Repro details: with the patch reverted, forced alloc_transport()
NULL returns leaked counter slots and subsequent connection
attempts -- including legitimate connects issued after the
forced-fail window had closed -- were all rejected with "Limit the
maximum number of connections". With this patch applied, the same
connect sequence produces no rejections and the counter cycles
cleanly between zero and one on every accept.
Fixes: 0d0d4680db22 ("ksmbd: add max connections parameter")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/transport_tcp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ksmbd/transport_tcp.c
+++ b/fs/ksmbd/transport_tcp.c
@@ -191,6 +191,8 @@ static int ksmbd_tcp_new_connection(stru
t = alloc_transport(client_sk);
if (!t) {
sock_release(client_sk);
+ if (server_conf.max_connections)
+ atomic_dec(&active_num_conn);
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 254/411] smb: server: fix max_connections off-by-one in tcp accept path
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 253/411] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 255/411] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
` (157 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DaeMyung Kang, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: DaeMyung Kang <charsyam@gmail.com>
[ Upstream commit ce23158bfe584bd90d1918f279fdf9de57802012 ]
The global max_connections check in ksmbd's TCP accept path counts
the newly accepted connection with atomic_inc_return(), but then
rejects the connection when the result is greater than or equal to
server_conf.max_connections.
That makes the effective limit one smaller than configured. For
example:
- max_connections=1 rejects the first connection
- max_connections=2 allows only one connection
The per-IP limit in the same function uses <= correctly because it
counts only pre-existing connections. The global limit instead checks
the post-increment total, so it should reject only when that total
exceeds the configured maximum.
Fix this by changing the comparison from >= to >, so exactly
max_connections simultaneous connections are allowed and the next one
is rejected. This matches the documented meaning of max_connections
in fs/smb/server/ksmbd_netlink.h as the "Number of maximum simultaneous
connections".
Fixes: 0d0d4680db22 ("ksmbd: add max connections parameter")
Cc: stable@vger.kernel.org
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/transport_tcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ksmbd/transport_tcp.c
+++ b/fs/ksmbd/transport_tcp.c
@@ -248,7 +248,7 @@ static int ksmbd_kthread_fn(void *p)
}
if (server_conf.max_connections &&
- atomic_inc_return(&active_num_conn) >= server_conf.max_connections) {
+ atomic_inc_return(&active_num_conn) > server_conf.max_connections) {
pr_info_ratelimited("Limit the maximum number of connections(%u)\n",
atomic_read(&active_num_conn));
atomic_dec(&active_num_conn);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 255/411] smb: client: require a full NFS mode SID before reading mode bits
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 254/411] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 256/411] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
` (156 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit 2757ad3e4b6f9e0fed4c7739594e702abc5cab21 ]
parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS
mode SID and reads sid.sub_auth[2] to recover the mode bits.
That assumes the ACE carries three subauthorities, but compare_sids()
only compares min(a, b) subauthorities. A malicious server can return
an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still
matches sid_unix_NFS_mode and then drives the sub_auth[2] read four
bytes past the end of the ACE.
Require num_subauth >= 3 before treating the ACE as an NFS mode SID.
This keeps the fix local to the special-SID mode path without changing
compare_sids() semantics for the rest of cifsacl.
Fixes: e2f8fbfb8d09 ("cifs: get mode bits from special sid on stat")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsacl.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -807,6 +807,7 @@ static void parse_dacl(struct cifs_acl *
dump_ace(ppace[i], end_of_acl);
#endif
if (mode_from_special_sid &&
+ ppace[i]->sid.num_subauth >= 3 &&
(compare_sids(&(ppace[i]->sid),
&sid_unix_NFS_mode) == 0)) {
/*
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 256/411] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 255/411] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 257/411] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
` (155 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit a58c5af19ff0d6f44f6e9fe31e33a2c92223f77e ]
smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path. The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.
A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.
Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.
Fixes: f5778c398713 ("SMB3: Allow SMB3 FSCTL queries to be sent to server from tools")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2ops.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1826,6 +1826,12 @@ smb2_ioctl_query_info(const unsigned int
qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
if (le32_to_cpu(qi_rsp->OutputBufferLength) < qi.input_buffer_length)
qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
+ if (qi.input_buffer_length > 0 &&
+ struct_size(qi_rsp, Buffer, qi.input_buffer_length) >
+ rsp_iov[1].iov_len) {
+ rc = -EFAULT;
+ goto out;
+ }
if (copy_to_user(&pqi->input_buffer_length,
&qi.input_buffer_length,
sizeof(qi.input_buffer_length))) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 257/411] ksmbd: require minimum ACE size in smb_check_perm_dacl()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 256/411] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 258/411] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
` (154 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit d07b26f39246a82399661936dd0c853983cfade7 ]
Both ACE-walk loops in smb_check_perm_dacl() only guard against an
under-sized remaining buffer, not against an ACE whose declared
`ace->size` is smaller than the struct it claims to describe:
if (offsetof(struct smb_ace, access_req) > aces_size)
break;
ace_size = le16_to_cpu(ace->size);
if (ace_size > aces_size)
break;
The first check only requires the 4-byte ACE header to be in bounds;
it does not require access_req (4 bytes at offset 4) to be readable.
An attacker who has set a crafted DACL on a file they own can declare
ace->size == 4 with aces_size == 4, pass both checks, and then
granted |= le32_to_cpu(ace->access_req); /* upper loop */
compare_sids(&sid, &ace->sid); /* lower loop */
reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at
offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES
* 4 bytes).
Tighten both loops to require
ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE
which is the smallest valid on-wire ACE layout (4-byte header +
4-byte access_req + 8-byte sid base with zero sub-auths). Also
reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES
before letting compare_sids() dereference sub_auth[] entries.
parse_sec_desc() already enforces an equivalent check (lines 441-448);
smb_check_perm_dacl() simply grew weaker validation over time.
Reachability: authenticated SMB client with permission to set an ACL
on a file. On a subsequent CREATE against that file, the kernel
walks the stored DACL via smb_check_perm_dacl() and triggers the
OOB read. Not pre-auth, and the OOB read is not reflected to the
attacker, but KASAN reports and kernel state corruption are
possible.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ changed le16_to_cpu to le32_to_cpu for num_aces field which is __le32 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/smbacl.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
--- a/fs/ksmbd/smbacl.c
+++ b/fs/ksmbd/smbacl.c
@@ -1265,10 +1265,13 @@ int smb_check_perm_dacl(struct ksmbd_con
ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
aces_size = acl_size - sizeof(struct smb_acl);
for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
- if (offsetof(struct smb_ace, access_req) > aces_size)
+ if (offsetof(struct smb_ace, sid) +
+ aces_size < CIFS_SID_BASE_SIZE)
break;
ace_size = le16_to_cpu(ace->size);
- if (ace_size > aces_size)
+ if (ace_size > aces_size ||
+ ace_size < offsetof(struct smb_ace, sid) +
+ CIFS_SID_BASE_SIZE)
break;
aces_size -= ace_size;
granted |= le32_to_cpu(ace->access_req);
@@ -1286,13 +1289,19 @@ int smb_check_perm_dacl(struct ksmbd_con
ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl));
aces_size = acl_size - sizeof(struct smb_acl);
for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) {
- if (offsetof(struct smb_ace, access_req) > aces_size)
+ if (offsetof(struct smb_ace, sid) +
+ aces_size < CIFS_SID_BASE_SIZE)
break;
ace_size = le16_to_cpu(ace->size);
- if (ace_size > aces_size)
+ if (ace_size > aces_size ||
+ ace_size < offsetof(struct smb_ace, sid) +
+ CIFS_SID_BASE_SIZE)
break;
aces_size -= ace_size;
+ if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES)
+ break;
+
if (!compare_sids(&sid, &ace->sid) ||
!compare_sids(&sid_unix_NFS_mode, &ace->sid)) {
found = 1;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 258/411] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 257/411] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 259/411] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
` (153 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bingquan Chen, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bingquan Chen <patzilla007@gmail.com>
[ Upstream commit 2c054e17d9d41f1020376806c7f750834ced4dc5 ]
In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.
The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.
Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.
Fixes: 1d036d25e560 ("packet: tpacket_snd gso and checksum offload")
Signed-off-by: Bingquan Chen <patzilla007@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260418112006.78823-1-patzilla007@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ replaced `vnet_hdr_sz` with `sizeof(vnet_hdr)` and `if (vnet_hdr_sz)` with `if (po->has_vnet_hdr)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2729,7 +2729,8 @@ static int tpacket_snd(struct packet_soc
{
struct sk_buff *skb = NULL;
struct net_device *dev;
- struct virtio_net_hdr *vnet_hdr = NULL;
+ struct virtio_net_hdr vnet_hdr;
+ bool has_vnet_hdr = false;
struct sockcm_cookie sockc;
__be16 proto;
int err, reserve = 0;
@@ -2829,16 +2830,20 @@ static int tpacket_snd(struct packet_soc
hlen = LL_RESERVED_SPACE(dev);
tlen = dev->needed_tailroom;
if (po->has_vnet_hdr) {
- vnet_hdr = data;
- data += sizeof(*vnet_hdr);
- tp_len -= sizeof(*vnet_hdr);
- if (tp_len < 0 ||
- __packet_snd_vnet_parse(vnet_hdr, tp_len)) {
+ data += sizeof(vnet_hdr);
+ tp_len -= sizeof(vnet_hdr);
+ if (tp_len < 0) {
+ tp_len = -EINVAL;
+ goto tpacket_error;
+ }
+ memcpy(&vnet_hdr, data - sizeof(vnet_hdr), sizeof(vnet_hdr));
+ if (__packet_snd_vnet_parse(&vnet_hdr, tp_len)) {
tp_len = -EINVAL;
goto tpacket_error;
}
copylen = __virtio16_to_cpu(vio_le(),
- vnet_hdr->hdr_len);
+ vnet_hdr.hdr_len);
+ has_vnet_hdr = true;
}
copylen = max_t(int, copylen, dev->hard_header_len);
skb = sock_alloc_send_skb(&po->sk,
@@ -2875,12 +2880,12 @@ tpacket_error:
}
}
- if (po->has_vnet_hdr) {
- if (virtio_net_hdr_to_skb(skb, vnet_hdr, vio_le())) {
+ if (has_vnet_hdr) {
+ if (virtio_net_hdr_to_skb(skb, &vnet_hdr, vio_le())) {
tp_len = -EINVAL;
goto tpacket_error;
}
- virtio_net_hdr_set_proto(skb, vnet_hdr);
+ virtio_net_hdr_set_proto(skb, &vnet_hdr);
}
skb->destructor = tpacket_destruct_skb;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 259/411] arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 258/411] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 260/411] rtw88: 8821ce: Disable PCIe ASPM L1 for 8821CE using chip ID Greg Kroah-Hartman
` (152 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Will Deacon, linux-arm-kernel,
linux-kernel, David Hildenbrand (Arm), Ryan Roberts,
Anshuman Khandual, Catalin Marinas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anshuman Khandual <anshuman.khandual@arm.com>
[ Upstream commit 48478b9f791376b4b89018d7afdfd06865498f65 ]
During a memory hot remove operation, both linear and vmemmap mappings for
the memory range being removed, get unmapped via unmap_hotplug_range() but
mapped pages get freed only for vmemmap mapping. This is just a sequential
operation where each table entry gets cleared, followed by a leaf specific
TLB flush, and then followed by memory free operation when applicable.
This approach was simple and uniform both for vmemmap and linear mappings.
But linear mapping might contain CONT marked block memory where it becomes
necessary to first clear out all entire in the range before a TLB flush.
This is as per the architecture requirement. Hence batch all TLB flushes
during the table tear down walk and finally do it in unmap_hotplug_range().
Prior to this fix, it was hypothetically possible for a speculative access
to a higher address in the contiguous block to fill the TLB with shattered
entries for the entire contiguous range after a lower address had already
been cleared and invalidated. Due to the table entries being shattered, the
subsequent TLB invalidation for the higher address would not then clear the
TLB entries for the lower address, meaning stale TLB entries could persist.
Besides it also helps in improving the performance via TLBI range operation
along with reduced synchronization instructions. The time spent executing
unmap_hotplug_range() improved 97% measured over a 2GB memory hot removal
in KVM guest.
This scheme is not applicable during vmemmap mapping tear down where memory
needs to be freed and hence a TLB flush is required after clearing out page
table entry.
Cc: Will Deacon <will@kernel.org>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Closes: https://lore.kernel.org/all/aWZYXhrT6D2M-7-N@willie-the-truck/
Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
Cc: stable@vger.kernel.org
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ replaced `__pte_clear()` with `pte_clear()` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/mmu.c | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
--- a/arch/arm64/mm/mmu.c
+++ b/arch/arm64/mm/mmu.c
@@ -886,10 +886,14 @@ static void unmap_hotplug_pte_range(pmd_
WARN_ON(!pte_present(pte));
pte_clear(&init_mm, addr, ptep);
- flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
- if (free_mapped)
+ if (free_mapped) {
+ /* CONT blocks are not supported in the vmemmap */
+ WARN_ON(pte_cont(pte));
+ flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
free_hotplug_page_range(pte_page(pte),
PAGE_SIZE, altmap);
+ }
+ /* unmap_hotplug_range() flushes TLB for !free_mapped */
} while (addr += PAGE_SIZE, addr < end);
}
@@ -910,15 +914,14 @@ static void unmap_hotplug_pmd_range(pud_
WARN_ON(!pmd_present(pmd));
if (pmd_sect(pmd)) {
pmd_clear(pmdp);
-
- /*
- * One TLBI should be sufficient here as the PMD_SIZE
- * range is mapped with a single block entry.
- */
- flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
- if (free_mapped)
+ if (free_mapped) {
+ /* CONT blocks are not supported in the vmemmap */
+ WARN_ON(pmd_cont(pmd));
+ flush_tlb_kernel_range(addr, addr + PMD_SIZE);
free_hotplug_page_range(pmd_page(pmd),
PMD_SIZE, altmap);
+ }
+ /* unmap_hotplug_range() flushes TLB for !free_mapped */
continue;
}
WARN_ON(!pmd_table(pmd));
@@ -943,15 +946,12 @@ static void unmap_hotplug_pud_range(p4d_
WARN_ON(!pud_present(pud));
if (pud_sect(pud)) {
pud_clear(pudp);
-
- /*
- * One TLBI should be sufficient here as the PUD_SIZE
- * range is mapped with a single block entry.
- */
- flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
- if (free_mapped)
+ if (free_mapped) {
+ flush_tlb_kernel_range(addr, addr + PUD_SIZE);
free_hotplug_page_range(pud_page(pud),
PUD_SIZE, altmap);
+ }
+ /* unmap_hotplug_range() flushes TLB for !free_mapped */
continue;
}
WARN_ON(!pud_table(pud));
@@ -981,6 +981,7 @@ static void unmap_hotplug_p4d_range(pgd_
static void unmap_hotplug_range(unsigned long addr, unsigned long end,
bool free_mapped, struct vmem_altmap *altmap)
{
+ unsigned long start = addr;
unsigned long next;
pgd_t *pgdp, pgd;
@@ -1002,6 +1003,9 @@ static void unmap_hotplug_range(unsigned
WARN_ON(!pgd_present(pgd));
unmap_hotplug_p4d_range(pgdp, addr, next, free_mapped, altmap);
} while (addr = next, addr < end);
+
+ if (!free_mapped)
+ flush_tlb_kernel_range(start, end);
}
static void free_empty_pte_table(pmd_t *pmdp, unsigned long addr,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 260/411] rtw88: 8821ce: Disable PCIe ASPM L1 for 8821CE using chip ID
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 259/411] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 261/411] wifi: rtw88: check for PCI upstream bridge existence Greg Kroah-Hartman
` (151 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jimmy Hon, Ping-Ke Shih, Kalle Valo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jimmy Hon <honyuenkwun@gmail.com>
[ Upstream commit b9eb5f0742d107ca9c0f33da58f61ce83e3ce2fc ]
Make workaround work for other 8821CE devices with different PCI ID
Signed-off-by: Jimmy Hon <honyuenkwun@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220407075123.420696-3-honyuenkwun@gmail.com
Stable-dep-of: eb101d2abdcc ("wifi: rtw88: check for PCI upstream bridge existence")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw88/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1766,7 +1766,7 @@ int rtw_pci_probe(struct pci_dev *pdev,
}
/* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
- if (pdev->device == 0xc821 && bridge->vendor == PCI_VENDOR_ID_INTEL)
+ if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL)
rtwpci->rx_no_aspm = true;
rtw_pci_phy_cfg(rtwdev);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 261/411] wifi: rtw88: check for PCI upstream bridge existence
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 260/411] rtw88: 8821ce: Disable PCIe ASPM L1 for 8821CE using chip ID Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 262/411] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
` (150 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 ]
pci_upstream_bridge() returns NULL if the device is on a root bus. If
8821CE is installed in the system with such a PCI topology, the probing
routine will crash. This has probably been unnoticed as 8821CE is mostly
supplied in laptops where there is a PCI-to-PCI bridge located upstream
from the device. However the card might be installed on a system with
different configuration.
Check if the bridge does exist for the specific workaround to be applied.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw88/pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1766,7 +1766,8 @@ int rtw_pci_probe(struct pci_dev *pdev,
}
/* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
- if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL)
+ if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C &&
+ bridge && bridge->vendor == PCI_VENDOR_ID_INTEL)
rtwpci->rx_no_aspm = true;
rtw_pci_phy_cfg(rtwdev);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 262/411] thermal: core: Fix thermal zone governor cleanup issues
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 261/411] wifi: rtw88: check for PCI upstream bridge existence Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 263/411] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
` (149 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
[ Upstream commit 41ff66baf81c6541f4f985dd7eac4494d03d9440 ]
If thermal_zone_device_register_with_trips() fails after adding
a thermal governor to the thermal zone being registered, the
governor is not removed from it as appropriate which may lead to
a memory leak.
In turn, thermal_zone_device_unregister() calls thermal_set_governor()
without acquiring the thermal zone lock beforehand which may race with
a governor update via sysfs and may lead to a use-after-free in that
case.
Address these issues by adding two thermal_set_governor() calls, one to
thermal_release() to remove the governor from the given thermal zone,
and one to the thermal zone registration error path to cover failures
preceding the thermal zone device registration.
Fixes: e33df1d2f3a0 ("thermal: let governors have private data for each thermal zone")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/5092923.31r3eYUQgx@rafael.j.wysocki
[ adapted context for missing mutex_destroy/complete ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thermal/thermal_core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -778,6 +778,7 @@ static void thermal_release(struct devic
sizeof("thermal_zone") - 1)) {
tz = to_thermal_zone(dev);
thermal_zone_destroy_device_groups(tz);
+ thermal_set_governor(tz, NULL);
kfree(tz);
} else if (!strncmp(dev_name(dev), "cooling_device",
sizeof("cooling_device") - 1)) {
@@ -1260,8 +1261,10 @@ thermal_zone_device_register(const char
/* sys I/F */
/* Add nodes that are always present via .groups */
result = thermal_zone_create_device_groups(tz, mask);
- if (result)
+ if (result) {
+ thermal_set_governor(tz, NULL);
goto remove_id;
+ }
/* A new thermal zone needs to be updated anyway. */
atomic_set(&tz->need_update, 1);
@@ -1385,8 +1388,6 @@ void thermal_zone_device_unregister(stru
cancel_delayed_work_sync(&tz->poll_queue);
- thermal_set_governor(tz, NULL);
-
thermal_remove_hwmon_sysfs(tz);
ida_simple_remove(&thermal_tz_ida, tz->id);
ida_destroy(&tz->ida);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 263/411] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 262/411] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 264/411] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
` (148 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Hodges, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Hodges <git@danielhodges.dev>
[ Upstream commit ae5e95d4157481693be2317e3ffcd84e36010cbb ]
The mwifiex_adapter_cleanup() function uses timer_delete()
(non-synchronous) for the wakeup_timer before the adapter structure is
freed. This is incorrect because timer_delete() does not wait for any
running timer callback to complete.
If the wakeup_timer callback (wakeup_timer_fn) is executing when
mwifiex_adapter_cleanup() is called, the callback will continue to
access adapter fields (adapter->hw_status, adapter->if_ops.card_reset,
etc.) which may be freed by mwifiex_free_adapter() called later in the
mwifiex_remove_card() path.
Use timer_delete_sync() instead to ensure any running timer callback has
completed before returning.
Fixes: 4636187da60b ("mwifiex: add wakeup timer based recovery mechanism")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Hodges <git@danielhodges.dev>
Link: https://patch.msgid.link/20260206194401.2346-1-git@danielhodges.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ changed `timer_delete_sync(&adapter->wakeup_timer)` to `del_timer_sync(&adapter->wakeup_timer)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/mwifiex/init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/marvell/mwifiex/init.c
+++ b/drivers/net/wireless/marvell/mwifiex/init.c
@@ -399,7 +399,7 @@ static void mwifiex_invalidate_lists(str
static void
mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
{
- del_timer(&adapter->wakeup_timer);
+ del_timer_sync(&adapter->wakeup_timer);
del_timer_sync(&adapter->devdump_timer);
mwifiex_cancel_all_pending_cmd(adapter);
wake_up_interruptible(&adapter->cmd_wait_q.wait);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 264/411] ALSA: aoa: Use guard() for mutex locks
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 263/411] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 265/411] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
` (147 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 1cb6ecbb372002ef9e531c5377e5f60122411e40 ]
Replace the manual mutex lock/unlock pairs with guard() for code
simplification.
Only code refactoring, and no behavior change.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250829151335.7342-14-tiwai@suse.de
Stable-dep-of: 5ed060d54915 ("ALSA: aoa: i2sbus: clear stale prepared state")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/aoa/codecs/onyx.c | 104 +++++++++++-------------------------
sound/aoa/codecs/tas.c | 113 +++++++++++++---------------------------
sound/aoa/core/gpio-feature.c | 20 ++-----
sound/aoa/core/gpio-pmf.c | 26 +++------
sound/aoa/soundbus/i2sbus/pcm.c | 76 ++++++++------------------
5 files changed, 112 insertions(+), 227 deletions(-)
--- a/sound/aoa/codecs/onyx.c
+++ b/sound/aoa/codecs/onyx.c
@@ -121,10 +121,9 @@ static int onyx_snd_vol_get(struct snd_k
struct onyx *onyx = snd_kcontrol_chip(kcontrol);
s8 l, r;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_LEFT, &l);
onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT, &r);
- mutex_unlock(&onyx->mutex);
ucontrol->value.integer.value[0] = l + VOLUME_RANGE_SHIFT;
ucontrol->value.integer.value[1] = r + VOLUME_RANGE_SHIFT;
@@ -145,15 +144,13 @@ static int onyx_snd_vol_put(struct snd_k
ucontrol->value.integer.value[1] > -1 + VOLUME_RANGE_SHIFT)
return -EINVAL;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_LEFT, &l);
onyx_read_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT, &r);
if (l + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[0] &&
- r + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[1]) {
- mutex_unlock(&onyx->mutex);
+ r + VOLUME_RANGE_SHIFT == ucontrol->value.integer.value[1])
return 0;
- }
onyx_write_register(onyx, ONYX_REG_DAC_ATTEN_LEFT,
ucontrol->value.integer.value[0]
@@ -161,7 +158,6 @@ static int onyx_snd_vol_put(struct snd_k
onyx_write_register(onyx, ONYX_REG_DAC_ATTEN_RIGHT,
ucontrol->value.integer.value[1]
- VOLUME_RANGE_SHIFT);
- mutex_unlock(&onyx->mutex);
return 1;
}
@@ -197,9 +193,8 @@ static int onyx_snd_inputgain_get(struct
struct onyx *onyx = snd_kcontrol_chip(kcontrol);
u8 ig;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &ig);
- mutex_unlock(&onyx->mutex);
ucontrol->value.integer.value[0] =
(ig & ONYX_ADC_PGA_GAIN_MASK) + INPUTGAIN_RANGE_SHIFT;
@@ -216,14 +211,13 @@ static int onyx_snd_inputgain_put(struct
if (ucontrol->value.integer.value[0] < 3 + INPUTGAIN_RANGE_SHIFT ||
ucontrol->value.integer.value[0] > 28 + INPUTGAIN_RANGE_SHIFT)
return -EINVAL;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
n = v;
n &= ~ONYX_ADC_PGA_GAIN_MASK;
n |= (ucontrol->value.integer.value[0] - INPUTGAIN_RANGE_SHIFT)
& ONYX_ADC_PGA_GAIN_MASK;
onyx_write_register(onyx, ONYX_REG_ADC_CONTROL, n);
- mutex_unlock(&onyx->mutex);
return n != v;
}
@@ -251,9 +245,8 @@ static int onyx_snd_capture_source_get(s
struct onyx *onyx = snd_kcontrol_chip(kcontrol);
s8 v;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
- mutex_unlock(&onyx->mutex);
ucontrol->value.enumerated.item[0] = !!(v&ONYX_ADC_INPUT_MIC);
@@ -264,13 +257,12 @@ static void onyx_set_capture_source(stru
{
s8 v;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_ADC_CONTROL, &v);
v &= ~ONYX_ADC_INPUT_MIC;
if (mic)
v |= ONYX_ADC_INPUT_MIC;
onyx_write_register(onyx, ONYX_REG_ADC_CONTROL, v);
- mutex_unlock(&onyx->mutex);
}
static int onyx_snd_capture_source_put(struct snd_kcontrol *kcontrol,
@@ -311,9 +303,8 @@ static int onyx_snd_mute_get(struct snd_
struct onyx *onyx = snd_kcontrol_chip(kcontrol);
u8 c;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &c);
- mutex_unlock(&onyx->mutex);
ucontrol->value.integer.value[0] = !(c & ONYX_MUTE_LEFT);
ucontrol->value.integer.value[1] = !(c & ONYX_MUTE_RIGHT);
@@ -328,9 +319,9 @@ static int onyx_snd_mute_put(struct snd_
u8 v = 0, c = 0;
int err = -EBUSY;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
if (onyx->analog_locked)
- goto out_unlock;
+ return -EBUSY;
onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &v);
c = v;
@@ -341,9 +332,6 @@ static int onyx_snd_mute_put(struct snd_
c |= ONYX_MUTE_RIGHT;
err = onyx_write_register(onyx, ONYX_REG_DAC_CONTROL, c);
- out_unlock:
- mutex_unlock(&onyx->mutex);
-
return !err ? (v != c) : err;
}
@@ -372,9 +360,8 @@ static int onyx_snd_single_bit_get(struc
u8 address = (pv >> 8) & 0xff;
u8 mask = pv & 0xff;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, address, &c);
- mutex_unlock(&onyx->mutex);
ucontrol->value.integer.value[0] = !!(c & mask) ^ polarity;
@@ -393,11 +380,10 @@ static int onyx_snd_single_bit_put(struc
u8 address = (pv >> 8) & 0xff;
u8 mask = pv & 0xff;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
if (spdiflock && onyx->spdif_locked) {
/* even if alsamixer doesn't care.. */
- err = -EBUSY;
- goto out_unlock;
+ return -EBUSY;
}
onyx_read_register(onyx, address, &v);
c = v;
@@ -406,9 +392,6 @@ static int onyx_snd_single_bit_put(struc
c |= mask;
err = onyx_write_register(onyx, address, c);
- out_unlock:
- mutex_unlock(&onyx->mutex);
-
return !err ? (v != c) : err;
}
@@ -489,7 +472,7 @@ static int onyx_spdif_get(struct snd_kco
struct onyx *onyx = snd_kcontrol_chip(kcontrol);
u8 v;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_DIG_INFO1, &v);
ucontrol->value.iec958.status[0] = v & 0x3e;
@@ -501,7 +484,6 @@ static int onyx_spdif_get(struct snd_kco
onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
ucontrol->value.iec958.status[4] = v & 0x0f;
- mutex_unlock(&onyx->mutex);
return 0;
}
@@ -512,7 +494,7 @@ static int onyx_spdif_put(struct snd_kco
struct onyx *onyx = snd_kcontrol_chip(kcontrol);
u8 v;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_DIG_INFO1, &v);
v = (v & ~0x3e) | (ucontrol->value.iec958.status[0] & 0x3e);
onyx_write_register(onyx, ONYX_REG_DIG_INFO1, v);
@@ -527,7 +509,6 @@ static int onyx_spdif_put(struct snd_kco
onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
v = (v & ~0x0f) | (ucontrol->value.iec958.status[4] & 0x0f);
onyx_write_register(onyx, ONYX_REG_DIG_INFO4, v);
- mutex_unlock(&onyx->mutex);
return 1;
}
@@ -672,14 +653,13 @@ static int onyx_usable(struct codec_info
struct onyx *onyx = cii->codec_data;
int spdif_enabled, analog_enabled;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx_read_register(onyx, ONYX_REG_DIG_INFO4, &v);
spdif_enabled = !!(v & ONYX_SPDIF_ENABLE);
onyx_read_register(onyx, ONYX_REG_DAC_CONTROL, &v);
analog_enabled =
(v & (ONYX_MUTE_RIGHT|ONYX_MUTE_LEFT))
!= (ONYX_MUTE_RIGHT|ONYX_MUTE_LEFT);
- mutex_unlock(&onyx->mutex);
switch (ti->tag) {
case 0: return 1;
@@ -695,9 +675,8 @@ static int onyx_prepare(struct codec_inf
{
u8 v;
struct onyx *onyx = cii->codec_data;
- int err = -EBUSY;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
#ifdef SNDRV_PCM_FMTBIT_COMPRESSED_16BE
if (substream->runtime->format == SNDRV_PCM_FMTBIT_COMPRESSED_16BE) {
@@ -706,10 +685,9 @@ static int onyx_prepare(struct codec_inf
if (onyx_write_register(onyx,
ONYX_REG_DAC_CONTROL,
v | ONYX_MUTE_RIGHT | ONYX_MUTE_LEFT))
- goto out_unlock;
+ return -EBUSY;
onyx->analog_locked = 1;
- err = 0;
- goto out_unlock;
+ return 0;
}
#endif
switch (substream->runtime->rate) {
@@ -719,8 +697,7 @@ static int onyx_prepare(struct codec_inf
/* these rates are ok for all outputs */
/* FIXME: program spdif channel control bits here so that
* userspace doesn't have to if it only plays pcm! */
- err = 0;
- goto out_unlock;
+ return 0;
default:
/* got some rate that the digital output can't do,
* so disable and lock it */
@@ -728,16 +705,12 @@ static int onyx_prepare(struct codec_inf
if (onyx_write_register(onyx,
ONYX_REG_DIG_INFO4,
v & ~ONYX_SPDIF_ENABLE))
- goto out_unlock;
+ return -EBUSY;
onyx->spdif_locked = 1;
- err = 0;
- goto out_unlock;
+ return 0;
}
- out_unlock:
- mutex_unlock(&onyx->mutex);
-
- return err;
+ return -EBUSY;
}
static int onyx_open(struct codec_info_item *cii,
@@ -745,9 +718,8 @@ static int onyx_open(struct codec_info_i
{
struct onyx *onyx = cii->codec_data;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx->open_count++;
- mutex_unlock(&onyx->mutex);
return 0;
}
@@ -757,11 +729,10 @@ static int onyx_close(struct codec_info_
{
struct onyx *onyx = cii->codec_data;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
onyx->open_count--;
if (!onyx->open_count)
onyx->spdif_locked = onyx->analog_locked = 0;
- mutex_unlock(&onyx->mutex);
return 0;
}
@@ -771,7 +742,7 @@ static int onyx_switch_clock(struct code
{
struct onyx *onyx = cii->codec_data;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
/* this *MUST* be more elaborate later... */
switch (what) {
case CLOCK_SWITCH_PREPARE_SLAVE:
@@ -783,7 +754,6 @@ static int onyx_switch_clock(struct code
default: /* silence warning */
break;
}
- mutex_unlock(&onyx->mutex);
return 0;
}
@@ -794,27 +764,21 @@ static int onyx_suspend(struct codec_inf
{
struct onyx *onyx = cii->codec_data;
u8 v;
- int err = -ENXIO;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
if (onyx_read_register(onyx, ONYX_REG_CONTROL, &v))
- goto out_unlock;
+ return -ENXIO;
onyx_write_register(onyx, ONYX_REG_CONTROL, v | ONYX_ADPSV | ONYX_DAPSV);
/* Apple does a sleep here but the datasheet says to do it on resume */
- err = 0;
- out_unlock:
- mutex_unlock(&onyx->mutex);
-
- return err;
+ return 0;
}
static int onyx_resume(struct codec_info_item *cii)
{
struct onyx *onyx = cii->codec_data;
u8 v;
- int err = -ENXIO;
- mutex_lock(&onyx->mutex);
+ guard(mutex)(&onyx->mutex);
/* reset codec */
onyx->codec.gpio->methods->set_hw_reset(onyx->codec.gpio, 0);
@@ -826,17 +790,13 @@ static int onyx_resume(struct codec_info
/* take codec out of suspend (if it still is after reset) */
if (onyx_read_register(onyx, ONYX_REG_CONTROL, &v))
- goto out_unlock;
+ return -ENXIO;
onyx_write_register(onyx, ONYX_REG_CONTROL, v & ~(ONYX_ADPSV | ONYX_DAPSV));
/* FIXME: should divide by sample rate, but 8k is the lowest we go */
msleep(2205000/8000);
/* reset all values */
onyx_register_init(onyx);
- err = 0;
- out_unlock:
- mutex_unlock(&onyx->mutex);
-
- return err;
+ return 0;
}
#endif /* CONFIG_PM */
--- a/sound/aoa/codecs/tas.c
+++ b/sound/aoa/codecs/tas.c
@@ -235,10 +235,9 @@ static int tas_snd_vol_get(struct snd_kc
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.integer.value[0] = tas->cached_volume_l;
ucontrol->value.integer.value[1] = tas->cached_volume_r;
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -254,18 +253,15 @@ static int tas_snd_vol_put(struct snd_kc
ucontrol->value.integer.value[1] > 177)
return -EINVAL;
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
if (tas->cached_volume_l == ucontrol->value.integer.value[0]
- && tas->cached_volume_r == ucontrol->value.integer.value[1]) {
- mutex_unlock(&tas->mtx);
+ && tas->cached_volume_r == ucontrol->value.integer.value[1])
return 0;
- }
tas->cached_volume_l = ucontrol->value.integer.value[0];
tas->cached_volume_r = ucontrol->value.integer.value[1];
if (tas->hw_enabled)
tas_set_volume(tas);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -285,10 +281,9 @@ static int tas_snd_mute_get(struct snd_k
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.integer.value[0] = !tas->mute_l;
ucontrol->value.integer.value[1] = !tas->mute_r;
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -297,18 +292,15 @@ static int tas_snd_mute_put(struct snd_k
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
if (tas->mute_l == !ucontrol->value.integer.value[0]
- && tas->mute_r == !ucontrol->value.integer.value[1]) {
- mutex_unlock(&tas->mtx);
+ && tas->mute_r == !ucontrol->value.integer.value[1])
return 0;
- }
tas->mute_l = !ucontrol->value.integer.value[0];
tas->mute_r = !ucontrol->value.integer.value[1];
if (tas->hw_enabled)
tas_set_volume(tas);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -337,10 +329,9 @@ static int tas_snd_mixer_get(struct snd_
struct tas *tas = snd_kcontrol_chip(kcontrol);
int idx = kcontrol->private_value;
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.integer.value[0] = tas->mixer_l[idx];
ucontrol->value.integer.value[1] = tas->mixer_r[idx];
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -351,19 +342,16 @@ static int tas_snd_mixer_put(struct snd_
struct tas *tas = snd_kcontrol_chip(kcontrol);
int idx = kcontrol->private_value;
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
if (tas->mixer_l[idx] == ucontrol->value.integer.value[0]
- && tas->mixer_r[idx] == ucontrol->value.integer.value[1]) {
- mutex_unlock(&tas->mtx);
+ && tas->mixer_r[idx] == ucontrol->value.integer.value[1])
return 0;
- }
tas->mixer_l[idx] = ucontrol->value.integer.value[0];
tas->mixer_r[idx] = ucontrol->value.integer.value[1];
if (tas->hw_enabled)
tas_set_mixer(tas);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -396,9 +384,8 @@ static int tas_snd_drc_range_get(struct
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.integer.value[0] = tas->drc_range;
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -411,16 +398,13 @@ static int tas_snd_drc_range_put(struct
ucontrol->value.integer.value[0] > TAS3004_DRC_MAX)
return -EINVAL;
- mutex_lock(&tas->mtx);
- if (tas->drc_range == ucontrol->value.integer.value[0]) {
- mutex_unlock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
+ if (tas->drc_range == ucontrol->value.integer.value[0])
return 0;
- }
tas->drc_range = ucontrol->value.integer.value[0];
if (tas->hw_enabled)
tas3004_set_drc(tas);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -440,9 +424,8 @@ static int tas_snd_drc_switch_get(struct
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.integer.value[0] = tas->drc_enabled;
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -451,16 +434,13 @@ static int tas_snd_drc_switch_put(struct
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
- if (tas->drc_enabled == ucontrol->value.integer.value[0]) {
- mutex_unlock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
+ if (tas->drc_enabled == ucontrol->value.integer.value[0])
return 0;
- }
tas->drc_enabled = !!ucontrol->value.integer.value[0];
if (tas->hw_enabled)
tas3004_set_drc(tas);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -486,9 +466,8 @@ static int tas_snd_capture_source_get(st
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.enumerated.item[0] = !!(tas->acr & TAS_ACR_INPUT_B);
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -500,7 +479,7 @@ static int tas_snd_capture_source_put(st
if (ucontrol->value.enumerated.item[0] > 1)
return -EINVAL;
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
oldacr = tas->acr;
/*
@@ -512,13 +491,10 @@ static int tas_snd_capture_source_put(st
if (ucontrol->value.enumerated.item[0])
tas->acr |= TAS_ACR_INPUT_B | TAS_ACR_B_MONAUREAL |
TAS_ACR_B_MON_SEL_RIGHT;
- if (oldacr == tas->acr) {
- mutex_unlock(&tas->mtx);
+ if (oldacr == tas->acr)
return 0;
- }
if (tas->hw_enabled)
tas_write_reg(tas, TAS_REG_ACR, 1, &tas->acr);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -557,9 +533,8 @@ static int tas_snd_treble_get(struct snd
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.integer.value[0] = tas->treble;
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -571,16 +546,13 @@ static int tas_snd_treble_put(struct snd
if (ucontrol->value.integer.value[0] < TAS3004_TREBLE_MIN ||
ucontrol->value.integer.value[0] > TAS3004_TREBLE_MAX)
return -EINVAL;
- mutex_lock(&tas->mtx);
- if (tas->treble == ucontrol->value.integer.value[0]) {
- mutex_unlock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
+ if (tas->treble == ucontrol->value.integer.value[0])
return 0;
- }
tas->treble = ucontrol->value.integer.value[0];
if (tas->hw_enabled)
tas_set_treble(tas);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -608,9 +580,8 @@ static int tas_snd_bass_get(struct snd_k
{
struct tas *tas = snd_kcontrol_chip(kcontrol);
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
ucontrol->value.integer.value[0] = tas->bass;
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -622,16 +593,13 @@ static int tas_snd_bass_put(struct snd_k
if (ucontrol->value.integer.value[0] < TAS3004_BASS_MIN ||
ucontrol->value.integer.value[0] > TAS3004_BASS_MAX)
return -EINVAL;
- mutex_lock(&tas->mtx);
- if (tas->bass == ucontrol->value.integer.value[0]) {
- mutex_unlock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
+ if (tas->bass == ucontrol->value.integer.value[0])
return 0;
- }
tas->bass = ucontrol->value.integer.value[0];
if (tas->hw_enabled)
tas_set_bass(tas);
- mutex_unlock(&tas->mtx);
return 1;
}
@@ -722,13 +690,13 @@ static int tas_switch_clock(struct codec
break;
case CLOCK_SWITCH_SLAVE:
/* Clocks are back, re-init the codec */
- mutex_lock(&tas->mtx);
- tas_reset_init(tas);
- tas_set_volume(tas);
- tas_set_mixer(tas);
- tas->hw_enabled = 1;
- tas->codec.gpio->methods->all_amps_restore(tas->codec.gpio);
- mutex_unlock(&tas->mtx);
+ scoped_guard(mutex, &tas->mtx) {
+ tas_reset_init(tas);
+ tas_set_volume(tas);
+ tas_set_mixer(tas);
+ tas->hw_enabled = 1;
+ tas->codec.gpio->methods->all_amps_restore(tas->codec.gpio);
+ }
break;
default:
/* doesn't happen as of now */
@@ -743,23 +711,21 @@ static int tas_switch_clock(struct codec
* our i2c device is suspended, and then take note of that! */
static int tas_suspend(struct tas *tas)
{
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
tas->hw_enabled = 0;
tas->acr |= TAS_ACR_ANALOG_PDOWN;
tas_write_reg(tas, TAS_REG_ACR, 1, &tas->acr);
- mutex_unlock(&tas->mtx);
return 0;
}
static int tas_resume(struct tas *tas)
{
/* reset codec */
- mutex_lock(&tas->mtx);
+ guard(mutex)(&tas->mtx);
tas_reset_init(tas);
tas_set_volume(tas);
tas_set_mixer(tas);
tas->hw_enabled = 1;
- mutex_unlock(&tas->mtx);
return 0;
}
@@ -802,14 +768,13 @@ static int tas_init_codec(struct aoa_cod
return -EINVAL;
}
- mutex_lock(&tas->mtx);
- if (tas_reset_init(tas)) {
- printk(KERN_ERR PFX "tas failed to initialise\n");
- mutex_unlock(&tas->mtx);
- return -ENXIO;
+ scoped_guard(mutex, &tas->mtx) {
+ if (tas_reset_init(tas)) {
+ printk(KERN_ERR PFX "tas failed to initialise\n");
+ return -ENXIO;
+ }
+ tas->hw_enabled = 1;
}
- tas->hw_enabled = 1;
- mutex_unlock(&tas->mtx);
if (tas->codec.soundbus_dev->attach_codec(tas->codec.soundbus_dev,
aoa_get_card(),
--- a/sound/aoa/core/gpio-feature.c
+++ b/sound/aoa/core/gpio-feature.c
@@ -212,10 +212,9 @@ static void ftr_handle_notify(struct wor
struct gpio_notification *notif =
container_of(work, struct gpio_notification, work.work);
- mutex_lock(¬if->mutex);
+ guard(mutex)(¬if->mutex);
if (notif->notify)
notif->notify(notif->data);
- mutex_unlock(¬if->mutex);
}
static void gpio_enable_dual_edge(int gpio)
@@ -341,19 +340,17 @@ static int ftr_set_notify(struct gpio_ru
if (!irq)
return -ENODEV;
- mutex_lock(¬if->mutex);
+ guard(mutex)(¬if->mutex);
old = notif->notify;
- if (!old && !notify) {
- err = 0;
- goto out_unlock;
- }
+ if (!old && !notify)
+ return 0;
if (old && notify) {
if (old == notify && notif->data == data)
err = 0;
- goto out_unlock;
+ return err;
}
if (old && !notify)
@@ -362,16 +359,13 @@ static int ftr_set_notify(struct gpio_ru
if (!old && notify) {
err = request_irq(irq, ftr_handle_notify_irq, 0, name, notif);
if (err)
- goto out_unlock;
+ return err;
}
notif->notify = notify;
notif->data = data;
- err = 0;
- out_unlock:
- mutex_unlock(¬if->mutex);
- return err;
+ return 0;
}
static int ftr_get_detect(struct gpio_runtime *rt,
--- a/sound/aoa/core/gpio-pmf.c
+++ b/sound/aoa/core/gpio-pmf.c
@@ -74,10 +74,9 @@ static void pmf_handle_notify(struct wor
struct gpio_notification *notif =
container_of(work, struct gpio_notification, work.work);
- mutex_lock(¬if->mutex);
+ guard(mutex)(¬if->mutex);
if (notif->notify)
notif->notify(notif->data);
- mutex_unlock(¬if->mutex);
}
static void pmf_gpio_init(struct gpio_runtime *rt)
@@ -154,19 +153,17 @@ static int pmf_set_notify(struct gpio_ru
return -EINVAL;
}
- mutex_lock(¬if->mutex);
+ guard(mutex)(¬if->mutex);
old = notif->notify;
- if (!old && !notify) {
- err = 0;
- goto out_unlock;
- }
+ if (!old && !notify)
+ return 0;
if (old && notify) {
if (old == notify && notif->data == data)
err = 0;
- goto out_unlock;
+ return err;
}
if (old && !notify) {
@@ -178,10 +175,8 @@ static int pmf_set_notify(struct gpio_ru
if (!old && notify) {
irq_client = kzalloc(sizeof(struct pmf_irq_client),
GFP_KERNEL);
- if (!irq_client) {
- err = -ENOMEM;
- goto out_unlock;
- }
+ if (!irq_client)
+ return -ENOMEM;
irq_client->data = notif;
irq_client->handler = pmf_handle_notify_irq;
irq_client->owner = THIS_MODULE;
@@ -192,17 +187,14 @@ static int pmf_set_notify(struct gpio_ru
printk(KERN_ERR "snd-aoa: gpio layer failed to"
" register %s irq (%d)\n", name, err);
kfree(irq_client);
- goto out_unlock;
+ return err;
}
notif->gpio_private = irq_client;
}
notif->notify = notify;
notif->data = data;
- err = 0;
- out_unlock:
- mutex_unlock(¬if->mutex);
- return err;
+ return 0;
}
static int pmf_get_detect(struct gpio_runtime *rt,
--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -79,11 +79,10 @@ static int i2sbus_pcm_open(struct i2sbus
u64 formats = 0;
unsigned int rates = 0;
struct transfer_info v;
- int result = 0;
int bus_factor = 0, sysclock_factor = 0;
int found_this;
- mutex_lock(&i2sdev->lock);
+ guard(mutex)(&i2sdev->lock);
get_pcm_info(i2sdev, in, &pi, &other);
@@ -92,8 +91,7 @@ static int i2sbus_pcm_open(struct i2sbus
if (pi->active) {
/* alsa messed up */
- result = -EBUSY;
- goto out_unlock;
+ return -EBUSY;
}
/* we now need to assign the hw */
@@ -117,10 +115,8 @@ static int i2sbus_pcm_open(struct i2sbus
ti++;
}
}
- if (!masks_inited || !bus_factor || !sysclock_factor) {
- result = -ENODEV;
- goto out_unlock;
- }
+ if (!masks_inited || !bus_factor || !sysclock_factor)
+ return -ENODEV;
/* bus dependent stuff */
hw->info = SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_MMAP_VALID |
SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_RESUME |
@@ -194,15 +190,12 @@ static int i2sbus_pcm_open(struct i2sbus
hw->periods_max = MAX_DBDMA_COMMANDS;
err = snd_pcm_hw_constraint_integer(pi->substream->runtime,
SNDRV_PCM_HW_PARAM_PERIODS);
- if (err < 0) {
- result = err;
- goto out_unlock;
- }
+ if (err < 0)
+ return err;
list_for_each_entry(cii, &sdev->codec_list, list) {
if (cii->codec->open) {
err = cii->codec->open(cii, pi->substream);
if (err) {
- result = err;
/* unwind */
found_this = 0;
list_for_each_entry_reverse(rev,
@@ -214,14 +207,12 @@ static int i2sbus_pcm_open(struct i2sbus
if (rev == cii)
found_this = 1;
}
- goto out_unlock;
+ return err;
}
}
}
- out_unlock:
- mutex_unlock(&i2sdev->lock);
- return result;
+ return 0;
}
#undef CHECK_RATE
@@ -232,7 +223,7 @@ static int i2sbus_pcm_close(struct i2sbu
struct pcm_info *pi;
int err = 0, tmp;
- mutex_lock(&i2sdev->lock);
+ guard(mutex)(&i2sdev->lock);
get_pcm_info(i2sdev, in, &pi, NULL);
@@ -246,7 +237,6 @@ static int i2sbus_pcm_close(struct i2sbu
pi->substream = NULL;
pi->active = 0;
- mutex_unlock(&i2sdev->lock);
return err;
}
@@ -330,33 +320,26 @@ static int i2sbus_pcm_prepare(struct i2s
int input_16bit;
struct pcm_info *pi, *other;
int cnt;
- int result = 0;
unsigned int cmd, stopaddr;
- mutex_lock(&i2sdev->lock);
+ guard(mutex)(&i2sdev->lock);
get_pcm_info(i2sdev, in, &pi, &other);
- if (pi->dbdma_ring.running) {
- result = -EBUSY;
- goto out_unlock;
- }
+ if (pi->dbdma_ring.running)
+ return -EBUSY;
if (pi->dbdma_ring.stopping)
i2sbus_wait_for_stop(i2sdev, pi);
- if (!pi->substream || !pi->substream->runtime) {
- result = -EINVAL;
- goto out_unlock;
- }
+ if (!pi->substream || !pi->substream->runtime)
+ return -EINVAL;
runtime = pi->substream->runtime;
pi->active = 1;
if (other->active &&
((i2sdev->format != runtime->format)
- || (i2sdev->rate != runtime->rate))) {
- result = -EINVAL;
- goto out_unlock;
- }
+ || (i2sdev->rate != runtime->rate)))
+ return -EINVAL;
i2sdev->format = runtime->format;
i2sdev->rate = runtime->rate;
@@ -412,10 +395,8 @@ static int i2sbus_pcm_prepare(struct i2s
bi.bus_factor = cii->codec->bus_factor;
break;
}
- if (!bi.bus_factor) {
- result = -ENODEV;
- goto out_unlock;
- }
+ if (!bi.bus_factor)
+ return -ENODEV;
input_16bit = 1;
break;
case SNDRV_PCM_FORMAT_S32_BE:
@@ -426,8 +407,7 @@ static int i2sbus_pcm_prepare(struct i2s
input_16bit = 0;
break;
default:
- result = -EINVAL;
- goto out_unlock;
+ return -EINVAL;
}
/* we assume all sysclocks are the same! */
list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
@@ -438,10 +418,8 @@ static int i2sbus_pcm_prepare(struct i2s
if (clock_and_divisors(bi.sysclock_factor,
bi.bus_factor,
runtime->rate,
- &sfr) < 0) {
- result = -EINVAL;
- goto out_unlock;
- }
+ &sfr) < 0)
+ return -EINVAL;
switch (bi.bus_factor) {
case 32:
sfr |= I2S_SF_SERIAL_FORMAT_I2S_32X;
@@ -457,10 +435,8 @@ static int i2sbus_pcm_prepare(struct i2s
int err = 0;
if (cii->codec->prepare)
err = cii->codec->prepare(cii, &bi, pi->substream);
- if (err) {
- result = err;
- goto out_unlock;
- }
+ if (err)
+ return err;
}
/* codecs are fine with it, so set our clocks */
if (input_16bit)
@@ -476,7 +452,7 @@ static int i2sbus_pcm_prepare(struct i2s
/* not locking these is fine since we touch them only in this function */
if (in_le32(&i2sdev->intfregs->serial_format) == sfr
&& in_le32(&i2sdev->intfregs->data_word_sizes) == dws)
- goto out_unlock;
+ return 0;
/* let's notify the codecs about clocks going away.
* For now we only do mastering on the i2s cell... */
@@ -514,9 +490,7 @@ static int i2sbus_pcm_prepare(struct i2s
if (cii->codec->switch_clock)
cii->codec->switch_clock(cii, CLOCK_SWITCH_SLAVE);
- out_unlock:
- mutex_unlock(&i2sdev->lock);
- return result;
+ return 0;
}
#ifdef CONFIG_PM
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 265/411] ALSA: aoa: i2sbus: clear stale prepared state
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 264/411] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 266/411] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
` (146 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Cássio Gabriel, Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit 5ed060d5491597490fb53ec69da3edc4b1e8c165 ]
The i2sbus PCM code uses pi->active to constrain the sibling stream to
an already prepared duplex format and rate in i2sbus_pcm_open().
That state is set from i2sbus_pcm_prepare(), but the current code only
clears it on close. As a result, the sibling stream can inherit stale
constraints after the prepared state has been torn down.
Clear pi->active when hw_params() or hw_free() tears down the prepared
state, and set it again only after prepare succeeds.
Replace the stale FIXME in the duplex constraint comment with a description
of the current driver behavior: i2sbus still programs a single shared
transport configuration for both directions, so mixed formats are not
supported in duplex mode.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202604010125.AvkWBYKI-lkp@intel.com/
Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260331-aoa-i2sbus-clear-stale-active-v2-1-3764ae2889a1@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/aoa/soundbus/i2sbus/pcm.c | 55 ++++++++++++++++++++++++++++++++--------
1 file changed, 44 insertions(+), 11 deletions(-)
--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -165,17 +165,16 @@ static int i2sbus_pcm_open(struct i2sbus
* currently in use (if any). */
hw->rate_min = 5512;
hw->rate_max = 192000;
- /* if the other stream is active, then we can only
- * support what it is currently using.
- * FIXME: I lied. This comment is wrong. We can support
- * anything that works with the same serial format, ie.
- * when recording 24 bit sound we can well play 16 bit
- * sound at the same time iff using the same transfer mode.
+ /* If the other stream is already prepared, keep this stream
+ * on the same duplex format and rate.
+ *
+ * i2sbus_pcm_prepare() still programs one shared transport
+ * configuration for both directions, so mixed duplex formats
+ * are not supported here.
*/
if (other->active) {
- /* FIXME: is this guaranteed by the alsa api? */
hw->formats &= pcm_format_to_bits(i2sdev->format);
- /* see above, restrict rates to the one we already have */
+ /* Restrict rates to the one already in use. */
hw->rate_min = i2sdev->rate;
hw->rate_max = i2sdev->rate;
}
@@ -283,6 +282,23 @@ void i2sbus_wait_for_stop_both(struct i2
}
#endif
+static void i2sbus_pcm_clear_active(struct i2sbus_dev *i2sdev, int in)
+{
+ struct pcm_info *pi;
+
+ guard(mutex)(&i2sdev->lock);
+
+ get_pcm_info(i2sdev, in, &pi, NULL);
+ pi->active = 0;
+}
+
+static inline int i2sbus_hw_params(struct snd_pcm_substream *substream,
+ struct snd_pcm_hw_params *params, int in)
+{
+ i2sbus_pcm_clear_active(snd_pcm_substream_chip(substream), in);
+ return 0;
+}
+
static inline int i2sbus_hw_free(struct snd_pcm_substream *substream, int in)
{
struct i2sbus_dev *i2sdev = snd_pcm_substream_chip(substream);
@@ -291,14 +307,27 @@ static inline int i2sbus_hw_free(struct
get_pcm_info(i2sdev, in, &pi, NULL);
if (pi->dbdma_ring.stopping)
i2sbus_wait_for_stop(i2sdev, pi);
+ i2sbus_pcm_clear_active(i2sdev, in);
return 0;
}
+static int i2sbus_playback_hw_params(struct snd_pcm_substream *substream,
+ struct snd_pcm_hw_params *params)
+{
+ return i2sbus_hw_params(substream, params, 0);
+}
+
static int i2sbus_playback_hw_free(struct snd_pcm_substream *substream)
{
return i2sbus_hw_free(substream, 0);
}
+static int i2sbus_record_hw_params(struct snd_pcm_substream *substream,
+ struct snd_pcm_hw_params *params)
+{
+ return i2sbus_hw_params(substream, params, 1);
+}
+
static int i2sbus_record_hw_free(struct snd_pcm_substream *substream)
{
return i2sbus_hw_free(substream, 1);
@@ -335,7 +364,6 @@ static int i2sbus_pcm_prepare(struct i2s
return -EINVAL;
runtime = pi->substream->runtime;
- pi->active = 1;
if (other->active &&
((i2sdev->format != runtime->format)
|| (i2sdev->rate != runtime->rate)))
@@ -450,9 +478,11 @@ static int i2sbus_pcm_prepare(struct i2s
/* early exit if already programmed correctly */
/* not locking these is fine since we touch them only in this function */
- if (in_le32(&i2sdev->intfregs->serial_format) == sfr
- && in_le32(&i2sdev->intfregs->data_word_sizes) == dws)
+ if (in_le32(&i2sdev->intfregs->serial_format) == sfr &&
+ in_le32(&i2sdev->intfregs->data_word_sizes) == dws) {
+ pi->active = 1;
return 0;
+ }
/* let's notify the codecs about clocks going away.
* For now we only do mastering on the i2s cell... */
@@ -490,6 +520,7 @@ static int i2sbus_pcm_prepare(struct i2s
if (cii->codec->switch_clock)
cii->codec->switch_clock(cii, CLOCK_SWITCH_SLAVE);
+ pi->active = 1;
return 0;
}
@@ -746,6 +777,7 @@ static snd_pcm_uframes_t i2sbus_playback
static const struct snd_pcm_ops i2sbus_playback_ops = {
.open = i2sbus_playback_open,
.close = i2sbus_playback_close,
+ .hw_params = i2sbus_playback_hw_params,
.hw_free = i2sbus_playback_hw_free,
.prepare = i2sbus_playback_prepare,
.trigger = i2sbus_playback_trigger,
@@ -814,6 +846,7 @@ static snd_pcm_uframes_t i2sbus_record_p
static const struct snd_pcm_ops i2sbus_record_ops = {
.open = i2sbus_record_open,
.close = i2sbus_record_close,
+ .hw_params = i2sbus_record_hw_params,
.hw_free = i2sbus_record_hw_free,
.prepare = i2sbus_record_prepare,
.trigger = i2sbus_record_trigger,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 266/411] media: rc: ttusbir: respect DMA coherency rules
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 265/411] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 267/411] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
` (145 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 50acaad3d202c064779db8dc3d010007347f59c7 ]
Buffers must not share a cache line with other data structures.
Allocate separately.
Fixes: 0938069fa0897 ("[media] rc: Add support for the TechnoTrend USB IR Receiver")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ kept kzalloc(sizeof(*tt), GFP_KERNEL) instead of kzalloc_obj() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/ttusbir.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -32,7 +32,7 @@ struct ttusbir {
struct led_classdev led;
struct urb *bulk_urb;
- uint8_t bulk_buffer[5];
+ u8 *bulk_buffer;
int bulk_out_endp, iso_in_endp;
bool led_on, is_led_on;
atomic_t led_complete;
@@ -188,13 +188,16 @@ static int ttusbir_probe(struct usb_inte
struct rc_dev *rc;
int i, j, ret;
int altsetting = -1;
+ u8 *buffer;
tt = kzalloc(sizeof(*tt), GFP_KERNEL);
+ buffer = kzalloc(5, GFP_KERNEL);
rc = rc_allocate_device(RC_DRIVER_IR_RAW);
- if (!tt || !rc) {
+ if (!tt || !rc || buffer) {
ret = -ENOMEM;
goto out;
}
+ tt->bulk_buffer = buffer;
/* find the correct alt setting */
for (i = 0; i < intf->num_altsetting && altsetting == -1; i++) {
@@ -283,8 +286,8 @@ static int ttusbir_probe(struct usb_inte
tt->bulk_buffer[3] = 0x01;
usb_fill_bulk_urb(tt->bulk_urb, tt->udev, usb_sndbulkpipe(tt->udev,
- tt->bulk_out_endp), tt->bulk_buffer, sizeof(tt->bulk_buffer),
- ttusbir_bulk_complete, tt);
+ tt->bulk_out_endp), tt->bulk_buffer, 5,
+ ttusbir_bulk_complete, tt);
tt->led.name = "ttusbir:green:power";
tt->led.default_trigger = "rc-feedback";
@@ -353,6 +356,7 @@ out:
kfree(tt);
}
rc_free_device(rc);
+ kfree(buffer);
return ret;
}
@@ -375,6 +379,7 @@ static void ttusbir_disconnect(struct us
}
usb_kill_urb(tt->bulk_urb);
usb_free_urb(tt->bulk_urb);
+ kfree(tt->bulk_buffer);
usb_set_intfdata(intf, NULL);
kfree(tt);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 267/411] ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 266/411] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 268/411] erofs: fix the out-of-bounds nameoff handling for trailing dirents Greg Kroah-Hartman
` (144 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit fd7df93013c5118812e63a52635dc6c3a805a1de ]
In i2sbus_resume(), skip devices with an empty codec list, which avoids
using an uninitialized 'sysclock_factor' in the 32-bit format path in
i2sbus_pcm_prepare().
In i2sbus_pcm_prepare(), replace two list_for_each_entry() loops with a
single list_first_entry() now that the codec list is guaranteed to be
non-empty by all callers.
Fixes: f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20260310102921.210109-3-thorsten.blum@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/aoa/soundbus/i2sbus/core.c | 3 +++
sound/aoa/soundbus/i2sbus/pcm.c | 16 +++++-----------
2 files changed, 8 insertions(+), 11 deletions(-)
--- a/sound/aoa/soundbus/i2sbus/core.c
+++ b/sound/aoa/soundbus/i2sbus/core.c
@@ -411,6 +411,9 @@ static int i2sbus_resume(struct macio_de
int err, ret = 0;
list_for_each_entry(i2sdev, &control->list, item) {
+ if (list_empty(&i2sdev->sound.codec_list))
+ continue;
+
/* reset i2s bus format etc. */
i2sbus_pcm_prepare_both(i2sdev);
--- a/sound/aoa/soundbus/i2sbus/pcm.c
+++ b/sound/aoa/soundbus/i2sbus/pcm.c
@@ -411,6 +411,9 @@ static int i2sbus_pcm_prepare(struct i2s
/* set stop command */
command->command = cpu_to_le16(DBDMA_STOP);
+ cii = list_first_entry(&i2sdev->sound.codec_list,
+ struct codec_info_item, list);
+
/* ok, let's set the serial format and stuff */
switch (runtime->format) {
/* 16 bit formats */
@@ -418,13 +421,7 @@ static int i2sbus_pcm_prepare(struct i2s
case SNDRV_PCM_FORMAT_U16_BE:
/* FIXME: if we add different bus factors we need to
* do more here!! */
- bi.bus_factor = 0;
- list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
- bi.bus_factor = cii->codec->bus_factor;
- break;
- }
- if (!bi.bus_factor)
- return -ENODEV;
+ bi.bus_factor = cii->codec->bus_factor;
input_16bit = 1;
break;
case SNDRV_PCM_FORMAT_S32_BE:
@@ -438,10 +435,7 @@ static int i2sbus_pcm_prepare(struct i2s
return -EINVAL;
}
/* we assume all sysclocks are the same! */
- list_for_each_entry(cii, &i2sdev->sound.codec_list, list) {
- bi.sysclock_factor = cii->codec->sysclock_factor;
- break;
- }
+ bi.sysclock_factor = cii->codec->sysclock_factor;
if (clock_and_divisors(bi.sysclock_factor,
bi.bus_factor,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 268/411] erofs: fix the out-of-bounds nameoff handling for trailing dirents
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 267/411] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 269/411] nvme: fix interpretation of DMRSL Greg Kroah-Hartman
` (143 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Gao Xiang,
Chao Yu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Upstream commit d18a3b5d337fa412a38e776e6b4b857a58836575 ]
Currently we already have boundary-checks for nameoffs, but the trailing
dirents are special since the namelens are calculated with strnlen()
with unchecked nameoffs.
If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
maxsize - nameoff can underflow, causing strnlen() to read past the
directory block.
nameoff0 should also be verified to be a multiple of
`sizeof(struct erofs_dirent)` as well [1].
[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com
Cc: stable@vger.kernel.org
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
[ replaced upstream `bsz` with `PAGE_SIZE` and `sizeof(*de)` with `sizeof(struct erofs_dirent)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/erofs/dir.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
--- a/fs/erofs/dir.c
+++ b/fs/erofs/dir.c
@@ -37,20 +37,18 @@ static int erofs_fill_dentries(struct in
nameoff = le16_to_cpu(de->nameoff);
de_name = (char *)dentry_blk + nameoff;
- /* the last dirent in the block? */
- if (de + 1 >= end)
- de_namelen = strnlen(de_name, maxsize - nameoff);
- else
+ /* non-trailing dirent in the directory block? */
+ if (de + 1 < end)
de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
+ else if (maxsize <= nameoff)
+ goto err_bogus;
+ else
+ de_namelen = strnlen(de_name, maxsize - nameoff);
- /* a corrupted entry is found */
- if (nameoff + de_namelen > maxsize ||
- de_namelen > EROFS_NAME_LEN) {
- erofs_err(dir->i_sb, "bogus dirent @ nid %llu",
- EROFS_I(dir)->nid);
- DBG_BUGON(1);
- return -EFSCORRUPTED;
- }
+ /* a corrupted entry is found (including negative namelen) */
+ if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) ||
+ nameoff + de_namelen > maxsize)
+ goto err_bogus;
debug_one_dentry(d_type, de_name, de_namelen);
if (!dir_emit(ctx, de_name, de_namelen,
@@ -62,6 +60,10 @@ static int erofs_fill_dentries(struct in
}
*ofs = maxsize;
return 0;
+err_bogus:
+ erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid);
+ DBG_BUGON(1);
+ return -EFSCORRUPTED;
}
static int erofs_readdir(struct file *f, struct dir_context *ctx)
@@ -95,8 +97,8 @@ static int erofs_readdir(struct file *f,
nameoff = le16_to_cpu(de->nameoff);
- if (nameoff < sizeof(struct erofs_dirent) ||
- nameoff >= PAGE_SIZE) {
+ if (!nameoff || nameoff >= PAGE_SIZE ||
+ (nameoff % sizeof(struct erofs_dirent))) {
erofs_err(dir->i_sb,
"invalid de[0].nameoff %u @ nid %llu",
nameoff, EROFS_I(dir)->nid);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 269/411] nvme: fix interpretation of DMRSL
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 268/411] erofs: fix the out-of-bounds nameoff handling for trailing dirents Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 270/411] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set Greg Kroah-Hartman
` (142 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tom Yan, Christoph Hellwig,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Yan <tom.ty89@gmail.com>
[ Upstream commit 1a86924e4f464757546d7f7bdc469be237918395 ]
DMRSLl is in the unit of logical blocks, while max_discard_sectors is
in the unit of "linux sector".
Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Stable-dep-of: 40f0496b617b ("nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/core.c | 6 ++++--
drivers/nvme/host/nvme.h | 1 +
2 files changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1736,6 +1736,9 @@ static void nvme_config_discard(struct g
if (blk_queue_flag_test_and_set(QUEUE_FLAG_DISCARD, queue))
return;
+ if (ctrl->dmrsl && ctrl->dmrsl <= nvme_sect_to_lba(ns, UINT_MAX))
+ ctrl->max_discard_sectors = nvme_lba_to_sect(ns, ctrl->dmrsl);
+
blk_queue_max_discard_sectors(queue, ctrl->max_discard_sectors);
blk_queue_max_discard_segments(queue, ctrl->max_discard_segments);
@@ -2948,8 +2951,7 @@ static int nvme_init_non_mdts_limits(str
if (id->dmrl)
ctrl->max_discard_segments = id->dmrl;
- if (id->dmrsl)
- ctrl->max_discard_sectors = le32_to_cpu(id->dmrsl);
+ ctrl->dmrsl = le32_to_cpu(id->dmrsl);
if (id->wzsl)
ctrl->max_zeroes_sectors = nvme_mps_to_sectors(ctrl, id->wzsl);
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -299,6 +299,7 @@ struct nvme_ctrl {
#endif
u16 crdt[3];
u16 oncs;
+ u32 dmrsl;
u16 oacs;
u16 nssa;
u16 nr_streams;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 270/411] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 269/411] nvme: fix interpretation of DMRSL Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 271/411] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
` (141 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Beckett, Keith Busch,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Beckett <bob.beckett@collabora.com>
[ Upstream commit 40f0496b617b431f8d2dd94d7f785c1121f8a68a ]
The NVM Command Set Identify Controller data may report a non-zero
Write Zeroes Size Limit (wzsl). When present, nvme_init_non_mdts_limits()
unconditionally overrides max_zeroes_sectors from wzsl, even if
NVME_QUIRK_DISABLE_WRITE_ZEROES previously set it to zero.
This effectively re-enables write zeroes for devices that need it
disabled, defeating the quirk. Several Kingston OM* drives rely on
this quirk to avoid firmware issues with write zeroes commands.
Check for the quirk before applying the wzsl override.
Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits")
Cc: stable@vger.kernel.org
Signed-off-by: Robert Beckett <bob.beckett@collabora.com>
Assisted-by: claude-opus-4-6-v1
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2952,7 +2952,7 @@ static int nvme_init_non_mdts_limits(str
if (id->dmrl)
ctrl->max_discard_segments = id->dmrl;
ctrl->dmrsl = le32_to_cpu(id->dmrsl);
- if (id->wzsl)
+ if (id->wzsl && !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES))
ctrl->max_zeroes_sectors = nvme_mps_to_sectors(ctrl, id->wzsl);
free_data:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 271/411] media: rc: igorplugusb: heed coherency rules
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 270/411] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 272/411] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
` (140 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sean Young,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit eac69475b01fe1e861dfe3960b57fa95671c132e ]
In a control request, the USB request structure
can be subject to DMA on some HCs. Hence it must obey
the rules for DMA coherency. Allocate it separately.
Fixes: b1c97193c6437 ("[media] rc: port IgorPlug-USB to rc-core")
Cc: stable@vger.kernel.org
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ replaced kzalloc_obj() with kzalloc(sizeof(*ir->request), GFP_KERNEL) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/igorplugusb.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -14,6 +14,7 @@
#include <linux/device.h>
#include <linux/kernel.h>
#include <linux/module.h>
+#include <linux/slab.h>
#include <linux/usb.h>
#include <linux/usb/input.h>
#include <media/rc-core.h>
@@ -34,7 +35,7 @@ struct igorplugusb {
struct device *dev;
struct urb *urb;
- struct usb_ctrlrequest request;
+ struct usb_ctrlrequest *request;
struct timer_list timer;
@@ -123,7 +124,7 @@ static void igorplugusb_cmd(struct igorp
{
int ret;
- ir->request.bRequest = cmd;
+ ir->request->bRequest = cmd;
ir->urb->transfer_flags = 0;
ret = usb_submit_urb(ir->urb, GFP_ATOMIC);
if (ret)
@@ -165,13 +166,17 @@ static int igorplugusb_probe(struct usb_
if (!ir)
return -ENOMEM;
+ ir->request = kzalloc(sizeof(*ir->request), GFP_KERNEL);
+ if (!ir->request)
+ goto fail;
+
ir->dev = &intf->dev;
timer_setup(&ir->timer, igorplugusb_timer, 0);
- ir->request.bRequest = GET_INFRACODE;
- ir->request.bRequestType = USB_TYPE_VENDOR | USB_DIR_IN;
- ir->request.wLength = cpu_to_le16(sizeof(ir->buf_in));
+ ir->request->bRequest = GET_INFRACODE;
+ ir->request->bRequestType = USB_TYPE_VENDOR | USB_DIR_IN;
+ ir->request->wLength = cpu_to_le16(sizeof(ir->buf_in));
ir->urb = usb_alloc_urb(0, GFP_KERNEL);
if (!ir->urb)
@@ -223,6 +228,7 @@ fail:
rc_free_device(ir->rc);
usb_free_urb(ir->urb);
del_timer(&ir->timer);
+ kfree(ir->request);
return ret;
}
@@ -236,6 +242,7 @@ static void igorplugusb_disconnect(struc
usb_set_intfdata(intf, NULL);
usb_kill_urb(ir->urb);
usb_free_urb(ir->urb);
+ kfree(ir->request);
}
static const struct usb_device_id igorplugusb_table[] = {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 272/411] sched: Use u64 for bandwidth ratio calculations
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 271/411] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 273/411] ALSA: core: Fix potential data race at fasync handling Greg Kroah-Hartman
` (139 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Salisbury,
Peter Zijlstra (Intel), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Salisbury <joseph.salisbury@oracle.com>
[ Upstream commit c6e80201e057dfb7253385e60bf541121bf5dc33 ]
to_ratio() computes BW_SHIFT-scaled bandwidth ratios from u64 period and
runtime values, but it returns unsigned long. tg_rt_schedulable() also
stores the current group limit and the accumulated child sum in unsigned
long.
On 32-bit builds, large bandwidth ratios can be truncated and the RT
group sum can wrap when enough siblings are present. That can let an
overcommitted RT hierarchy pass the schedulability check, and it also
narrows the helper result for other callers.
Return u64 from to_ratio() and use u64 for the RT group totals so
bandwidth ratios are preserved and compared at full width on both 32-bit
and 64-bit builds.
Fixes: b40b2e8eb521 ("sched: rt: multi level group constraints")
Assisted-by: Codex:GPT-5
Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260403210014.2713404-1-joseph.salisbury@oracle.com
[ dropped `extern` keyword from `to_ratio()` declaration ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/core.c | 2 +-
kernel/sched/rt.c | 2 +-
kernel/sched/sched.h | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4491,7 +4491,7 @@ void sched_post_fork(struct task_struct
uclamp_post_fork(p);
}
-unsigned long to_ratio(u64 period, u64 runtime)
+u64 to_ratio(u64 period, u64 runtime)
{
if (runtime == RUNTIME_INF)
return BW_UNIT;
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -2606,7 +2606,7 @@ static int tg_rt_schedulable(struct task
{
struct rt_schedulable_data *d = data;
struct task_group *child;
- unsigned long total, sum = 0;
+ u64 total, sum = 0;
u64 period, runtime;
period = ktime_to_ns(tg->rt_bandwidth.rt_period);
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -2340,7 +2340,7 @@ extern void init_dl_inactive_task_timer(
#define RATIO_SHIFT 8
#define MAX_BW_BITS (64 - BW_SHIFT)
#define MAX_BW ((1ULL << MAX_BW_BITS) - 1)
-unsigned long to_ratio(u64 period, u64 runtime);
+u64 to_ratio(u64 period, u64 runtime);
extern void init_entity_runnable_average(struct sched_entity *se);
extern void post_init_entity_util_avg(struct task_struct *p);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 273/411] ALSA: core: Fix potential data race at fasync handling
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 272/411] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 274/411] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
` (138 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jake Lamberson, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 8146cd333d235ed32d48bb803fdf743472d7c783 ]
In snd_fasync_work_fn(), which is the offload work for traversing and
processing the pending fasync list, the call of kill_fasync() is done
outside the snd_fasync_lock for avoiding deadlocks. The problem is
that its the references of fasync->on, fasync->signal and fasync->poll
are done there also outside the lock. Since these may be modified by
snd_kill_fasync() call concurrently from other process, inconsistent
values might be passed to kill_fasync(). Although there shouldn't be
critical UAF, it's still better to be addressed.
This patch moves the kill_fasync() argument evaluations inside the
snd_fasync_lock for avoiding the data races above. The handling in
fasync->on flag is optimized in the loop to skip directly.
Also, for more clarity, snd_fasync_free() takes the lock and unlink
the pending entry more directly instead of clearing fasync->on flag.
Reported-by: Jake Lamberson <lamberson.jake@gmail.com>
Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260420061721.3253644-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ replaced scoped_guard(spinlock_irq, &snd_fasync_lock) with explicit spin_lock_irq()/spin_unlock_irq() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/misc.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -171,14 +171,18 @@ static LIST_HEAD(snd_fasync_list);
static void snd_fasync_work_fn(struct work_struct *work)
{
struct snd_fasync *fasync;
+ int signal, poll;
spin_lock_irq(&snd_fasync_lock);
while (!list_empty(&snd_fasync_list)) {
fasync = list_first_entry(&snd_fasync_list, struct snd_fasync, list);
list_del_init(&fasync->list);
+ if (!fasync->on)
+ continue;
+ signal = fasync->signal;
+ poll = fasync->poll;
spin_unlock_irq(&snd_fasync_lock);
- if (fasync->on)
- kill_fasync(&fasync->fasync, fasync->signal, fasync->poll);
+ kill_fasync(&fasync->fasync, signal, poll);
spin_lock_irq(&snd_fasync_lock);
}
spin_unlock_irq(&snd_fasync_lock);
@@ -234,7 +238,11 @@ void snd_fasync_free(struct snd_fasync *
{
if (!fasync)
return;
- fasync->on = 0;
+
+ spin_lock_irq(&snd_fasync_lock);
+ list_del_init(&fasync->list);
+ spin_unlock_irq(&snd_fasync_lock);
+
flush_work(&snd_fasync_work);
kfree(fasync);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 274/411] net: qrtr: ns: Limit the maximum number of lookups
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 273/411] ALSA: core: Fix potential data race at fasync handling Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 275/411] net: qrtr: ns: Change servers radix tree to xarray Greg Kroah-Hartman
` (137 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit 5640227d9a21c6a8be249a10677b832e7f40dc55 ]
Current code does no bound checking on the number of lookups a client can
perform. Though the code restricts the lookups to local clients, there is
still a possibility of a malicious local client sending a flood of
NEW_LOOKUP messages over the same socket.
Fix this issue by limiting the maximum number of lookups to 64 globally.
Since the nameserver allows only atmost one local observer, this global
lookup count will ensure that the lookups stay within the limit.
Note that, limit of 64 is chosen based on the current platform
requirements. If requirement changes in the future, this limit can be
increased.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-2-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted comment block to only mention QRTR_NS_MAX_LOOKUPS and kept kzalloc() instead of kzalloc_obj() due to missing prerequisite commits ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/qrtr/ns.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -21,6 +21,7 @@ static struct {
struct socket *sock;
struct sockaddr_qrtr bcast_sq;
struct list_head lookups;
+ u32 lookup_count;
struct workqueue_struct *workqueue;
struct work_struct work;
void (*saved_data_ready)(struct sock *sk);
@@ -69,6 +70,11 @@ struct qrtr_node {
struct radix_tree_root servers;
};
+/* Max lookup limit is chosen based on the current platform requirements. If the
+ * requirement changes in the future, this value can be increased.
+ */
+#define QRTR_NS_MAX_LOOKUPS 64
+
static struct qrtr_node *node_get(unsigned int node_id)
{
struct qrtr_node *node;
@@ -457,6 +463,7 @@ static int ctrl_cmd_del_client(struct so
list_del(&lookup->li);
kfree(lookup);
+ qrtr_ns.lookup_count--;
}
/* Remove the server belonging to this port but don't broadcast
@@ -590,6 +597,11 @@ static int ctrl_cmd_new_lookup(struct so
if (from->sq_node != qrtr_ns.local_node)
return -EINVAL;
+ if (qrtr_ns.lookup_count >= QRTR_NS_MAX_LOOKUPS) {
+ pr_err_ratelimited("QRTR client node exceeds max lookup limit!\n");
+ return -ENOSPC;
+ }
+
lookup = kzalloc(sizeof(*lookup), GFP_KERNEL);
if (!lookup)
return -ENOMEM;
@@ -598,6 +610,7 @@ static int ctrl_cmd_new_lookup(struct so
lookup->service = service;
lookup->instance = instance;
list_add_tail(&lookup->li, &qrtr_ns.lookups);
+ qrtr_ns.lookup_count++;
memset(&filter, 0, sizeof(filter));
filter.service = service;
@@ -664,6 +677,7 @@ static void ctrl_cmd_del_lookup(struct s
list_del(&lookup->li);
kfree(lookup);
+ qrtr_ns.lookup_count--;
}
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 275/411] net: qrtr: ns: Change servers radix tree to xarray
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 274/411] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 276/411] net: qrtr: ns: Free the node during ctrl_cmd_bye() Greg Kroah-Hartman
` (136 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Lew, Vignesh Viswanathan,
Simon Horman, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vignesh Viswanathan <quic_viswanat@quicinc.com>
[ Upstream commit 608a147a88728f84bbd2efdde3d4984339f1d872 ]
There is a use after free scenario while iterating through the servers
radix tree despite the ns being a single threaded process. This can
happen when the radix tree APIs are not synchronized with the
rcu_read_lock() APIs.
Convert the radix tree for servers to xarray to take advantage of the
built in rcu lock usage provided by xarray.
Signed-off-by: Chris Lew <quic_clew@quicinc.com>
Signed-off-by: Vignesh Viswanathan <quic_viswanat@quicinc.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 68efba36446a ("net: qrtr: ns: Free the node during ctrl_cmd_bye()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/qrtr/ns.c | 133 ++++++++++------------------------------------------------
1 file changed, 24 insertions(+), 109 deletions(-)
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -67,7 +67,7 @@ struct qrtr_server {
struct qrtr_node {
unsigned int id;
- struct radix_tree_root servers;
+ struct xarray servers;
};
/* Max lookup limit is chosen based on the current platform requirements. If the
@@ -89,6 +89,7 @@ static struct qrtr_node *node_get(unsign
return NULL;
node->id = node_id;
+ xa_init(&node->servers);
if (radix_tree_insert(&nodes, node_id, node)) {
kfree(node);
@@ -199,40 +200,23 @@ static void lookup_notify(struct sockadd
static int announce_servers(struct sockaddr_qrtr *sq)
{
- struct radix_tree_iter iter;
struct qrtr_server *srv;
struct qrtr_node *node;
- void __rcu **slot;
+ unsigned long index;
int ret;
node = node_get(qrtr_ns.local_node);
if (!node)
return 0;
- rcu_read_lock();
/* Announce the list of servers registered in this node */
- radix_tree_for_each_slot(slot, &node->servers, &iter, 0) {
- srv = radix_tree_deref_slot(slot);
- if (!srv)
- continue;
- if (radix_tree_deref_retry(srv)) {
- slot = radix_tree_iter_retry(&iter);
- continue;
- }
- slot = radix_tree_iter_resume(slot, &iter);
- rcu_read_unlock();
-
+ xa_for_each(&node->servers, index, srv) {
ret = service_announce_new(sq, srv);
if (ret < 0) {
pr_err("failed to announce new service\n");
return ret;
}
-
- rcu_read_lock();
}
-
- rcu_read_unlock();
-
return 0;
}
@@ -262,14 +246,17 @@ static struct qrtr_server *server_add(un
goto err;
/* Delete the old server on the same port */
- old = radix_tree_lookup(&node->servers, port);
+ old = xa_store(&node->servers, port, srv, GFP_KERNEL);
if (old) {
- radix_tree_delete(&node->servers, port);
- kfree(old);
+ if (xa_is_err(old)) {
+ pr_err("failed to add server [0x%x:0x%x] ret:%d\n",
+ srv->service, srv->instance, xa_err(old));
+ goto err;
+ } else {
+ kfree(old);
+ }
}
- radix_tree_insert(&node->servers, port, srv);
-
trace_qrtr_ns_server_add(srv->service, srv->instance,
srv->node, srv->port);
@@ -286,11 +273,11 @@ static int server_del(struct qrtr_node *
struct qrtr_server *srv;
struct list_head *li;
- srv = radix_tree_lookup(&node->servers, port);
+ srv = xa_load(&node->servers, port);
if (!srv)
return -ENOENT;
- radix_tree_delete(&node->servers, port);
+ xa_erase(&node->servers, port);
/* Broadcast the removal of local servers */
if (srv->node == qrtr_ns.local_node && bcast)
@@ -350,13 +337,12 @@ static int ctrl_cmd_hello(struct sockadd
static int ctrl_cmd_bye(struct sockaddr_qrtr *from)
{
struct qrtr_node *local_node;
- struct radix_tree_iter iter;
struct qrtr_ctrl_pkt pkt;
struct qrtr_server *srv;
struct sockaddr_qrtr sq;
struct msghdr msg = { };
struct qrtr_node *node;
- void __rcu **slot;
+ unsigned long index;
struct kvec iv;
int ret;
@@ -367,22 +353,9 @@ static int ctrl_cmd_bye(struct sockaddr_
if (!node)
return 0;
- rcu_read_lock();
/* Advertise removal of this client to all servers of remote node */
- radix_tree_for_each_slot(slot, &node->servers, &iter, 0) {
- srv = radix_tree_deref_slot(slot);
- if (!srv)
- continue;
- if (radix_tree_deref_retry(srv)) {
- slot = radix_tree_iter_retry(&iter);
- continue;
- }
- slot = radix_tree_iter_resume(slot, &iter);
- rcu_read_unlock();
+ xa_for_each(&node->servers, index, srv)
server_del(node, srv->port, true);
- rcu_read_lock();
- }
- rcu_read_unlock();
/* Advertise the removal of this client to all local servers */
local_node = node_get(qrtr_ns.local_node);
@@ -393,18 +366,7 @@ static int ctrl_cmd_bye(struct sockaddr_
pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE);
pkt.client.node = cpu_to_le32(from->sq_node);
- rcu_read_lock();
- radix_tree_for_each_slot(slot, &local_node->servers, &iter, 0) {
- srv = radix_tree_deref_slot(slot);
- if (!srv)
- continue;
- if (radix_tree_deref_retry(srv)) {
- slot = radix_tree_iter_retry(&iter);
- continue;
- }
- slot = radix_tree_iter_resume(slot, &iter);
- rcu_read_unlock();
-
+ xa_for_each(&local_node->servers, index, srv) {
sq.sq_family = AF_QIPCRTR;
sq.sq_node = srv->node;
sq.sq_port = srv->port;
@@ -417,11 +379,7 @@ static int ctrl_cmd_bye(struct sockaddr_
pr_err("failed to send bye cmd\n");
return ret;
}
- rcu_read_lock();
}
-
- rcu_read_unlock();
-
return 0;
}
@@ -429,7 +387,6 @@ static int ctrl_cmd_del_client(struct so
unsigned int node_id, unsigned int port)
{
struct qrtr_node *local_node;
- struct radix_tree_iter iter;
struct qrtr_lookup *lookup;
struct qrtr_ctrl_pkt pkt;
struct msghdr msg = { };
@@ -438,7 +395,7 @@ static int ctrl_cmd_del_client(struct so
struct qrtr_node *node;
struct list_head *tmp;
struct list_head *li;
- void __rcu **slot;
+ unsigned long index;
struct kvec iv;
int ret;
@@ -484,18 +441,7 @@ static int ctrl_cmd_del_client(struct so
pkt.client.node = cpu_to_le32(node_id);
pkt.client.port = cpu_to_le32(port);
- rcu_read_lock();
- radix_tree_for_each_slot(slot, &local_node->servers, &iter, 0) {
- srv = radix_tree_deref_slot(slot);
- if (!srv)
- continue;
- if (radix_tree_deref_retry(srv)) {
- slot = radix_tree_iter_retry(&iter);
- continue;
- }
- slot = radix_tree_iter_resume(slot, &iter);
- rcu_read_unlock();
-
+ xa_for_each(&local_node->servers, index, srv) {
sq.sq_family = AF_QIPCRTR;
sq.sq_node = srv->node;
sq.sq_port = srv->port;
@@ -508,11 +454,7 @@ static int ctrl_cmd_del_client(struct so
pr_err("failed to send del client cmd\n");
return ret;
}
- rcu_read_lock();
}
-
- rcu_read_unlock();
-
return 0;
}
@@ -585,13 +527,12 @@ static int ctrl_cmd_del_server(struct so
static int ctrl_cmd_new_lookup(struct sockaddr_qrtr *from,
unsigned int service, unsigned int instance)
{
- struct radix_tree_iter node_iter;
struct qrtr_server_filter filter;
- struct radix_tree_iter srv_iter;
struct qrtr_lookup *lookup;
+ struct qrtr_server *srv;
struct qrtr_node *node;
- void __rcu **node_slot;
- void __rcu **srv_slot;
+ unsigned long node_idx;
+ unsigned long srv_idx;
/* Accept only local observers */
if (from->sq_node != qrtr_ns.local_node)
@@ -616,40 +557,14 @@ static int ctrl_cmd_new_lookup(struct so
filter.service = service;
filter.instance = instance;
- rcu_read_lock();
- radix_tree_for_each_slot(node_slot, &nodes, &node_iter, 0) {
- node = radix_tree_deref_slot(node_slot);
- if (!node)
- continue;
- if (radix_tree_deref_retry(node)) {
- node_slot = radix_tree_iter_retry(&node_iter);
- continue;
- }
- node_slot = radix_tree_iter_resume(node_slot, &node_iter);
-
- radix_tree_for_each_slot(srv_slot, &node->servers,
- &srv_iter, 0) {
- struct qrtr_server *srv;
-
- srv = radix_tree_deref_slot(srv_slot);
- if (!srv)
- continue;
- if (radix_tree_deref_retry(srv)) {
- srv_slot = radix_tree_iter_retry(&srv_iter);
- continue;
- }
-
+ xa_for_each(&nodes, node_idx, node) {
+ xa_for_each(&node->servers, srv_idx, srv) {
if (!server_match(srv, &filter))
continue;
- srv_slot = radix_tree_iter_resume(srv_slot, &srv_iter);
-
- rcu_read_unlock();
lookup_notify(from, srv, true);
- rcu_read_lock();
}
}
- rcu_read_unlock();
/* Empty notification, to indicate end of listing */
lookup_notify(from, NULL, true);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 276/411] net: qrtr: ns: Free the node during ctrl_cmd_bye()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 275/411] net: qrtr: ns: Change servers radix tree to xarray Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 277/411] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
` (135 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit 68efba36446a7774ea5b971257ade049272a07ac ]
A node sends the BYE packet when it is about to go down. So the nameserver
should advertise the removal of the node to all remote and local observers
and free the node finally. But currently, the nameserver doesn't free the
node memory even after processing the BYE packet. This causes the node
memory to leak.
Hence, remove the node from Xarray list and free the node memory during
both success and failure case of ctrl_cmd_bye().
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-3-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/qrtr/ns.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -344,7 +344,7 @@ static int ctrl_cmd_bye(struct sockaddr_
struct qrtr_node *node;
unsigned long index;
struct kvec iv;
- int ret;
+ int ret = 0;
iv.iov_base = &pkt;
iv.iov_len = sizeof(pkt);
@@ -359,8 +359,10 @@ static int ctrl_cmd_bye(struct sockaddr_
/* Advertise the removal of this client to all local servers */
local_node = node_get(qrtr_ns.local_node);
- if (!local_node)
- return 0;
+ if (!local_node) {
+ ret = 0;
+ goto delete_node;
+ }
memset(&pkt, 0, sizeof(pkt));
pkt.cmd = cpu_to_le32(QRTR_TYPE_BYE);
@@ -377,10 +379,18 @@ static int ctrl_cmd_bye(struct sockaddr_
ret = kernel_sendmsg(qrtr_ns.sock, &msg, &iv, 1, sizeof(pkt));
if (ret < 0) {
pr_err("failed to send bye cmd\n");
- return ret;
+ goto delete_node;
}
}
- return 0;
+
+ /* Ignore -ENODEV */
+ ret = 0;
+
+delete_node:
+ xa_erase(&nodes, from->sq_node);
+ kfree(node);
+
+ return ret;
}
static int ctrl_cmd_del_client(struct sockaddr_qrtr *from,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 277/411] net: mctp: fix dont require received header reserved bits to be zero
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 276/411] net: qrtr: ns: Free the node during ctrl_cmd_bye() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 278/411] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
` (134 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Zhaoming, Jeremy Kerr,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Zhaoming <yuanzm2@lenovo.com>
[ Upstream commit a663bac71a2f0b3ac6c373168ca57b2a6e6381aa ]
>From the MCTP Base specification (DSP0236 v1.2.1), the first byte of
the MCTP header contains a 4 bit reserved field, and 4 bit version.
On our current receive path, we require those 4 reserved bits to be
zero, but the 9500-8i card is non-conformant, and may set these
reserved bits.
DSP0236 states that the reserved bits must be written as zero, and
ignored when read. While the device might not conform to the former,
we should accept these message to conform to the latter.
Relax our check on the MCTP version byte to allow non-zero bits in the
reserved field.
Fixes: 889b7da23abf ("mctp: Add initial routing framework")
Signed-off-by: Yuan Zhaoming <yuanzm2@lenovo.com>
Cc: stable@vger.kernel.org
Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://patch.msgid.link/20260417141340.5306-1-yuanzhaoming901030@126.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/mctp.h | 3 +++
net/mctp/route.c | 8 ++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
--- a/include/net/mctp.h
+++ b/include/net/mctp.h
@@ -25,6 +25,9 @@ struct mctp_hdr {
#define MCTP_VER_MIN 1
#define MCTP_VER_MAX 1
+/* Definitions for ver field */
+#define MCTP_HDR_VER_MASK GENMASK(3, 0)
+
/* Definitions for flags_seq_tag field */
#define MCTP_HDR_FLAG_SOM BIT(7)
#define MCTP_HDR_FLAG_EOM BIT(6)
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -229,6 +229,7 @@ static int mctp_route_input(struct mctp_
unsigned long f;
u8 tag, flags;
int rc;
+ u8 ver;
msk = NULL;
rc = -EINVAL;
@@ -246,7 +247,8 @@ static int mctp_route_input(struct mctp_
mh = mctp_hdr(skb);
skb_pull(skb, sizeof(struct mctp_hdr));
- if (mh->ver != 1)
+ ver = mh->ver & MCTP_HDR_VER_MASK;
+ if (ver < MCTP_VER_MIN || ver > MCTP_VER_MAX)
goto out;
flags = mh->flags_seq_tag & (MCTP_HDR_FLAG_SOM | MCTP_HDR_FLAG_EOM);
@@ -859,6 +861,7 @@ static int mctp_pkttype_receive(struct s
struct mctp_skb_cb *cb;
struct mctp_route *rt;
struct mctp_hdr *mh;
+ u8 ver;
/* basic non-data sanity checks */
if (dev->type != ARPHRD_MCTP)
@@ -872,7 +875,8 @@ static int mctp_pkttype_receive(struct s
/* We have enough for a header; decode and route */
mh = mctp_hdr(skb);
- if (mh->ver < MCTP_VER_MIN || mh->ver > MCTP_VER_MAX)
+ ver = mh->ver & MCTP_HDR_VER_MASK;
+ if (ver < MCTP_VER_MIN || ver > MCTP_VER_MAX)
goto err_drop;
cb = __mctp_cb(skb);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 278/411] net: qrtr: ns: Limit the total number of nodes
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 277/411] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 279/411] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
` (133 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit 27d5e84e810b0849d08b9aec68e48570461ce313 ]
Currently, the nameserver doesn't limit the number of nodes it handles.
This can be an attack vector if a malicious client starts registering
random nodes, leading to memory exhaustion.
Hence, limit the maximum number of nodes to 64. Note that, limit of 64 is
chosen based on the current platform requirements. If requirement changes
in the future, this limit can be increased.
Cc: stable@vger.kernel.org
Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260409-qrtr-fix-v3-4-00a8a5ff2b51@oss.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ dropped node_count-- hunk since ctrl_cmd_bye() has no delete_node ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/qrtr/ns.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -75,6 +75,16 @@ struct qrtr_node {
*/
#define QRTR_NS_MAX_LOOKUPS 64
+/* Max nodes, server, lookup limits are chosen based on the current platform
+ * requirements. If the requirement changes in the future, these values can be
+ * increased.
+ */
+#define QRTR_NS_MAX_NODES 64
+#define QRTR_NS_MAX_SERVERS 256
+#define QRTR_NS_MAX_LOOKUPS 64
+
+static u8 node_count;
+
static struct qrtr_node *node_get(unsigned int node_id)
{
struct qrtr_node *node;
@@ -83,6 +93,11 @@ static struct qrtr_node *node_get(unsign
if (node)
return node;
+ if (node_count >= QRTR_NS_MAX_NODES) {
+ pr_err_ratelimited("QRTR clients exceed max node limit!\n");
+ return NULL;
+ }
+
/* If node didn't exist, allocate and insert it to the tree */
node = kzalloc(sizeof(*node), GFP_KERNEL);
if (!node)
@@ -96,6 +111,8 @@ static struct qrtr_node *node_get(unsign
return NULL;
}
+ node_count++;
+
return node;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 279/411] net: bridge: use a stable FDB dst snapshot in RCU readers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 278/411] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 280/411] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
` (132 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yifan Wu, Juefei Pu,
Yuan Tan, Xin Liu, Ren Wei, Zhengchuan Liang, Ren Wei,
Ido Schimmel, Nikolay Aleksandrov, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhengchuan Liang <zcliangcn@gmail.com>
[ Upstream commit df4601653201de21b487c3e7fffd464790cab808 ]
Local FDB entries can be rewritten in place by `fdb_delete_local()`, which
updates `f->dst` to another port or to `NULL` while keeping the entry
alive. Several bridge RCU readers inspect `f->dst`, including
`br_fdb_fillbuf()` through the `brforward_read()` sysfs path.
These readers currently load `f->dst` multiple times and can therefore
observe inconsistent values across the check and later dereference.
In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change
`f->dst` after the NULL check and before the `port_no` dereference,
leading to a NULL-ptr-deref.
Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each
affected RCU reader and using that snapshot for the rest of the access
sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()`
with `WRITE_ONCE()` so the readers and writer use matching access patterns.
Fixes: 960b589f86c7 ("bridge: Properly check if local fdb entry can be deleted in br_fdb_change_mac_address")
Cc: stable@kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/6570fabb85ecadb8baaf019efe856f407711c7b9.1776043229.git.zcliangcn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ kept combined-flag check `(dst->flags & (BR_PROXYARP_WIFI | BR_NEIGH_SUPPRESS))` and `cb->args[2]` indexing instead of `br_is_neigh_suppress_enabled()` helper and `ctx->fdb_idx` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/br_arp_nd_proxy.c | 8 +++++---
net/bridge/br_fdb.c | 28 ++++++++++++++++++----------
2 files changed, 23 insertions(+), 13 deletions(-)
--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -199,11 +199,12 @@ void br_do_proxy_suppress_arp(struct sk_
f = br_fdb_find_rcu(br, n->ha, vid);
if (f) {
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
bool replied = false;
if ((p && (p->flags & BR_PROXYARP)) ||
- (f->dst && (f->dst->flags & (BR_PROXYARP_WIFI |
- BR_NEIGH_SUPPRESS)))) {
+ (dst && (dst->flags & (BR_PROXYARP_WIFI |
+ BR_NEIGH_SUPPRESS)))) {
if (!vid)
br_arp_send(br, p, skb->dev, sip, tip,
sha, n->ha, sha, 0, 0);
@@ -463,9 +464,10 @@ void br_do_suppress_nd(struct sk_buff *s
f = br_fdb_find_rcu(br, n->ha, vid);
if (f) {
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
bool replied = false;
- if (f->dst && (f->dst->flags & BR_NEIGH_SUPPRESS)) {
+ if (dst && (dst->flags & BR_NEIGH_SUPPRESS)) {
if (vid != 0)
br_nd_send(br, p, skb, n,
skb->vlan_proto,
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -121,6 +121,7 @@ struct net_device *br_fdb_find_port(cons
const unsigned char *addr,
__u16 vid)
{
+ const struct net_bridge_port *dst;
struct net_bridge_fdb_entry *f;
struct net_device *dev = NULL;
struct net_bridge *br;
@@ -133,8 +134,11 @@ struct net_device *br_fdb_find_port(cons
br = netdev_priv(br_dev);
rcu_read_lock();
f = br_fdb_find_rcu(br, addr, vid);
- if (f && f->dst)
- dev = f->dst->dev;
+ if (f) {
+ dst = READ_ONCE(f->dst);
+ if (dst)
+ dev = dst->dev;
+ }
rcu_read_unlock();
return dev;
@@ -224,7 +228,7 @@ static void fdb_delete_local(struct net_
vg = nbp_vlan_group(op);
if (op != p && ether_addr_equal(op->dev->dev_addr, addr) &&
(!vid || br_vlan_find(vg, vid))) {
- f->dst = op;
+ WRITE_ONCE(f->dst, op);
clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
return;
}
@@ -235,7 +239,7 @@ static void fdb_delete_local(struct net_
/* Maybe bridge device has same hw addr? */
if (p && ether_addr_equal(br->dev->dev_addr, addr) &&
(!vid || (v && br_vlan_should_use(v)))) {
- f->dst = NULL;
+ WRITE_ONCE(f->dst, NULL);
clear_bit(BR_FDB_ADDED_BY_USER, &f->flags);
return;
}
@@ -462,6 +466,7 @@ int br_fdb_test_addr(struct net_device *
int br_fdb_fillbuf(struct net_bridge *br, void *buf,
unsigned long maxnum, unsigned long skip)
{
+ const struct net_bridge_port *dst;
struct net_bridge_fdb_entry *f;
struct __fdb_entry *fe = buf;
int num = 0;
@@ -477,7 +482,8 @@ int br_fdb_fillbuf(struct net_bridge *br
continue;
/* ignore pseudo entry for local MAC address */
- if (!f->dst)
+ dst = READ_ONCE(f->dst);
+ if (!dst)
continue;
if (skip) {
@@ -489,8 +495,8 @@ int br_fdb_fillbuf(struct net_bridge *br
memcpy(fe->mac_addr, f->key.addr.addr, ETH_ALEN);
/* due to ABI compat need to split into hi/lo */
- fe->port_no = f->dst->port_no;
- fe->port_hi = f->dst->port_no >> 8;
+ fe->port_no = dst->port_no;
+ fe->port_hi = dst->port_no >> 8;
fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
if (!test_bit(BR_FDB_STATIC, &f->flags))
@@ -836,9 +842,11 @@ int br_fdb_dump(struct sk_buff *skb,
rcu_read_lock();
hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+ const struct net_bridge_port *dst = READ_ONCE(f->dst);
+
if (*idx < cb->args[2])
goto skip;
- if (filter_dev && (!f->dst || f->dst->dev != filter_dev)) {
+ if (filter_dev && (!dst || dst->dev != filter_dev)) {
if (filter_dev != dev)
goto skip;
/* !f->dst is a special case for bridge
@@ -846,10 +854,10 @@ int br_fdb_dump(struct sk_buff *skb,
* Therefore need a little more filtering
* we only want to dump the !f->dst case
*/
- if (f->dst)
+ if (dst)
goto skip;
}
- if (!filter_dev && f->dst)
+ if (!filter_dev && dst)
goto skip;
err = fdb_fill_info(skb, br, f,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 280/411] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 279/411] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 281/411] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
` (131 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Helge Deller,
linux-fbdev, dri-devel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit 9ded47ad003f09a94b6a710b5c47f4aa5ceb7429 ]
Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an
instance as part of initializing deferred I/O and remove it only after
the final mapping has been closed. If the fb_info and the contained
deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info
to invalidate the mapping. Any access will then result in a SIGBUS
signal.
Fixes a long-standing problem, where a device hot-unplug happens while
user space still has an active mapping of the graphics memory. The hot-
unplug frees the instance of struct fb_info. Accessing the memory will
operate on undefined state.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 60b59beafba8 ("fbdev: mm: Deferred IO support")
Cc: Helge Deller <deller@gmx.de>
Cc: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org # v2.6.22+
Signed-off-by: Helge Deller <deller@gmx.de>
[ replaced `kzalloc_obj()` with `kzalloc(sizeof(*fbdefio_state), GFP_KERNEL)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fb_defio.c | 152 +++++++++++++++++++++++++++++++-----
include/linux/fb.h | 4
2 files changed, 138 insertions(+), 18 deletions(-)
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -23,6 +23,75 @@
#include <linux/rmap.h>
#include <linux/pagemap.h>
+/*
+ * struct fb_deferred_io_state
+ */
+
+struct fb_deferred_io_state {
+ struct kref ref;
+
+ struct mutex lock; /* mutex that protects the pageref list */
+ /* fields protected by lock */
+ struct fb_info *info;
+};
+
+static struct fb_deferred_io_state *fb_deferred_io_state_alloc(void)
+{
+ struct fb_deferred_io_state *fbdefio_state;
+
+ fbdefio_state = kzalloc(sizeof(*fbdefio_state), GFP_KERNEL);
+ if (!fbdefio_state)
+ return NULL;
+
+ kref_init(&fbdefio_state->ref);
+ mutex_init(&fbdefio_state->lock);
+
+ return fbdefio_state;
+}
+
+static void fb_deferred_io_state_release(struct fb_deferred_io_state *fbdefio_state)
+{
+ mutex_destroy(&fbdefio_state->lock);
+
+ kfree(fbdefio_state);
+}
+
+static void fb_deferred_io_state_get(struct fb_deferred_io_state *fbdefio_state)
+{
+ kref_get(&fbdefio_state->ref);
+}
+
+static void __fb_deferred_io_state_release(struct kref *ref)
+{
+ struct fb_deferred_io_state *fbdefio_state =
+ container_of(ref, struct fb_deferred_io_state, ref);
+
+ fb_deferred_io_state_release(fbdefio_state);
+}
+
+static void fb_deferred_io_state_put(struct fb_deferred_io_state *fbdefio_state)
+{
+ kref_put(&fbdefio_state->ref, __fb_deferred_io_state_release);
+}
+
+/*
+ * struct vm_operations_struct
+ */
+
+static void fb_deferred_io_vm_open(struct vm_area_struct *vma)
+{
+ struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+ fb_deferred_io_state_get(fbdefio_state);
+}
+
+static void fb_deferred_io_vm_close(struct vm_area_struct *vma)
+{
+ struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data;
+
+ fb_deferred_io_state_put(fbdefio_state);
+}
+
static struct page *fb_deferred_io_page(struct fb_info *info, unsigned long offs)
{
void *screen_base = (void __force *) info->screen_base;
@@ -93,17 +162,31 @@ static void fb_deferred_io_pageref_put(s
/* this is to find and return the vmalloc-ed fb pages */
static vm_fault_t fb_deferred_io_fault(struct vm_fault *vmf)
{
+ struct fb_info *info;
unsigned long offset;
struct page *page;
- struct fb_info *info = vmf->vma->vm_private_data;
+ vm_fault_t ret;
+ struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
+
+ mutex_lock(&fbdefio_state->lock);
+
+ info = fbdefio_state->info;
+ if (!info) {
+ ret = VM_FAULT_SIGBUS; /* our device is gone */
+ goto err_mutex_unlock;
+ }
offset = vmf->pgoff << PAGE_SHIFT;
- if (offset >= info->fix.smem_len)
- return VM_FAULT_SIGBUS;
+ if (offset >= info->fix.smem_len) {
+ ret = VM_FAULT_SIGBUS;
+ goto err_mutex_unlock;
+ }
page = fb_deferred_io_page(info, offset);
- if (!page)
- return VM_FAULT_SIGBUS;
+ if (!page) {
+ ret = VM_FAULT_SIGBUS;
+ goto err_mutex_unlock;
+ }
get_page(page);
@@ -115,8 +198,14 @@ static vm_fault_t fb_deferred_io_fault(s
BUG_ON(!page->mapping);
page->index = vmf->pgoff; /* for page_mkclean() */
+ mutex_unlock(&fbdefio_state->lock);
+
vmf->page = page;
return 0;
+
+err_mutex_unlock:
+ mutex_unlock(&fbdefio_state->lock);
+ return ret;
}
int fb_deferred_io_fsync(struct file *file, loff_t start, loff_t end, int datasync)
@@ -143,8 +232,9 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_fsync);
static vm_fault_t fb_deferred_io_mkwrite(struct vm_fault *vmf)
{
struct page *page = vmf->page;
- struct fb_info *info = vmf->vma->vm_private_data;
- struct fb_deferred_io *fbdefio = info->fbdefio;
+ struct fb_deferred_io_state *fbdefio_state = vmf->vma->vm_private_data;
+ struct fb_info *info;
+ struct fb_deferred_io *fbdefio;
struct fb_deferred_io_pageref *pageref;
unsigned long offset;
vm_fault_t ret;
@@ -160,7 +250,15 @@ static vm_fault_t fb_deferred_io_mkwrite
file_update_time(vmf->vma->vm_file);
/* protect against the workqueue changing the page list */
- mutex_lock(&fbdefio->lock);
+ mutex_lock(&fbdefio_state->lock);
+
+ info = fbdefio_state->info;
+ if (!info) {
+ ret = VM_FAULT_SIGBUS; /* our device is gone */
+ goto err_mutex_unlock;
+ }
+
+ fbdefio = info->fbdefio;
/* first write in this cycle, notify the driver */
if (fbdefio->first_io && list_empty(&fbdefio->pagereflist))
@@ -182,18 +280,20 @@ static vm_fault_t fb_deferred_io_mkwrite
*/
lock_page(pageref->page);
- mutex_unlock(&fbdefio->lock);
+ mutex_unlock(&fbdefio_state->lock);
/* come back after delay to process the deferred IO */
schedule_delayed_work(&info->deferred_work, fbdefio->delay);
return VM_FAULT_LOCKED;
err_mutex_unlock:
- mutex_unlock(&fbdefio->lock);
+ mutex_unlock(&fbdefio_state->lock);
return ret;
}
static const struct vm_operations_struct fb_deferred_io_vm_ops = {
+ .open = fb_deferred_io_vm_open,
+ .close = fb_deferred_io_vm_close,
.fault = fb_deferred_io_fault,
.page_mkwrite = fb_deferred_io_mkwrite,
};
@@ -215,7 +315,10 @@ int fb_deferred_io_mmap(struct fb_info *
vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
if (!(info->flags & FBINFO_VIRTFB))
vma->vm_flags |= VM_IO;
- vma->vm_private_data = info;
+ vma->vm_private_data = info->fbdefio_state;
+
+ fb_deferred_io_state_get(info->fbdefio_state); /* released in vma->vm_ops->close() */
+
return 0;
}
@@ -225,9 +328,10 @@ static void fb_deferred_io_work(struct w
struct fb_info *info = container_of(work, struct fb_info, deferred_work.work);
struct fb_deferred_io_pageref *pageref, *next;
struct fb_deferred_io *fbdefio = info->fbdefio;
+ struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
/* here we mkclean the pages, then do all deferred IO */
- mutex_lock(&fbdefio->lock);
+ mutex_lock(&fbdefio_state->lock);
list_for_each_entry(pageref, &fbdefio->pagereflist, list) {
struct page *cur = pageref->page;
lock_page(cur);
@@ -242,12 +346,13 @@ static void fb_deferred_io_work(struct w
list_for_each_entry_safe(pageref, next, &fbdefio->pagereflist, list)
fb_deferred_io_pageref_put(pageref, info);
- mutex_unlock(&fbdefio->lock);
+ mutex_unlock(&fbdefio_state->lock);
}
int fb_deferred_io_init(struct fb_info *info)
{
struct fb_deferred_io *fbdefio = info->fbdefio;
+ struct fb_deferred_io_state *fbdefio_state;
struct fb_deferred_io_pageref *pagerefs;
unsigned long npagerefs, i;
int ret;
@@ -257,7 +362,11 @@ int fb_deferred_io_init(struct fb_info *
if (WARN_ON(!info->fix.smem_len))
return -EINVAL;
- mutex_init(&fbdefio->lock);
+ fbdefio_state = fb_deferred_io_state_alloc();
+ if (!fbdefio_state)
+ return -ENOMEM;
+ fbdefio_state->info = info;
+
INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
INIT_LIST_HEAD(&fbdefio->pagereflist);
if (fbdefio->delay == 0) /* set a default of 1 s */
@@ -276,10 +385,12 @@ int fb_deferred_io_init(struct fb_info *
info->npagerefs = npagerefs;
info->pagerefs = pagerefs;
+ info->fbdefio_state = fbdefio_state;
+
return 0;
err:
- mutex_destroy(&fbdefio->lock);
+ fb_deferred_io_state_release(fbdefio_state);
return ret;
}
EXPORT_SYMBOL_GPL(fb_deferred_io_init);
@@ -320,11 +431,18 @@ EXPORT_SYMBOL_GPL(fb_deferred_io_release
void fb_deferred_io_cleanup(struct fb_info *info)
{
- struct fb_deferred_io *fbdefio = info->fbdefio;
+ struct fb_deferred_io_state *fbdefio_state = info->fbdefio_state;
fb_deferred_io_lastclose(info);
+ info->fbdefio_state = NULL;
+
+ mutex_lock(&fbdefio_state->lock);
+ fbdefio_state->info = NULL;
+ mutex_unlock(&fbdefio_state->lock);
+
+ fb_deferred_io_state_put(fbdefio_state);
+
kvfree(info->pagerefs);
- mutex_destroy(&fbdefio->lock);
}
EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -213,12 +213,13 @@ struct fb_deferred_io {
unsigned long delay;
bool sort_pagereflist; /* sort pagelist by offset */
int open_count; /* number of opened files; protected by fb_info lock */
- struct mutex lock; /* mutex that protects the pageref list */
struct list_head pagereflist; /* list of pagerefs for touched pages */
/* callback */
void (*first_io)(struct fb_info *info);
void (*deferred_io)(struct fb_info *info, struct list_head *pagelist);
};
+
+struct fb_deferred_io_state;
#endif
/*
@@ -480,6 +481,7 @@ struct fb_info {
unsigned long npagerefs;
struct fb_deferred_io_pageref *pagerefs;
struct fb_deferred_io *fbdefio;
+ struct fb_deferred_io_state *fbdefio_state;
#endif
const struct fb_ops *fbops;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 281/411] randomize_kstack: Maintain kstack_offset per task
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 280/411] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 282/411] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration Greg Kroah-Hartman
` (130 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Ryan Roberts,
Kees Cook, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
[ Upstream commit 37beb42560165869838e7d91724f3e629db64129 ]
kstack_offset was previously maintained per-cpu, but this caused a
couple of issues. So let's instead make it per-task.
Issue 1: add_random_kstack_offset() and choose_random_kstack_offset()
expected and required to be called with interrupts and preemption
disabled so that it could manipulate per-cpu state. But arm64, loongarch
and risc-v are calling them with interrupts and preemption enabled. I
don't _think_ this causes any functional issues, but it's certainly
unexpected and could lead to manipulating the wrong cpu's state, which
could cause a minor performance degradation due to bouncing the cache
lines. By maintaining the state per-task those functions can safely be
called in preemptible context.
Issue 2: add_random_kstack_offset() is called before executing the
syscall and expands the stack using a previously chosen random offset.
choose_random_kstack_offset() is called after executing the syscall and
chooses and stores a new random offset for the next syscall. With
per-cpu storage for this offset, an attacker could force cpu migration
during the execution of the syscall and prevent the offset from being
updated for the original cpu such that it is predictable for the next
syscall on that cpu. By maintaining the state per-task, this problem
goes away because the per-task random offset is updated after the
syscall regardless of which cpu it is executing on.
Fixes: 39218ff4c625 ("stack: Optionally randomize kernel stack offset each syscall")
Closes: https://lore.kernel.org/all/dd8c37bc-795f-4c7a-9086-69e584d8ab24@arm.com/
Cc: stable@vger.kernel.org
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Link: https://patch.msgid.link/20260303150840.3789438-2-ryan.roberts@arm.com
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/randomize_kstack.h | 44 +++++++++++++++++++++++++++++++--------
include/linux/sched.h | 4 +++
init/main.c | 1
kernel/fork.c | 2 +
4 files changed, 42 insertions(+), 9 deletions(-)
--- a/include/linux/randomize_kstack.h
+++ b/include/linux/randomize_kstack.h
@@ -8,7 +8,6 @@
DECLARE_STATIC_KEY_MAYBE(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
randomize_kstack_offset);
-DECLARE_PER_CPU(u32, kstack_offset);
/*
* Do not use this anywhere else in the kernel. This is used here because
@@ -39,28 +38,57 @@ DECLARE_PER_CPU(u32, kstack_offset);
*/
#define KSTACK_OFFSET_MAX(x) ((x) & 0x3FF)
-/*
- * These macros must be used during syscall entry when interrupts and
- * preempt are disabled, and after user registers have been stored to
- * the stack.
+/**
+ * add_random_kstack_offset - Increase stack utilization by previously
+ * chosen random offset
+ *
+ * This should be used in the syscall entry path after user registers have been
+ * stored to the stack. Preemption may be enabled. For testing the resulting
+ * entropy, please see: tools/testing/selftests/lkdtm/stack-entropy.sh
*/
#define add_random_kstack_offset() do { \
if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
&randomize_kstack_offset)) { \
- u32 offset = raw_cpu_read(kstack_offset); \
+ u32 offset = current->kstack_offset; \
u8 *ptr = __kstack_alloca(KSTACK_OFFSET_MAX(offset)); \
/* Keep allocation even after "ptr" loses scope. */ \
asm volatile("" :: "r"(ptr) : "memory"); \
} \
} while (0)
+/**
+ * choose_random_kstack_offset - Choose the random offset for the next
+ * add_random_kstack_offset()
+ *
+ * This should only be used during syscall exit. Preemption may be enabled. This
+ * position in the syscall flow is done to frustrate attacks from userspace
+ * attempting to learn the next offset:
+ * - Maximize the timing uncertainty visible from userspace: if the
+ * offset is chosen at syscall entry, userspace has much more control
+ * over the timing between choosing offsets. "How long will we be in
+ * kernel mode?" tends to be more difficult to predict than "how long
+ * will we be in user mode?"
+ * - Reduce the lifetime of the new offset sitting in memory during
+ * kernel mode execution. Exposure of "thread-local" memory content
+ * (e.g. current, percpu, etc) tends to be easier than arbitrary
+ * location memory exposure.
+ */
#define choose_random_kstack_offset(rand) do { \
if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \
&randomize_kstack_offset)) { \
- u32 offset = raw_cpu_read(kstack_offset); \
+ u32 offset = current->kstack_offset; \
offset = ror32(offset, 5) ^ (rand); \
- raw_cpu_write(kstack_offset, offset); \
+ current->kstack_offset = offset; \
} \
} while (0)
+#ifdef CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
+static inline void random_kstack_task_init(struct task_struct *tsk)
+{
+ tsk->kstack_offset = 0;
+}
+#else
+#define random_kstack_task_init(tsk) do { } while (0)
+#endif
+
#endif
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1461,6 +1461,10 @@ struct task_struct {
unsigned long prev_lowest_stack;
#endif
+#ifdef CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
+ u32 kstack_offset;
+#endif
+
#ifdef CONFIG_X86_MCE
void __user *mce_vaddr;
__u64 mce_kflags;
--- a/init/main.c
+++ b/init/main.c
@@ -882,7 +882,6 @@ static void __init mm_init(void)
#ifdef CONFIG_HAVE_ARCH_RANDOMIZE_KSTACK_OFFSET
DEFINE_STATIC_KEY_MAYBE_RO(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT,
randomize_kstack_offset);
-DEFINE_PER_CPU(u32, kstack_offset);
static int __init early_randomize_kstack_offset(char *buf)
{
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -94,6 +94,7 @@
#include <linux/thread_info.h>
#include <linux/stackleak.h>
#include <linux/kasan.h>
+#include <linux/randomize_kstack.h>
#include <linux/scs.h>
#include <linux/io_uring.h>
#include <linux/bpf.h>
@@ -2300,6 +2301,7 @@ static __latent_entropy struct task_stru
if (retval)
goto bad_fork_cleanup_io;
+ random_kstack_task_init(p);
stackleak_task_init(p);
if (pid != &init_struct_pid) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 282/411] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 281/411] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 283/411] mtd: spi-nor: sst: Fix write enable before AAI sequence Greg Kroah-Hartman
` (129 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Adrian Hunter,
Ulf Hansson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit 6546a49bbe656981d99a389195560999058c89c4 ]
According to the ASIC design recommendations, the clock must be
disabled before operating the DLL to prevent glitches that could
affect the internal digital logic. In extreme cases, failing to
do so may cause the controller to malfunction completely.
Adds a step to disable the clock before DLL configuration and
re-enables it at the end.
Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
Cc: stable@vger.kernel.org
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[ dropped HS200/HS400 block and BIT(4) line, converted the single `return` in `if (clock <= 400000)` to `goto enable_clk` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-of-dwcmshc.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
+++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
@@ -213,10 +213,13 @@ static void dwcmshc_rk3568_set_clock(str
extra &= ~BIT(0);
sdhci_writel(host, extra, reg);
+ /* Disable clock while config DLL */
+ sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
+
if (clock <= 400000) {
/* Disable DLL to reset sample clock */
sdhci_writel(host, 0, DWCMSHC_EMMC_DLL_CTRL);
- return;
+ goto enable_clk;
}
/* Reset DLL */
@@ -234,7 +237,7 @@ static void dwcmshc_rk3568_set_clock(str
500 * USEC_PER_MSEC);
if (err) {
dev_err(mmc_dev(host->mmc), "DLL lock timeout!\n");
- return;
+ goto enable_clk;
}
extra = 0x1 << 16 | /* tune clock stop en */
@@ -255,6 +258,16 @@ static void dwcmshc_rk3568_set_clock(str
DLL_STRBIN_TAPNUM_DEFAULT |
DLL_STRBIN_TAPNUM_FROM_SW;
sdhci_writel(host, extra, DWCMSHC_EMMC_DLL_STRBIN);
+
+enable_clk:
+ /*
+ * The sdclk frequency select bits in SDHCI_CLOCK_CONTROL are not functional
+ * on Rockchip's SDHCI implementation. Instead, the clock frequency is fully
+ * controlled via external clk provider by calling clk_set_rate(). Consequently,
+ * passing 0 to sdhci_enable_clk() only re-enables the already-configured clock,
+ * which matches the hardware's actual behavior.
+ */
+ sdhci_enable_clk(host, 0);
}
static void rk35xx_sdhci_reset(struct sdhci_host *host, u8 mask)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 283/411] mtd: spi-nor: sst: Fix write enable before AAI sequence
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 282/411] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 284/411] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
` (128 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanjaikumar V S, Hendrik Donner,
Pratyush Yadav (Google), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
[ Upstream commit a0f64241d3566a49c0a9b33ba7ae458ae22003a9 ]
When writing to SST flash starting at an odd address, a single byte is
first programmed using the byte program (BP) command. After this
operation completes, the flash hardware automatically clears the Write
Enable Latch (WEL) bit.
If an AAI (Auto Address Increment) word program sequence follows, it
requires WEL to be set. Without re-enabling writes, the AAI sequence
fails.
Add spi_nor_write_enable() after the odd-address byte program when more
data needs to be written. Use a local boolean for clarity.
Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR")
Cc: stable@vger.kernel.org
Signed-off-by: Sanjaikumar V S <sanjaikumar.vs@dicortech.com>
Tested-by: Hendrik Donner <hd@os-cillation.de>
Reviewed-by: Hendrik Donner <hd@os-cillation.de>
Signed-off-by: Pratyush Yadav (Google) <pratyush@kernel.org>
[ kept inline `nor->program_opcode = SPINOR_OP_BP;` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/sst.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/mtd/spi-nor/sst.c
+++ b/drivers/mtd/spi-nor/sst.c
@@ -112,6 +112,8 @@ static int sst_write(struct mtd_info *mt
/* Start write from odd address. */
if (to % 2) {
+ bool needs_write_enable = (len > 1);
+
nor->program_opcode = SPINOR_OP_BP;
/* write one byte. */
@@ -125,6 +127,17 @@ static int sst_write(struct mtd_info *mt
to++;
actual++;
+
+ /*
+ * Byte program clears the write enable latch. If more
+ * data needs to be written using the AAI sequence,
+ * re-enable writes.
+ */
+ if (needs_write_enable) {
+ ret = spi_nor_write_enable(nor);
+ if (ret)
+ goto out;
+ }
}
/* Write out most of the data here. */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 284/411] udf: fix partition descriptor append bookkeeping
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 283/411] mtd: spi-nor: sst: Fix write enable before AAI sequence Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 285/411] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
` (127 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seohyeon Maeng, Jan Kara,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seohyeon Maeng <bioloidgp@gmail.com>
[ Upstream commit 08841b06fa64d8edbd1a21ca6e613420c90cc4b8 ]
Mounting a crafted UDF image with repeated partition descriptors can
trigger a heap out-of-bounds write in part_descs_loc[].
handle_partition_descriptor() deduplicates entries by partition number,
but appended slots never record partnum. As a result duplicate
Partition Descriptors are appended repeatedly and num_part_descs keeps
growing.
Once the table is full, the growth path still sizes the allocation from
partnum even though inserts are indexed by num_part_descs. If partnum is
already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep
the old capacity and the next append writes past the end of the table.
Store partnum in the appended slot and size growth from the next append
count so deduplication and capacity tracking follow the same model.
Fixes: ee4af50ca94f ("udf: Fix mounting of Win7 created UDF filesystems")
Cc: stable@vger.kernel.org
Signed-off-by: Seohyeon Maeng <bioloidgp@gmail.com>
Link: https://patch.msgid.link/20260310081652.21220-1-bioloidgp@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
[ replaced kzalloc_objs() helper with equivalent kcalloc() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/udf/super.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1658,8 +1658,9 @@ static struct udf_vds_record *handle_par
return &(data->part_descs_loc[i].rec);
if (data->num_part_descs >= data->size_part_descs) {
struct part_desc_seq_scan_data *new_loc;
- unsigned int new_size = ALIGN(partnum, PART_DESC_ALLOC_STEP);
+ unsigned int new_size;
+ new_size = data->num_part_descs + PART_DESC_ALLOC_STEP;
new_loc = kcalloc(new_size, sizeof(*new_loc), GFP_KERNEL);
if (!new_loc)
return ERR_PTR(-ENOMEM);
@@ -1669,6 +1670,7 @@ static struct udf_vds_record *handle_par
data->part_descs_loc = new_loc;
data->size_part_descs = new_size;
}
+ data->part_descs_loc[data->num_part_descs].partnum = partnum;
return &(data->part_descs_loc[data->num_part_descs++].rec);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 285/411] hfsplus: fix uninit-value by validating catalog record size
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 284/411] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 286/411] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
` (126 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d80abb5b890d39261e72,
Viacheslav Dubeyko, Charalampos Mitrodimas, Deepanshu Kartikey,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit b6b592275aeff184aa82fcf6abccd833fb71b393 ]
Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The
root cause is that hfs_brec_read() doesn't validate that the on-disk
record size matches the expected size for the record type being read.
When mounting a corrupted filesystem, hfs_brec_read() may read less data
than expected. For example, when reading a catalog thread record, the
debug output showed:
HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26
HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!
hfs_brec_read() only validates that entrylength is not greater than the
buffer size, but doesn't check if it's less than expected. It successfully
reads 26 bytes into a 520-byte structure and returns success, leaving 494
bytes uninitialized.
This uninitialized data in tmp.thread.nodeName then gets copied by
hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering
the KMSAN warning when the uninitialized bytes are used as array indices
in case_fold().
Fix by introducing hfsplus_brec_read_cat() wrapper that:
1. Calls hfs_brec_read() to read the data
2. Validates the record size based on the type field:
- Fixed size for folder and file records
- Variable size for thread records (depends on string length)
3. Returns -EIO if size doesn't match expected
For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading
nodeName.length to avoid reading uninitialized data at call sites that
don't zero-initialize the entry structure.
Also initialize the tmp variable in hfsplus_find_cat() as defensive
programming to ensure no uninitialized data even if validation is
bypassed.
Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net>
Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/ [v1]
Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmail.com/ [v2]
Link: https://lore.kernel.org/all/20260212014233.2422046-1-kartikey406@gmail.com/ [v3]
Link: https://lore.kernel.org/all/20260214002100.436125-1-kartikey406@gmail.com/T/ [v4]
Link: https://lore.kernel.org/all/20260221061626.15853-1-kartikey406@gmail.com/T/ [v5]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20260307010302.41547-1-kartikey406@gmail.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Stable-dep-of: 90c500e4fd83 ("hfsplus: fix held lock freed on hfsplus_fill_super()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfsplus/bfind.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
fs/hfsplus/catalog.c | 4 +--
fs/hfsplus/dir.c | 2 -
fs/hfsplus/hfsplus_fs.h | 9 ++++++++
fs/hfsplus/super.c | 2 -
5 files changed, 64 insertions(+), 4 deletions(-)
--- a/fs/hfsplus/bfind.c
+++ b/fs/hfsplus/bfind.c
@@ -287,3 +287,54 @@ out:
fd->bnode = bnode;
return res;
}
+
+/**
+ * hfsplus_brec_read_cat - read and validate a catalog record
+ * @fd: find data structure
+ * @entry: pointer to catalog entry to read into
+ *
+ * Reads a catalog record and validates its size matches the expected
+ * size based on the record type.
+ *
+ * Returns 0 on success, or negative error code on failure.
+ */
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry)
+{
+ int res;
+ u32 expected_size;
+
+ res = hfs_brec_read(fd, entry, sizeof(hfsplus_cat_entry));
+ if (res)
+ return res;
+
+ /* Validate catalog record size based on type */
+ switch (be16_to_cpu(entry->type)) {
+ case HFSPLUS_FOLDER:
+ expected_size = sizeof(struct hfsplus_cat_folder);
+ break;
+ case HFSPLUS_FILE:
+ expected_size = sizeof(struct hfsplus_cat_file);
+ break;
+ case HFSPLUS_FOLDER_THREAD:
+ case HFSPLUS_FILE_THREAD:
+ /* Ensure we have at least the fixed fields before reading nodeName.length */
+ if (fd->entrylength < HFSPLUS_MIN_THREAD_SZ) {
+ pr_err("thread record too short (got %u)\n", fd->entrylength);
+ return -EIO;
+ }
+ expected_size = hfsplus_cat_thread_size(&entry->thread);
+ break;
+ default:
+ pr_err("unknown catalog record type %d\n",
+ be16_to_cpu(entry->type));
+ return -EIO;
+ }
+
+ if (fd->entrylength != expected_size) {
+ pr_err("catalog record size mismatch (type %d, got %u, expected %u)\n",
+ be16_to_cpu(entry->type), fd->entrylength, expected_size);
+ return -EIO;
+ }
+
+ return 0;
+}
--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -194,12 +194,12 @@ static int hfsplus_fill_cat_thread(struc
int hfsplus_find_cat(struct super_block *sb, u32 cnid,
struct hfs_find_data *fd)
{
- hfsplus_cat_entry tmp;
+ hfsplus_cat_entry tmp = {0};
int err;
u16 type;
hfsplus_cat_build_key_with_cnid(sb, fd->search_key, cnid);
- err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
+ err = hfsplus_brec_read_cat(fd, &tmp);
if (err)
return err;
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -49,7 +49,7 @@ static struct dentry *hfsplus_lookup(str
if (unlikely(err < 0))
goto fail;
again:
- err = hfs_brec_read(&fd, &entry, sizeof(entry));
+ err = hfsplus_brec_read_cat(&fd, &entry);
if (err) {
if (err == -ENOENT) {
hfs_find_exit(&fd);
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -533,6 +533,15 @@ int hfsplus_submit_bio(struct super_bloc
void **data, int op, int op_flags);
int hfsplus_read_wrapper(struct super_block *sb);
+static inline u32 hfsplus_cat_thread_size(const struct hfsplus_cat_thread *thread)
+{
+ return offsetof(struct hfsplus_cat_thread, nodeName) +
+ offsetof(struct hfsplus_unistr, unicode) +
+ be16_to_cpu(thread->nodeName.length) * sizeof(hfsplus_unichr);
+}
+
+int hfsplus_brec_read_cat(struct hfs_find_data *fd, hfsplus_cat_entry *entry);
+
/*
* time helpers: convert between 1904-base and 1970-base timestamps
*
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -541,7 +541,7 @@ static int hfsplus_fill_super(struct sup
err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
if (unlikely(err < 0))
goto out_put_root;
- if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ if (!hfsplus_brec_read_cat(&fd, &entry)) {
hfs_find_exit(&fd);
if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
err = -EIO;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 286/411] hfsplus: fix held lock freed on hfsplus_fill_super()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 285/411] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 287/411] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
` (125 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Viacheslav Dubeyko,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733 ]
hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.
Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.
The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.
We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:
=========================
WARNING: held lock freed!
7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
-------------------------
mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
2 locks held by mount/174:
#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
stack backtrace:
CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x82/0xd0
debug_check_no_locks_freed+0x13a/0x180
kfree+0x16b/0x510
? hfsplus_fill_super+0xcb4/0x18a0
hfsplus_fill_super+0xcb4/0x18a0
? __pfx_hfsplus_fill_super+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x65f/0xc30
? srso_return_thunk+0x5/0x5f
? pointer+0x4ce/0xbf0
? trace_contention_end+0x11c/0x150
? __pfx_pointer+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x79b/0xc30
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? vsnprintf+0x6da/0x1270
? srso_return_thunk+0x5/0x5f
? __mutex_unlock_slowpath+0x157/0x740
? __pfx_vsnprintf+0x10/0x10
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? mark_held_locks+0x49/0x80
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? irqentry_exit+0x17b/0x5e0
? trace_irq_disable.constprop.0+0x116/0x150
? __pfx_hfsplus_fill_super+0x10/0x10
? __pfx_hfsplus_fill_super+0x10/0x10
get_tree_bdev_flags+0x302/0x580
? __pfx_get_tree_bdev_flags+0x10/0x10
? vfs_parse_fs_qstr+0x129/0x1a0
? __pfx_vfs_parse_fs_qstr+0x3/0x10
vfs_get_tree+0x89/0x320
fc_mount+0x10/0x1d0
path_mount+0x5c5/0x21c0
? __pfx_path_mount+0x10/0x10
? trace_irq_enable.constprop.0+0x116/0x150
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? kmem_cache_free+0x307/0x540
? user_path_at+0x51/0x60
? __x64_sys_mount+0x212/0x280
? srso_return_thunk+0x5/0x5f
__x64_sys_mount+0x212/0x280
? __pfx___x64_sys_mount+0x10/0x10
? srso_return_thunk+0x5/0x5f
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
do_syscall_64+0x111/0x680
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffacad55eae
Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
RSP: 002b:00007fff1ab55718 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffacad55eae
RDX: 000055740c64e5b0 RSI: 000055740c64e630 RDI: 000055740c651ab0
RBP: 000055740c64e380 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000055740c64e5b0 R14: 000055740c651ab0 R15: 000055740c64e380
</TASK>
After applying this patch, the warning no longer appears.
Fixes: 89ac9b4d3d1a ("hfsplus: fix longname handling")
CC: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Tested-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfsplus/super.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/hfsplus/super.c
+++ b/fs/hfsplus/super.c
@@ -539,8 +539,10 @@ static int hfsplus_fill_super(struct sup
if (err)
goto out_put_root;
err = hfsplus_cat_build_key(sb, fd.search_key, HFSPLUS_ROOT_CNID, &str);
- if (unlikely(err < 0))
+ if (unlikely(err < 0)) {
+ hfs_find_exit(&fd);
goto out_put_root;
+ }
if (!hfsplus_brec_read_cat(&fd, &entry)) {
hfs_find_exit(&fd);
if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 287/411] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 286/411] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 288/411] can: ucan: fix typos in comments Greg Kroah-Hartman
` (124 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuvam Pandey,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuvam Pandey <shuvampandey1@gmail.com>
[ Upstream commit 85fa3512048793076eef658f66489112dcc91993 ]
hci_conn lookup and field access must be covered by hdev lock in
hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
the connection can be freed concurrently.
Extend the hci_dev_lock critical section to cover all conn usage in both
handlers.
Keep the existing keypress notification behavior unchanged by routing
the early exits through a common unlock path.
Fixes: 92a25256f142 ("Bluetooth: mgmt: Implement support for passkey notification")
Cc: stable@vger.kernel.org
Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4953,9 +4953,11 @@ static void hci_user_passkey_notify_evt(
BT_DBG("%s", hdev->name);
+ hci_dev_lock(hdev);
+
conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
if (!conn)
- return;
+ goto unlock;
conn->passkey_notify = __le32_to_cpu(ev->passkey);
conn->passkey_entered = 0;
@@ -4964,6 +4966,9 @@ static void hci_user_passkey_notify_evt(
mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
conn->dst_type, conn->passkey_notify,
conn->passkey_entered);
+
+unlock:
+ hci_dev_unlock(hdev);
}
static void hci_keypress_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
@@ -4973,14 +4978,16 @@ static void hci_keypress_notify_evt(stru
BT_DBG("%s", hdev->name);
+ hci_dev_lock(hdev);
+
conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
if (!conn)
- return;
+ goto unlock;
switch (ev->type) {
case HCI_KEYPRESS_STARTED:
conn->passkey_entered = 0;
- return;
+ goto unlock;
case HCI_KEYPRESS_ENTERED:
conn->passkey_entered++;
@@ -4995,13 +5002,16 @@ static void hci_keypress_notify_evt(stru
break;
case HCI_KEYPRESS_COMPLETED:
- return;
+ goto unlock;
}
if (hci_dev_test_flag(hdev, HCI_MGMT))
mgmt_user_passkey_notify(hdev, &conn->dst, conn->type,
conn->dst_type, conn->passkey_notify,
conn->passkey_entered);
+
+unlock:
+ hci_dev_unlock(hdev);
}
static void hci_simple_pair_complete_evt(struct hci_dev *hdev,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 288/411] can: ucan: fix typos in comments
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 287/411] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 289/411] can: ucan: fix devres lifetime Greg Kroah-Hartman
` (123 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julia Lawall, Marc Kleine-Budde,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julia Lawall <Julia.Lawall@inria.fr>
[ Upstream commit c34983c94166689358372d4af8d5def57752860c ]
Various spelling mistakes in comments.
Detected with the help of Coccinelle.
Link: https://lore.kernel.org/all/20220314115354.144023-28-Julia.Lawall@inria.fr
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Stable-dep-of: fed4626501c8 ("can: ucan: fix devres lifetime")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ucan.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -1395,7 +1395,7 @@ static int ucan_probe(struct usb_interfa
* Stage 3 for the final driver initialisation.
*/
- /* Prepare Memory for control transferes */
+ /* Prepare Memory for control transfers */
ctl_msg_buffer = devm_kzalloc(&udev->dev,
sizeof(union ucan_ctl_payload),
GFP_KERNEL);
@@ -1529,7 +1529,7 @@ static int ucan_probe(struct usb_interfa
ret = ucan_device_request_in(up, UCAN_DEVICE_GET_FW_STRING, 0,
sizeof(union ucan_ctl_payload));
if (ret > 0) {
- /* copy string while ensuring zero terminiation */
+ /* copy string while ensuring zero termination */
strncpy(firmware_str, up->ctl_msg_buffer->raw,
sizeof(union ucan_ctl_payload));
firmware_str[sizeof(union ucan_ctl_payload)] = '\0';
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 289/411] can: ucan: fix devres lifetime
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 288/411] can: ucan: fix typos in comments Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 290/411] crypto: nx - Avoid -Wflex-array-member-not-at-end warning Greg Kroah-Hartman
` (122 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakob Unterwurzacher, Johan Hovold,
Marc Kleine-Budde, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit fed4626501c871890da287bec62a96e52da1af89 ]
USB drivers bind to USB interfaces and any device managed resources
should have their lifetime tied to the interface rather than parent USB
device. This avoids issues like memory leaks when drivers are unbound
without their devices being physically disconnected (e.g. on probe
deferral or configuration changes).
Fix the control message buffer lifetime so that it is released on driver
unbind.
Fixes: 9f2d3eae88d2 ("can: ucan: add driver for Theobroma Systems UCAN devices")
Cc: stable@vger.kernel.org # 4.19
Cc: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260327104520.1310158-1-johan@kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/ucan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/ucan.c
+++ b/drivers/net/can/usb/ucan.c
@@ -1396,7 +1396,7 @@ static int ucan_probe(struct usb_interfa
*/
/* Prepare Memory for control transfers */
- ctl_msg_buffer = devm_kzalloc(&udev->dev,
+ ctl_msg_buffer = devm_kzalloc(&intf->dev,
sizeof(union ucan_ctl_payload),
GFP_KERNEL);
if (!ctl_msg_buffer) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 290/411] crypto: nx - Avoid -Wflex-array-member-not-at-end warning
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 289/411] can: ucan: fix devres lifetime Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 291/411] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
` (121 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
[ Upstream commit 1e6b251ce1759392666856908113dd5d7cea044d ]
-Wflex-array-member-not-at-end is coming in GCC-14, and we are getting
ready to enable it globally. So, we are deprecating flexible-array
members in the middle of another structure.
There is currently an object (`header`) in `struct nx842_crypto_ctx`
that contains a flexible structure (`struct nx842_crypto_header`):
struct nx842_crypto_ctx {
...
struct nx842_crypto_header header;
struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
...
};
So, in order to avoid ending up with a flexible-array member in the
middle of another struct, we use the `struct_group_tagged()` helper to
separate the flexible array from the rest of the members in the flexible
structure:
struct nx842_crypto_header {
struct_group_tagged(nx842_crypto_header_hdr, hdr,
... the rest of the members
);
struct nx842_crypto_header_group group[];
} __packed;
With the change described above, we can now declare an object of the
type of the tagged struct, without embedding the flexible array in the
middle of another struct:
struct nx842_crypto_ctx {
...
struct nx842_crypto_header_hdr header;
struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
...
} __packed;
We also use `container_of()` whenever we need to retrieve a pointer to
the flexible structure, through which we can access the flexible
array if needed.
So, with these changes, fix the following warning:
In file included from drivers/crypto/nx/nx-842.c:55:
drivers/crypto/nx/nx-842.h:174:36: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
174 | struct nx842_crypto_header header;
| ^~~~~~
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: adb3faf2db1a ("crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/nx/nx-842.c | 6 ++++--
drivers/crypto/nx/nx-842.h | 10 ++++++----
2 files changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -251,7 +251,9 @@ int nx842_crypto_compress(struct crypto_
u8 *dst, unsigned int *dlen)
{
struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
- struct nx842_crypto_header *hdr = &ctx->header;
+ struct nx842_crypto_header *hdr =
+ container_of(&ctx->header,
+ struct nx842_crypto_header, hdr);
struct nx842_crypto_param p;
struct nx842_constraints c = *ctx->driver->constraints;
unsigned int groups, hdrsize, h;
@@ -490,7 +492,7 @@ int nx842_crypto_decompress(struct crypt
}
memcpy(&ctx->header, src, hdr_len);
- hdr = &ctx->header;
+ hdr = container_of(&ctx->header, struct nx842_crypto_header, hdr);
for (n = 0; n < hdr->groups; n++) {
/* ignore applies to last group */
--- a/drivers/crypto/nx/nx-842.h
+++ b/drivers/crypto/nx/nx-842.h
@@ -157,9 +157,11 @@ struct nx842_crypto_header_group {
} __packed;
struct nx842_crypto_header {
- __be16 magic; /* NX842_CRYPTO_MAGIC */
- __be16 ignore; /* decompressed end bytes to ignore */
- u8 groups; /* total groups in this header */
+ struct_group_tagged(nx842_crypto_header_hdr, hdr,
+ __be16 magic; /* NX842_CRYPTO_MAGIC */
+ __be16 ignore; /* decompressed end bytes to ignore */
+ u8 groups; /* total groups in this header */
+ );
struct nx842_crypto_header_group group[];
} __packed;
@@ -171,7 +173,7 @@ struct nx842_crypto_ctx {
u8 *wmem;
u8 *sbounce, *dbounce;
- struct nx842_crypto_header header;
+ struct nx842_crypto_header_hdr header;
struct nx842_crypto_header_group group[NX842_CRYPTO_GROUP_MAX];
struct nx842_driver *driver;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 291/411] crypto: nx - Migrate to scomp API
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 290/411] crypto: nx - Avoid -Wflex-array-member-not-at-end warning Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 292/411] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
` (120 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
[ Upstream commit 980b5705f4e73f567e405cd18337cc32fd51cf79 ]
The only remaining user of 842 compression has been migrated to the
acomp compression API, and so the NX hardware driver has to follow suit,
given that no users of the obsolete 'comp' API remain, and it is going
to be removed.
So migrate the NX driver code to scomp. These will be wrapped and
exposed as acomp implementation via the crypto subsystem's
acomp-to-scomp adaptation layer.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: adb3faf2db1a ("crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/nx/nx-842.c | 33 +++++++++++++++++++--------------
drivers/crypto/nx/nx-842.h | 14 ++++++++------
drivers/crypto/nx/nx-common-powernv.c | 31 +++++++++++++++----------------
drivers/crypto/nx/nx-common-pseries.c | 33 ++++++++++++++++-----------------
4 files changed, 58 insertions(+), 53 deletions(-)
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -101,9 +101,13 @@ static int update_param(struct nx842_cry
return 0;
}
-int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver)
+void *nx842_crypto_alloc_ctx(struct nx842_driver *driver)
{
- struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+ struct nx842_crypto_ctx *ctx;
+
+ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+ return ERR_PTR(-ENOMEM);
spin_lock_init(&ctx->lock);
ctx->driver = driver;
@@ -114,22 +118,23 @@ int nx842_crypto_init(struct crypto_tfm
kfree(ctx->wmem);
free_page((unsigned long)ctx->sbounce);
free_page((unsigned long)ctx->dbounce);
- return -ENOMEM;
+ kfree(ctx);
+ return ERR_PTR(-ENOMEM);
}
- return 0;
+ return ctx;
}
-EXPORT_SYMBOL_GPL(nx842_crypto_init);
+EXPORT_SYMBOL_GPL(nx842_crypto_alloc_ctx);
-void nx842_crypto_exit(struct crypto_tfm *tfm)
+void nx842_crypto_free_ctx(void *p)
{
- struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+ struct nx842_crypto_ctx *ctx = p;
kfree(ctx->wmem);
free_page((unsigned long)ctx->sbounce);
free_page((unsigned long)ctx->dbounce);
}
-EXPORT_SYMBOL_GPL(nx842_crypto_exit);
+EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
static void check_constraints(struct nx842_constraints *c)
{
@@ -246,11 +251,11 @@ nospc:
return update_param(p, slen, dskip + dlen);
}
-int nx842_crypto_compress(struct crypto_tfm *tfm,
+int nx842_crypto_compress(struct crypto_scomp *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen)
+ u8 *dst, unsigned int *dlen, void *pctx)
{
- struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+ struct nx842_crypto_ctx *ctx = pctx;
struct nx842_crypto_header *hdr =
container_of(&ctx->header,
struct nx842_crypto_header, hdr);
@@ -431,11 +436,11 @@ usesw:
return update_param(p, slen + padding, dlen);
}
-int nx842_crypto_decompress(struct crypto_tfm *tfm,
+int nx842_crypto_decompress(struct crypto_scomp *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen)
+ u8 *dst, unsigned int *dlen, void *pctx)
{
- struct nx842_crypto_ctx *ctx = crypto_tfm_ctx(tfm);
+ struct nx842_crypto_ctx *ctx = pctx;
struct nx842_crypto_header *hdr;
struct nx842_crypto_param p;
struct nx842_constraints c = *ctx->driver->constraints;
--- a/drivers/crypto/nx/nx-842.h
+++ b/drivers/crypto/nx/nx-842.h
@@ -101,6 +101,8 @@
#define LEN_ON_SIZE(pa, size) ((size) - ((pa) & ((size) - 1)))
#define LEN_ON_PAGE(pa) LEN_ON_SIZE(pa, PAGE_SIZE)
+struct crypto_scomp;
+
static inline unsigned long nx842_get_pa(void *addr)
{
if (!is_vmalloc_addr(addr))
@@ -179,13 +181,13 @@ struct nx842_crypto_ctx {
struct nx842_driver *driver;
};
-int nx842_crypto_init(struct crypto_tfm *tfm, struct nx842_driver *driver);
-void nx842_crypto_exit(struct crypto_tfm *tfm);
-int nx842_crypto_compress(struct crypto_tfm *tfm,
+void *nx842_crypto_alloc_ctx(struct nx842_driver *driver);
+void nx842_crypto_free_ctx(void *ctx);
+int nx842_crypto_compress(struct crypto_scomp *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen);
-int nx842_crypto_decompress(struct crypto_tfm *tfm,
+ u8 *dst, unsigned int *dlen, void *ctx);
+int nx842_crypto_decompress(struct crypto_scomp *tfm,
const u8 *src, unsigned int slen,
- u8 *dst, unsigned int *dlen);
+ u8 *dst, unsigned int *dlen, void *ctx);
#endif /* __NX_842_H__ */
--- a/drivers/crypto/nx/nx-common-powernv.c
+++ b/drivers/crypto/nx/nx-common-powernv.c
@@ -9,6 +9,7 @@
#include "nx-842.h"
+#include <crypto/internal/scompress.h>
#include <linux/timer.h>
#include <asm/prom.h>
@@ -1034,23 +1035,21 @@ static struct nx842_driver nx842_powernv
.decompress = nx842_powernv_decompress,
};
-static int nx842_powernv_crypto_init(struct crypto_tfm *tfm)
+static void *nx842_powernv_crypto_alloc_ctx(void)
{
- return nx842_crypto_init(tfm, &nx842_powernv_driver);
+ return nx842_crypto_alloc_ctx(&nx842_powernv_driver);
}
-static struct crypto_alg nx842_powernv_alg = {
- .cra_name = "842",
- .cra_driver_name = "842-nx",
- .cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_COMPRESS,
- .cra_ctxsize = sizeof(struct nx842_crypto_ctx),
- .cra_module = THIS_MODULE,
- .cra_init = nx842_powernv_crypto_init,
- .cra_exit = nx842_crypto_exit,
- .cra_u = { .compress = {
- .coa_compress = nx842_crypto_compress,
- .coa_decompress = nx842_crypto_decompress } }
+static struct scomp_alg nx842_powernv_alg = {
+ .base.cra_name = "842",
+ .base.cra_driver_name = "842-nx",
+ .base.cra_priority = 300,
+ .base.cra_module = THIS_MODULE,
+
+ .alloc_ctx = nx842_powernv_crypto_alloc_ctx,
+ .free_ctx = nx842_crypto_free_ctx,
+ .compress = nx842_crypto_compress,
+ .decompress = nx842_crypto_decompress,
};
static __init int nx_compress_powernv_init(void)
@@ -1110,7 +1109,7 @@ static __init int nx_compress_powernv_in
nx842_powernv_exec = nx842_exec_vas;
}
- ret = crypto_register_alg(&nx842_powernv_alg);
+ ret = crypto_register_scomp(&nx842_powernv_alg);
if (ret) {
nx_delete_coprocs();
return ret;
@@ -1131,7 +1130,7 @@ static void __exit nx_compress_powernv_e
if (!nx842_ct)
vas_unregister_api_powernv();
- crypto_unregister_alg(&nx842_powernv_alg);
+ crypto_unregister_scomp(&nx842_powernv_alg);
nx_delete_coprocs();
}
--- a/drivers/crypto/nx/nx-common-pseries.c
+++ b/drivers/crypto/nx/nx-common-pseries.c
@@ -11,6 +11,7 @@
#include <asm/vio.h>
#include <asm/hvcall.h>
#include <asm/vas.h>
+#include <crypto/internal/scompress.h>
#include "nx-842.h"
#include "nx_csbcpb.h" /* struct nx_csbcpb */
@@ -1006,23 +1007,21 @@ static struct nx842_driver nx842_pseries
.decompress = nx842_pseries_decompress,
};
-static int nx842_pseries_crypto_init(struct crypto_tfm *tfm)
+static void *nx842_pseries_crypto_alloc_ctx(void)
{
- return nx842_crypto_init(tfm, &nx842_pseries_driver);
+ return nx842_crypto_alloc_ctx(&nx842_pseries_driver);
}
-static struct crypto_alg nx842_pseries_alg = {
- .cra_name = "842",
- .cra_driver_name = "842-nx",
- .cra_priority = 300,
- .cra_flags = CRYPTO_ALG_TYPE_COMPRESS,
- .cra_ctxsize = sizeof(struct nx842_crypto_ctx),
- .cra_module = THIS_MODULE,
- .cra_init = nx842_pseries_crypto_init,
- .cra_exit = nx842_crypto_exit,
- .cra_u = { .compress = {
- .coa_compress = nx842_crypto_compress,
- .coa_decompress = nx842_crypto_decompress } }
+static struct scomp_alg nx842_pseries_alg = {
+ .base.cra_name = "842",
+ .base.cra_driver_name = "842-nx",
+ .base.cra_priority = 300,
+ .base.cra_module = THIS_MODULE,
+
+ .alloc_ctx = nx842_pseries_crypto_alloc_ctx,
+ .free_ctx = nx842_crypto_free_ctx,
+ .compress = nx842_crypto_compress,
+ .decompress = nx842_crypto_decompress,
};
static int nx842_probe(struct vio_dev *viodev,
@@ -1070,7 +1069,7 @@ static int nx842_probe(struct vio_dev *v
if (ret)
goto error;
- ret = crypto_register_alg(&nx842_pseries_alg);
+ ret = crypto_register_scomp(&nx842_pseries_alg);
if (ret) {
dev_err(&viodev->dev, "could not register comp alg: %d\n", ret);
goto error;
@@ -1118,7 +1117,7 @@ static void nx842_remove(struct vio_dev
if (caps_feat)
sysfs_remove_group(&viodev->dev.kobj, &nxcop_caps_attr_group);
- crypto_unregister_alg(&nx842_pseries_alg);
+ crypto_unregister_scomp(&nx842_pseries_alg);
spin_lock_irqsave(&devdata_mutex, flags);
old_devdata = rcu_dereference_check(devdata,
@@ -1247,7 +1246,7 @@ static void __exit nx842_pseries_exit(vo
vas_unregister_api_pseries();
- crypto_unregister_alg(&nx842_pseries_alg);
+ crypto_unregister_scomp(&nx842_pseries_alg);
spin_lock_irqsave(&devdata_mutex, flags);
old_devdata = rcu_dereference_check(devdata,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 292/411] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 291/411] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 293/411] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
` (119 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c ]
The bounce buffers are allocated with __get_free_pages() using
BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error
path and nx842_crypto_free_ctx() release the buffers with free_page().
Use free_pages() with the matching order instead.
Fixes: ed70b479c2c0 ("crypto: nx - add hardware 842 crypto comp alg")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/nx/nx-842.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/crypto/nx/nx-842.c
+++ b/drivers/crypto/nx/nx-842.c
@@ -116,8 +116,8 @@ void *nx842_crypto_alloc_ctx(struct nx84
ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
kfree(ctx->wmem);
- free_page((unsigned long)ctx->sbounce);
- free_page((unsigned long)ctx->dbounce);
+ free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+ free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
kfree(ctx);
return ERR_PTR(-ENOMEM);
}
@@ -131,8 +131,8 @@ void nx842_crypto_free_ctx(void *p)
struct nx842_crypto_ctx *ctx = p;
kfree(ctx->wmem);
- free_page((unsigned long)ctx->sbounce);
- free_page((unsigned long)ctx->dbounce);
+ free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+ free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
}
EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 293/411] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 292/411] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 294/411] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
` (118 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo, Gao Xiang,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab ]
Some crafted images can have illegal (!partial_decoding &&
m_llen < m_plen) extents, and the LZ4 inplace decompression path
can be wrongly hit, but it cannot handle (outpages < inpages)
properly: "outpages - inpages" wraps to a large value and
the subsequent rq->out[] access reads past the decompressed_pages
array.
However, such crafted cases can correctly result in a corruption
report in the normal LZ4 non-inplace path.
Let's add an additional check to fix this for backporting.
Reproducible image (base64-encoded gzipped blob):
H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g
dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i
PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz
2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w
ywAAAAAAAADwu14ATsEYtgBQAAA=
$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1
Fixes: 598162d05080 ("erofs: support decompress big pcluster for lz4 backend")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
[ renamed `rq->outpages`/`rq->inpages` to `nrpages_out`/`nrpages_in` and inverted the check to `nrpages_out < nrpages_in` on the existing `goto docopy` chain ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/erofs/decompressor.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/erofs/decompressor.c
+++ b/fs/erofs/decompressor.c
@@ -140,6 +140,7 @@ static void *z_erofs_handle_inplace_io(s
if (rq->inplace_io) {
if (rq->partial_decoding || !support_0padding ||
+ nrpages_out < nrpages_in ||
ofull - oend < LZ4_DECOMPRESS_INPLACE_MARGIN(inputsize))
goto docopy;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 294/411] ceph: only d_add() negative dentries when they are unhashed
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 293/411] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 295/411] scsi: core: pm: Rely on the device driver core for async power management Greg Kroah-Hartman
` (117 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Kellermann, Viacheslav Dubeyko,
Ilya Dryomov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Kellermann <max.kellermann@ionos.com>
[ Upstream commit 803447f93d75ab6e40c85e6d12b5630d281d70d6 ]
Ceph can call d_add(dentry, NULL) on a negative dentry that is already
present in the primary dcache hash.
In the current VFS that is not safe. d_add() goes through __d_add()
to __d_rehash(), which unconditionally reinserts dentry->d_hash into
the hlist_bl bucket. If the dentry is already hashed, reinserting the
same node can corrupt the bucket, including creating a self-loop.
Once that happens, __d_lookup() can spin forever in the hlist_bl walk,
typically looping only on the d_name.hash mismatch check and
eventually triggering RCU stall reports like this one:
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829
rcu: (t=2101 jiffies g=79058445 q=698988 ncpus=192)
CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE
Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023
RIP: 0010:__d_lookup+0x46/0xb0
Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f
RSP: 0018:ff745a70c8253898 EFLAGS: 00000282
RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966
RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0
RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89
R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0
R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f
FS: 00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0
PKRU: 55555554
Call Trace:
<TASK>
lookup_fast+0x9f/0x100
walk_component+0x1f/0x150
link_path_walk+0x20e/0x3d0
path_lookupat+0x68/0x180
filename_lookup+0xdc/0x1e0
vfs_statx+0x6c/0x140
vfs_fstatat+0x67/0xa0
__do_sys_newfstatat+0x24/0x60
do_syscall_64+0x6a/0x230
entry_SYSCALL_64_after_hwframe+0x76/0x7e
This is reachable with reused cached negative dentries. A Ceph lookup
or atomic_open can be handed a negative dentry that is already hashed,
and fs/ceph/dir.c then hits one of two paths that incorrectly assume
"negative" also means "unhashed":
- ceph_finish_lookup():
MDS reply is -ENOENT with no trace
-> d_add(dentry, NULL)
- ceph_lookup():
local ENOENT fast path for a complete directory with shared caps
-> d_add(dentry, NULL)
Both paths can therefore re-add an already-hashed negative dentry.
Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only
calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn)
is true.
Fix both fs/ceph/dir.c sites the same way: only call d_add() for a
negative dentry when it is actually unhashed. If the negative dentry
is already hashed, leave it in place and reuse it as-is.
This preserves the existing behavior for unhashed dentries while
avoiding d_hash list corruption for reused hashed negatives.
Cc: stable@vger.kernel.org
Fixes: 2817b000b02c ("ceph: directory operations")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
[ kept existing dout() debug call instead of upstream's doutc() form when adding the d_unhashed() guard around d_add() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/dir.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/ceph/dir.c
+++ b/fs/ceph/dir.c
@@ -721,7 +721,8 @@ struct dentry *ceph_finish_lookup(struct
d_drop(dentry);
err = -ENOENT;
} else {
- d_add(dentry, NULL);
+ if (d_unhashed(dentry))
+ d_add(dentry, NULL);
}
}
}
@@ -777,7 +778,8 @@ static struct dentry *ceph_lookup(struct
__ceph_touch_fmode(ci, mdsc, CEPH_FILE_MODE_RD);
spin_unlock(&ci->i_ceph_lock);
dout(" dir %p complete, -ENOENT\n", dir);
- d_add(dentry, NULL);
+ if (d_unhashed(dentry))
+ d_add(dentry, NULL);
di->lease_shared_gen = atomic_read(&ci->i_shared_gen);
return NULL;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 295/411] scsi: core: pm: Rely on the device driver core for async power management
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 294/411] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 296/411] scsi: sd: Add error handling support for add_disk() Greg Kroah-Hartman
` (116 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern, Dan Williams,
Hannes Reinecke, Adrian Hunter, Martin Kepplinger,
Bart Van Assche, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit a19a93e4c6a98c9c0f2f5a6db76846f10d7d1f85 ]
Instead of implementing asynchronous resume support in the SCSI core, rely
on the device driver core for resuming SCSI devices asynchronously.
Instead of only supporting asynchronous resumes, also support asynchronous
suspends.
Link: https://lore.kernel.org/r/20211006215453.3318929-2-bvanassche@acm.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Hannes Reinecke <hare@suse.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Martin Kepplinger <martin.kepplinger@puri.sm>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 1e111c4b3a72 ("scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/hosts.c | 1 +
drivers/scsi/scsi.c | 8 --------
drivers/scsi/scsi_pm.c | 44 ++------------------------------------------
drivers/scsi/scsi_priv.h | 4 +---
drivers/scsi/scsi_scan.c | 17 +++++++++++++++++
drivers/scsi/scsi_sysfs.c | 1 +
drivers/scsi/sd.c | 1 -
7 files changed, 22 insertions(+), 54 deletions(-)
--- a/drivers/scsi/hosts.c
+++ b/drivers/scsi/hosts.c
@@ -487,6 +487,7 @@ struct Scsi_Host *scsi_host_alloc(struct
dev_set_name(&shost->shost_gendev, "host%d", shost->host_no);
shost->shost_gendev.bus = &scsi_bus_type;
shost->shost_gendev.type = &scsi_host_type;
+ scsi_enable_async_suspend(&shost->shost_gendev);
device_initialize(&shost->shost_dev);
shost->shost_dev.parent = &shost->shost_gendev;
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -86,14 +86,6 @@ unsigned int scsi_logging_level;
EXPORT_SYMBOL(scsi_logging_level);
#endif
-/*
- * Domain for asynchronous system resume operations. It is marked 'exclusive'
- * to avoid being included in the async_synchronize_full() that is invoked by
- * dpm_resume().
- */
-ASYNC_DOMAIN_EXCLUSIVE(scsi_sd_pm_domain);
-EXPORT_SYMBOL(scsi_sd_pm_domain);
-
#ifdef CONFIG_SCSI_LOGGING
void scsi_log_send(struct scsi_cmnd *cmd)
{
--- a/drivers/scsi/scsi_pm.c
+++ b/drivers/scsi/scsi_pm.c
@@ -56,9 +56,6 @@ static int scsi_dev_type_suspend(struct
const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
int err;
- /* flush pending in-flight resume operations, suspend is synchronous */
- async_synchronize_full_domain(&scsi_sd_pm_domain);
-
err = scsi_device_quiesce(to_scsi_device(dev));
if (err == 0) {
err = cb(dev, pm);
@@ -123,48 +120,11 @@ scsi_bus_suspend_common(struct device *d
return err;
}
-static void async_sdev_resume(void *dev, async_cookie_t cookie)
-{
- scsi_dev_type_resume(dev, do_scsi_resume);
-}
-
-static void async_sdev_thaw(void *dev, async_cookie_t cookie)
-{
- scsi_dev_type_resume(dev, do_scsi_thaw);
-}
-
-static void async_sdev_restore(void *dev, async_cookie_t cookie)
-{
- scsi_dev_type_resume(dev, do_scsi_restore);
-}
-
static int scsi_bus_resume_common(struct device *dev,
int (*cb)(struct device *, const struct dev_pm_ops *))
{
- async_func_t fn;
-
- if (!scsi_is_sdev_device(dev))
- fn = NULL;
- else if (cb == do_scsi_resume)
- fn = async_sdev_resume;
- else if (cb == do_scsi_thaw)
- fn = async_sdev_thaw;
- else if (cb == do_scsi_restore)
- fn = async_sdev_restore;
- else
- fn = NULL;
-
- if (fn) {
- async_schedule_domain(fn, dev, &scsi_sd_pm_domain);
-
- /*
- * If a user has disabled async probing a likely reason
- * is due to a storage enclosure that does not inject
- * staggered spin-ups. For safety, make resume
- * synchronous as well in that case.
- */
- if (strncmp(scsi_scan_type, "async", 5) != 0)
- async_synchronize_full_domain(&scsi_sd_pm_domain);
+ if (scsi_is_sdev_device(dev)) {
+ scsi_dev_type_resume(dev, cb);
} else {
pm_runtime_disable(dev);
pm_runtime_set_active(dev);
--- a/drivers/scsi/scsi_priv.h
+++ b/drivers/scsi/scsi_priv.h
@@ -117,7 +117,7 @@ extern void scsi_exit_procfs(void);
#endif /* CONFIG_PROC_FS */
/* scsi_scan.c */
-extern char scsi_scan_type[];
+void scsi_enable_async_suspend(struct device *dev);
extern int scsi_complete_async_scans(void);
extern int scsi_scan_host_selected(struct Scsi_Host *, unsigned int,
unsigned int, u64, enum scsi_scan_mode);
@@ -171,8 +171,6 @@ static inline int scsi_autopm_get_host(s
static inline void scsi_autopm_put_host(struct Scsi_Host *h) {}
#endif /* CONFIG_PM */
-extern struct async_domain scsi_sd_pm_domain;
-
/* scsi_dh.c */
#ifdef CONFIG_SCSI_DH
void scsi_dh_add_device(struct scsi_device *sdev);
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -123,6 +123,22 @@ struct async_scan_data {
};
/**
+ * scsi_enable_async_suspend - Enable async suspend and resume
+ */
+void scsi_enable_async_suspend(struct device *dev)
+{
+ /*
+ * If a user has disabled async probing a likely reason is due to a
+ * storage enclosure that does not inject staggered spin-ups. For
+ * safety, make resume synchronous as well in that case.
+ */
+ if (strncmp(scsi_scan_type, "async", 5) != 0)
+ return;
+ /* Enable asynchronous suspend and resume. */
+ device_enable_async_suspend(dev);
+}
+
+/**
* scsi_complete_async_scans - Wait for asynchronous scans to complete
*
* When this function returns, any host which started scanning before
@@ -499,6 +515,7 @@ static struct scsi_target *scsi_alloc_ta
dev_set_name(dev, "target%d:%d:%d", shost->host_no, channel, id);
dev->bus = &scsi_bus_type;
dev->type = &scsi_target_type;
+ scsi_enable_async_suspend(dev);
starget->id = id;
starget->channel = channel;
starget->can_queue = 0;
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1643,6 +1643,7 @@ void scsi_sysfs_device_initialize(struct
device_initialize(&sdev->sdev_gendev);
sdev->sdev_gendev.bus = &scsi_bus_type;
sdev->sdev_gendev.type = &scsi_dev_type;
+ scsi_enable_async_suspend(&sdev->sdev_gendev);
dev_set_name(&sdev->sdev_gendev, "%d:%d:%d:%llu",
sdev->host->host_no, sdev->channel, sdev->id, sdev->lun);
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3505,7 +3505,6 @@ static int sd_remove(struct device *dev)
sdkp = dev_get_drvdata(dev);
scsi_autopm_get_device(sdkp->device);
- async_synchronize_full_domain(&scsi_sd_pm_domain);
device_del(&sdkp->dev);
del_gendisk(sdkp->disk);
sd_shutdown(dev);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 296/411] scsi: sd: Add error handling support for add_disk()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 295/411] scsi: core: pm: Rely on the device driver core for async power management Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 297/411] sd: rename the scsi_disk.dev field Greg Kroah-Hartman
` (115 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig,
Martin K. Petersen, Luis Chamberlain, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Chamberlain <mcgrof@kernel.org>
[ Upstream commit 2a7a891f4c406822801ecd676b076c64de072c9e ]
We never checked for errors on add_disk() as this function returned
void. Now that this is fixed, use the shiny new error handling.
As with the error handling for device_add() we follow the same logic and
just put the device so that cleanup is done via the scsi_disk_release().
Link: https://lore.kernel.org/r/20211015233028.2167651-2-mcgrof@kernel.org
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: 1e111c4b3a72 ("scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3458,7 +3458,13 @@ static int sd_probe(struct device *dev)
pm_runtime_set_autosuspend_delay(dev,
sdp->host->hostt->rpm_autosuspend_delay);
}
- device_add_disk(dev, gd, NULL);
+
+ error = device_add_disk(dev, gd, NULL);
+ if (error) {
+ put_device(&sdkp->dev);
+ goto out;
+ }
+
if (sdkp->capacity)
sd_dif_config_host(sdkp);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 297/411] sd: rename the scsi_disk.dev field
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 296/411] scsi: sd: Add error handling support for add_disk() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 298/411] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
` (114 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Bart Van Assche,
Chaitanya Kulkarni, Ming Lei, Martin K. Petersen, Jens Axboe,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit fad45c3007a18064da759b4dba35eb722bc64e97 ]
dev is very hard to grep for. Give the field a more descriptive name and
documents its purpose.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Link: https://lore.kernel.org/r/20220308055200.735835-5-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 1e111c4b3a72 ("scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sd.c | 22 +++++++++++-----------
drivers/scsi/sd.h | 9 +++++++--
2 files changed, 18 insertions(+), 13 deletions(-)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -674,7 +674,7 @@ static struct scsi_disk *scsi_disk_get(s
if (disk->private_data) {
sdkp = scsi_disk(disk);
if (scsi_device_get(sdkp->device) == 0)
- get_device(&sdkp->dev);
+ get_device(&sdkp->disk_dev);
else
sdkp = NULL;
}
@@ -687,7 +687,7 @@ static void scsi_disk_put(struct scsi_di
struct scsi_device *sdev = sdkp->device;
mutex_lock(&sd_ref_mutex);
- put_device(&sdkp->dev);
+ put_device(&sdkp->disk_dev);
scsi_device_put(sdev);
mutex_unlock(&sd_ref_mutex);
}
@@ -3412,14 +3412,14 @@ static int sd_probe(struct device *dev)
SD_MOD_TIMEOUT);
}
- device_initialize(&sdkp->dev);
- sdkp->dev.parent = get_device(dev);
- sdkp->dev.class = &sd_disk_class;
- dev_set_name(&sdkp->dev, "%s", dev_name(dev));
+ device_initialize(&sdkp->disk_dev);
+ sdkp->disk_dev.parent = get_device(dev);
+ sdkp->disk_dev.class = &sd_disk_class;
+ dev_set_name(&sdkp->disk_dev, "%s", dev_name(dev));
- error = device_add(&sdkp->dev);
+ error = device_add(&sdkp->disk_dev);
if (error) {
- put_device(&sdkp->dev);
+ put_device(&sdkp->disk_dev);
goto out;
}
@@ -3461,7 +3461,7 @@ static int sd_probe(struct device *dev)
error = device_add_disk(dev, gd, NULL);
if (error) {
- put_device(&sdkp->dev);
+ put_device(&sdkp->disk_dev);
goto out;
}
@@ -3511,7 +3511,7 @@ static int sd_remove(struct device *dev)
sdkp = dev_get_drvdata(dev);
scsi_autopm_get_device(sdkp->device);
- device_del(&sdkp->dev);
+ device_del(&sdkp->disk_dev);
del_gendisk(sdkp->disk);
sd_shutdown(dev);
@@ -3519,7 +3519,7 @@ static int sd_remove(struct device *dev)
mutex_lock(&sd_ref_mutex);
dev_set_drvdata(dev, NULL);
- put_device(&sdkp->dev);
+ put_device(&sdkp->disk_dev);
mutex_unlock(&sd_ref_mutex);
return 0;
--- a/drivers/scsi/sd.h
+++ b/drivers/scsi/sd.h
@@ -70,7 +70,12 @@ enum {
struct scsi_disk {
struct scsi_driver *driver; /* always &sd_template */
struct scsi_device *device;
- struct device dev;
+
+ /*
+ * disk_dev is used to show attributes in /sys/class/scsi_disk/,
+ * but otherwise not really needed. Do not use for refcounting.
+ */
+ struct device disk_dev;
struct gendisk *disk;
struct opal_dev *opal_dev;
#ifdef CONFIG_BLK_DEV_ZONED
@@ -126,7 +131,7 @@ struct scsi_disk {
unsigned security : 1;
unsigned ignore_medium_access_errors : 1;
};
-#define to_scsi_disk(obj) container_of(obj,struct scsi_disk,dev)
+#define to_scsi_disk(obj) container_of(obj, struct scsi_disk, disk_dev)
static inline struct scsi_disk *scsi_disk(struct gendisk *disk)
{
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 298/411] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 297/411] sd: rename the scsi_disk.dev field Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 299/411] ALSA: aloop: Fix peer runtime UAF during format-change stop Greg Kroah-Hartman
` (113 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Garry, Yang Xiuwei,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Xiuwei <yangxiuwei@kylinos.cn>
[ Upstream commit 1e111c4b3a726df1254670a5cc4868cedb946d37 ]
If device_add(&sdkp->disk_dev) fails, put_device() runs
scsi_disk_release(), which frees the scsi_disk but leaves the gendisk
referenced. The device_add_disk() error path in sd_probe() calls
put_disk(gd); call put_disk(gd) here to mirror that cleanup.
Fixes: 265dfe8ebbab ("scsi: sd: Free scsi_disk device via put_device()")
Cc: stable@vger.kernel.org
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Yang Xiuwei <yangxiuwei@kylinos.cn>
Link: https://patch.msgid.link/20260330014952.152776-1-yangxiuwei@kylinos.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sd.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -3420,6 +3420,7 @@ static int sd_probe(struct device *dev)
error = device_add(&sdkp->disk_dev);
if (error) {
put_device(&sdkp->disk_dev);
+ put_disk(gd);
goto out;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 299/411] ALSA: aloop: Fix peer runtime UAF during format-change stop
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 298/411] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 300/411] printk: add print_hex_dump_devel() Greg Kroah-Hartman
` (112 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8fa95c41eafbc9d2ff6f,
Takashi Iwai, Cássio Gabriel, Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cássio Gabriel <cassiogabrielcontato@gmail.com>
[ Upstream commit e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff ]
loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.
A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.
Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.
Reported-by: syzbot+8fa95c41eafbc9d2ff6f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8fa95c41eafbc9d2ff6f
Fixes: 597603d615d2 ("ALSA: introduce the snd-aloop module for the PCM loopback")
Cc: stable@vger.kernel.org
Suggested-by: Takashi Iwai <tiwai@suse.com>
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-aloop-peer-stop-uaf-v2-1-94e68101db8a@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ collapsed inc/snd_pcm_stop/dec into the existing inline call site and used spin_lock_irq/unlock_irq instead of scoped_guard ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/drivers/aloop.c | 40 +++++++++++++++++++++++++++-------------
1 file changed, 27 insertions(+), 13 deletions(-)
--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -98,6 +98,9 @@ struct loopback_ops {
struct loopback_cable {
spinlock_t lock;
struct loopback_pcm *streams[2];
+ /* in-flight peer stops running outside cable->lock */
+ atomic_t stop_count;
+ wait_queue_head_t stop_wait;
struct snd_pcm_hardware hw;
/* flags */
unsigned int valid;
@@ -341,8 +344,12 @@ static int loopback_check_format(struct
if (stream == SNDRV_PCM_STREAM_CAPTURE) {
return -EIO;
} else {
+ /* close must not free the peer runtime below */
+ atomic_inc(&cable->stop_count);
snd_pcm_stop(cable->streams[SNDRV_PCM_STREAM_CAPTURE]->
substream, SNDRV_PCM_STATE_DRAINING);
+ if (atomic_dec_and_test(&cable->stop_count))
+ wake_up(&cable->stop_wait);
__notify:
runtime = cable->streams[SNDRV_PCM_STREAM_PLAYBACK]->
substream->runtime;
@@ -994,24 +1001,29 @@ static void free_cable(struct snd_pcm_su
struct loopback *loopback = substream->private_data;
int dev = get_cable_index(substream);
struct loopback_cable *cable;
+ struct loopback_pcm *dpcm;
+ bool other_alive;
cable = loopback->cables[substream->number][dev];
if (!cable)
return;
- if (cable->streams[!substream->stream]) {
- /* other stream is still alive */
- spin_lock_irq(&cable->lock);
- cable->streams[substream->stream] = NULL;
- spin_unlock_irq(&cable->lock);
- } else {
- struct loopback_pcm *dpcm = substream->runtime->private_data;
- if (cable->ops && cable->ops->close_cable && dpcm)
- cable->ops->close_cable(dpcm);
- /* free the cable */
- loopback->cables[substream->number][dev] = NULL;
- kfree(cable);
- }
+ spin_lock_irq(&cable->lock);
+ cable->streams[substream->stream] = NULL;
+ other_alive = cable->streams[!substream->stream] != NULL;
+ spin_unlock_irq(&cable->lock);
+
+ /* Pair with the stop_count increment in loopback_check_format(). */
+ wait_event(cable->stop_wait, !atomic_read(&cable->stop_count));
+ if (other_alive)
+ return;
+
+ dpcm = substream->runtime->private_data;
+ if (cable->ops && cable->ops->close_cable && dpcm)
+ cable->ops->close_cable(dpcm);
+ /* free the cable */
+ loopback->cables[substream->number][dev] = NULL;
+ kfree(cable);
}
static int loopback_jiffies_timer_open(struct loopback_pcm *dpcm)
@@ -1206,6 +1218,8 @@ static int loopback_open(struct snd_pcm_
goto unlock;
}
spin_lock_init(&cable->lock);
+ atomic_set(&cable->stop_count, 0);
+ init_waitqueue_head(&cable->stop_wait);
cable->hw = loopback_pcm_hardware;
if (loopback->timer_source)
cable->ops = &loopback_snd_timer_ops;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 300/411] printk: add print_hex_dump_devel()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 299/411] ALSA: aloop: Fix peer runtime UAF during format-change stop Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 301/411] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
` (111 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herbert Xu, Thorsten Blum,
John Ogness, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit d134feeb5df33fbf77f482f52a366a44642dba09 ]
Add print_hex_dump_devel() as the hex dump equivalent of pr_devel(),
which emits output only when DEBUG is enabled, but keeps call sites
compiled otherwise.
Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 177730a273b1 ("crypto: caam - guard HMAC key hex dumps in hash_digest_key")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/printk.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/include/linux/printk.h
+++ b/include/linux/printk.h
@@ -740,6 +740,19 @@ static inline void print_hex_dump_debug(
}
#endif
+#if defined(DEBUG)
+#define print_hex_dump_devel(prefix_str, prefix_type, rowsize, \
+ groupsize, buf, len, ascii) \
+ print_hex_dump(KERN_DEBUG, prefix_str, prefix_type, rowsize, \
+ groupsize, buf, len, ascii)
+#else
+static inline void print_hex_dump_devel(const char *prefix_str, int prefix_type,
+ int rowsize, int groupsize,
+ const void *buf, size_t len, bool ascii)
+{
+}
+#endif
+
/**
* print_hex_dump_bytes - shorthand form of print_hex_dump_debug() with default
* params
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 301/411] crypto: caam - guard HMAC key hex dumps in hash_digest_key
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 300/411] printk: add print_hex_dump_devel() Greg Kroah-Hartman
@ 2026-06-16 14:58 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 302/411] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
` (110 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 177730a273b18e195263ed953853273e901b5064 ]
Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in
hash_digest_key() to avoid leaking secrets at runtime when
CONFIG_DYNAMIC_DEBUG is enabled.
Fixes: 045e36780f11 ("crypto: caam - ahash hmac support")
Fixes: 3f16f6c9d632 ("crypto: caam/qi2 - add support for ahash algorithms")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/caamalg_qi2.c | 4 ++--
drivers/crypto/caam/caamhash.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/crypto/caam/caamalg_qi2.c
+++ b/drivers/crypto/caam/caamalg_qi2.c
@@ -3264,7 +3264,7 @@ static int hash_digest_key(struct caam_h
dpaa2_fl_set_addr(out_fle, key_dma);
dpaa2_fl_set_len(out_fle, digestsize);
- print_hex_dump_debug("key_in@" __stringify(__LINE__)": ",
+ print_hex_dump_devel("key_in@" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
print_hex_dump_debug("shdesc@" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
@@ -3284,7 +3284,7 @@ static int hash_digest_key(struct caam_h
/* in progress */
wait_for_completion(&result.completion);
ret = result.err;
- print_hex_dump_debug("digested key@" __stringify(__LINE__)": ",
+ print_hex_dump_devel("digested key@" __stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key,
digestsize, 1);
}
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -390,7 +390,7 @@ static int hash_digest_key(struct caam_h
append_seq_store(desc, digestsize, LDST_CLASS_2_CCB |
LDST_SRCDST_BYTE_CONTEXT);
- print_hex_dump_debug("key_in@"__stringify(__LINE__)": ",
+ print_hex_dump_devel("key_in@"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key, *keylen, 1);
print_hex_dump_debug("jobdesc@"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, desc, desc_bytes(desc),
@@ -405,7 +405,7 @@ static int hash_digest_key(struct caam_h
wait_for_completion(&result.completion);
ret = result.err;
- print_hex_dump_debug("digested key@"__stringify(__LINE__)": ",
+ print_hex_dump_devel("digested key@"__stringify(__LINE__)": ",
DUMP_PREFIX_ADDRESS, 16, 4, key,
digestsize, 1);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 302/411] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-06-16 14:58 ` [PATCH 5.15 301/411] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 303/411] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
` (109 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
David Carlier, Steven Rostedt (Google), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Carlier <devnexen@gmail.com>
[ Upstream commit fad217e16fded7f3c09f8637b0f6a224d58b5f2e ]
When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func()
invokes the subsystem's ext->regfunc() before attempting to install the
new probe via func_add(). If func_add() then fails (for example, when
allocate_probes() cannot allocate a new probe array under memory pressure
and returns -ENOMEM), the function returns the error without calling the
matching ext->unregfunc(), leaving the side effects of regfunc() behind
with no installed probe to justify them.
For syscall tracepoints this is particularly unpleasant: syscall_regfunc()
bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task.
After a leaked failure, the refcount is stuck at a non-zero value with no
consumer, and every task continues paying the syscall trace entry/exit
overhead until reboot. Other subsystems providing regfunc()/unregfunc()
pairs exhibit similarly scoped persistent state.
Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the
func_add() error path, gated on the same condition used there so the
unwind is symmetric with the registration.
Fixes: 8cf868affdc4 ("tracing: Have the reg function allow to fail")
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20260413190601.21993-1-devnexen@gmail.com
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
[ changed `tp->ext->unregfunc` to `tp->unregfunc` to match older struct layout ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/tracepoint.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -337,6 +337,8 @@ static int tracepoint_add_func(struct tr
lockdep_is_held(&tracepoints_mutex));
old = func_add(&tp_funcs, func, prio);
if (IS_ERR(old)) {
+ if (tp->unregfunc && !static_key_enabled(&tp->key))
+ tp->unregfunc();
WARN_ON_ONCE(warn && PTR_ERR(old) != -ENOMEM);
return PTR_ERR(old);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 303/411] smb: client: validate the whole DACL before rewriting it in cifsacl
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 302/411] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 304/411] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
` (108 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 0a8cf165566ba55a39fd0f4de172119dd646d39a upstream.
build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a
server-supplied dacloffset and then use the incoming ACL to rebuild the
chmod/chown security descriptor.
The original fix only checked that the struct smb_acl header fits before
reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate
header-field OOB read, but the rewrite helpers still walk ACEs based on
pdacl->num_aces with no structural validation of the incoming DACL body.
A malicious server can return a truncated DACL that still contains a
header, claims one or more ACEs, and then drive
replace_sids_and_copy_aces() or set_chmod_dacl() past the validated
extent while they compare or copy attacker-controlled ACEs.
Factor the DACL structural checks into validate_dacl(), extend them to
validate each ACE against the DACL bounds, and use the shared validator
before the chmod/chown rebuild paths. parse_dacl() reuses the same
validator so the read-side parser and write-side rewrite paths agree on
what constitutes a well-formed incoming DACL.
Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ renamed smb_acl/smb_ace/smb_sid/smb_ntsd to cifs_* and widened num_aces from u16 to u32 for 6.1's __le32 field ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsacl.c | 95 ++++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 85 insertions(+), 10 deletions(-)
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -753,6 +753,78 @@ static void dump_ace(struct cifs_ace *pa
}
#endif
+static int validate_dacl(struct cifs_acl *pdacl, char *end_of_acl)
+{
+ int i, ace_hdr_size, ace_size, min_ace_size;
+ u16 dacl_size;
+ u32 num_aces;
+ char *acl_base, *end_of_dacl;
+ struct cifs_ace *pace;
+
+ if (!pdacl)
+ return 0;
+
+ if (end_of_acl < (char *)pdacl + sizeof(struct cifs_acl)) {
+ cifs_dbg(VFS, "ACL too small to parse DACL\n");
+ return -EINVAL;
+ }
+
+ dacl_size = le16_to_cpu(pdacl->size);
+ if (dacl_size < sizeof(struct cifs_acl) ||
+ end_of_acl < (char *)pdacl + dacl_size) {
+ cifs_dbg(VFS, "ACL too small to parse DACL\n");
+ return -EINVAL;
+ }
+
+ num_aces = le32_to_cpu(pdacl->num_aces);
+ if (!num_aces)
+ return 0;
+
+ ace_hdr_size = offsetof(struct cifs_ace, sid) +
+ offsetof(struct cifs_sid, sub_auth);
+ min_ace_size = ace_hdr_size + sizeof(__le32);
+ if (num_aces > (dacl_size - sizeof(struct cifs_acl)) / min_ace_size) {
+ cifs_dbg(VFS, "ACL too small to parse DACL\n");
+ return -EINVAL;
+ }
+
+ end_of_dacl = (char *)pdacl + dacl_size;
+ acl_base = (char *)pdacl;
+ ace_size = sizeof(struct cifs_acl);
+
+ for (i = 0; i < num_aces; ++i) {
+ if (end_of_dacl - acl_base < ace_size) {
+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
+ return -EINVAL;
+ }
+
+ pace = (struct cifs_ace *)(acl_base + ace_size);
+ acl_base = (char *)pace;
+
+ if (end_of_dacl - acl_base < ace_hdr_size ||
+ pace->sid.num_subauth == 0 ||
+ pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
+ return -EINVAL;
+ }
+
+ ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
+ if (end_of_dacl - acl_base < ace_size ||
+ le16_to_cpu(pace->size) < ace_size) {
+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
+ return -EINVAL;
+ }
+
+ ace_size = le16_to_cpu(pace->size);
+ if (end_of_dacl - acl_base < ace_size) {
+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
+ return -EINVAL;
+ }
+ }
+
+ return 0;
+}
+
static void parse_dacl(struct cifs_acl *pdacl, char *end_of_acl,
struct cifs_sid *pownersid, struct cifs_sid *pgrpsid,
struct cifs_fattr *fattr, bool mode_from_special_sid)
@@ -760,7 +832,7 @@ static void parse_dacl(struct cifs_acl *
int i;
int num_aces = 0;
int acl_size;
- char *acl_base;
+ char *acl_base, *end_of_dacl;
struct cifs_ace **ppace;
/* BB need to add parm so we can store the SID BB */
@@ -772,11 +844,8 @@ static void parse_dacl(struct cifs_acl *
return;
}
- /* validate that we do not go past end of acl */
- if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
- cifs_dbg(VFS, "ACL too small to parse DACL\n");
+ if (validate_dacl(pdacl, end_of_acl))
return;
- }
cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
@@ -787,6 +856,7 @@ static void parse_dacl(struct cifs_acl *
user/group/other have no permissions */
fattr->cf_mode &= ~(0777);
+ end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
acl_base = (char *)pdacl;
acl_size = sizeof(struct cifs_acl);
@@ -804,7 +874,7 @@ static void parse_dacl(struct cifs_acl *
for (i = 0; i < num_aces; ++i) {
ppace[i] = (struct cifs_ace *) (acl_base + acl_size);
#ifdef CONFIG_CIFS_DEBUG2
- dump_ace(ppace[i], end_of_acl);
+ dump_ace(ppace[i], end_of_dacl);
#endif
if (mode_from_special_sid &&
ppace[i]->sid.num_subauth >= 3 &&
@@ -1263,10 +1333,9 @@ static int build_sec_desc(struct cifs_nt
dacloffset = le32_to_cpu(pntsd->dacloffset);
if (dacloffset) {
dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
- if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
- cifs_dbg(VFS, "Server returned illegal ACL size\n");
- return -EINVAL;
- }
+ rc = validate_dacl(dacl_ptr, end_of_acl);
+ if (rc)
+ return rc;
}
owner_sid_ptr = (struct cifs_sid *)((char *)pntsd +
@@ -1626,6 +1695,12 @@ id_mode_to_cifs_acl(struct inode *inode,
dacloffset = le32_to_cpu(pntsd->dacloffset);
if (dacloffset) {
dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
+ rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
+ if (rc) {
+ kfree(pntsd);
+ cifs_put_tlink(tlink);
+ return rc;
+ }
if (mode_from_sid)
nsecdesclen +=
le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct cifs_ace);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 304/411] usb: typec: tcpm: reset internal port states on soft reset AMS
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 303/411] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 305/411] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
` (107 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amit Sunil Dhamne, stable,
Badhri Jagan Sridharan, Heikki Krogerus, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amit Sunil Dhamne <amitsd@google.com>
[ Upstream commit 2909f0d4994fb4306bf116df5ccee797791fce2c ]
Reset internal port states (such as vdm_sm_running and
explicit_contract) on soft reset AMS as the port needs to negotiate a
new contract. The consequence of leaving the states in as-is cond are as
follows:
* port is in SRC power role and an explicit contract is negotiated
with the port partner (in sink role)
* port partner sends a Soft Reset AMS while VDM State Machine is
running
* port accepts the Soft Reset request and the port advertises src caps
* port partner sends a Request message but since the explicit_contract
and vdm_sm_running are true from previous negotiation, the port ends
up sending Soft Reset instead of Accept msg.
Stub Log:
[ 203.653942] AMS DISCOVER_IDENTITY start
[ 203.653947] PD TX, header: 0x176f
[ 203.655901] PD TX complete, status: 0
[ 203.657470] PD RX, header: 0x124f [1]
[ 203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1
[ 203.657482] AMS DISCOVER_IDENTITY finished
[ 203.657484] cc:=4
[ 204.155698] PD RX, header: 0x144f [1]
[ 204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1
[ 204.155741] PD TX, header: 0x196f
[ 204.157622] PD TX complete, status: 0
[ 204.160060] PD RX, header: 0x4d [1]
[ 204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS]
[ 204.160076] PD TX, header: 0x163
[ 204.162486] PD TX complete, status: 0
[ 204.162832] AMS SOFT_RESET_AMS finished
[ 204.162840] cc:=4
[ 204.162891] AMS POWER_NEGOTIATION start
[ 204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION]
[ 204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION]
[ 204.162913] PD TX, header: 0x1361
[ 204.165529] PD TX complete, status: 0
[ 204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION]
[ 204.166996] PD RX, header: 0x1242 [1]
[ 204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION]
[ 204.167019] AMS POWER_NEGOTIATION finished
[ 204.167020] cc:=4
[ 204.167083] AMS SOFT_RESET_AMS start
[ 204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS]
[ 204.167092] PD TX, header: 0x16d
[ 204.168824] PD TX complete, status: 0
[ 204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS]
[ 204.171876] PD RX, header: 0x43 [1]
[ 204.171879] AMS SOFT_RESET_AMS finished
This causes COMMON.PROC.PD.11.2 check failure for
TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester.
Signed-off-by: Amit Sunil Dhamne <amitsd@google.com>
Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running")
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable <stable@kernel.org>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260414-fix-soft-reset-v1-1-01d7cb9764e2@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ kept `tcpm_pd_send_control(port, PD_CTRL_ACCEPT)` call unchanged ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -4576,6 +4576,8 @@ static void run_state_machine(struct tcp
port->message_id = 0;
port->rx_msgid = -1;
tcpm_pd_send_control(port, PD_CTRL_ACCEPT);
+ port->vdm_sm_running = false;
+ port->explicit_contract = false;
tcpm_ams_finish(port);
if (port->pwr_role == TYPEC_SOURCE) {
port->upcoming_state = SRC_SEND_CAPABILITIES;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 305/411] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 304/411] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 306/411] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
` (106 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Arend van Spriel,
Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit c623b63580880cc742255eaed3d79804c1b91143 ]
Watchdog task might end between send_sig() and kthread_stop() calls, what
results in the use-after-free issue. Fix this by increasing watchdog task
reference count before calling send_sig() and dropping it by switching to
kthread_stop_put().
Cc: stable@vger.kernel.org
Fixes: 373c83a801f1 ("brcmfmac: stop watchdog before detach and free everything")
Fixes: a9ffda88be74 ("brcm80211: fmac: abstract bus_stop interface function pointer")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ replaced kthread_stop_put() with open-coded kthread_stop() + put_task_struct() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -2474,8 +2474,10 @@ static void brcmf_sdio_bus_stop(struct d
brcmf_dbg(TRACE, "Enter\n");
if (bus->watchdog_tsk) {
+ get_task_struct(bus->watchdog_tsk);
send_sig(SIGTERM, bus->watchdog_tsk, 1);
kthread_stop(bus->watchdog_tsk);
+ put_task_struct(bus->watchdog_tsk);
bus->watchdog_tsk = NULL;
}
@@ -4549,8 +4551,10 @@ void brcmf_sdio_remove(struct brcmf_sdio
if (bus) {
/* Stop watchdog task */
if (bus->watchdog_tsk) {
+ get_task_struct(bus->watchdog_tsk);
send_sig(SIGTERM, bus->watchdog_tsk, 1);
kthread_stop(bus->watchdog_tsk);
+ put_task_struct(bus->watchdog_tsk);
bus->watchdog_tsk = NULL;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 306/411] usb: dwc3: Move GUID programming after PHY initialization
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 305/411] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 307/411] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
` (105 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Pritam Manohar Sutar,
Selvarasu Ganesan, Thinh Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Selvarasu Ganesan <selvarasu.g@samsung.com>
[ Upstream commit aad35f9c926ec220b0742af1ada45666ae667956 ]
The Linux Version Code is currently written to the GUID register before
PHY initialization. Certain PHY implementations (such as Synopsys eUSB
PHY performing link_sw_reset) clear the GUID register to its default
value during initialization, causing the kernel version information to
be lost.
Move the GUID register programming to occur after PHY initialization
completes to ensure the Linux version information persists.
Fixes: fa0ea13e9f1c ("usb: dwc3: core: write LINUX_VERSION_CODE to our GUID register")
Cc: stable <stable@kernel.org>
Reported-by: Pritam Manohar Sutar <pritam.sutar@samsung.com>
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20260417063314.2359-1-selvarasu.g@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ adapted dwc3_writel(dwc, ...) to dwc3_writel(dwc->regs, ...) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -978,12 +978,6 @@ static int dwc3_core_init(struct dwc3 *d
hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
- /*
- * Write Linux Version Code to our GUID register so it's easy to figure
- * out which kernel version a bug was found.
- */
- dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE);
-
ret = dwc3_phy_setup(dwc);
if (ret)
goto err0;
@@ -1023,6 +1017,12 @@ static int dwc3_core_init(struct dwc3 *d
if (ret)
goto err1;
+ /*
+ * Write Linux Version Code to our GUID register so it's easy to figure
+ * out which kernel version a bug was found.
+ */
+ dwc3_writel(dwc->regs, DWC3_GUID, LINUX_VERSION_CODE);
+
dwc3_core_setup_global_control(dwc);
dwc3_core_num_eps(dwc);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 307/411] net: ipv4: stop checking crypto_ahash_alignmask
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 306/411] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 308/411] net: ipv6: " Greg Kroah-Hartman
` (104 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit e77f5dd701381cef35b9ea8b6dea6e62c8a7f9f3 ]
Now that the alignmask for ahash and shash algorithms is always 0,
crypto_ahash_alignmask() always returns 0 and will be removed. In
preparation for this, stop checking crypto_ahash_alignmask() in ah4.c.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: ec54093e6a8f ("xfrm: ah: account for ESN high bits in async callbacks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ah4.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -27,9 +27,7 @@ static void *ah_alloc_tmp(struct crypto_
{
unsigned int len;
- len = size + crypto_ahash_digestsize(ahash) +
- (crypto_ahash_alignmask(ahash) &
- ~(crypto_tfm_ctx_alignment() - 1));
+ len = size + crypto_ahash_digestsize(ahash);
len = ALIGN(len, crypto_tfm_ctx_alignment());
@@ -46,10 +44,9 @@ static inline u8 *ah_tmp_auth(void *tmp,
return tmp + offset;
}
-static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
- unsigned int offset)
+static inline u8 *ah_tmp_icv(void *tmp, unsigned int offset)
{
- return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
+ return tmp + offset;
}
static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
@@ -129,7 +126,7 @@ static void ah_output_done(struct crypto
int ihl = ip_hdrlen(skb);
iph = AH_SKB_CB(skb)->tmp;
- icv = ah_tmp_icv(ahp->ahash, iph, ihl);
+ icv = ah_tmp_icv(iph, ihl);
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
top_iph->tos = iph->tos;
@@ -182,7 +179,7 @@ static int ah_output(struct xfrm_state *
if (!iph)
goto out;
seqhi = (__be32 *)((char *)iph + ihl);
- icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+ icv = ah_tmp_icv(seqhi, seqhi_len);
req = ah_tmp_req(ahash, icv);
sg = ah_req_sg(ahash, req);
seqhisg = sg + nfrags;
@@ -279,7 +276,7 @@ static void ah_input_done(struct crypto_
work_iph = AH_SKB_CB(skb)->tmp;
auth_data = ah_tmp_auth(work_iph, ihl);
- icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
+ icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
if (err)
@@ -374,7 +371,7 @@ static int ah_input(struct xfrm_state *x
seqhi = (__be32 *)((char *)work_iph + ihl);
auth_data = ah_tmp_auth(seqhi, seqhi_len);
- icv = ah_tmp_icv(ahash, auth_data, ahp->icv_trunc_len);
+ icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
req = ah_tmp_req(ahash, icv);
sg = ah_req_sg(ahash, req);
seqhisg = sg + nfrags;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 308/411] net: ipv6: stop checking crypto_ahash_alignmask
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 307/411] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 309/411] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
` (103 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit 0a6bfaa0e695facb072f2fedfb55df37c4483b50 ]
Now that the alignmask for ahash and shash algorithms is always 0,
crypto_ahash_alignmask() always returns 0 and will be removed. In
preparation for this, stop checking crypto_ahash_alignmask() in ah6.c.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: ec54093e6a8f ("xfrm: ah: account for ESN high bits in async callbacks")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ah6.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -79,9 +79,7 @@ static void *ah_alloc_tmp(struct crypto_
{
unsigned int len;
- len = size + crypto_ahash_digestsize(ahash) +
- (crypto_ahash_alignmask(ahash) &
- ~(crypto_tfm_ctx_alignment() - 1));
+ len = size + crypto_ahash_digestsize(ahash);
len = ALIGN(len, crypto_tfm_ctx_alignment());
@@ -103,10 +101,9 @@ static inline u8 *ah_tmp_auth(u8 *tmp, u
return tmp + offset;
}
-static inline u8 *ah_tmp_icv(struct crypto_ahash *ahash, void *tmp,
- unsigned int offset)
+static inline u8 *ah_tmp_icv(void *tmp, unsigned int offset)
{
- return PTR_ALIGN((u8 *)tmp + offset, crypto_ahash_alignmask(ahash) + 1);
+ return tmp + offset;
}
static inline struct ahash_request *ah_tmp_req(struct crypto_ahash *ahash,
@@ -330,7 +327,7 @@ static void ah6_output_done(struct crypt
iph_base = AH_SKB_CB(skb)->tmp;
iph_ext = ah_tmp_ext(iph_base);
- icv = ah_tmp_icv(ahp->ahash, iph_ext, extlen);
+ icv = ah_tmp_icv(iph_ext, extlen);
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
@@ -387,7 +384,7 @@ static int ah6_output(struct xfrm_state
iph_ext = ah_tmp_ext(iph_base);
seqhi = (__be32 *)((char *)iph_ext + extlen);
- icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+ icv = ah_tmp_icv(seqhi, seqhi_len);
req = ah_tmp_req(ahash, icv);
sg = ah_req_sg(ahash, req);
seqhisg = sg + nfrags;
@@ -483,7 +480,7 @@ static void ah6_input_done(struct crypto
work_iph = AH_SKB_CB(skb)->tmp;
auth_data = ah_tmp_auth(work_iph, hdr_len);
- icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len);
+ icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
if (err)
@@ -591,7 +588,7 @@ static int ah6_input(struct xfrm_state *
auth_data = ah_tmp_auth((u8 *)work_iph, hdr_len);
seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
- icv = ah_tmp_icv(ahash, seqhi, seqhi_len);
+ icv = ah_tmp_icv(seqhi, seqhi_len);
req = ah_tmp_req(ahash, icv);
sg = ah_req_sg(ahash, req);
seqhisg = sg + nfrags;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 309/411] xfrm: ah: account for ESN high bits in async callbacks
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 308/411] net: ipv6: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 310/411] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
` (102 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steffen Klassert,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 ]
AH allocates its temporary auth/ICV layout differently when ESN is enabled:
the async ahash setup appends a 4-byte seqhi slot before the ICV or
auth_data area, but the async completion callbacks still reconstruct the
temporary layout as if seqhi were absent.
With an async AH implementation selected, that makes AH copy or compare
the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH
with ESN and forced async hmac(sha1), ping fails with 100% packet loss,
and the callback logs show the pre-fix drift:
ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36
Reconstruct the callback-side layout the same way the setup path built it
by skipping the ESN seqhi slot before locating the saved auth_data or ICV.
Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV
computation, so the async callbacks must account for the seqhi slot.
Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows
the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24
expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o
build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the
change has not been tested against a real async hardware AH engine.
Fixes: d4d573d0334d ("{IPv4,xfrm} Add ESN support for AH egress part")
Fixes: d8b2a8600b0e ("{IPv4,xfrm} Add ESN support for AH ingress part")
Fixes: 26dd70c3fad3 ("{IPv6,xfrm} Add ESN support for AH egress part")
Fixes: 8d6da6f32557 ("{IPv6,xfrm} Add ESN support for AH ingress part")
Cc: stable@vger.kernel.org
Assisted-by: Codex:gpt-5-4
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ah4.c | 14 ++++++++++++--
net/ipv6/ah6.c | 14 ++++++++++++--
2 files changed, 24 insertions(+), 4 deletions(-)
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -124,9 +124,14 @@ static void ah_output_done(struct crypto
struct iphdr *top_iph = ip_hdr(skb);
struct ip_auth_hdr *ah = ip_auth_hdr(skb);
int ihl = ip_hdrlen(skb);
+ int seqhi_len = 0;
+ __be32 *seqhi;
+ if (x->props.flags & XFRM_STATE_ESN)
+ seqhi_len = sizeof(*seqhi);
iph = AH_SKB_CB(skb)->tmp;
- icv = ah_tmp_icv(iph, ihl);
+ seqhi = (__be32 *)((char *)iph + ihl);
+ icv = ah_tmp_icv(seqhi, seqhi_len);
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
top_iph->tos = iph->tos;
@@ -270,12 +275,17 @@ static void ah_input_done(struct crypto_
struct ip_auth_hdr *ah = ip_auth_hdr(skb);
int ihl = ip_hdrlen(skb);
int ah_hlen = (ah->hdrlen + 2) << 2;
+ int seqhi_len = 0;
+ __be32 *seqhi;
if (err)
goto out;
+ if (x->props.flags & XFRM_STATE_ESN)
+ seqhi_len = sizeof(*seqhi);
work_iph = AH_SKB_CB(skb)->tmp;
- auth_data = ah_tmp_auth(work_iph, ihl);
+ seqhi = (__be32 *)((char *)work_iph + ihl);
+ auth_data = ah_tmp_auth(seqhi, seqhi_len);
icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -320,14 +320,19 @@ static void ah6_output_done(struct crypt
struct ipv6hdr *top_iph = ipv6_hdr(skb);
struct ip_auth_hdr *ah = ip_auth_hdr(skb);
struct tmp_ext *iph_ext;
+ int seqhi_len = 0;
+ __be32 *seqhi;
extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr);
if (extlen)
extlen += sizeof(*iph_ext);
+ if (x->props.flags & XFRM_STATE_ESN)
+ seqhi_len = sizeof(*seqhi);
iph_base = AH_SKB_CB(skb)->tmp;
iph_ext = ah_tmp_ext(iph_base);
- icv = ah_tmp_icv(iph_ext, extlen);
+ seqhi = (__be32 *)((char *)iph_ext + extlen);
+ icv = ah_tmp_icv(seqhi, seqhi_len);
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
@@ -474,13 +479,18 @@ static void ah6_input_done(struct crypto
struct ip_auth_hdr *ah = ip_auth_hdr(skb);
int hdr_len = skb_network_header_len(skb);
int ah_hlen = ipv6_authlen(ah);
+ int seqhi_len = 0;
+ __be32 *seqhi;
if (err)
goto out;
+ if (x->props.flags & XFRM_STATE_ESN)
+ seqhi_len = sizeof(*seqhi);
work_iph = AH_SKB_CB(skb)->tmp;
auth_data = ah_tmp_auth(work_iph, hdr_len);
- icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len);
+ seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len);
+ icv = ah_tmp_icv(seqhi, seqhi_len);
err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0;
if (err)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 310/411] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 309/411] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 311/411] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
` (101 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Kosiorek, Steffen Klassert,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kosiorek <mkosiorek121@gmail.com>
[ Upstream commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 ]
KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s
hlist_del_rcu calls under syzkaller load on linux-6.12.y stable
(reproduced on 6.12.47, also reachable via the same code path on
torvalds/master and on the ipsec tree). Nine unique signatures cluster
in the xfrm_state lifecycle, the load-bearing one being:
BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435
Workqueue: netns cleanup_net
Call Trace:
__hlist_del / hlist_del_rcu
__xfrm_state_delete
xfrm_state_delete
xfrm_state_flush
xfrm_state_fini
ops_exit_list
cleanup_net
The other observed signatures hit the same slab object from
__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB
write variant of __xfrm_state_delete, all on the byseq/byspi
hash chains.
__xfrm_state_delete() guards its byseq and byspi unhashes with
value-based predicates:
if (x->km.seq)
hlist_del_rcu(&x->byseq);
if (x->id.spi)
hlist_del_rcu(&x->byspi);
while everywhere else in the file (e.g. state_cache, state_cache_input)
the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets
x->id.spi = newspi inside xfrm_state_lock and then immediately inserts
into byspi, but a path that observes x->id.spi != 0 outside of
xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently
with whether x is actually on the list. The same holds for x->km.seq
versus byseq, and the bydst/bysrc unhashes have no predicate at all,
so a second __xfrm_state_delete() on the same object writes through
LIST_POISON pprev.
The defensive change here:
- Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst,
bysrc, byseq and byspi so a second deletion is a no-op rather
than a write through LIST_POISON pprev. The byseq/byspi nodes
are already initialised in xfrm_state_alloc().
- Test hlist_unhashed() rather than the value predicate for
byseq/byspi, so the unhash decision tracks list state rather than
mutable scalar fields.
Empirical verification: applied this patch on top of v6.12.47, rebuilt,
and re-ran the same syzkaller harness for 1h16m on a previously-crashy
configuration that produced ~100 hits each of slab-use-after-free
Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in
__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at
~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo
confirms the xfrm_state slab is actively allocated and freed during
the run (~143 KiB resident), so the fuzzer is still exercising those
code paths -- they just no longer crash.
Reproduction:
- Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
- syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
- 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
- 9 unique signatures collected in ~9h, all within xfrm_state
lifecycle
Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.")
Reported-by: Michal Kosiorek <mkosiorek121@gmail.com>
Tested-by: Michal Kosiorek <mkosiorek121@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michal Kosiorek <mkosiorek121@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[ dropped state_cache/state_cache_input unhash hunks and xfrm_nat_keepalive_state_updated() call ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_state.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -681,12 +681,12 @@ int __xfrm_state_delete(struct xfrm_stat
x->km.state = XFRM_STATE_DEAD;
spin_lock(&net->xfrm.xfrm_state_lock);
list_del(&x->km.all);
- hlist_del_rcu(&x->bydst);
- hlist_del_rcu(&x->bysrc);
- if (x->km.seq)
- hlist_del_rcu(&x->byseq);
- if (x->id.spi)
- hlist_del_rcu(&x->byspi);
+ hlist_del_init_rcu(&x->bydst);
+ hlist_del_init_rcu(&x->bysrc);
+ if (!hlist_unhashed(&x->byseq))
+ hlist_del_init_rcu(&x->byseq);
+ if (!hlist_unhashed(&x->byspi))
+ hlist_del_init_rcu(&x->byspi);
net->xfrm.state_num--;
spin_unlock(&net->xfrm.xfrm_state_lock);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 311/411] spi: syncuacer: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 310/411] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 312/411] spi: sun4i: " Greg Kroah-Hartman
` (100 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahisa Kojima, Johan Hovold,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 75d849c3452e9611de031db45b3149ba9a99035f ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform")
Cc: stable@vger.kernel.org # 5.3
Cc: Masahisa Kojima <masahisa.kojima@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-21-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller/host to spi_master/master and kept int return type with `return 0;` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-synquacer.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-synquacer.c
+++ b/drivers/spi/spi-synquacer.c
@@ -719,7 +719,7 @@ static int synquacer_spi_probe(struct pl
pm_runtime_set_active(sspi->dev);
pm_runtime_enable(sspi->dev);
- ret = devm_spi_register_master(sspi->dev, master);
+ ret = spi_register_master(master);
if (ret)
goto disable_pm;
@@ -740,10 +740,16 @@ static int synquacer_spi_remove(struct p
struct spi_master *master = platform_get_drvdata(pdev);
struct synquacer_spi *sspi = spi_master_get_devdata(master);
+ spi_master_get(master);
+
+ spi_unregister_master(master);
+
pm_runtime_disable(sspi->dev);
clk_disable_unprepare(sspi->clk);
+ spi_master_put(master);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 312/411] spi: sun4i: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 311/411] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 313/411] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
` (99 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 42108a2f03e0fdeabe9d02d085bdb058baa1189f ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: b5f6517948cc ("spi: sunxi: Add Allwinner A10 SPI controller driver")
Cc: stable@vger.kernel.org # 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-19-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed `host`/`spi_controller` to `master`/`spi_master` and kept `int` return type with `return 0` in remove ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sun4i.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -503,7 +503,7 @@ static int sun4i_spi_probe(struct platfo
pm_runtime_enable(&pdev->dev);
pm_runtime_idle(&pdev->dev);
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = spi_register_master(master);
if (ret) {
dev_err(&pdev->dev, "cannot register SPI master\n");
goto err_pm_disable;
@@ -521,8 +521,16 @@ err_free_master:
static int sun4i_spi_remove(struct platform_device *pdev)
{
+ struct spi_master *master = platform_get_drvdata(pdev);
+
+ spi_master_get(master);
+
+ spi_unregister_master(master);
+
pm_runtime_force_suspend(&pdev->dev);
+ spi_master_put(master);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 313/411] spi: spi-ti-qspi: Convert to platform remove callback returning void
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 312/411] spi: sun4i: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 314/411] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
` (98 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 2f2802d1a59d79a3d00cb429841db502c2bbc3df ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is ignored (apart
from emitting a warning) and this typically results in resource leaks.
To improve here there is a quest to make the remove callback return
void. In the first step of this quest all drivers are converted to
.remove_new(), which already returns void. Eventually after all drivers
are converted, .remove_new() will be renamed to .remove().
Add an error message to the error path that returned an error before to
replace the core's error message with more information. Apart from the
different wording of the error message, this patch doesn't introduce a
semantic difference.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20231105172649.3738556-2-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0c18a1bacbb1 ("spi: ti-qspi: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-ti-qspi.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -907,21 +907,22 @@ free_master:
return ret;
}
-static int ti_qspi_remove(struct platform_device *pdev)
+static void ti_qspi_remove(struct platform_device *pdev)
{
struct ti_qspi *qspi = platform_get_drvdata(pdev);
int rc;
rc = spi_master_suspend(qspi->master);
- if (rc)
- return rc;
+ if (rc) {
+ dev_alert(&pdev->dev, "spi_master_suspend() failed (%pe)\n",
+ ERR_PTR(rc));
+ return;
+ }
pm_runtime_put_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
ti_qspi_dma_cleanup(qspi);
-
- return 0;
}
static const struct dev_pm_ops ti_qspi_pm_ops = {
@@ -930,7 +931,7 @@ static const struct dev_pm_ops ti_qspi_p
static struct platform_driver ti_qspi_driver = {
.probe = ti_qspi_probe,
- .remove = ti_qspi_remove,
+ .remove_new = ti_qspi_remove,
.driver = {
.name = "ti-qspi",
.pm = &ti_qspi_pm_ops,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 314/411] spi: ti-qspi: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 313/411] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 315/411] spi: zynq-qspi: " Greg Kroah-Hartman
` (97 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Johan Hovold, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Note that the controller is suspended before disabling and releasing
resources since commit 3ac066e2227c ("spi: spi-ti-qspi: Suspend the
queue before removing the device") which avoids issues like unclocked
accesses but prevents SPI device drivers from doing I/O during
deregistration.
Fixes: 3b3a80019ff1 ("spi: ti-qspi: one only one interrupt handler")
Cc: stable@vger.kernel.org # 3.13
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-24-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller_* API calls to legacy spi_master_* equivalents and qspi->host to qspi->master ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-ti-qspi.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
--- a/drivers/spi/spi-ti-qspi.c
+++ b/drivers/spi/spi-ti-qspi.c
@@ -895,7 +895,7 @@ no_dma:
qspi->mmap_enabled = false;
qspi->current_cs = -1;
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = spi_register_master(master);
if (!ret)
return 0;
@@ -910,19 +910,17 @@ free_master:
static void ti_qspi_remove(struct platform_device *pdev)
{
struct ti_qspi *qspi = platform_get_drvdata(pdev);
- int rc;
- rc = spi_master_suspend(qspi->master);
- if (rc) {
- dev_alert(&pdev->dev, "spi_master_suspend() failed (%pe)\n",
- ERR_PTR(rc));
- return;
- }
+ spi_master_get(qspi->master);
+
+ spi_unregister_master(qspi->master);
pm_runtime_put_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
ti_qspi_dma_cleanup(qspi);
+
+ spi_master_put(qspi->master);
}
static const struct dev_pm_ops ti_qspi_pm_ops = {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 315/411] spi: zynq-qspi: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 314/411] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 316/411] spi: sun6i: " Greg Kroah-Hartman
` (96 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naga Sureshkumar Relli, Johan Hovold,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit c9c012706c9fa8ca6d129a9161caf92ab625a3fd ]
Make sure to deregister the controller before disabling it during driver
unbind.
Note that clocks were also disabled before the recent commit
1f8fd9490e31 ("spi: zynq-qspi: Simplify clock handling with
devm_clk_get_enabled()").
Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
Cc: stable@vger.kernel.org # 5.2: 8eb2fd00f65a
Cc: stable@vger.kernel.org # 5.2
Cc: Naga Sureshkumar Relli <naga.sureshkumar.relli@xilinx.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-27-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ kept int-returning remove() with manual clk_disable_unprepare() calls and routed probe error through existing clk_dis_all cascade instead of upstream's remove_ctlr label ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-zynq-qspi.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -652,7 +652,7 @@ static int zynq_qspi_probe(struct platfo
xqspi = spi_controller_get_devdata(ctlr);
xqspi->dev = dev;
- platform_set_drvdata(pdev, xqspi);
+ platform_set_drvdata(pdev, ctlr);
xqspi->regs = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(xqspi->regs)) {
ret = PTR_ERR(xqspi->regs);
@@ -722,9 +722,9 @@ static int zynq_qspi_probe(struct platfo
/* QSPI controller initializations */
zynq_qspi_init_hw(xqspi, ctlr->num_chipselect);
- ret = devm_spi_register_controller(&pdev->dev, ctlr);
+ ret = spi_register_controller(ctlr);
if (ret) {
- dev_err(&pdev->dev, "spi_register_master failed\n");
+ dev_err(&pdev->dev, "failed to register controller\n");
goto clk_dis_all;
}
@@ -752,13 +752,20 @@ remove_master:
*/
static int zynq_qspi_remove(struct platform_device *pdev)
{
- struct zynq_qspi *xqspi = platform_get_drvdata(pdev);
+ struct spi_controller *ctlr = platform_get_drvdata(pdev);
+ struct zynq_qspi *xqspi = spi_controller_get_devdata(ctlr);
+
+ spi_controller_get(ctlr);
+
+ spi_unregister_controller(ctlr);
zynq_qspi_write(xqspi, ZYNQ_QSPI_ENABLE_OFFSET, 0);
clk_disable_unprepare(xqspi->refclk);
clk_disable_unprepare(xqspi->pclk);
+ spi_controller_put(ctlr);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 316/411] spi: sun6i: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 315/411] spi: zynq-qspi: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 317/411] spi: tegra114: " Greg Kroah-Hartman
` (95 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Johan Hovold,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver")
Cc: stable@vger.kernel.org # 3.15
Cc: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-20-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller APIs to spi_master equivalents and kept int return type for sun6i_spi_remove ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-sun6i.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -688,7 +688,7 @@ static int sun6i_spi_probe(struct platfo
pm_runtime_set_active(&pdev->dev);
pm_runtime_enable(&pdev->dev);
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = spi_register_master(master);
if (ret) {
dev_err(&pdev->dev, "cannot register SPI master\n");
goto err_pm_disable;
@@ -714,12 +714,19 @@ static int sun6i_spi_remove(struct platf
{
struct spi_master *master = platform_get_drvdata(pdev);
+ spi_master_get(master);
+
+ spi_unregister_master(master);
+
pm_runtime_force_suspend(&pdev->dev);
if (master->dma_tx)
dma_release_channel(master->dma_tx);
if (master->dma_rx)
dma_release_channel(master->dma_rx);
+
+ spi_master_put(master);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 317/411] spi: tegra114: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 316/411] spi: sun6i: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 318/411] spi: tegra20-sflash: " Greg Kroah-Hartman
` (94 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jingoo Han, Johan Hovold, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 9c9c27ff2058142d8f800de3186d6864184958de ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: 5c8096439600 ("spi: tegra114: use devm_spi_register_master()")
Cc: stable@vger.kernel.org # 3.13
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-22-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller/host APIs to spi_master/master equivalents and placed spi_master_put() before the existing return 0 in remove ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-tegra114.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -1417,7 +1417,7 @@ static int tegra_spi_probe(struct platfo
}
master->dev.of_node = pdev->dev.of_node;
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = spi_register_master(master);
if (ret < 0) {
dev_err(&pdev->dev, "can not register to master err %d\n", ret);
goto exit_free_irq;
@@ -1443,6 +1443,10 @@ static int tegra_spi_remove(struct platf
struct spi_master *master = platform_get_drvdata(pdev);
struct tegra_spi_data *tspi = spi_master_get_devdata(master);
+ spi_master_get(master);
+
+ spi_unregister_master(master);
+
free_irq(tspi->irq, tspi);
if (tspi->tx_dma_chan)
@@ -1455,6 +1459,8 @@ static int tegra_spi_remove(struct platf
if (!pm_runtime_status_suspended(&pdev->dev))
tegra_spi_runtime_suspend(&pdev->dev);
+ spi_master_put(master);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 318/411] spi: tegra20-sflash: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 317/411] spi: tegra114: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 319/411] spi: uniphier: " Greg Kroah-Hartman
` (93 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jingoo Han, Johan Hovold, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit ad7310e983327f939dd6c4e801eab13238992572 ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: f12f7318c44a ("spi: tegra20-sflash: use devm_spi_register_master()")
Cc: stable@vger.kernel.org # 3.13
Cc: Jingoo Han <jg1.han@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-23-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller/host APIs to spi_master/master equivalents and switched devm_spi_register_master to spi_register_master ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-tegra20-sflash.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-tegra20-sflash.c
+++ b/drivers/spi/spi-tegra20-sflash.c
@@ -507,7 +507,7 @@ static int tegra_sflash_probe(struct pla
pm_runtime_put(&pdev->dev);
master->dev.of_node = pdev->dev.of_node;
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = spi_register_master(master);
if (ret < 0) {
dev_err(&pdev->dev, "can not register to master err %d\n", ret);
goto exit_pm_disable;
@@ -530,12 +530,18 @@ static int tegra_sflash_remove(struct pl
struct spi_master *master = platform_get_drvdata(pdev);
struct tegra_sflash_data *tsd = spi_master_get_devdata(master);
+ spi_master_get(master);
+
+ spi_unregister_master(master);
+
free_irq(tsd->irq, tsd);
pm_runtime_disable(&pdev->dev);
if (!pm_runtime_status_suspended(&pdev->dev))
tegra_sflash_runtime_suspend(&pdev->dev);
+ spi_master_put(master);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 319/411] spi: uniphier: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 318/411] spi: tegra20-sflash: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 320/411] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
` (92 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keiji Hayashibara, Johan Hovold,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 0245435f777264ac45945ed2f325dd095a41d1af ]
Make sure to deregister the controller before releasing underlying
resources like DMA during driver unbind.
Note that clocks were also disabled before the recent commit
fdca270f8f87 ("spi: uniphier: Simplify clock handling with
devm_clk_get_enabled()").
Fixes: 5ba155a4d4cc ("spi: add SPI controller driver for UniPhier SoC")
Cc: stable@vger.kernel.org # 4.19
Cc: Keiji Hayashibara <hayashibara.keiji@socionext.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-25-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_*_controller/host APIs to spi_*_master/master aliases and kept the pre-existing clk_disable_unprepare() after unregister ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-uniphier.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-uniphier.c
+++ b/drivers/spi/spi-uniphier.c
@@ -751,7 +751,7 @@ static int uniphier_spi_probe(struct pla
master->max_dma_len = min(dma_tx_burst, dma_rx_burst);
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = spi_register_master(master);
if (ret)
goto out_release_dma;
@@ -780,6 +780,10 @@ static int uniphier_spi_remove(struct pl
struct spi_master *master = platform_get_drvdata(pdev);
struct uniphier_spi_priv *priv = spi_master_get_devdata(master);
+ spi_master_get(master);
+
+ spi_unregister_master(master);
+
if (master->dma_tx)
dma_release_channel(master->dma_tx);
if (master->dma_rx)
@@ -787,6 +791,8 @@ static int uniphier_spi_remove(struct pl
clk_disable_unprepare(priv->clk);
+ spi_master_put(master);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 320/411] mm/hugetlb_cma: round up per_node before logging it
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 319/411] spi: uniphier: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 321/411] fbcon: Avoid OOB font access if console rotation fails Greg Kroah-Hartman
` (91 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sang-Heon Jeon, Muchun Song,
David Hildenbrand, Oscar Salvador, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sang-Heon Jeon <ekffu200098@gmail.com>
[ Upstream commit 8f5ce56b76303c55b78a87af996e2e0f8535f979 ]
When the user requests a total hugetlb CMA size without per-node
specification, hugetlb_cma_reserve() computes per_node from
hugetlb_cma_size and the number of nodes that have memory
per_node = DIV_ROUND_UP(hugetlb_cma_size,
nodes_weight(hugetlb_bootmem_nodes));
The reservation loop later computes
size = round_up(min(per_node, hugetlb_cma_size - reserved),
PAGE_SIZE << order);
So the actually reserved per_node size is multiple of (PAGE_SIZE <<
order), but the logged per_node is not rounded up, so it may be smaller
than the actual reserved size.
For example, as the existing comment describes, if a 3 GB area is
requested on a machine with 4 NUMA nodes that have memory, 1 GB is
allocated on the first three nodes, but the printed log is
hugetlb_cma: reserve 3072 MiB, up to 768 MiB per node
Round per_node up to (PAGE_SIZE << order) before logging so that the
printed log always matches the actual reserved size. No functional change
to the actual reservation size, as the following case analysis shows
1. remaining (hugetlb_cma_size - reserved) >= rounded per_node
- AS-IS: min() picks unrounded per_node;
round_up() returns rounded per_node
- TO-BE: min() picks rounded per_node;
round_up() returns rounded per_node (no-op)
2. remaining < unrounded per_node
- AS-IS: min() picks remaining;
round_up() returns round_up(remaining)
- TO-BE: min() picks remaining;
round_up() returns round_up(remaining)
3. unrounded per_node <= remaining < rounded per_node
- AS-IS: min() picks unrounded per_node;
round_up() returns rounded per_node
- TO-BE: min() picks remaining;
round_up() returns round_up(remaining) equals rounded per_node
Link: https://lore.kernel.org/20260422143353.852257-1-ekffu200098@gmail.com
Fixes: cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma") # 5.7
Signed-off-by: Sang-Heon Jeon <ekffu200098@gmail.com>
Reviewed-by: Muchun Song <muchun.song@linux.dev>
Cc: David Hildenbrand <david@kernel.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ applied the one-line `round_up` to `mm/hugetlb.c` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 1 +
1 file changed, 1 insertion(+)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6493,6 +6493,7 @@ void __init hugetlb_cma_reserve(int orde
* let's allocate 1 GB on first three nodes and ignore the last one.
*/
per_node = DIV_ROUND_UP(hugetlb_cma_size, nr_online_nodes);
+ per_node = round_up(per_node, PAGE_SIZE << order);
pr_info("hugetlb_cma: reserve %lu MiB, up to %lu MiB per node\n",
hugetlb_cma_size / SZ_1M, per_node / SZ_1M);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 321/411] fbcon: Avoid OOB font access if console rotation fails
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 320/411] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 322/411] spi: topcliff-pch: Convert to platform remove callback returning void Greg Kroah-Hartman
` (90 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Helge Deller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit e4ef723d8975a2694cc90733a6b888a5e2841842 ]
Clear the font buffer if the reallocation during console rotation fails
in fbcon_rotate_font(). The putcs implementations for the rotated buffer
will return early in this case. See [1] for an example.
Currently, fbcon_rotate_font() keeps the old buffer, which is too small
for the rotated font. Printing to the rotated console with a high-enough
character code will overflow the font buffer.
v2:
- fix typos in commit message
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: 6cc50e1c5b57 ("[PATCH] fbcon: Console Rotation - Add support to rotate font bitmap")
Cc: stable@vger.kernel.org # v2.6.15+
Link: https://elixir.bootlin.com/linux/v6.19/source/drivers/video/fbdev/core/fbcon_ccw.c#L144 # [1]
Signed-off-by: Helge Deller <deller@gmx.de>
[ renamed `par` to `ops` to match the 6.12 local pointer name ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbcon_rotate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/video/fbdev/core/fbcon_rotate.c
+++ b/drivers/video/fbdev/core/fbcon_rotate.c
@@ -46,6 +46,10 @@ static int fbcon_rotate_font(struct fb_i
info->fbops->fb_sync(info);
if (ops->fd_size < d_cellsize * len) {
+ kfree(ops->fontbuffer);
+ ops->fontbuffer = NULL;
+ ops->fd_size = 0;
+
dst = kmalloc_array(len, d_cellsize, GFP_KERNEL);
if (dst == NULL) {
@@ -54,7 +58,6 @@ static int fbcon_rotate_font(struct fb_i
}
ops->fd_size = d_cellsize * len;
- kfree(ops->fontbuffer);
ops->fontbuffer = dst;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 322/411] spi: topcliff-pch: Convert to platform remove callback returning void
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 321/411] fbcon: Avoid OOB font access if console rotation fails Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 323/411] spi: topcliff-pch: fix controller deregistration Greg Kroah-Hartman
` (89 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit b082694f18bdff807b42a3bccc62c3a524168f23 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230303172041.2103336-83-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 5d6f477d6fc0 ("spi: topcliff-pch: fix controller deregistration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-topcliff-pch.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1417,7 +1417,7 @@ err_pci_iomap:
return ret;
}
-static int pch_spi_pd_remove(struct platform_device *plat_dev)
+static void pch_spi_pd_remove(struct platform_device *plat_dev)
{
struct pch_spi_board_data *board_dat = dev_get_platdata(&plat_dev->dev);
struct pch_spi_data *data = platform_get_drvdata(plat_dev);
@@ -1455,8 +1455,6 @@ static int pch_spi_pd_remove(struct plat
pci_iounmap(board_dat->pdev, data->io_remap_addr);
spi_unregister_master(data->master);
-
- return 0;
}
#ifdef CONFIG_PM
static int pch_spi_pd_suspend(struct platform_device *pd_dev,
@@ -1537,7 +1535,7 @@ static struct platform_driver pch_spi_pd
.name = "pch-spi",
},
.probe = pch_spi_pd_probe,
- .remove = pch_spi_pd_remove,
+ .remove_new = pch_spi_pd_remove,
.suspend = pch_spi_pd_suspend,
.resume = pch_spi_pd_resume
};
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 323/411] spi: topcliff-pch: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 322/411] spi: topcliff-pch: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 324/411] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
` (88 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masayuki Ohtake, Johan Hovold,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 5d6f477d6fc0767c57c5e1e6f55a1662820eef87 ]
Make sure to deregister the controller before disabling and releasing
underlying resources like interrupts and DMA during driver unbind.
Fixes: e8b17b5b3f30 ("spi/topcliff: Add topcliff platform controller hub (PCH) spi bus driver")
Cc: stable@vger.kernel.org # 2.6.37
Cc: Masayuki Ohtake <masa-korg@dsn.okisemi.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-8-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ renamed spi_controller_*(data->host) calls to spi_master_*(data->master) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-topcliff-pch.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1450,11 +1450,16 @@ static void pch_spi_pd_remove(struct pla
free_irq(board_dat->pdev->irq, data);
}
+ spi_master_get(data->master);
+
+ spi_unregister_master(data->master);
+
if (use_dma)
pch_free_dma_buf(board_dat, data);
pci_iounmap(board_dat->pdev, data->io_remap_addr);
- spi_unregister_master(data->master);
+
+ spi_master_put(data->master);
}
#ifdef CONFIG_PM
static int pch_spi_pd_suspend(struct platform_device *pd_dev,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 324/411] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 323/411] spi: topcliff-pch: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 325/411] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
` (87 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yochai Eisenrich, David Sterba,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yochai Eisenrich <yochaie@sweet.security>
[ Upstream commit 973e57c726c1f8e77259d1c8e519519f1e9aea77 ]
btrfs_ioctl_space_info() has a TOCTOU race between two passes over the
block group RAID type lists. The first pass counts entries to determine
the allocation size, then the second pass fills the buffer. The
groups_sem rwlock is released between passes, allowing concurrent block
group removal to reduce the entry count.
When the second pass fills fewer entries than the first pass counted,
copy_to_user() copies the full alloc_size bytes including trailing
uninitialized kmalloc bytes to userspace.
Fix by copying only total_spaces entries (the actually-filled count from
the second pass) instead of alloc_size bytes, and switch to kzalloc so
any future copy size mismatch cannot leak heap data.
Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl")
CC: stable@vger.kernel.org # 3.0
Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ adapted upstream's `return -EFAULT;` to stable's `ret = -EFAULT;` fall-through to existing `out:` cleanup label ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3612,7 +3612,7 @@ static long btrfs_ioctl_space_info(struc
return -ENOMEM;
space_args.total_spaces = 0;
- dest = kmalloc(alloc_size, GFP_KERNEL);
+ dest = kzalloc(alloc_size, GFP_KERNEL);
if (!dest)
return -ENOMEM;
dest_orig = dest;
@@ -3668,7 +3668,8 @@ static long btrfs_ioctl_space_info(struc
user_dest = (struct btrfs_ioctl_space_info __user *)
(arg + sizeof(struct btrfs_ioctl_space_args));
- if (copy_to_user(user_dest, dest_orig, alloc_size))
+ if (copy_to_user(user_dest, dest_orig,
+ space_args.total_spaces * sizeof(*dest_orig)))
ret = -EFAULT;
kfree(dest_orig);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 325/411] tracing/probes: Limit size of event probe to 3K
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 324/411] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 326/411] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
` (86 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
Masami Hiramatsu (Google), Steven Rostedt, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit b2aa3b4d64e460ac606f386c24e7d8a873ce6f1a ]
There currently isn't a max limit an event probe can be. One could make an
event greater than PAGE_SIZE, which makes the event useless because if
it's bigger than the max event that can be recorded into the ring buffer,
then it will never be recorded.
A event probe should never need to be greater than 3K, so make that the
max size. As long as the max is less than the max that can be recorded
onto the ring buffer, it should be fine.
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Fixes: 93ccae7a22274 ("tracing/kprobes: Support basic types on dynamic events")
Link: https://patch.msgid.link/20260428122302.706610ba@gandalf.local.home
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[ adjusted context for missing later-kernel infrastructure and used `goto out` instead of `goto fail` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_probe.c | 6 ++++++
kernel/trace/trace_probe.h | 4 +++-
2 files changed, 9 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -647,6 +647,12 @@ static int traceprobe_parse_probe_arg_bo
parg->offset = *size;
*size += parg->type->size * (parg->count ?: 1);
+ if (*size > MAX_PROBE_EVENT_SIZE) {
+ ret = -E2BIG;
+ trace_probe_log_err(offset, EVENT_TOO_BIG);
+ goto out;
+ }
+
ret = -ENOMEM;
if (parg->count) {
len = strlen(parg->type->fmttype) + 6;
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -33,6 +33,7 @@
#define MAX_ARRAY_LEN 64
#define MAX_ARG_NAME_LEN 32
#define MAX_STRING_SIZE PATH_MAX
+#define MAX_PROBE_EVENT_SIZE 3072
/* Reserved field names */
#define FIELD_STRING_IP "__probe_ip"
@@ -455,7 +456,8 @@ extern int traceprobe_define_arg_fields(
C(FAIL_REG_PROBE, "Failed to register probe event"),\
C(DIFF_PROBE_TYPE, "Probe type is different from existing probe"),\
C(DIFF_ARG_TYPE, "Argument type or name is different from existing probe"),\
- C(SAME_PROBE, "There is already the exact same probe event"),
+ C(SAME_PROBE, "There is already the exact same probe event"),\
+ C(EVENT_TOO_BIG, "Event too big (too many fields?)"),
#undef C
#define C(a, b) TP_ERR_##a
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 326/411] pmdomain: core: Fix detach procedure for virtual devices in genpd
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 325/411] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 327/411] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
` (85 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Geert Uytterhoeven, Ulf Hansson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulf Hansson <ulf.hansson@linaro.org>
[ Upstream commit 26735dfdd8930d9ef1fa92e590a9bf77726efdf6 ]
If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),
genpd calls pm_runtime_enable() for the corresponding virtual device that
it registers. While this avoids boilerplate code in drivers, there is no
corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().
This means these virtual devices are typically detached from its genpd,
while runtime PM remains enabled for them, which is not how things are
designed to work. In worst cases it may lead to critical errors, like a
NULL pointer dereference bug in genpd_runtime_suspend(), which was recently
reported. For another case, we may end up keeping an unnecessary vote for a
performance state for the device.
To fix these problems, let's add this missing call to pm_runtime_disable()
in genpd_dev_pm_detach().
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Closes: https://lore.kernel.org/all/CAMuHMdWapT40hV3c+CSBqFOW05aWcV1a6v_NiJYgoYi0i9_PDQ@mail.gmail.com/
Fixes: 3c095f32a92b ("PM / Domains: Add support for multi PM domains per device to genpd")
Cc: stable@vger.kernel.org
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/domain.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/base/power/domain.c
+++ b/drivers/base/power/domain.c
@@ -2596,6 +2596,7 @@ static struct bus_type genpd_bus_type =
static void genpd_dev_pm_detach(struct device *dev, bool power_off)
{
struct generic_pm_domain *pd;
+ bool is_virt_dev;
unsigned int i;
int ret = 0;
@@ -2605,6 +2606,13 @@ static void genpd_dev_pm_detach(struct d
dev_dbg(dev, "removing from PM domain %s\n", pd->name);
+ /* Check if the device was created by genpd at attach. */
+ is_virt_dev = dev->bus == &genpd_bus_type;
+
+ /* Disable runtime PM if we enabled it at attach. */
+ if (is_virt_dev)
+ pm_runtime_disable(dev);
+
/* Drop the default performance state */
if (dev_gpd_data(dev)->default_pstate) {
dev_pm_genpd_set_performance_state(dev, 0);
@@ -2630,7 +2638,7 @@ static void genpd_dev_pm_detach(struct d
genpd_queue_power_off_work(pd);
/* Unregister the device if it was created by genpd. */
- if (dev->bus == &genpd_bus_type)
+ if (is_virt_dev)
device_unregister(dev);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 327/411] smb: client: validate dacloffset before building DACL pointers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 326/411] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 328/411] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
` (84 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit f98b48151cc502ada59d9778f0112d21f2586ca3 ]
parse_sec_desc(), build_sec_desc(), and the chown path in
id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd
before proving a DACL header fits inside the returned security
descriptor.
On 32-bit builds a malicious server can return dacloffset near
U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip
past the later pointer-based bounds checks. build_sec_desc() and
id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped
pointer in the chmod/chown rewrite paths.
Validate dacloffset numerically before building any DACL pointer and
reuse the same helper at the three DACL entry points.
Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ renamed smb_ntsd/smb_acl structs to cifs_ntsd/cifs_acl and kept existing inline ACL size check instead of using missing validate_dacl() helper ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsacl.c | 35 ++++++++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -1254,6 +1254,17 @@ static int parse_sid(struct cifs_sid *ps
return 0;
}
+static bool dacl_offset_valid(unsigned int acl_len, __u32 dacloffset)
+{
+ if (acl_len < sizeof(struct cifs_acl))
+ return false;
+
+ if (dacloffset < sizeof(struct cifs_ntsd))
+ return false;
+
+ return dacloffset <= acl_len - sizeof(struct cifs_acl);
+}
+
/* Convert CIFS ACL to POSIX form */
static int parse_sec_desc(struct cifs_sb_info *cifs_sb,
@@ -1274,7 +1285,6 @@ static int parse_sec_desc(struct cifs_sb
group_sid_ptr = (struct cifs_sid *)((char *)pntsd +
le32_to_cpu(pntsd->gsidoffset));
dacloffset = le32_to_cpu(pntsd->dacloffset);
- dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n",
pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset),
le32_to_cpu(pntsd->gsidoffset),
@@ -1305,11 +1315,18 @@ static int parse_sec_desc(struct cifs_sb
return rc;
}
- if (dacloffset)
+ if (dacloffset) {
+ if (!dacl_offset_valid(acl_len, dacloffset)) {
+ cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+ return -EINVAL;
+ }
+
+ dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr,
group_sid_ptr, fattr, get_mode_from_special_sid);
- else
+ } else {
cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */
+ }
return rc;
}
@@ -1332,6 +1349,11 @@ static int build_sec_desc(struct cifs_nt
dacloffset = le32_to_cpu(pntsd->dacloffset);
if (dacloffset) {
+ if (!dacl_offset_valid(secdesclen, dacloffset)) {
+ cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+ return -EINVAL;
+ }
+
dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
rc = validate_dacl(dacl_ptr, end_of_acl);
if (rc)
@@ -1694,6 +1716,12 @@ id_mode_to_cifs_acl(struct inode *inode,
nsecdesclen = sizeof(struct cifs_ntsd) + (sizeof(struct cifs_sid) * 2);
dacloffset = le32_to_cpu(pntsd->dacloffset);
if (dacloffset) {
+ if (!dacl_offset_valid(secdesclen, dacloffset)) {
+ cifs_dbg(VFS, "Server returned illegal DACL offset\n");
+ rc = -EINVAL;
+ goto id_mode_to_cifs_acl_exit;
+ }
+
dacl_ptr = (struct cifs_acl *)((char *)pntsd + dacloffset);
rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
if (rc) {
@@ -1736,6 +1764,7 @@ id_mode_to_cifs_acl(struct inode *inode,
rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag);
cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
}
+id_mode_to_cifs_acl_exit:
cifs_put_tlink(tlink);
kfree(pnntsd);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 328/411] btrfs: fix missing last_unlink_trans update when removing a directory
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 327/411] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 329/411] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
` (83 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Slava0135, Filipe Manana,
David Sterba, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 999757231c49376cd1a37308d2c8c4c9932571e1 ]
When removing a directory we are not updating its last_unlink_trans field,
which can result in incorrect fsync behaviour in case some one fsyncs the
directory after it was removed because it's holding a file descriptor on
it.
Example scenario:
mkdir /mnt/dir1
mkdir /mnt/dir1/dir2
mkdir /mnt/dir3
sync -f /mnt
# Do some change to the directory and fsync it.
chmod 700 /mnt/dir1
xfs_io -c fsync /mnt/dir1
# Move dir2 out of dir1 so that dir1 becomes empty.
mv /mnt/dir1/dir2 /mnt/dir3/
open fd on /mnt/dir1
call rmdir(2) on path "/mnt/dir1"
fsync fd
<trigger power failure>
When attempting to mount the filesystem, the log replay will fail with
an -EIO error and dmesg/syslog has the following:
[445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650
[445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm
[445771.627912] BTRFS info (device dm-0): start tree-log replay
[445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5
[445771.629453] memcg:ffff89f400351b00
[445771.629892] aops:btree_aops [btrfs] ino:1
[445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8
[445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00
[445771.635029] page dumped because: eb page dump
[445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir
[445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5
[445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087
[445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[445771.638097] inode generation 3 transid 9 size 16 nbytes 16384
[445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0
[445771.638100] rdev 0 sequence 2 flags 0x0
[445771.638102] atime 1775744884.0
[445771.660056] ctime 1775744885.645502983
[445771.660058] mtime 1775744885.645502983
[445771.660060] otime 1775744884.0
[445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[445771.660064] index 0 name_len 2
[445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34
[445771.660068] location key (259 1 0) type 2
[445771.660070] transid 9 data_len 0 name_len 4
[445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34
[445771.660076] location key (257 1 0) type 2
[445771.660077] transid 9 data_len 0 name_len 4
[445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[445771.660079] location key (257 1 0) type 2
[445771.660080] transid 9 data_len 0 name_len 4
[445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34
[445771.660082] location key (259 1 0) type 2
[445771.660083] transid 9 data_len 0 name_len 4
[445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160
[445771.660086] inode generation 9 transid 9 size 8 nbytes 0
[445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0
[445771.660088] rdev 0 sequence 2 flags 0x0
[445771.660089] atime 1775744885.641174097
[445771.660090] ctime 1775744885.645502983
[445771.660091] mtime 1775744885.645502983
[445771.660105] otime 1775744885.641174097
[445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14
[445771.660107] index 2 name_len 4
[445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34
[445771.660109] location key (258 1 0) type 2
[445771.660110] transid 9 data_len 0 name_len 4
[445771.660111] item 9 key (257 DIR_INDEX 2) itemoff 15733 itemsize 34
[445771.660112] location key (258 1 0) type 2
[445771.660113] transid 9 data_len 0 name_len 4
[445771.660114] item 10 key (258 INODE_ITEM 0) itemoff 15573 itemsize 160
[445771.660115] inode generation 9 transid 10 size 0 nbytes 0
[445771.660116] block group 0 mode 40755 links 2 uid 0 gid 0
[445771.660117] rdev 0 sequence 0 flags 0x0
[445771.660118] atime 1775744885.645502983
[445771.660119] ctime 1775744885.645502983
[445771.660120] mtime 1775744885.645502983
[445771.660121] otime 1775744885.645502983
[445771.660122] item 11 key (258 INODE_REF 257) itemoff 15559 itemsize 14
[445771.660123] index 2 name_len 4
[445771.660124] item 12 key (258 INODE_REF 259) itemoff 15545 itemsize 14
[445771.660125] index 2 name_len 4
[445771.660126] item 13 key (259 INODE_ITEM 0) itemoff 15385 itemsize 160
[445771.660127] inode generation 9 transid 10 size 8 nbytes 0
[445771.660128] block group 0 mode 40755 links 1 uid 0 gid 0
[445771.660129] rdev 0 sequence 1 flags 0x0
[445771.660130] atime 1775744885.645502983
[445771.660130] ctime 1775744885.645502983
[445771.660131] mtime 1775744885.645502983
[445771.660132] otime 1775744885.645502983
[445771.660133] item 14 key (259 INODE_REF 256) itemoff 15371 itemsize 14
[445771.660134] index 3 name_len 4
[445771.660135] item 15 key (259 DIR_ITEM 2676584006) itemoff 15337 itemsize 34
[445771.660136] location key (258 1 0) type 2
[445771.660137] transid 10 data_len 0 name_len 4
[445771.660138] item 16 key (259 DIR_INDEX 2) itemoff 15303 itemsize 34
[445771.660139] location key (258 1 0) type 2
[445771.660140] transid 10 data_len 0 name_len 4
[445771.660144] BTRFS error (device dm-0): block=30408704 write time tree block corruption detected
[445771.661650] ------------[ cut here ]------------
[445771.662358] WARNING: fs/btrfs/disk-io.c:326 at btree_csum_one_bio+0x217/0x230 [btrfs], CPU#8: mount/3581087
[445771.663588] Modules linked in: btrfs f2fs xfs (...)
[445771.671229] CPU: 8 UID: 0 PID: 3581087 Comm: mount Tainted: G W 7.0.0-rc6-btrfs-next-230+ #2 PREEMPT(full)
[445771.672575] Tainted: [W]=WARN
[445771.672987] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[445771.674460] RIP: 0010:btree_csum_one_bio+0x217/0x230 [btrfs]
[445771.675222] Code: 89 44 24 (...)
[445771.677364] RSP: 0018:ffffd23882247660 EFLAGS: 00010246
[445771.678029] RAX: 0000000000000000 RBX: ffff89f6c51d1a90 RCX: 0000000000000000
[445771.678975] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff89f406020000
[445771.679983] RBP: ffff89f821204000 R08: 0000000000000000 R09: 00000000ffefffff
[445771.680905] R10: ffffd23882247448 R11: 0000000000000003 R12: ffffd23882247668
[445771.681978] R13: ffff89f458e40fc0 R14: ffff89f737f4f500 R15: ffff89f737f4f500
[445771.682912] FS: 00007f0447a98840(0000) GS:ffff89fb9771d000(0000) knlGS:0000000000000000
[445771.684393] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[445771.685230] CR2: 00007f0447bf1330 CR3: 000000017cb02002 CR4: 0000000000370ef0
[445771.686273] Call Trace:
[445771.686646] <TASK>
[445771.686969] btrfs_submit_bbio+0x83f/0x860 [btrfs]
[445771.687750] ? write_one_eb+0x28f/0x340 [btrfs]
[445771.688428] btree_writepages+0x2e3/0x550 [btrfs]
[445771.689180] ? kmem_cache_alloc_noprof+0x12a/0x490
[445771.689963] ? alloc_extent_state+0x19/0x120 [btrfs]
[445771.690801] ? kmem_cache_free+0x135/0x380
[445771.691328] ? preempt_count_add+0x69/0xa0
[445771.691831] ? set_extent_bit+0x252/0x8e0 [btrfs]
[445771.692468] ? xas_load+0x9/0xc0
[445771.692873] ? xas_find+0x14d/0x1a0
[445771.693304] do_writepages+0xc6/0x160
[445771.693756] filemap_writeback+0xb8/0xe0
[445771.694274] btrfs_write_marked_extents+0x61/0x170 [btrfs]
[445771.694999] btrfs_write_and_wait_transaction+0x4e/0xc0 [btrfs]
[445771.695818] btrfs_commit_transaction+0x5c8/0xd10 [btrfs]
[445771.696530] ? kmem_cache_free+0x135/0x380
[445771.697120] ? release_extent_buffer+0x34/0x160 [btrfs]
[445771.697786] btrfs_recover_log_trees+0x7be/0x7e0 [btrfs]
[445771.698525] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
[445771.699206] open_ctree+0x11e5/0x1810 [btrfs]
[445771.699776] btrfs_get_tree.cold+0xb/0x162 [btrfs]
[445771.700463] ? fscontext_read+0x165/0x180
[445771.701146] ? rw_verify_area+0x50/0x180
[445771.701866] vfs_get_tree+0x25/0xd0
[445771.702491] vfs_cmd_create+0x59/0xe0
[445771.703125] __do_sys_fsconfig+0x303/0x610
[445771.703603] do_syscall_64+0xe9/0xf20
[445771.703974] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[445771.704700] RIP: 0033:0x7f0447cbd4aa
[445771.705108] Code: 73 01 c3 (...)
[445771.707263] RSP: 002b:00007ffc4e528318 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
[445771.708107] RAX: ffffffffffffffda RBX: 00005561585d8c20 RCX: 00007f0447cbd4aa
[445771.708931] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
[445771.709744] RBP: 00005561585d9120 R08: 0000000000000000 R09: 0000000000000000
[445771.710674] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[445771.711477] R13: 00007f0447e4f580 R14: 00007f0447e5126c R15: 00007f0447e36a23
[445771.712277] </TASK>
[445771.712541] ---[ end trace 0000000000000000 ]---
[445771.713382] BTRFS error (device dm-0): error while writing out transaction: -5
[445771.714679] BTRFS warning (device dm-0): Skipping commit of aborted transaction.
[445771.715562] BTRFS error (device dm-0 state A): Transaction aborted (error -5)
[445771.716459] BTRFS: error (device dm-0 state A) in cleanup_transaction:2068: errno=-5 IO failure
[445771.717936] BTRFS error (device dm-0 state EA): failed to recover log trees with error: -5
[445771.719681] BTRFS error (device dm-0 state EA): open_ctree failed: -5
The problem is that such a fsync should have result in a fallback to a
transaction commit, but that did not happen because through the
btrfs_rmdir() we never update the directory's last_unlink_trans field.
Any inode that had a link removed must have its last_unlink_trans updated
to the ID of transaction used for the operation, otherwise fsync and log
replay will not work correctly.
btrfs_rmdir() calls btrfs_unlink_inode() and through that call chain we
never call btrfs_record_unlink_dir() in order to update last_unlink_trans.
However btrfs_unlink(), which is used for unlinking regular files, calls
btrfs_record_unlink_dir() and then calls btrfs_unlink_inode(). So fix
this by moving the call to btrfs_record_unlink_dir() from btrfs_unlink()
to btrfs_unlink_inode().
A test case for fstests will follow soon.
Reported-by: Slava0135 <slava.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAAJYhww5ov62Hm+n+tmhcL-e_4cBobg+OWogKjOJxVUXivC=MQ@mail.gmail.com/
CC: stable@vger.kernel.org
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ wrapped dir and inode arguments with BTRFS_I() since 6.1 btrfs_rmdir() uses struct inode * instead of struct btrfs_inode * ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/inode.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4691,6 +4691,8 @@ static int btrfs_rmdir(struct inode *dir
if (err)
goto out;
+ btrfs_record_unlink_dir(trans, BTRFS_I(dir), BTRFS_I(inode), false);
+
/* now the directory is empty */
err = btrfs_unlink_inode(trans, BTRFS_I(dir),
BTRFS_I(d_inode(dentry)), dentry->d_name.name,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 329/411] smb: client: Use FullSessionKey for AES-256 encryption key derivation
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 328/411] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 330/411] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
` (82 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bharath SM, Piyush Sachdeva,
Piyush Sachdeva, Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piyush Sachdeva <s.piyush1024@gmail.com>
[ Upstream commit 5be7a0cef3229fb3b63a07c0d289daf752545424 ]
When Kerberos authentication is used with AES-256 encryption (AES-256-CCM
or AES-256-GCM), the SMB3 encryption and decryption keys must be derived
using the full session key (Session.FullSessionKey) rather than just the
first 16 bytes (Session.SessionKey).
Per MS-SMB2 section 3.2.5.3.1, when Connection.Dialect is "3.1.1" and
Connection.CipherId is AES-256-CCM or AES-256-GCM, Session.FullSessionKey
must be set to the full cryptographic key from the GSS authentication
context. The encryption and decryption key derivation (SMBC2SCipherKey,
SMBS2CCipherKey) must use this FullSessionKey as the KDF input. The
signing key derivation continues to use Session.SessionKey (first 16
bytes) in all cases.
Previously, generate_key() hardcoded SMB2_NTLMV2_SESSKEY_SIZE (16) as the
HMAC-SHA256 key input length for all derivations. When Kerberos with
AES-256 provides a 32-byte session key, the KDF for encryption/decryption
was using only the first 16 bytes, producing keys that did not match the
server's, causing mount failures with sec=krb5 and require_gcm_256=1.
Add a full_key_size parameter to generate_key() and pass the appropriate
size from generate_smb3signingkey():
- Signing: always SMB2_NTLMV2_SESSKEY_SIZE (16 bytes)
- Encryption/Decryption: ses->auth_key.len when AES-256, otherwise 16
Also fix cifs_dump_full_key() to report the actual session key length for
AES-256 instead of hardcoded CIFS_SESS_KEY_SIZE, so that userspace tools
like Wireshark receive the correct key for decryption.
Cc: <stable@vger.kernel.org>
Reviewed-by: Bharath SM <bharathsm@microsoft.com>
Signed-off-by: Piyush Sachdeva <psachdeva@microsoft.com>
Signed-off-by: Piyush Sachdeva <s.piyush1024@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ adapted to legacy crypto_shash API and ses->binding boolean instead of upstream's hmac_sha256 helpers and chan_lock machinery ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/ioctl.c | 2 +-
fs/cifs/smb2transport.c | 36 ++++++++++++++++++++++++++----------
2 files changed, 27 insertions(+), 11 deletions(-)
--- a/fs/cifs/ioctl.c
+++ b/fs/cifs/ioctl.c
@@ -262,7 +262,7 @@ search_end:
break;
case SMB2_ENCRYPTION_AES256_CCM:
case SMB2_ENCRYPTION_AES256_GCM:
- out.session_key_length = CIFS_SESS_KEY_SIZE;
+ out.session_key_length = ses->auth_key.len;
out.server_in_key_length = out.server_out_key_length = SMB3_GCM256_CRYPTKEY_SIZE;
break;
default:
--- a/fs/cifs/smb2transport.c
+++ b/fs/cifs/smb2transport.c
@@ -291,7 +291,8 @@ out:
}
static int generate_key(struct cifs_ses *ses, struct kvec label,
- struct kvec context, __u8 *key, unsigned int key_size)
+ struct kvec context, __u8 *key, unsigned int key_size,
+ unsigned int full_key_size)
{
unsigned char zero = 0x0;
__u8 i[4] = {0, 0, 0, 1};
@@ -312,7 +313,7 @@ static int generate_key(struct cifs_ses
}
rc = crypto_shash_setkey(server->secmech.hmacsha256,
- ses->auth_key.response, SMB2_NTLMV2_SESSKEY_SIZE);
+ ses->auth_key.response, full_key_size);
if (rc) {
cifs_server_dbg(VFS, "%s: Could not set with session key\n", __func__);
goto smb3signkey_ret;
@@ -393,10 +394,9 @@ static int
generate_smb3signingkey(struct cifs_ses *ses,
const struct derivation_triplet *ptriplet)
{
- int rc;
-#ifdef CONFIG_CIFS_DEBUG_DUMP_KEYS
+ unsigned int full_key_size = SMB2_NTLMV2_SESSKEY_SIZE;
struct TCP_Server_Info *server = ses->server;
-#endif
+ int rc;
/*
* All channels use the same encryption/decryption keys but
@@ -412,30 +412,46 @@ generate_smb3signingkey(struct cifs_ses
rc = generate_key(ses, ptriplet->signing.label,
ptriplet->signing.context,
cifs_ses_binding_channel(ses)->signkey,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_SIGN_KEY_SIZE,
+ SMB2_NTLMV2_SESSKEY_SIZE);
if (rc)
return rc;
} else {
rc = generate_key(ses, ptriplet->signing.label,
ptriplet->signing.context,
ses->smb3signingkey,
- SMB3_SIGN_KEY_SIZE);
+ SMB3_SIGN_KEY_SIZE,
+ SMB2_NTLMV2_SESSKEY_SIZE);
if (rc)
return rc;
+ /*
+ * Per MS-SMB2 3.2.5.3.1, signing key always uses Session.SessionKey
+ * (first 16 bytes). Encryption/decryption keys use
+ * Session.FullSessionKey when dialect is 3.1.1 and cipher is
+ * AES-256-CCM or AES-256-GCM, otherwise Session.SessionKey.
+ */
+
+ if (server->dialect == SMB311_PROT_ID &&
+ (server->cipher_type == SMB2_ENCRYPTION_AES256_CCM ||
+ server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
+ full_key_size = ses->auth_key.len;
+
memcpy(ses->chans[0].signkey, ses->smb3signingkey,
SMB3_SIGN_KEY_SIZE);
rc = generate_key(ses, ptriplet->encryption.label,
ptriplet->encryption.context,
ses->smb3encryptionkey,
- SMB3_ENC_DEC_KEY_SIZE);
+ SMB3_ENC_DEC_KEY_SIZE,
+ full_key_size);
if (rc)
return rc;
rc = generate_key(ses, ptriplet->decryption.label,
ptriplet->decryption.context,
ses->smb3decryptionkey,
- SMB3_ENC_DEC_KEY_SIZE);
+ SMB3_ENC_DEC_KEY_SIZE,
+ full_key_size);
if (rc)
return rc;
}
@@ -450,7 +466,7 @@ generate_smb3signingkey(struct cifs_ses
&ses->Suid);
cifs_dbg(VFS, "Cipher type %d\n", server->cipher_type);
cifs_dbg(VFS, "Session Key %*ph\n",
- SMB2_NTLMV2_SESSKEY_SIZE, ses->auth_key.response);
+ (int)ses->auth_key.len, ses->auth_key.response);
cifs_dbg(VFS, "Signing Key %*ph\n",
SMB3_SIGN_KEY_SIZE, ses->smb3signingkey);
if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) ||
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 330/411] mptcp: pm: prio: skip closed subflows
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 329/411] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 331/411] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
` (81 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 166b78344031bf7ac9f55cb5282776cfd85f220e ]
When sending an MP_PRIO, closed subflows need to be skipped.
This fixes the case where the initial subflow got closed, re-opened
later, then an MP_PRIO is needed for the same local address.
Note that explicit MP_PRIO cannot be sent during the 3WHS, so it is fine
to use __mptcp_subflow_active().
Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support")
Cc: stable@vger.kernel.org
Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-9-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied to renamed function `mptcp_pm_nl_mp_prio_send_ack()` in `pm_netlink.c` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -828,6 +828,9 @@ int mptcp_pm_nl_mp_prio_send_ack(struct
struct sock *sk = (struct sock *)msk;
struct mptcp_addr_info local;
+ if (!__mptcp_subflow_active(subflow))
+ continue;
+
mptcp_local_address((struct sock_common *)ssk, &local);
if (!addresses_equal(&local, addr, addr->port))
continue;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 331/411] mptcp: pm: ADD_ADDR rtx: fix potential data-race
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 330/411] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 332/411] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
` (80 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 5cd6e0ad79d2615264f63929f8b457ad97ae550d ]
This mptcp_pm_add_timer() helper is executed as a timer callback in
softirq context. To avoid any data races, the socket lock needs to be
held with bh_lock_sock().
If the socket is in use, retry again soon after, similar to what is done
with the keepalive timer.
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-3-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ applied hunk to `net/mptcp/pm_netlink.c` instead of `net/mptcp/pm.c` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -330,6 +330,13 @@ static void mptcp_pm_add_timer(struct ti
if (!entry->addr.id)
return;
+ bh_lock_sock(sk);
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ sk_reset_timer(sk, timer, jiffies + HZ / 20);
+ goto out;
+ }
+
if (mptcp_pm_should_add_signal_addr(msk)) {
sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
goto out;
@@ -358,6 +365,7 @@ static void mptcp_pm_add_timer(struct ti
mptcp_pm_subflow_established(msk);
out:
+ bh_unlock_sock(sk);
__sock_put(sk);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 332/411] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 331/411] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 333/411] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
` (79 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 3cf12492891c4b5ff54dda404a2de4ec54c9e1b5 ]
When an ADD_ADDR needs to be retransmitted and another one has already
been prepared -- e.g. multiple ADD_ADDRs have been sent in a row and
need to be retransmitted later -- this additional retransmission will
need to wait.
In this case, the timer was reset to TCP_RTO_MAX / 8, which is ~15
seconds. This delay is unnecessary long: it should just be rescheduled
at the next opportunity, e.g. after the retransmission timeout.
Without this modification, some issues can be seen from time to time in
the selftests when multiple ADD_ADDRs are sent, and the host takes time
to process them, e.g. the "signal addresses, ADD_ADDR timeout" MPTCP
Join selftest, especially with a debug kernel config.
Note that on older kernels, 'timeout' is not available. It should be
enough to replace it by one second (HZ).
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-6-fca8091060a4@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ replaced `TCP_RTO_MAX / 8` with `HZ` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -338,7 +338,7 @@ static void mptcp_pm_add_timer(struct ti
}
if (mptcp_pm_should_add_signal_addr(msk)) {
- sk_reset_timer(sk, timer, jiffies + TCP_RTO_MAX / 8);
+ sk_reset_timer(sk, timer, jiffies + HZ);
goto out;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 333/411] f2fs: fix incorrect file address mapping when inline inode is unwritten
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 332/411] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 334/411] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
` (78 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yongpeng Yang, Chao Yu,
Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
[ Upstream commit 68a0178981a0f493295afa29f8880246e561494c ]
When `fileinfo->fi_flags` does not have the `FIEMAP_FLAG_SYNC` bit set
and inline data has not been persisted yet, the physical address of the
extent is calculated incorrectly for unwritten inline inodes.
root@vm:/mnt/f2fs# dd if=/dev/zero of=data.3k bs=3k count=1
root@vm:/mnt/f2fs# f2fs_io fiemap 0 100 data.3k
Fiemap: offset = 0 len = 100
logical addr. physical addr. length flags
0 0000000000000000 00000ffffffff16c 0000000000000c00 00000301
This patch fixes the issue by checking if the inode's address is valid.
If the inline inode is unwritten, set the physical address to 0 and
mark the extent with `FIEMAP_EXTENT_UNKNOWN | FIEMAP_EXTENT_DELALLOC`
flags.
Cc: stable@kernel.org
Fixes: 67f8cf3cee6f ("f2fs: support fiemap for inline_data")
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ renamed `ifolio` to `ipage` in `inline_data_addr()` and `F2FS_INODE()` calls ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inline.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -771,7 +771,7 @@ int f2fs_read_inline_dir(struct file *fi
int f2fs_inline_data_fiemap(struct inode *inode,
struct fiemap_extent_info *fieinfo, __u64 start, __u64 len)
{
- __u64 byteaddr, ilen;
+ __u64 byteaddr = 0, ilen;
__u32 flags = FIEMAP_EXTENT_DATA_INLINE | FIEMAP_EXTENT_NOT_ALIGNED |
FIEMAP_EXTENT_LAST;
struct node_info ni;
@@ -804,9 +804,14 @@ int f2fs_inline_data_fiemap(struct inode
if (err)
goto out;
- byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
- byteaddr += (char *)inline_data_addr(inode, ipage) -
- (char *)F2FS_INODE(ipage);
+ if (__is_valid_data_blkaddr(ni.blk_addr)) {
+ byteaddr = (__u64)ni.blk_addr << inode->i_sb->s_blocksize_bits;
+ byteaddr += (char *)inline_data_addr(inode, ipage) -
+ (char *)F2FS_INODE(ipage);
+ } else {
+ f2fs_bug_on(F2FS_I_SB(inode), ni.blk_addr != NEW_ADDR);
+ flags |= FIEMAP_EXTENT_DELALLOC | FIEMAP_EXTENT_UNKNOWN;
+ }
err = fiemap_fill_next_extent(fieinfo, start, byteaddr, ilen, flags);
trace_f2fs_fiemap(inode, start, byteaddr, ilen, flags, err);
out:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 334/411] f2fs: fix false alarm of lockdep on cp_global_sem lock
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 333/411] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 335/411] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
` (77 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Shinichiro Kawasaki, Chao Yu,
Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 6a5e3de9c2bb0b691d16789a5d19e9276a09b308 ]
lockdep reported a potential deadlock:
a) TCMU device removal context:
- call del_gendisk() to get q->q_usage_counter
- call start_flush_work() to get work_completion of wb->dwork
b) f2fs writeback context:
- in wb_workfn(), which holds work_completion of wb->dwork
- call f2fs_balance_fs() to get sbi->gc_lock
c) f2fs vfs_write context:
- call f2fs_gc() to get sbi->gc_lock
- call f2fs_write_checkpoint() to get sbi->cp_global_sem
d) f2fs mount context:
- call recover_fsync_data() to get sbi->cp_global_sem
- call f2fs_check_and_fix_write_pointer() to call blkdev_report_zones()
that goes down to blk_mq_alloc_request and get q->q_usage_counter
Original callstack is in Closes tag.
However, I think this is a false alarm due to before mount returns
successfully (context d), we can not access file therein via vfs_write
(context c).
Let's introduce per-sb cp_global_sem_key, and assign the key for
cp_global_sem, so that lockdep can recognize cp_global_sem from
different super block correctly.
A lot of work are done by Shin'ichiro Kawasaki, thanks a lot for
the work.
Fixes: c426d99127b1 ("f2fs: Check write pointer consistency of open zones")
Cc: stable@kernel.org
Reported-and-tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Closes: https://lore.kernel.org/linux-f2fs-devel/20260218125237.3340441-1-shinichiro.kawasaki@wdc.com
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ adapted to plain `struct rw_semaphore` (no `f2fs_rwsem` wrapper) and moved success-path `lockdep_unregister_key` from `kill_f2fs_super` to `f2fs_put_super` where sbi is actually freed ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 3 +++
fs/f2fs/super.c | 11 +++++++++++
2 files changed, 14 insertions(+)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1798,6 +1798,9 @@ struct f2fs_sb_info {
spinlock_t iostat_lat_lock;
struct iostat_lat_info *iostat_io_lat;
#endif
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ struct lock_class_key cp_global_sem_key;
+#endif
};
struct f2fs_private_dio {
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1668,6 +1668,9 @@ static void f2fs_put_super(struct super_
#ifdef CONFIG_UNICODE
utf8_unload(sb->s_encoding);
#endif
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
kfree(sbi);
}
@@ -4123,6 +4126,11 @@ try_onemore:
init_rwsem(&sbi->gc_lock);
mutex_init(&sbi->writepages);
init_rwsem(&sbi->cp_global_sem);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_register_key(&sbi->cp_global_sem_key);
+ lockdep_set_class(&sbi->cp_global_sem,
+ &sbi->cp_global_sem_key);
+#endif
init_rwsem(&sbi->node_write);
init_rwsem(&sbi->node_change);
@@ -4524,6 +4532,9 @@ free_sb_buf:
free_sbi:
if (sbi->s_chksum_driver)
crypto_free_shash(sbi->s_chksum_driver);
+#ifdef CONFIG_DEBUG_LOCK_ALLOC
+ lockdep_unregister_key(&sbi->cp_global_sem_key);
+#endif
kfree(sbi);
/* give only one another chance */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 335/411] spi: st-ssc4: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 334/411] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 336/411] spi: lantiq-ssc: " Greg Kroah-Hartman
` (76 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jones, Johan Hovold, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 19857374010d06ca6a2f7c2c53464122eb804df0 ]
Make sure to deregister the controller before disabling underlying
resources like clocks during driver unbind.
Fixes: 9e862375c542 ("spi: Add new driver for STMicroelectronics' SPI Controller")
Cc: stable@vger.kernel.org # 4.0
Cc: Lee Jones <lee@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260410081757.503099-18-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ changed spi_controller/host API calls to spi_master/master equivalents ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-st-ssc4.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-st-ssc4.c
+++ b/drivers/spi/spi-st-ssc4.c
@@ -372,7 +372,7 @@ static int spi_st_probe(struct platform_
platform_set_drvdata(pdev, master);
- ret = devm_spi_register_master(&pdev->dev, master);
+ ret = spi_register_master(master);
if (ret) {
dev_err(&pdev->dev, "Failed to register master\n");
goto rpm_disable;
@@ -394,10 +394,16 @@ static int spi_st_remove(struct platform
struct spi_master *master = platform_get_drvdata(pdev);
struct spi_st *spi_st = spi_master_get_devdata(master);
+ spi_master_get(master);
+
+ spi_unregister_master(master);
+
pm_runtime_disable(&pdev->dev);
clk_disable_unprepare(spi_st->clk);
+ spi_master_put(master);
+
pinctrl_pm_select_sleep_state(&pdev->dev);
return 0;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 336/411] spi: lantiq-ssc: fix controller deregistration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 335/411] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 337/411] genetlink: Use internal flags for multicast groups Greg Kroah-Hartman
` (75 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hauke Mehrtens, Johan Hovold,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit b99206710d032c16b7f8b75e4bc18414d8e4b9f4 ]
Make sure to deregister the controller before releasing underlying
resources like clocks during driver unbind.
Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller")
Cc: stable@vger.kernel.org # 4.11
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260409120419.388546-17-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ adapted spi_controller/host naming to spi_master/master and preserved the int-returning remove() with trailing return 0 ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-lantiq-ssc.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-lantiq-ssc.c
+++ b/drivers/spi/spi-lantiq-ssc.c
@@ -1003,7 +1003,7 @@ static int lantiq_ssc_probe(struct platf
"Lantiq SSC SPI controller (Rev %i, TXFS %u, RXFS %u, DMA %u)\n",
revision, spi->tx_fifo_size, spi->rx_fifo_size, supports_dma);
- err = devm_spi_register_master(dev, master);
+ err = spi_register_master(master);
if (err) {
dev_err(dev, "failed to register spi_master\n");
goto err_wq_destroy;
@@ -1027,6 +1027,10 @@ static int lantiq_ssc_remove(struct plat
{
struct lantiq_ssc_spi *spi = platform_get_drvdata(pdev);
+ spi_master_get(spi->master);
+
+ spi_unregister_master(spi->master);
+
lantiq_ssc_writel(spi, 0, LTQ_SPI_IRNEN);
lantiq_ssc_writel(spi, 0, LTQ_SPI_CLC);
rx_fifo_flush(spi);
@@ -1037,6 +1041,8 @@ static int lantiq_ssc_remove(struct plat
clk_disable_unprepare(spi->spi_clk);
clk_put(spi->fpi_clk);
+ spi_master_put(spi->master);
+
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 337/411] genetlink: Use internal flags for multicast groups
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 336/411] spi: lantiq-ssc: " Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 338/411] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
` (74 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Mat Martineau,
Andy Shevchenko, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit cd4d7263d58ab98fd4dee876776e4da6c328faa3 ]
As explained in commit e03781879a0d ("drop_monitor: Require
'CAP_SYS_ADMIN' when joining "events" group"), the "flags" field in the
multicast group structure reuses uAPI flags despite the field not being
exposed to user space. This makes it impossible to extend its use
without adding new uAPI flags, which is inappropriate for internal
kernel checks.
Solve this by adding internal flags (i.e., "GENL_MCAST_*") and convert
the existing users to use them instead of the uAPI flags.
Tested using the reproducers in commit 44ec98ea5ea9 ("psample: Require
'CAP_NET_ADMIN' when joining "packets" group") and commit e03781879a0d
("drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group").
No functional changes intended.
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d1ebfce2c1d1 ("smb: client: require net admin for CIFS SWN netlink")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/genetlink.h | 9 ++++++---
net/core/drop_monitor.c | 2 +-
net/mptcp/pm_netlink.c | 2 +-
net/netlink/genetlink.c | 4 ++--
net/psample/psample.c | 2 +-
5 files changed, 11 insertions(+), 8 deletions(-)
--- a/include/net/genetlink.h
+++ b/include/net/genetlink.h
@@ -8,16 +8,19 @@
#define GENLMSG_DEFAULT_SIZE (NLMSG_DEFAULT_SIZE - GENL_HDRLEN)
+/* Binding to multicast group requires %CAP_NET_ADMIN */
+#define GENL_MCAST_CAP_NET_ADMIN BIT(0)
+/* Binding to multicast group requires %CAP_SYS_ADMIN */
+#define GENL_MCAST_CAP_SYS_ADMIN BIT(1)
+
/**
* struct genl_multicast_group - generic netlink multicast group
* @name: name of the multicast group, names are per-family
- * @flags: GENL_* flags (%GENL_ADMIN_PERM or %GENL_UNS_ADMIN_PERM)
- * @cap_sys_admin: whether %CAP_SYS_ADMIN is required for binding
+ * @flags: GENL_MCAST_* flags
*/
struct genl_multicast_group {
char name[GENL_NAMSIZ];
u8 flags;
- u8 cap_sys_admin:1;
};
struct genl_ops;
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -184,7 +184,7 @@ out:
}
static const struct genl_multicast_group dropmon_mcgrps[] = {
- { .name = "events", .cap_sys_admin = 1 },
+ { .name = "events", .flags = GENL_MCAST_CAP_SYS_ADMIN, },
};
static void send_dm_alert(struct work_struct *work)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1207,7 +1207,7 @@ void mptcp_pm_nl_data_init(struct mptcp_
static const struct genl_multicast_group mptcp_pm_mcgrps[] = {
[MPTCP_PM_CMD_GRP_OFFSET] = { .name = MPTCP_PM_CMD_GRP_NAME, },
[MPTCP_PM_EV_GRP_OFFSET] = { .name = MPTCP_PM_EV_GRP_NAME,
- .flags = GENL_UNS_ADMIN_PERM,
+ .flags = GENL_MCAST_CAP_NET_ADMIN,
},
};
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1372,10 +1372,10 @@ static int genl_bind(struct net *net, in
continue;
grp = &family->mcgrps[i];
- if ((grp->flags & GENL_UNS_ADMIN_PERM) &&
+ if ((grp->flags & GENL_MCAST_CAP_NET_ADMIN) &&
!ns_capable(net->user_ns, CAP_NET_ADMIN))
ret = -EPERM;
- if (grp->cap_sys_admin &&
+ if ((grp->flags & GENL_MCAST_CAP_SYS_ADMIN) &&
!ns_capable(net->user_ns, CAP_SYS_ADMIN))
ret = -EPERM;
--- a/net/psample/psample.c
+++ b/net/psample/psample.c
@@ -32,7 +32,7 @@ enum psample_nl_multicast_groups {
static const struct genl_multicast_group psample_nl_mcgrps[] = {
[PSAMPLE_NL_MCGRP_CONFIG] = { .name = PSAMPLE_NL_MCGRP_CONFIG_NAME },
[PSAMPLE_NL_MCGRP_SAMPLE] = { .name = PSAMPLE_NL_MCGRP_SAMPLE_NAME,
- .flags = GENL_UNS_ADMIN_PERM },
+ .flags = GENL_MCAST_CAP_NET_ADMIN, },
};
static struct genl_family psample_nl_family __ro_after_init;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 338/411] smb: client: require net admin for CIFS SWN netlink
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 337/411] genetlink: Use internal flags for multicast groups Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 339/411] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
` (73 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit d1ebfce2c1d161186a82e77590bf7da2ea1bce91 ]
CIFS_GENL_CMD_SWN_NOTIFY is the userspace witness-notify command. The
intended sender is the cifs.witness helper, but the generic-netlink
operation currently has no capability flag, so any local process can send
RESOURCE_CHANGE or CLIENT_MOVE notifications to the in-kernel witness
handler.
The same family exposes CIFS_GENL_MCGRP_SWN without multicast-group
capability flags. Register messages sent to that group include the witness
registration id and, for NTLM-authenticated mounts, the username, domain,
and password attributes copied from the CIFS session. An unprivileged
local process should not be able to join that group and receive those
messages.
Require CAP_NET_ADMIN for incoming SWN_NOTIFY commands with
GENL_ADMIN_PERM, and require CAP_NET_ADMIN over the network namespace for
joining the SWN multicast group with GENL_MCAST_CAP_NET_ADMIN. The
cifs.witness service runs with the privileges needed for both operations.
Fixes: fed979a7e082 ("cifs: Set witness notification handler for messages from userspace daemon")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/netlink.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/cifs/netlink.c
+++ b/fs/cifs/netlink.c
@@ -33,13 +33,17 @@ static const struct nla_policy cifs_genl
static const struct genl_ops cifs_genl_ops[] = {
{
.cmd = CIFS_GENL_CMD_SWN_NOTIFY,
+ .flags = GENL_ADMIN_PERM,
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = cifs_swn_notify,
},
};
static const struct genl_multicast_group cifs_genl_mcgrps[] = {
- [CIFS_GENL_MCGRP_SWN] = { .name = CIFS_GENL_MCGRP_SWN_NAME },
+ [CIFS_GENL_MCGRP_SWN] = {
+ .name = CIFS_GENL_MCGRP_SWN_NAME,
+ .flags = GENL_MCAST_CAP_NET_ADMIN,
+ },
};
struct genl_family cifs_genl_family = {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 339/411] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 338/411] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 340/411] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
` (72 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Safa Karakuş,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Safa Karakuş <safa.karakus@secunnix.com>
[ Upstream commit ab1513597c6cf17cd1ad2a21e3b045421b48e022 ]
bt_accept_dequeue() unlinks a not-yet-accepted child from the parent
accept queue and release_sock()s it before returning, so the returned
sk has no caller reference and is unlocked.
l2cap_sock_cleanup_listen() walks these children on listening-socket
close. A concurrent HCI disconnect drives hci_rx_work ->
l2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and
frees the child sk and its l2cap_chan; cleanup_listen() then uses both:
BUG: KASAN: slab-use-after-free in l2cap_sock_kill
l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close
Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill
This is distinct from the two fixes already in this area: commit
e83f5e24da741 ("Bluetooth: serialize accept_q access") serialises the
accept_q list/poll and takes temporary refs inside bt_accept_dequeue(),
and CVE-2025-39860 serialises the userspace close()/accept() race by
calling cleanup_listen() under lock_sock() in l2cap_sock_release().
Neither covers l2cap_conn_del() running from hci_rx_work, so this UAF
still reproduces on current bluetooth/master.
Take the reference at the source: bt_accept_dequeue() does sock_hold()
while sk is still locked, before release_sock(); callers sock_put().
cleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under
a brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops
it before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on
SOCK_DEAD. conn->lock is not taken here: cleanup_listen() runs under
the parent sk lock and that would invert
conn->lock -> chan->lock -> sk_lock (lockdep).
KASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced
12 use-after-free reports per run before this change; 0, and no lockdep
report, over 1600+ raced iterations after it on bluetooth/master.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Cc: stable@vger.kernel.org
Reported-by: Siwei Zhang <oss@fourdim.xyz>
Reviewed-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Safa Karakuş <safa.karakus@secunnix.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/af_bluetooth.c | 10 ++++++++
net/bluetooth/l2cap_sock.c | 51 +++++++++++++++++++++++++++++++++++++------
net/bluetooth/rfcomm/sock.c | 9 ++++++-
net/bluetooth/sco.c | 9 ++++++-
4 files changed, 70 insertions(+), 9 deletions(-)
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -259,6 +259,16 @@ restart:
if (newsock)
sock_graft(sk, newsock);
+ /* Hand the caller a reference taken while sk is
+ * still locked. bt_accept_unlink() just dropped
+ * the accept-queue reference; without this hold a
+ * concurrent teardown (e.g. l2cap_conn_del() ->
+ * l2cap_sock_kill()) could free sk between
+ * release_sock() and the caller using it. Every
+ * caller drops this with sock_put() when done.
+ */
+ sock_hold(sk);
+
release_sock(sk);
return sk;
}
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -366,8 +366,13 @@ static int l2cap_sock_accept(struct sock
}
nsk = bt_accept_dequeue(sk, newsock);
- if (nsk)
+ if (nsk) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps nsk alive from here.
+ */
+ sock_put(nsk);
break;
+ }
if (!timeo) {
err = -EAGAIN;
@@ -1444,22 +1449,54 @@ static void l2cap_sock_cleanup_listen(st
BT_DBG("parent %p state %s", parent,
state_to_string(parent->sk_state));
- /* Close not yet accepted channels */
+ /* Close not yet accepted channels.
+ *
+ * bt_accept_dequeue() now returns sk with an extra reference held
+ * (taken while sk was still locked) so a concurrent l2cap_conn_del()
+ * -> l2cap_sock_kill() cannot free sk under us.
+ *
+ * cleanup_listen() runs under the parent sk lock, so unlike
+ * l2cap_sock_shutdown() we must NOT take conn->lock here: that would
+ * establish sk_lock -> conn->lock and invert the established
+ * conn->lock -> chan->lock -> sk_lock order (lockdep deadlock).
+ *
+ * Instead, briefly take the child sk lock to fetch and pin its chan.
+ * l2cap_conn_del() reaches the chan free only via
+ * l2cap_chan_del() -> l2cap_sock_teardown_cb(), which itself takes
+ * the child sk lock; holding it across l2cap_chan_hold_unless_zero()
+ * therefore guarantees the chan cannot be freed while we read and
+ * pin it (hold_unless_zero() additionally skips a chan already past
+ * its last reference). We then drop the sk lock before taking
+ * chan->lock, so sk and chan locks are never held together.
+ */
while ((sk = bt_accept_dequeue(parent, NULL))) {
- struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_chan *chan;
+
+ lock_sock_nested(sk, L2CAP_NESTING_NORMAL);
+ chan = l2cap_chan_hold_unless_zero(l2cap_pi(sk)->chan);
+ release_sock(sk);
+ if (!chan) {
+ /* l2cap_conn_del() already tearing this child down */
+ sock_put(sk);
+ continue;
+ }
BT_DBG("child chan %p state %s", chan,
state_to_string(chan->state));
- l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
-
__clear_chan_timer(chan);
l2cap_chan_close(chan, ECONNRESET);
- l2cap_sock_kill(sk);
-
+ /* l2cap_conn_del() may already have killed this socket
+ * (it sets SOCK_DEAD); skip the duplicate to avoid a
+ * double sock_put()/l2cap_chan_put().
+ */
+ if (!sock_flag(sk, SOCK_DEAD))
+ l2cap_sock_kill(sk);
l2cap_chan_unlock(chan);
+
l2cap_chan_put(chan);
+ sock_put(sk);
}
}
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -190,6 +190,8 @@ static void rfcomm_sock_cleanup_listen(s
while ((sk = bt_accept_dequeue(parent, NULL))) {
rfcomm_sock_close(sk);
rfcomm_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
parent->sk_state = BT_CLOSED;
@@ -513,8 +515,13 @@ static int rfcomm_sock_accept(struct soc
}
nsk = bt_accept_dequeue(sk, newsock);
- if (nsk)
+ if (nsk) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps nsk alive from here.
+ */
+ sock_put(nsk);
break;
+ }
if (!timeo) {
err = -EAGAIN;
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -394,6 +394,8 @@ static void sco_sock_cleanup_listen(stru
while ((sk = bt_accept_dequeue(parent, NULL))) {
sco_sock_close(sk);
sco_sock_kill(sk);
+ /* Drop the reference handed back by bt_accept_dequeue(). */
+ sock_put(sk);
}
parent->sk_state = BT_CLOSED;
@@ -687,8 +689,13 @@ static int sco_sock_accept(struct socket
}
ch = bt_accept_dequeue(sk, newsock);
- if (ch)
+ if (ch) {
+ /* Drop the bridging ref from bt_accept_dequeue();
+ * the grafted socket keeps ch alive from here.
+ */
+ sock_put(ch);
break;
+ }
if (!timeo) {
err = -EAGAIN;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 340/411] Bluetooth: hci_qca: Convert timeout from jiffies to ms
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 339/411] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 341/411] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2 Greg Kroah-Hartman
` (71 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Menzel, Bartosz Golaszewski,
Shuai Zhang, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
[ Upstream commit 375ba7484132662a4a8c7547d088fb6275c00282 ]
Since the timer uses jiffies as its unit rather than ms, the timeout value
must be converted from ms to jiffies when configuring the timer. Otherwise,
the intended 8s timeout is incorrectly set to approximately 33s.
To improve readability, embed msecs_to_jiffies() directly in the macro
definitions and drop the _MS suffix from macros that now yield jiffies
values: MEMDUMP_TIMEOUT, FW_DOWNLOAD_TIMEOUT, IBS_DISABLE_SSR_TIMEOUT,
CMD_TRANS_TIMEOUT, and IBS_BTSOC_TX_IDLE_TIMEOUT.
IBS_WAKE_RETRANS_TIMEOUT_MS and IBS_HOST_TX_IDLE_TIMEOUT_MS are
intentionally left unchanged. Their values are stored in the struct fields
wake_retrans and tx_idle_delay, which hold ms values at runtime and can be
modified via debugfs. The msecs_to_jiffies() conversion happens at each
call site against the field value, so it cannot be embedded in the macro.
Wake timer depends on commit c347ca17d62a
Cc: stable@vger.kernel.org
Fixes: d841502c79e3 ("Bluetooth: hci_qca: Collect controller memory dump during SSR")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ adapted to `vmalloc`-based memdump path and older `qca_serdev_shutdown(struct device *dev)` signature ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_qca.c | 33 ++++++++++++++++-----------------
1 file changed, 16 insertions(+), 17 deletions(-)
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -46,13 +46,12 @@
#define HCI_MAX_IBS_SIZE 10
#define IBS_WAKE_RETRANS_TIMEOUT_MS 100
-#define IBS_BTSOC_TX_IDLE_TIMEOUT_MS 200
+#define IBS_BTSOC_TX_IDLE_TIMEOUT msecs_to_jiffies(200)
#define IBS_HOST_TX_IDLE_TIMEOUT_MS 2000
-#define CMD_TRANS_TIMEOUT_MS 100
-#define MEMDUMP_TIMEOUT_MS 8000
-#define IBS_DISABLE_SSR_TIMEOUT_MS \
- (MEMDUMP_TIMEOUT_MS + FW_DOWNLOAD_TIMEOUT_MS)
-#define FW_DOWNLOAD_TIMEOUT_MS 3000
+#define CMD_TRANS_TIMEOUT msecs_to_jiffies(100)
+#define MEMDUMP_TIMEOUT msecs_to_jiffies(8000)
+#define FW_DOWNLOAD_TIMEOUT msecs_to_jiffies(3000)
+#define IBS_DISABLE_SSR_TIMEOUT (MEMDUMP_TIMEOUT + FW_DOWNLOAD_TIMEOUT)
/* susclk rate */
#define SUSCLK_RATE_32KHZ 32768
@@ -1058,7 +1057,7 @@ static void qca_controller_memdump(struc
dump_size);
queue_delayed_work(qca->workqueue,
&qca->ctrl_memdump_timeout,
- msecs_to_jiffies(MEMDUMP_TIMEOUT_MS)
+ MEMDUMP_TIMEOUT
);
skb_pull(skb, sizeof(dump_size));
@@ -1326,7 +1325,7 @@ static int qca_set_baudrate(struct hci_d
if (hu->serdev)
serdev_device_wait_until_sent(hu->serdev,
- msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+ CMD_TRANS_TIMEOUT);
/* Give the controller time to process the request */
switch (qca_soc_type(hu)) {
@@ -1356,8 +1355,8 @@ static inline void host_set_baudrate(str
static int qca_send_power_pulse(struct hci_uart *hu, bool on)
{
+ int timeout = CMD_TRANS_TIMEOUT;
int ret;
- int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
u8 cmd = on ? QCA_WCN3990_POWERON_PULSE : QCA_WCN3990_POWEROFF_PULSE;
/* These power pulses are single byte command which are sent
@@ -1556,7 +1555,7 @@ static void qca_wait_for_dump_collection
struct qca_data *qca = hu->priv;
wait_on_bit_timeout(&qca->flags, QCA_MEMDUMP_COLLECTION,
- TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT_MS);
+ TASK_UNINTERRUPTIBLE, MEMDUMP_TIMEOUT);
clear_bit(QCA_MEMDUMP_COLLECTION, &qca->flags);
}
@@ -2345,7 +2344,7 @@ static void qca_serdev_remove(struct ser
static void qca_serdev_shutdown(struct device *dev)
{
int ret;
- int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
+ int timeout = CMD_TRANS_TIMEOUT;
struct serdev_device *serdev = to_serdev_device(dev);
struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
struct hci_uart *hu = &qcadev->serdev_hu;
@@ -2403,7 +2402,7 @@ static int __maybe_unused qca_suspend(st
bool tx_pending = false;
int ret = 0;
u8 cmd;
- u32 wait_timeout = 0;
+ unsigned long wait_timeout = 0;
set_bit(QCA_SUSPENDING, &qca->flags);
@@ -2424,15 +2423,15 @@ static int __maybe_unused qca_suspend(st
if (test_bit(QCA_IBS_DISABLED, &qca->flags) ||
test_bit(QCA_SSR_TRIGGERED, &qca->flags)) {
wait_timeout = test_bit(QCA_SSR_TRIGGERED, &qca->flags) ?
- IBS_DISABLE_SSR_TIMEOUT_MS :
- FW_DOWNLOAD_TIMEOUT_MS;
+ IBS_DISABLE_SSR_TIMEOUT :
+ FW_DOWNLOAD_TIMEOUT;
/* QCA_IBS_DISABLED flag is set to true, During FW download
* and during memory dump collection. It is reset to false,
* After FW download complete.
*/
wait_on_bit_timeout(&qca->flags, QCA_IBS_DISABLED,
- TASK_UNINTERRUPTIBLE, msecs_to_jiffies(wait_timeout));
+ TASK_UNINTERRUPTIBLE, wait_timeout);
if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
bt_dev_err(hu->hdev, "SSR or FW download time out");
@@ -2484,7 +2483,7 @@ static int __maybe_unused qca_suspend(st
if (tx_pending) {
serdev_device_wait_until_sent(hu->serdev,
- msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+ CMD_TRANS_TIMEOUT);
serial_clock_vote(HCI_IBS_TX_VOTE_CLOCK_OFF, hu);
}
@@ -2493,7 +2492,7 @@ static int __maybe_unused qca_suspend(st
*/
ret = wait_event_interruptible_timeout(qca->suspend_wait_q,
qca->rx_ibs_state == HCI_IBS_RX_ASLEEP,
- msecs_to_jiffies(IBS_BTSOC_TX_IDLE_TIMEOUT_MS));
+ IBS_BTSOC_TX_IDLE_TIMEOUT);
if (ret == 0) {
ret = -ETIMEDOUT;
goto error;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 341/411] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 340/411] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 342/411] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
` (70 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz,
Marcel Holtmann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit cba6b758711cab946c787f7c15be92cc749b8e1f ]
This make use of hci_cmd_sync_queue for the following MGMT commands:
Add Advertising
Remove Advertising
Add Extended Advertising Parameters
Add Extended Advertising Data
mgmt-tester -s "Add Advertising"
Test Summary
------------
Add Advertising - Failure: LE off Passed
Add Advertising - Invalid Params 1 (AD too long) Passed
Add Advertising - Invalid Params 2 (Malformed len) Passed
Add Advertising - Invalid Params 3 (Malformed len) Passed
Add Advertising - Invalid Params 4 (Malformed len) Passed
Add Advertising - Invalid Params 5 (AD too long) Passed
Add Advertising - Invalid Params 6 (ScRsp too long) Passed
Add Advertising - Invalid Params 7 (Malformed len) Passed
Add Advertising - Invalid Params 8 (Malformed len) Passed
Add Advertising - Invalid Params 9 (Malformed len) Passed
Add Advertising - Invalid Params 10 (ScRsp too long) Passed
Add Advertising - Rejected (Timeout, !Powered) Passed
Add Advertising - Success 1 (Powered, Add Adv Inst) Passed
Add Advertising - Success 2 (!Powered, Add Adv Inst) Passed
Add Advertising - Success 3 (!Powered, Adv Enable) Passed
Add Advertising - Success 4 (Set Adv on override) Passed
Add Advertising - Success 5 (Set Adv off override) Passed
Add Advertising - Success 6 (Scan Rsp Dta, Adv ok) Passed
Add Advertising - Success 7 (Scan Rsp Dta, Scan ok) Passed
Add Advertising - Success 8 (Connectable Flag) Passed
Add Advertising - Success 9 (General Discov Flag) Passed
Add Advertising - Success 10 (Limited Discov Flag) Passed
Add Advertising - Success 11 (Managed Flags) Passed
Add Advertising - Success 12 (TX Power Flag) Passed
Add Advertising - Success 13 (ADV_SCAN_IND) Passed
Add Advertising - Success 14 (ADV_NONCONN_IND) Passed
Add Advertising - Success 15 (ADV_IND) Passed
Add Advertising - Success 16 (Connectable -> on) Passed
Add Advertising - Success 17 (Connectable -> off) Passed
Add Advertising - Success 18 (Power -> off, Remove) Passed
Add Advertising - Success 19 (Power -> off, Keep) Passed
Add Advertising - Success 20 (Add Adv override) Passed
Add Advertising - Success 21 (Timeout expires) Passed
Add Advertising - Success 22 (LE -> off, Remove) Passed
Add Advertising - Success (Empty ScRsp) Passed
Add Advertising - Success (ScRsp only) Passed
Add Advertising - Invalid Params (ScRsp too long) Passed
Add Advertising - Success (ScRsp appear) Passed
Add Advertising - Invalid Params (ScRsp appear long) Passed
Add Advertising - Success (Appear is null) Passed
Add Advertising - Success (Name is null) Passed
Add Advertising - Success (Complete name) Passed
Add Advertising - Success (Shortened name) Passed
Add Advertising - Success (Short name) Passed
Add Advertising - Success (Name + data) Passed
Add Advertising - Invalid Params (Name + data) Passed
Add Advertising - Success (Name+data+appear) Passed
Total: 47, Passed: 47 (100.0%), Failed: 0, Not Run: 0
Overall execution time: 2.17 seconds
mgmt-tester -s "Remove Advertising"
Test Summary
------------
Remove Advertising - Invalid Params 1 Passed
Remove Advertising - Success 1 Passed
Remove Advertising - Success 2 Passed
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0
Overall execution time: 0.0585 seconds
mgmt-tester -s "Ext Adv MGMT Params"
Test Summary:
------------
Ext Adv MGMT Params - Unpowered Passed
Ext Adv MGMT Params - Invalid parameters Passed
Ext Adv MGMT Params - Success Passed
Ext Adv MGMT Params - (5.0) Success Passed
Total: 4, Passed: 4 (100.0%), Failed: 0, Not Run: 0
Overall execution time: 0.0746 seconds
mgmt-tester -s "Ext Adv MGMT -"
Test Summary
------------
Ext Adv MGMT - Data set without Params Passed
Ext Adv MGMT - AD Data (5.0) Invalid parameters Passed
Ext Adv MGMT - AD Data (5.0) Success Passed
Ext Adv MGMT - AD Scan Response (5.0) Success Passed
Total: 4, Passed: 4 (100.0%), Failed: 0, Not Run: 0
Overall execution time: 0.0805 seconds
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Stable-dep-of: d3f7d17960ed ("Bluetooth: MGMT: validate Add Extended Advertising Data length")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/mgmt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -8078,12 +8078,12 @@ static int add_ext_adv_data(struct sock
{
struct mgmt_cp_add_ext_adv_data *cp = data;
struct mgmt_rp_add_ext_adv_data rp;
+ struct hci_request req;
u8 schedule_instance = 0;
struct adv_info *next_instance;
struct adv_info *adv_instance;
int err = 0;
struct mgmt_pending_cmd *cmd;
- struct hci_request req;
BT_DBG("%s", hdev->name);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 342/411] Bluetooth: MGMT: validate Add Extended Advertising Data length
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 341/411] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2 Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 343/411] qed: Use the bitmap API to simplify some functions Greg Kroah-Hartman
` (69 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit d3f7d17960ed50df3a6709c5158caff989c8c905 ]
MGMT_OP_ADD_EXT_ADV_DATA is registered as a variable-length command,
with MGMT_ADD_EXT_ADV_DATA_SIZE as the fixed header size. The handler
then uses cp->adv_data_len and cp->scan_rsp_len to validate and copy
cp->data, but it never checks that those bytes are part of the mgmt
command payload.
A short command can therefore make add_ext_adv_data() pass an
out-of-bounds pointer into tlv_data_is_valid(). If the bytes beyond
the command buffer are addressable, they can also be copied into the
advertising instance as scan response data, where the caller can read
them back via MGMT_OP_GET_ADV_INSTANCE. The trigger requires
CAP_NET_ADMIN in the initial user namespace; KASAN reports an 8-byte
slab-out-of-bounds read.
Reject commands whose length does not match the fixed header plus both
advertising data lengths before parsing cp->data.
Fixes: 12410572833a ("Bluetooth: Break add adv into two mgmt commands")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/mgmt.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -8084,9 +8084,15 @@ static int add_ext_adv_data(struct sock
struct adv_info *adv_instance;
int err = 0;
struct mgmt_pending_cmd *cmd;
+ u16 expected_len;
BT_DBG("%s", hdev->name);
+ expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
+ if (expected_len != data_len)
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
+ MGMT_STATUS_INVALID_PARAMS);
+
hci_dev_lock(hdev);
adv_instance = hci_find_adv_instance(hdev, cp->instance);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 343/411] qed: Use the bitmap API to simplify some functions
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 342/411] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 344/411] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
` (68 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, David S. Miller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 5e6c7ccd3ea4b25dd6b4b0363859913f315deacb ]
'cid_map' is a bitmap. So use 'bitmap_zalloc()' to simplify code,
improve the semantic and avoid some open-coded arithmetic in allocator
arguments.
Also change the corresponding 'kfree()' into 'bitmap_free()' to keep
consistency.
Also change some 'memset()' into 'bitmap_zero()' to keep consistency. This
is also much less verbose.
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 2bccfb8476ca ("qed: fix double free in qed_cxt_tables_alloc()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 24 +++++-------------------
1 file changed, 5 insertions(+), 19 deletions(-)
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -1037,12 +1037,12 @@ static void qed_cid_map_free(struct qed_
u32 type, vf;
for (type = 0; type < MAX_CONN_TYPES; type++) {
- kfree(p_mngr->acquired[type].cid_map);
+ bitmap_free(p_mngr->acquired[type].cid_map);
p_mngr->acquired[type].max_count = 0;
p_mngr->acquired[type].start_cid = 0;
for (vf = 0; vf < MAX_NUM_VFS; vf++) {
- kfree(p_mngr->acquired_vf[type][vf].cid_map);
+ bitmap_free(p_mngr->acquired_vf[type][vf].cid_map);
p_mngr->acquired_vf[type][vf].max_count = 0;
p_mngr->acquired_vf[type][vf].start_cid = 0;
}
@@ -1055,15 +1055,10 @@ qed_cid_map_alloc_single(struct qed_hwfn
u32 cid_start,
u32 cid_count, struct qed_cid_acquired_map *p_map)
{
- u32 size;
-
if (!cid_count)
return 0;
- size = DIV_ROUND_UP(cid_count,
- sizeof(unsigned long) * BITS_PER_BYTE) *
- sizeof(unsigned long);
- p_map->cid_map = kzalloc(size, GFP_KERNEL);
+ p_map->cid_map = bitmap_zalloc(cid_count, GFP_KERNEL);
if (!p_map->cid_map)
return -ENOMEM;
@@ -1217,7 +1212,6 @@ void qed_cxt_mngr_setup(struct qed_hwfn
struct qed_cid_acquired_map *p_map;
struct qed_conn_type_cfg *p_cfg;
int type;
- u32 len;
/* Reset acquired cids */
for (type = 0; type < MAX_CONN_TYPES; type++) {
@@ -1226,11 +1220,7 @@ void qed_cxt_mngr_setup(struct qed_hwfn
p_cfg = &p_mngr->conn_cfg[type];
if (p_cfg->cid_count) {
p_map = &p_mngr->acquired[type];
- len = DIV_ROUND_UP(p_map->max_count,
- sizeof(unsigned long) *
- BITS_PER_BYTE) *
- sizeof(unsigned long);
- memset(p_map->cid_map, 0, len);
+ bitmap_zero(p_map->cid_map, p_map->max_count);
}
if (!p_cfg->cids_per_vf)
@@ -1238,11 +1228,7 @@ void qed_cxt_mngr_setup(struct qed_hwfn
for (vf = 0; vf < MAX_NUM_VFS; vf++) {
p_map = &p_mngr->acquired_vf[type][vf];
- len = DIV_ROUND_UP(p_map->max_count,
- sizeof(unsigned long) *
- BITS_PER_BYTE) *
- sizeof(unsigned long);
- memset(p_map->cid_map, 0, len);
+ bitmap_zero(p_map->cid_map, p_map->max_count);
}
}
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 344/411] qed: fix double free in qed_cxt_tables_alloc()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 343/411] qed: Use the bitmap API to simplify some functions Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 345/411] Bluetooth: Consolidate code around sk_alloc into a helper function Greg Kroah-Hartman
` (67 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
[ Upstream commit 2bccfb8476ca5f3548afbd623dc7a6980d4e77de ]
If one of the later PF or VF CID bitmap allocations fails,
qed_cid_map_alloc() jumps to cid_map_fail and frees the previously
allocated CID bitmaps before returning an error. qed_cxt_tables_alloc()
then calls qed_cxt_mngr_free(), which invokes qed_cid_map_free()
again.
Fix this by setting each CID bitmap pointer to NULL after bitmap_free()
to avoid double free.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc3.
Runtime reproduction was not attempted because exercising the failing
allocation path requires device-specific setup.
Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Link: https://patch.msgid.link/20260520070323.2762379-1-dawei.feng@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qed/qed_cxt.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -1038,11 +1038,13 @@ static void qed_cid_map_free(struct qed_
for (type = 0; type < MAX_CONN_TYPES; type++) {
bitmap_free(p_mngr->acquired[type].cid_map);
+ p_mngr->acquired[type].cid_map = NULL;
p_mngr->acquired[type].max_count = 0;
p_mngr->acquired[type].start_cid = 0;
for (vf = 0; vf < MAX_NUM_VFS; vf++) {
bitmap_free(p_mngr->acquired_vf[type][vf].cid_map);
+ p_mngr->acquired_vf[type][vf].cid_map = NULL;
p_mngr->acquired_vf[type][vf].max_count = 0;
p_mngr->acquired_vf[type][vf].start_cid = 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 345/411] Bluetooth: Consolidate code around sk_alloc into a helper function
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 344/411] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 346/411] Bluetooth: Init sk_peer_* on bt_sock_alloc Greg Kroah-Hartman
` (66 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 6bfa273e533d7b25eee3d74e28a7fe8e6a8e7a93 ]
This consolidates code around sk_alloc into bt_sock_alloc which does
take care of common initialization.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: e83f5e24da74 ("Bluetooth: serialize accept_q access")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/bluetooth.h | 2 ++
net/bluetooth/af_bluetooth.c | 21 +++++++++++++++++++++
net/bluetooth/bnep/sock.c | 10 +---------
net/bluetooth/hci_sock.c | 10 ++--------
net/bluetooth/l2cap_sock.c | 10 +---------
net/bluetooth/rfcomm/sock.c | 13 +++----------
net/bluetooth/sco.c | 10 +---------
7 files changed, 31 insertions(+), 45 deletions(-)
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -315,6 +315,8 @@ void bt_sock_unregister(int proto);
void bt_sock_link(struct bt_sock_list *l, struct sock *s);
void bt_sock_unlink(struct bt_sock_list *l, struct sock *s);
bool bt_sock_linked(struct bt_sock_list *l, struct sock *s);
+struct sock *bt_sock_alloc(struct net *net, struct socket *sock,
+ struct proto *prot, int proto, gfp_t prio, int kern);
int bt_sock_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
int flags);
int bt_sock_stream_recvmsg(struct socket *sock, struct msghdr *msg,
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -138,6 +138,27 @@ static int bt_sock_create(struct net *ne
return err;
}
+struct sock *bt_sock_alloc(struct net *net, struct socket *sock,
+ struct proto *prot, int proto, gfp_t prio, int kern)
+{
+ struct sock *sk;
+
+ sk = sk_alloc(net, PF_BLUETOOTH, prio, prot, kern);
+ if (!sk)
+ return NULL;
+
+ sock_init_data(sock, sk);
+ INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
+
+ sock_reset_flag(sk, SOCK_ZAPPED);
+
+ sk->sk_protocol = proto;
+ sk->sk_state = BT_OPEN;
+
+ return sk;
+}
+EXPORT_SYMBOL(bt_sock_alloc);
+
void bt_sock_link(struct bt_sock_list *l, struct sock *sk)
{
write_lock(&l->lock);
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -204,21 +204,13 @@ static int bnep_sock_create(struct net *
if (sock->type != SOCK_RAW)
return -ESOCKTNOSUPPORT;
- sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &bnep_proto, kern);
+ sk = bt_sock_alloc(net, sock, &bnep_proto, protocol, GFP_ATOMIC, kern);
if (!sk)
return -ENOMEM;
- sock_init_data(sock, sk);
-
sock->ops = &bnep_sock_ops;
-
sock->state = SS_UNCONNECTED;
- sock_reset_flag(sk, SOCK_ZAPPED);
-
- sk->sk_protocol = protocol;
- sk->sk_state = BT_OPEN;
-
bt_sock_link(&bnep_sk_list, sk);
return 0;
}
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -2091,18 +2091,12 @@ static int hci_sock_create(struct net *n
sock->ops = &hci_sock_ops;
- sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hci_sk_proto, kern);
+ sk = bt_sock_alloc(net, sock, &hci_sk_proto, protocol, GFP_ATOMIC,
+ kern);
if (!sk)
return -ENOMEM;
- sock_init_data(sock, sk);
-
- sock_reset_flag(sk, SOCK_ZAPPED);
-
- sk->sk_protocol = protocol;
-
sock->state = SS_UNCONNECTED;
- sk->sk_state = BT_OPEN;
sk->sk_destruct = hci_sock_destruct;
bt_sock_link(&hci_sk_list, sk);
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1913,21 +1913,13 @@ static struct sock *l2cap_sock_alloc(str
struct sock *sk;
struct l2cap_chan *chan;
- sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto, kern);
+ sk = bt_sock_alloc(net, sock, &l2cap_proto, proto, prio, kern);
if (!sk)
return NULL;
- sock_init_data(sock, sk);
- INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
-
sk->sk_destruct = l2cap_sock_destruct;
sk->sk_sndtimeo = L2CAP_CONN_TIMEOUT;
- sock_reset_flag(sk, SOCK_ZAPPED);
-
- sk->sk_protocol = proto;
- sk->sk_state = BT_OPEN;
-
chan = l2cap_chan_create();
if (!chan) {
sk_free(sk);
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -280,18 +280,16 @@ static struct proto rfcomm_proto = {
.obj_size = sizeof(struct rfcomm_pinfo)
};
-static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio, int kern)
+static struct sock *rfcomm_sock_alloc(struct net *net, struct socket *sock,
+ int proto, gfp_t prio, int kern)
{
struct rfcomm_dlc *d;
struct sock *sk;
- sk = sk_alloc(net, PF_BLUETOOTH, prio, &rfcomm_proto, kern);
+ sk = bt_sock_alloc(net, sock, &rfcomm_proto, proto, prio, kern);
if (!sk)
return NULL;
- sock_init_data(sock, sk);
- INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
-
d = rfcomm_dlc_alloc(prio);
if (!d) {
sk_free(sk);
@@ -310,11 +308,6 @@ static struct sock *rfcomm_sock_alloc(st
sk->sk_sndbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
sk->sk_rcvbuf = RFCOMM_MAX_CREDITS * RFCOMM_DEFAULT_MTU * 10;
- sock_reset_flag(sk, SOCK_ZAPPED);
-
- sk->sk_protocol = proto;
- sk->sk_state = BT_OPEN;
-
bt_sock_link(&rfcomm_sk_list, sk);
BT_DBG("sk %p", sk);
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -501,21 +501,13 @@ static struct sock *sco_sock_alloc(struc
{
struct sock *sk;
- sk = sk_alloc(net, PF_BLUETOOTH, prio, &sco_proto, kern);
+ sk = bt_sock_alloc(net, sock, &sco_proto, proto, prio, kern);
if (!sk)
return NULL;
- sock_init_data(sock, sk);
- INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
-
sk->sk_destruct = sco_sock_destruct;
sk->sk_sndtimeo = SCO_CONN_TIMEOUT;
- sock_reset_flag(sk, SOCK_ZAPPED);
-
- sk->sk_protocol = proto;
- sk->sk_state = BT_OPEN;
-
sco_pi(sk)->setting = BT_VOICE_CVSD_16BIT;
bt_sock_link(&sco_sk_list, sk);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 346/411] Bluetooth: Init sk_peer_* on bt_sock_alloc
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 345/411] Bluetooth: Consolidate code around sk_alloc into a helper function Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 347/411] Bluetooth: serialize accept_q access Greg Kroah-Hartman
` (65 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 464c702fb9374ff8f3f816f24fb7ac719dd20e1e ]
This makes sure peer information is always available via sock when using
bt_sock_alloc.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: e83f5e24da74 ("Bluetooth: serialize accept_q access")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/af_bluetooth.c | 24 ++++++++++++++++++++++++
net/bluetooth/hidp/sock.c | 10 +---------
net/bluetooth/l2cap_sock.c | 19 -------------------
3 files changed, 25 insertions(+), 28 deletions(-)
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -155,6 +155,14 @@ struct sock *bt_sock_alloc(struct net *n
sk->sk_protocol = proto;
sk->sk_state = BT_OPEN;
+ /* Init peer information so it can be properly monitored */
+ if (!kern) {
+ spin_lock(&sk->sk_peer_lock);
+ sk->sk_peer_pid = get_pid(task_tgid(current));
+ sk->sk_peer_cred = get_current_cred();
+ spin_unlock(&sk->sk_peer_lock);
+ }
+
return sk;
}
EXPORT_SYMBOL(bt_sock_alloc);
@@ -199,6 +207,9 @@ EXPORT_SYMBOL(bt_sock_linked);
void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
{
+ const struct cred *old_cred;
+ struct pid *old_pid;
+
BT_DBG("parent %p, sk %p", parent, sk);
sock_hold(sk);
@@ -211,6 +222,19 @@ void bt_accept_enqueue(struct sock *pare
list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
bt_sk(sk)->parent = parent;
+ /* Copy credentials from parent since for incoming connections the
+ * socket is allocated by the kernel.
+ */
+ spin_lock(&sk->sk_peer_lock);
+ old_pid = sk->sk_peer_pid;
+ old_cred = sk->sk_peer_cred;
+ sk->sk_peer_pid = get_pid(parent->sk_peer_pid);
+ sk->sk_peer_cred = get_cred(parent->sk_peer_cred);
+ spin_unlock(&sk->sk_peer_lock);
+
+ put_pid(old_pid);
+ put_cred(old_cred);
+
if (bh)
bh_unlock_sock(sk);
else
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -255,21 +255,13 @@ static int hidp_sock_create(struct net *
if (sock->type != SOCK_RAW)
return -ESOCKTNOSUPPORT;
- sk = sk_alloc(net, PF_BLUETOOTH, GFP_ATOMIC, &hidp_proto, kern);
+ sk = bt_sock_alloc(net, sock, &hidp_proto, protocol, GFP_ATOMIC, kern);
if (!sk)
return -ENOMEM;
- sock_init_data(sock, sk);
-
sock->ops = &hidp_sock_ops;
-
sock->state = SS_UNCONNECTED;
- sock_reset_flag(sk, SOCK_ZAPPED);
-
- sk->sk_protocol = protocol;
- sk->sk_state = BT_OPEN;
-
bt_sock_link(&hidp_sk_list, sk);
return 0;
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -177,21 +177,6 @@ done:
return err;
}
-static void l2cap_sock_init_pid(struct sock *sk)
-{
- struct l2cap_chan *chan = l2cap_pi(sk)->chan;
-
- /* Only L2CAP_MODE_EXT_FLOWCTL ever need to access the PID in order to
- * group the channels being requested.
- */
- if (chan->mode != L2CAP_MODE_EXT_FLOWCTL)
- return;
-
- spin_lock(&sk->sk_peer_lock);
- sk->sk_peer_pid = get_pid(task_tgid(current));
- spin_unlock(&sk->sk_peer_lock);
-}
-
static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
int alen, int flags)
{
@@ -267,8 +252,6 @@ static int l2cap_sock_connect(struct soc
chan->mode != L2CAP_MODE_EXT_FLOWCTL)
chan->mode = L2CAP_MODE_LE_FLOWCTL;
- l2cap_sock_init_pid(sk);
-
err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
&la.l2_bdaddr, la.l2_bdaddr_type);
if (err)
@@ -324,8 +307,6 @@ static int l2cap_sock_listen(struct sock
goto done;
}
- l2cap_sock_init_pid(sk);
-
sk->sk_max_ack_backlog = backlog;
sk->sk_ack_backlog = 0;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 347/411] Bluetooth: serialize accept_q access
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 346/411] Bluetooth: Init sk_peer_* on bt_sock_alloc Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 348/411] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
` (64 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jann Horn, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Jiexun Wang, Ren Wei, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
[ Upstream commit e83f5e24da741fa9405aeeff00b08c5ee7c37b88 ]
bt_sock_poll() walks the accept queue without synchronization, while
child teardown can unlink the same socket and drop its last reference.
The unsynchronized accept queue walk has existed since the initial
Bluetooth import.
Protect accept_q with a dedicated lock for queue updates and polling.
Also rework bt_accept_dequeue() to take temporary child references under
the queue lock before dropping it and locking the child socket.
Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reported-by: Jann Horn <jannh@google.com>
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/bluetooth.h | 1
net/bluetooth/af_bluetooth.c | 87 ++++++++++++++++++++++++++++----------
2 files changed, 66 insertions(+), 22 deletions(-)
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -291,6 +291,7 @@ void baswap(bdaddr_t *dst, const bdaddr_
struct bt_sock {
struct sock sk;
struct list_head accept_q;
+ spinlock_t accept_q_lock; /* protects accept_q */
struct sock *parent;
unsigned long flags;
void (*skb_msg_name)(struct sk_buff *, void *, int *);
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -149,6 +149,7 @@ struct sock *bt_sock_alloc(struct net *n
sock_init_data(sock, sk);
INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
+ spin_lock_init(&bt_sk(sk)->accept_q_lock);
sock_reset_flag(sk, SOCK_ZAPPED);
@@ -209,6 +210,7 @@ void bt_accept_enqueue(struct sock *pare
{
const struct cred *old_cred;
struct pid *old_pid;
+ struct bt_sock *par = bt_sk(parent);
BT_DBG("parent %p, sk %p", parent, sk);
@@ -219,9 +221,13 @@ void bt_accept_enqueue(struct sock *pare
else
lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
- list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
bt_sk(sk)->parent = parent;
+ spin_lock_bh(&par->accept_q_lock);
+ list_add_tail(&bt_sk(sk)->accept_q, &par->accept_q);
+ sk_acceptq_added(parent);
+ spin_unlock_bh(&par->accept_q_lock);
+
/* Copy credentials from parent since for incoming connections the
* socket is allocated by the kernel.
*/
@@ -239,8 +245,6 @@ void bt_accept_enqueue(struct sock *pare
bh_unlock_sock(sk);
else
release_sock(sk);
-
- sk_acceptq_added(parent);
}
EXPORT_SYMBOL(bt_accept_enqueue);
@@ -249,45 +253,72 @@ EXPORT_SYMBOL(bt_accept_enqueue);
*/
void bt_accept_unlink(struct sock *sk)
{
+ struct sock *parent = bt_sk(sk)->parent;
+
BT_DBG("sk %p state %d", sk, sk->sk_state);
+ spin_lock_bh(&bt_sk(parent)->accept_q_lock);
list_del_init(&bt_sk(sk)->accept_q);
- sk_acceptq_removed(bt_sk(sk)->parent);
+ sk_acceptq_removed(parent);
+ spin_unlock_bh(&bt_sk(parent)->accept_q_lock);
bt_sk(sk)->parent = NULL;
sock_put(sk);
}
EXPORT_SYMBOL(bt_accept_unlink);
+static struct sock *bt_accept_get(struct sock *parent, struct sock *sk)
+{
+ struct bt_sock *bt = bt_sk(parent);
+ struct sock *next = NULL;
+
+ /* accept_q is modified from child teardown paths too, so take a
+ * temporary reference before dropping the queue lock.
+ */
+ spin_lock_bh(&bt->accept_q_lock);
+
+ if (sk) {
+ if (bt_sk(sk)->parent != parent)
+ goto out;
+
+ if (!list_is_last(&bt_sk(sk)->accept_q, &bt->accept_q)) {
+ next = &list_next_entry(bt_sk(sk), accept_q)->sk;
+ sock_hold(next);
+ }
+ } else if (!list_empty(&bt->accept_q)) {
+ next = &list_first_entry(&bt->accept_q,
+ struct bt_sock, accept_q)->sk;
+ sock_hold(next);
+ }
+
+out:
+ spin_unlock_bh(&bt->accept_q_lock);
+ return next;
+}
+
struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
{
- struct bt_sock *s, *n;
- struct sock *sk;
+ struct sock *sk, *next;
BT_DBG("parent %p", parent);
restart:
- list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) {
- sk = (struct sock *)s;
-
+ for (sk = bt_accept_get(parent, NULL); sk; sk = next) {
/* Prevent early freeing of sk due to unlink and sock_kill */
- sock_hold(sk);
lock_sock(sk);
/* Check sk has not already been unlinked via
* bt_accept_unlink() due to serialisation caused by sk locking
*/
- if (!bt_sk(sk)->parent) {
+ if (bt_sk(sk)->parent != parent) {
BT_DBG("sk %p, already unlinked", sk);
release_sock(sk);
sock_put(sk);
- /* Restart the loop as sk is no longer in the list
- * and also avoid a potential infinite loop because
- * list_for_each_entry_safe() is not thread safe.
- */
goto restart;
}
+ next = bt_accept_get(parent, sk);
+
/* sk is safely in the parent list so reduce reference count */
sock_put(sk);
@@ -315,6 +346,8 @@ restart:
sock_hold(sk);
release_sock(sk);
+ if (next)
+ sock_put(next);
return sk;
}
@@ -513,18 +546,28 @@ EXPORT_SYMBOL(bt_sock_stream_recvmsg);
static inline __poll_t bt_accept_poll(struct sock *parent)
{
- struct bt_sock *s, *n;
+ struct bt_sock *bt = bt_sk(parent);
+ struct bt_sock *s;
struct sock *sk;
+ __poll_t mask = 0;
+
+ spin_lock_bh(&bt->accept_q_lock);
+ list_for_each_entry(s, &bt->accept_q, accept_q) {
+ int state;
- list_for_each_entry_safe(s, n, &bt_sk(parent)->accept_q, accept_q) {
sk = (struct sock *)s;
- if (sk->sk_state == BT_CONNECTED ||
- (test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags) &&
- sk->sk_state == BT_CONNECT2))
- return EPOLLIN | EPOLLRDNORM;
+ state = READ_ONCE(sk->sk_state);
+
+ if (state == BT_CONNECTED ||
+ (test_bit(BT_SK_DEFER_SETUP, &bt->flags) &&
+ state == BT_CONNECT2)) {
+ mask = EPOLLIN | EPOLLRDNORM;
+ break;
+ }
}
+ spin_unlock_bh(&bt->accept_q_lock);
- return 0;
+ return mask;
}
__poll_t bt_sock_poll(struct file *file, struct socket *sock,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 348/411] net: hsr: defer node table free until after RCU readers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 347/411] Bluetooth: serialize accept_q access Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 349/411] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
` (63 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit aaec7096f9961eb223b5b149abe9495525c205d9 ]
HSR node-list and node-status generic-netlink operations run under
rcu_read_lock(). They walk hsr->node_db through hsr_get_next_node() and
hsr_get_node_data(), but RTM_DELLINK teardown removes the same node table
with plain list_del() and frees each node immediately.
That lets a generic-netlink reader hold a struct hsr_node pointer across
hsr_dellink(). In a KASAN build, widening the reader window after
hsr_get_next_node() obtains the node reproduces a slab-use-after-free
when the reader copies node->macaddress_A; the freeing stack is
hsr_del_nodes() from hsr_dellink().
Use list_del_rcu() and defer the free through the existing
hsr_free_node_rcu() callback. This matches the lifetime rule used by the
HSR prune paths, which already delete nodes with list_del_rcu() and
call_rcu().
Fixes: b9a1e627405d ("hsr: implement dellink to clean up resources")
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260513233838.3064715-2-michael.bommarito@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ replaced `list_del`+`call_rcu(hsr_free_node_rcu)` with `list_del_rcu`+`kfree_rcu(node, rcu_head)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_framereg.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -123,8 +123,10 @@ void hsr_del_nodes(struct list_head *nod
struct hsr_node *node;
struct hsr_node *tmp;
- list_for_each_entry_safe(node, tmp, node_db, mac_list)
- kfree(node);
+ list_for_each_entry_safe(node, tmp, node_db, mac_list) {
+ list_del_rcu(&node->mac_list);
+ kfree_rcu(node, rcu_head);
+ }
}
void prp_handle_san_frame(bool san, enum hsr_port_type port,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 349/411] ice: fix VF queue configuration with low MTU values
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 348/411] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 350/411] ipv6/addrconf: annotate data-races around devconf fields (II) Greg Kroah-Hartman
` (62 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jose Ignacio Tornos Martinez,
Jacob Keller, Michal Swiatkowski, Paul Menzel, Rafal Romanowski,
Tony Nguyen, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
[ Upstream commit 3ba4dd024d26372733d1c02e13e076c6016e3320 ]
The ice driver's VF queue configuration validation rejects
databuffer_size values below 1024 bytes, which prevents VFs from
using MTU values below 871 bytes.
The iavf driver calculates databuffer_size based on the MTU using:
databuffer_size = ALIGN(MTU + LIBETH_RX_LL_LEN, 128)
where LIBETH_RX_LL_LEN = 26 (ETH_HLEN + 2*VLAN_HLEN + ETH_FCS_LEN).
For MTU values below 871:
MTU 870: 870 + 26 = 896, aligned to 128 = 896 (< 1024, rejected)
MTU 871: 871 + 26 = 897, aligned to 128 = 1024 (>= 1024, accepted)
The 1024-byte minimum seems unnecessarily restrictive, because the hardware
supports databuffer_size as low as 128 bytes (the alignment boundary),
which should allow MTU values down to the standard minimum of 68 bytes.
I haven't found the reason why the limit was configured in the commit
9c7dd7566d18 ("ice: add validation in OP_CONFIG_VSI_QUEUES VF message"), so
with no more information and since it is working, change the minimum
databuffer_size validation from 1024 to 128 bytes to allow standard low
MTU values while still preventing invalid configurations.
Fixes: 9c7dd7566d18 ("ice: add validation in OP_CONFIG_VSI_QUEUES VF message")
cc: stable@vger.kernel.org
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20260515182419.1597859-3-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
@@ -3585,7 +3585,7 @@ static int ice_vc_cfg_qs_msg(struct ice_
if (qpi->rxq.databuffer_size != 0 &&
(qpi->rxq.databuffer_size > ((16 * 1024) - 128) ||
- qpi->rxq.databuffer_size < 1024)) {
+ qpi->rxq.databuffer_size < 128)) {
v_ret = VIRTCHNL_STATUS_ERR_PARAM;
goto error_param;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 350/411] ipv6/addrconf: annotate data-races around devconf fields (II)
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 349/411] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 351/411] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
` (61 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jiri Pirko,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 2f0ff05a44302c91af54a5f9efe1b65b7681540e ]
Final (?) round of this series.
Annotate lockless reads on following devconf fields,
because they be changed concurrently from /proc/net/ipv6/conf.
- accept_dad
- optimistic_dad
- use_optimistic
- use_oif_addrs_only
- ra_honor_pio_life
- keep_addr_on_down
- ndisc_notify
- ndisc_evict_nocarrier
- suppress_frag_ndisc
- addr_gen_mode
- seg6_enabled
- ioam6_enabled
- ioam6_id
- ioam6_id_wide
- drop_unicast_in_l2_multicast
- mldv[12]_unsolicited_report_interval
- force_mld_version
- force_tllao
- accept_untracked_na
- drop_unsolicited_na
- accept_source_route
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d4ea0dfd7501 ("ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/addrconf.c | 47 +++++++++++++++++++++++++----------------------
net/ipv6/exthdrs.c | 16 +++++++++-------
net/ipv6/ioam6.c | 8 ++++----
net/ipv6/ip6_input.c | 2 +-
net/ipv6/mcast.c | 14 +++++++-------
net/ipv6/ndisc.c | 12 ++++++------
net/ipv6/seg6_hmac.c | 8 +++++---
7 files changed, 57 insertions(+), 50 deletions(-)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1502,15 +1502,17 @@ static inline int ipv6_saddr_preferred(i
return 0;
}
-static bool ipv6_use_optimistic_addr(struct net *net,
- struct inet6_dev *idev)
+static bool ipv6_use_optimistic_addr(const struct net *net,
+ const struct inet6_dev *idev)
{
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
if (!idev)
return false;
- if (!net->ipv6.devconf_all->optimistic_dad && !idev->cnf.optimistic_dad)
+ if (!READ_ONCE(net->ipv6.devconf_all->optimistic_dad) &&
+ !READ_ONCE(idev->cnf.optimistic_dad))
return false;
- if (!net->ipv6.devconf_all->use_optimistic && !idev->cnf.use_optimistic)
+ if (!READ_ONCE(net->ipv6.devconf_all->use_optimistic) &&
+ !READ_ONCE(idev->cnf.use_optimistic))
return false;
return true;
@@ -1519,13 +1521,14 @@ static bool ipv6_use_optimistic_addr(str
#endif
}
-static bool ipv6_allow_optimistic_dad(struct net *net,
- struct inet6_dev *idev)
+static bool ipv6_allow_optimistic_dad(const struct net *net,
+ const struct inet6_dev *idev)
{
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
if (!idev)
return false;
- if (!net->ipv6.devconf_all->optimistic_dad && !idev->cnf.optimistic_dad)
+ if (!READ_ONCE(net->ipv6.devconf_all->optimistic_dad) &&
+ !READ_ONCE(idev->cnf.optimistic_dad))
return false;
return true;
@@ -1807,7 +1810,7 @@ int ipv6_dev_get_saddr(struct net *net,
idev = __in6_dev_get(dst_dev);
if ((dst_type & IPV6_ADDR_MULTICAST) ||
dst.scope <= IPV6_ADDR_SCOPE_LINKLOCAL ||
- (idev && idev->cnf.use_oif_addrs_only)) {
+ (idev && READ_ONCE(idev->cnf.use_oif_addrs_only))) {
use_oif_addr = true;
}
}
@@ -2631,8 +2634,8 @@ int addrconf_prefix_rcv_add_addr(struct
};
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
- if ((net->ipv6.devconf_all->optimistic_dad ||
- in6_dev->cnf.optimistic_dad) &&
+ if ((READ_ONCE(net->ipv6.devconf_all->optimistic_dad) ||
+ READ_ONCE(in6_dev->cnf.optimistic_dad)) &&
!net->ipv6.devconf_all->forwarding && sllao)
cfg.ifa_flags |= IFA_F_OPTIMISTIC;
#endif
@@ -3229,8 +3232,8 @@ void addrconf_add_linklocal(struct inet6
struct inet6_ifaddr *ifp;
#ifdef CONFIG_IPV6_OPTIMISTIC_DAD
- if ((dev_net(idev->dev)->ipv6.devconf_all->optimistic_dad ||
- idev->cnf.optimistic_dad) &&
+ if ((READ_ONCE(dev_net(idev->dev)->ipv6.devconf_all->optimistic_dad) ||
+ READ_ONCE(idev->cnf.optimistic_dad)) &&
!dev_net(idev->dev)->ipv6.devconf_all->forwarding)
cfg.ifa_flags |= IFA_F_OPTIMISTIC;
#endif
@@ -3798,10 +3801,10 @@ static int addrconf_ifdown(struct net_de
*/
if (!unregister && !idev->cnf.disable_ipv6) {
/* aggregate the system setting and interface setting */
- int _keep_addr = net->ipv6.devconf_all->keep_addr_on_down;
+ int _keep_addr = READ_ONCE(net->ipv6.devconf_all->keep_addr_on_down);
if (!_keep_addr)
- _keep_addr = idev->cnf.keep_addr_on_down;
+ _keep_addr = READ_ONCE(idev->cnf.keep_addr_on_down);
keep_addr = (_keep_addr > 0);
}
@@ -4024,8 +4027,8 @@ static void addrconf_dad_begin(struct in
net = dev_net(dev);
if (dev->flags&(IFF_NOARP|IFF_LOOPBACK) ||
- (net->ipv6.devconf_all->accept_dad < 1 &&
- idev->cnf.accept_dad < 1) ||
+ (READ_ONCE(net->ipv6.devconf_all->accept_dad) < 1 &&
+ READ_ONCE(idev->cnf.accept_dad) < 1) ||
!(ifp->flags&IFA_F_TENTATIVE) ||
ifp->flags & IFA_F_NODAD) {
bool send_na = false;
@@ -4117,8 +4120,8 @@ static void addrconf_dad_work(struct wor
action = DAD_ABORT;
ifp->state = INET6_IFADDR_STATE_POSTDAD;
- if ((dev_net(idev->dev)->ipv6.devconf_all->accept_dad > 1 ||
- idev->cnf.accept_dad > 1) &&
+ if ((READ_ONCE(dev_net(idev->dev)->ipv6.devconf_all->accept_dad) > 1 ||
+ READ_ONCE(idev->cnf.accept_dad) > 1) &&
!idev->cnf.disable_ipv6 &&
!(ifp->flags & IFA_F_STABLE_PRIVACY)) {
struct in6_addr addr;
@@ -4256,8 +4259,8 @@ static void addrconf_dad_completed(struc
/* send unsolicited NA if enabled */
if (send_na &&
- (ifp->idev->cnf.ndisc_notify ||
- dev_net(dev)->ipv6.devconf_all->ndisc_notify)) {
+ (READ_ONCE(ifp->idev->cnf.ndisc_notify) ||
+ READ_ONCE(dev_net(dev)->ipv6.devconf_all->ndisc_notify))) {
ndisc_send_na(dev, &in6addr_linklocal_allnodes, &ifp->addr,
/*router=*/ !!ifp->idev->cnf.forwarding,
/*solicited=*/ false, /*override=*/ true,
@@ -6431,7 +6434,7 @@ static int addrconf_sysctl_addr_gen_mode
} else if (&net->ipv6.devconf_all->addr_gen_mode == ctl->data) {
struct net_device *dev;
- net->ipv6.devconf_dflt->addr_gen_mode = new_val;
+ WRITE_ONCE(net->ipv6.devconf_dflt->addr_gen_mode, new_val);
for_each_netdev(net, dev) {
idev = __in6_dev_get(dev);
if (idev &&
@@ -6442,7 +6445,7 @@ static int addrconf_sysctl_addr_gen_mode
}
}
- *((u32 *)ctl->data) = new_val;
+ WRITE_ONCE(*((u32 *)ctl->data), new_val);
}
out:
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -382,9 +382,8 @@ static int ipv6_srh_rcv(struct sk_buff *
return -1;
}
- accept_seg6 = net->ipv6.devconf_all->seg6_enabled;
- if (accept_seg6 > idev->cnf.seg6_enabled)
- accept_seg6 = idev->cnf.seg6_enabled;
+ accept_seg6 = min(READ_ONCE(net->ipv6.devconf_all->seg6_enabled),
+ READ_ONCE(idev->cnf.seg6_enabled));
if (!accept_seg6) {
kfree_skb(skb);
@@ -689,11 +688,14 @@ static int ipv6_rthdr_rcv(struct sk_buff
struct ipv6_rt_hdr *hdr;
struct rt0_hdr *rthdr;
struct net *net = dev_net(skb->dev);
- int accept_source_route = net->ipv6.devconf_all->accept_source_route;
+ int accept_source_route;
idev = __in6_dev_get(skb->dev);
- if (idev && accept_source_route > idev->cnf.accept_source_route)
- accept_source_route = idev->cnf.accept_source_route;
+ accept_source_route = READ_ONCE(net->ipv6.devconf_all->accept_source_route);
+
+ if (idev)
+ accept_source_route = min(accept_source_route,
+ READ_ONCE(idev->cnf.accept_source_route));
if (!pskb_may_pull(skb, skb_transport_offset(skb) + 8) ||
!pskb_may_pull(skb, (skb_transport_offset(skb) +
@@ -957,7 +959,7 @@ static bool ipv6_hop_ioam(struct sk_buff
goto drop;
/* Ignore if IOAM is not enabled on ingress */
- if (!__in6_dev_get(skb->dev)->cnf.ioam6_enabled)
+ if (!READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_enabled))
goto ignore;
/* Truncated Option header */
--- a/net/ipv6/ioam6.c
+++ b/net/ipv6/ioam6.c
@@ -673,7 +673,7 @@ static void __ioam6_fill_trace_data(stru
if (!skb->dev)
raw16 = IOAM6_U16_UNAVAILABLE;
else
- raw16 = (__force u16)__in6_dev_get(skb->dev)->cnf.ioam6_id;
+ raw16 = (__force u16)READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id);
*(__be16 *)data = cpu_to_be16(raw16);
data += sizeof(__be16);
@@ -681,7 +681,7 @@ static void __ioam6_fill_trace_data(stru
if (skb_dst(skb)->dev->flags & IFF_LOOPBACK)
raw16 = IOAM6_U16_UNAVAILABLE;
else
- raw16 = (__force u16)__in6_dev_get(skb_dst(skb)->dev)->cnf.ioam6_id;
+ raw16 = (__force u16)READ_ONCE(__in6_dev_get(skb_dst(skb)->dev)->cnf.ioam6_id);
*(__be16 *)data = cpu_to_be16(raw16);
data += sizeof(__be16);
@@ -758,7 +758,7 @@ static void __ioam6_fill_trace_data(stru
if (!skb->dev)
raw32 = IOAM6_U32_UNAVAILABLE;
else
- raw32 = __in6_dev_get(skb->dev)->cnf.ioam6_id_wide;
+ raw32 = READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_id_wide);
*(__be32 *)data = cpu_to_be32(raw32);
data += sizeof(__be32);
@@ -766,7 +766,7 @@ static void __ioam6_fill_trace_data(stru
if (skb_dst(skb)->dev->flags & IFF_LOOPBACK)
raw32 = IOAM6_U32_UNAVAILABLE;
else
- raw32 = __in6_dev_get(skb_dst(skb)->dev)->cnf.ioam6_id_wide;
+ raw32 = READ_ONCE(__in6_dev_get(skb_dst(skb)->dev)->cnf.ioam6_id_wide);
*(__be32 *)data = cpu_to_be32(raw32);
data += sizeof(__be32);
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -228,7 +228,7 @@ static struct sk_buff *ip6_rcv_core(stru
if (!ipv6_addr_is_multicast(&hdr->daddr) &&
(skb->pkt_type == PACKET_BROADCAST ||
skb->pkt_type == PACKET_MULTICAST) &&
- idev->cnf.drop_unicast_in_l2_multicast)
+ READ_ONCE(idev->cnf.drop_unicast_in_l2_multicast))
goto err;
/* RFC4291 2.7
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -159,9 +159,9 @@ static int unsolicited_report_interval(s
int iv;
if (mld_in_v1_mode(idev))
- iv = idev->cnf.mldv1_unsolicited_report_interval;
+ iv = READ_ONCE(idev->cnf.mldv1_unsolicited_report_interval);
else
- iv = idev->cnf.mldv2_unsolicited_report_interval;
+ iv = READ_ONCE(idev->cnf.mldv2_unsolicited_report_interval);
return iv > 0 ? iv : 1;
}
@@ -1201,15 +1201,15 @@ static bool mld_marksources(struct ifmca
static int mld_force_mld_version(const struct inet6_dev *idev)
{
+ const struct net *net = dev_net(idev->dev);
+ int all_force;
+
+ all_force = READ_ONCE(net->ipv6.devconf_all->force_mld_version);
/* Normally, both are 0 here. If enforcement to a particular is
* being used, individual device enforcement will have a lower
* precedence over 'all' device (.../conf/all/force_mld_version).
*/
-
- if (dev_net(idev->dev)->ipv6.devconf_all->force_mld_version != 0)
- return dev_net(idev->dev)->ipv6.devconf_all->force_mld_version;
- else
- return idev->cnf.force_mld_version;
+ return all_force ?: READ_ONCE(idev->cnf.force_mld_version);
}
static bool mld_in_v2_mode_only(const struct inet6_dev *idev)
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -450,7 +450,7 @@ static void ip6_nd_hdr(struct sk_buff *s
rcu_read_lock();
idev = __in6_dev_get(skb->dev);
- tclass = idev ? idev->cnf.ndisc_tclass : 0;
+ tclass = idev ? READ_ONCE(idev->cnf.ndisc_tclass) : 0;
rcu_read_unlock();
skb_push(skb, sizeof(*hdr));
@@ -538,7 +538,7 @@ void ndisc_send_na(struct net_device *de
src_addr = solicited_addr;
if (ifp->flags & IFA_F_OPTIMISTIC)
override = false;
- inc_opt |= ifp->idev->cnf.force_tllao;
+ inc_opt |= READ_ONCE(ifp->idev->cnf.force_tllao);
in6_ifa_put(ifp);
} else {
if (ipv6_dev_get_saddr(dev_net(dev), dev, daddr,
@@ -991,7 +991,7 @@ static void ndisc_recv_na(struct sk_buff
* and thus should not be accepted.
*/
if (!msg->icmph.icmp6_solicited && idev &&
- idev->cnf.drop_unsolicited_na)
+ READ_ONCE(idev->cnf.drop_unsolicited_na))
return;
if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts)) {
@@ -1749,7 +1749,7 @@ static bool ndisc_suppress_frag_ndisc(st
if (!idev)
return true;
if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED &&
- idev->cnf.suppress_frag_ndisc) {
+ READ_ONCE(idev->cnf.suppress_frag_ndisc)) {
net_warn_ratelimited("Received fragmented ndisc packet. Carefully consider disabling suppress_frag_ndisc.\n");
return true;
}
@@ -1824,8 +1824,8 @@ static int ndisc_netdev_event(struct not
idev = in6_dev_get(dev);
if (!idev)
break;
- if (idev->cnf.ndisc_notify ||
- net->ipv6.devconf_all->ndisc_notify)
+ if (READ_ONCE(idev->cnf.ndisc_notify) ||
+ READ_ONCE(net->ipv6.devconf_all->ndisc_notify))
ndisc_send_unsol_na(dev);
in6_dev_put(idev);
break;
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -242,6 +242,7 @@ bool seg6_hmac_validate_skb(struct sk_bu
struct sr6_tlv_hmac *tlv;
struct ipv6_sr_hdr *srh;
struct inet6_dev *idev;
+ int require_hmac;
idev = __in6_dev_get(skb->dev);
if (!idev)
@@ -251,16 +252,17 @@ bool seg6_hmac_validate_skb(struct sk_bu
tlv = seg6_get_tlv_hmac(srh);
+ require_hmac = READ_ONCE(idev->cnf.seg6_require_hmac);
/* mandatory check but no tlv */
- if (idev->cnf.seg6_require_hmac > 0 && !tlv)
+ if (require_hmac > 0 && !tlv)
return false;
/* no check */
- if (idev->cnf.seg6_require_hmac < 0)
+ if (require_hmac < 0)
return true;
/* check only if present */
- if (idev->cnf.seg6_require_hmac == 0 && !tlv)
+ if (require_hmac == 0 && !tlv)
return true;
/* now, seg6_require_hmac >= 0 && tlv */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 351/411] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 350/411] ipv6/addrconf: annotate data-races around devconf fields (II) Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 352/411] use less confusing names for iov_iter direction initializers Greg Kroah-Hartman
` (60 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Iurman, Ido Schimmel,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Iurman <justin.iurman@gmail.com>
[ Upstream commit d4ea0dfd75011b78cebf3808f98ac4c4f51a6fb9 ]
Reported by Sashiko:
The function ipv6_hop_ioam() accesses
__in6_dev_get(skb->dev)->cnf.ioam6_enabled without validating the returned
idev pointer. Because addrconf_ifdown() can concurrently clear dev->ip6_ptr
via RCU, __in6_dev_get() can return NULL during interface teardown, which
could cause a NULL pointer dereference when processing an IOAM Hop-by-Hop
option.
Let's add a check and use SKB_DROP_REASON_IPV6DISABLED accordingly.
Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace")
Cc: stable@vger.kernel.org
Signed-off-by: Justin Iurman <justin.iurman@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260517183059.29140-1-justin.iurman@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/exthdrs.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -952,14 +952,20 @@ static bool ipv6_hop_ioam(struct sk_buff
{
struct ioam6_trace_hdr *trace;
struct ioam6_namespace *ns;
+ struct inet6_dev *idev;
struct ioam6_hdr *hdr;
/* Bad alignment (must be 4n-aligned) */
if (optoff & 3)
goto drop;
+ /* Does the device still have IPv6 configuration? */
+ idev = __in6_dev_get(skb->dev);
+ if (!idev)
+ goto drop;
+
/* Ignore if IOAM is not enabled on ingress */
- if (!READ_ONCE(__in6_dev_get(skb->dev)->cnf.ioam6_enabled))
+ if (!READ_ONCE(idev->cnf.ioam6_enabled))
goto ignore;
/* Truncated Option header */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 352/411] use less confusing names for iov_iter direction initializers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 351/411] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 353/411] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
` (59 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit de4eda9de2d957ef2d6a8365a01e26a435e958cb ]
READ/WRITE proved to be actively confusing - the meanings are
"data destination, as used with read(2)" and "data source, as
used with write(2)", but people keep interpreting those as
"we read data from it" and "we write data to it", i.e. exactly
the wrong way.
Call them ITER_DEST and ITER_SOURCE - at least that is harder
to misinterpret...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Stable-dep-of: a4f0b001782b ("vsock/virtio: reset connection on receiving queue overflow")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/microcode/intel.c | 4 ++--
crypto/testmgr.c | 4 ++--
drivers/block/drbd/drbd_main.c | 2 +-
drivers/block/drbd/drbd_receiver.c | 2 +-
drivers/block/loop.c | 14 +++++++-------
drivers/block/nbd.c | 10 +++++-----
drivers/char/random.c | 4 ++--
drivers/fsi/fsi-sbefifo.c | 6 +++---
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +-
drivers/isdn/mISDN/l1oip_core.c | 2 +-
drivers/misc/vmw_vmci/vmci_queue_pair.c | 6 +++---
drivers/net/ppp/ppp_generic.c | 2 +-
drivers/nvme/host/tcp.c | 4 ++--
drivers/nvme/target/io-cmd-file.c | 4 ++--
drivers/nvme/target/tcp.c | 2 +-
drivers/scsi/sg.c | 2 +-
drivers/target/iscsi/iscsi_target_util.c | 4 ++--
drivers/target/target_core_file.c | 2 +-
drivers/usb/usbip/usbip_common.c | 2 +-
drivers/vhost/net.c | 6 +++---
drivers/vhost/scsi.c | 10 +++++-----
drivers/vhost/vhost.c | 6 +++---
drivers/vhost/vringh.c | 4 ++--
drivers/vhost/vsock.c | 4 ++--
drivers/xen/pvcalls-back.c | 8 ++++----
fs/9p/vfs_addr.c | 4 ++--
fs/9p/vfs_dir.c | 2 +-
fs/9p/xattr.c | 4 ++--
fs/afs/cmservice.c | 2 +-
fs/afs/dir.c | 2 +-
fs/afs/file.c | 4 ++--
fs/afs/internal.h | 4 ++--
fs/afs/rxrpc.c | 10 +++++-----
fs/afs/write.c | 4 ++--
fs/aio.c | 4 ++--
fs/ceph/addr.c | 2 +-
fs/ceph/file.c | 4 ++--
fs/cifs/connect.c | 6 +++---
fs/cifs/file.c | 4 ++--
fs/cifs/smb2ops.c | 4 ++--
fs/cifs/transport.c | 6 +++---
fs/fuse/ioctl.c | 4 ++--
fs/nfsd/vfs.c | 4 ++--
fs/ocfs2/cluster/tcp.c | 2 +-
fs/orangefs/inode.c | 8 ++++----
fs/read_write.c | 12 ++++++------
fs/seq_file.c | 2 +-
fs/splice.c | 10 +++++-----
include/linux/uio.h | 3 +++
mm/madvise.c | 2 +-
mm/page_io.c | 2 +-
mm/process_vm_access.c | 2 +-
net/9p/client.c | 2 +-
net/bluetooth/6lowpan.c | 2 +-
net/bluetooth/a2mp.c | 2 +-
net/bluetooth/smp.c | 2 +-
net/ceph/messenger_v1.c | 4 ++--
net/ceph/messenger_v2.c | 14 +++++++-------
net/compat.c | 2 +-
net/ipv4/tcp.c | 4 ++--
net/netfilter/ipvs/ip_vs_sync.c | 2 +-
net/smc/smc_clc.c | 6 +++---
net/socket.c | 12 ++++++------
net/sunrpc/socklib.c | 6 +++---
net/sunrpc/svcsock.c | 4 ++--
net/sunrpc/xprtsock.c | 6 +++---
net/tipc/topsrv.c | 2 +-
net/tls/tls_device.c | 4 ++--
net/xfrm/espintcp.c | 2 +-
security/keys/keyctl.c | 4 ++--
70 files changed, 158 insertions(+), 155 deletions(-)
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -940,7 +940,7 @@ static enum ucode_state request_microcod
kvec.iov_base = (void *)firmware->data;
kvec.iov_len = firmware->size;
- iov_iter_kvec(&iter, WRITE, &kvec, 1, firmware->size);
+ iov_iter_kvec(&iter, ITER_SOURCE, &kvec, 1, firmware->size);
ret = generic_load_microcode(cpu, &iter);
release_firmware(firmware);
@@ -959,7 +959,7 @@ request_microcode_user(int cpu, const vo
iov.iov_base = (void __user *)buf;
iov.iov_len = size;
- iov_iter_init(&iter, WRITE, &iov, 1, size);
+ iov_iter_init(&iter, ITER_SOURCE, &iov, 1, size);
return generic_load_microcode(cpu, &iter);
}
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -750,7 +750,7 @@ static int build_cipher_test_sglists(str
struct iov_iter input;
int err;
- iov_iter_kvec(&input, WRITE, inputs, nr_inputs, src_total_len);
+ iov_iter_kvec(&input, ITER_SOURCE, inputs, nr_inputs, src_total_len);
err = build_test_sglist(&tsgls->src, cfg->src_divs, alignmask,
cfg->inplace ?
max(dst_total_len, src_total_len) :
@@ -1133,7 +1133,7 @@ static int build_hash_sglist(struct test
kv.iov_base = (void *)vec->plaintext;
kv.iov_len = vec->psize;
- iov_iter_kvec(&input, WRITE, &kv, 1, vec->psize);
+ iov_iter_kvec(&input, ITER_SOURCE, &kv, 1, vec->psize);
return build_test_sglist(tsgl, cfg->src_divs, alignmask, vec->psize,
&input, divs);
}
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -1843,7 +1843,7 @@ int drbd_send(struct drbd_connection *co
/* THINK if (signal_pending) return ... ? */
- iov_iter_kvec(&msg.msg_iter, WRITE, &iov, 1, size);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, &iov, 1, size);
if (sock == connection->data.socket) {
rcu_read_lock();
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -507,7 +507,7 @@ static int drbd_recv_short(struct socket
struct msghdr msg = {
.msg_flags = (flags ? flags : MSG_WAITALL | MSG_NOSIGNAL)
};
- iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, size);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &iov, 1, size);
return sock_recvmsg(sock, &msg, msg.msg_flags);
}
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -310,7 +310,7 @@ static int lo_write_bvec(struct file *fi
struct iov_iter i;
ssize_t bw;
- iov_iter_bvec(&i, WRITE, bvec, 1, bvec->bv_len);
+ iov_iter_bvec(&i, ITER_SOURCE, bvec, 1, bvec->bv_len);
file_start_write(file);
bw = vfs_iter_write(file, &i, ppos, 0);
@@ -388,7 +388,7 @@ static int lo_read_simple(struct loop_de
ssize_t len;
rq_for_each_segment(bvec, rq, iter) {
- iov_iter_bvec(&i, READ, &bvec, 1, bvec.bv_len);
+ iov_iter_bvec(&i, ITER_DEST, &bvec, 1, bvec.bv_len);
len = vfs_iter_read(lo->lo_backing_file, &i, &pos, 0);
if (len < 0)
return len;
@@ -429,7 +429,7 @@ static int lo_read_transfer(struct loop_
b.bv_offset = 0;
b.bv_len = bvec.bv_len;
- iov_iter_bvec(&i, READ, &b, 1, b.bv_len);
+ iov_iter_bvec(&i, ITER_DEST, &b, 1, b.bv_len);
len = vfs_iter_read(lo->lo_backing_file, &i, &pos, 0);
if (len < 0) {
ret = len;
@@ -551,7 +551,7 @@ static void lo_rw_aio_complete(struct ki
}
static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
- loff_t pos, bool rw)
+ loff_t pos, int rw)
{
struct iov_iter iter;
struct req_iterator rq_iter;
@@ -607,7 +607,7 @@ static int lo_rw_aio(struct loop_device
cmd->iocb.ki_flags = IOCB_DIRECT;
cmd->iocb.ki_ioprio = req_get_ioprio(rq);
- if (rw == WRITE)
+ if (rw == ITER_SOURCE)
ret = call_write_iter(file, &cmd->iocb, &iter);
else
ret = call_read_iter(file, &cmd->iocb, &iter);
@@ -651,14 +651,14 @@ static int do_req_filebacked(struct loop
if (lo->transfer)
return lo_write_transfer(lo, rq, pos);
else if (cmd->use_aio)
- return lo_rw_aio(lo, cmd, pos, WRITE);
+ return lo_rw_aio(lo, cmd, pos, ITER_SOURCE);
else
return lo_write_simple(lo, rq, pos);
case REQ_OP_READ:
if (lo->transfer)
return lo_read_transfer(lo, rq, pos);
else if (cmd->use_aio)
- return lo_rw_aio(lo, cmd, pos, READ);
+ return lo_rw_aio(lo, cmd, pos, ITER_DEST);
else
return lo_read_simple(lo, rq, pos);
default:
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -562,7 +562,7 @@ static int nbd_send_cmd(struct nbd_devic
u32 nbd_cmd_flags = 0;
int sent = nsock->sent, skip = 0;
- iov_iter_kvec(&from, WRITE, &iov, 1, sizeof(request));
+ iov_iter_kvec(&from, ITER_SOURCE, &iov, 1, sizeof(request));
type = req_to_nbd_cmd_type(req);
if (type == U32_MAX)
@@ -648,7 +648,7 @@ send_pages:
dev_dbg(nbd_to_dev(nbd), "request %p: sending %d bytes data\n",
req, bvec.bv_len);
- iov_iter_bvec(&from, WRITE, &bvec, 1, bvec.bv_len);
+ iov_iter_bvec(&from, ITER_SOURCE, &bvec, 1, bvec.bv_len);
if (skip) {
if (skip >= iov_iter_count(&from)) {
skip -= iov_iter_count(&from);
@@ -700,7 +700,7 @@ static int nbd_read_reply(struct nbd_dev
int result;
reply->magic = 0;
- iov_iter_kvec(&to, READ, &iov, 1, sizeof(*reply));
+ iov_iter_kvec(&to, ITER_DEST, &iov, 1, sizeof(*reply));
result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL);
if (result < 0) {
if (!nbd_disconnected(nbd->config))
@@ -777,7 +777,7 @@ static struct nbd_cmd *nbd_handle_reply(
struct iov_iter to;
rq_for_each_segment(bvec, req, iter) {
- iov_iter_bvec(&to, READ, &bvec, 1, bvec.bv_len);
+ iov_iter_bvec(&to, ITER_DEST, &bvec, 1, bvec.bv_len);
result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL);
if (result < 0) {
dev_err(disk_to_dev(nbd->disk), "Receive data failed (result %d)\n",
@@ -1228,7 +1228,7 @@ static void send_disconnects(struct nbd_
for (i = 0; i < config->num_connections; i++) {
struct nbd_sock *nsock = config->socks[i];
- iov_iter_kvec(&from, WRITE, &iov, 1, sizeof(request));
+ iov_iter_kvec(&from, ITER_SOURCE, &iov, 1, sizeof(request));
mutex_lock(&nsock->tx_lock);
ret = sock_xmit(nbd, i, 1, &from, 0, NULL);
if (ret < 0)
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1236,7 +1236,7 @@ SYSCALL_DEFINE3(getrandom, char __user *
return ret;
}
- ret = import_single_range(READ, ubuf, len, &iov, &iter);
+ ret = import_single_range(ITER_DEST, ubuf, len, &iov, &iter);
if (unlikely(ret))
return ret;
return get_random_bytes_user(&iter);
@@ -1347,7 +1347,7 @@ static long random_ioctl(struct file *f,
return -EINVAL;
if (get_user(len, p++))
return -EFAULT;
- ret = import_single_range(WRITE, p, len, &iov, &iter);
+ ret = import_single_range(ITER_SOURCE, p, len, &iov, &iter);
if (unlikely(ret))
return ret;
ret = write_pool_user(&iter);
--- a/drivers/fsi/fsi-sbefifo.c
+++ b/drivers/fsi/fsi-sbefifo.c
@@ -640,7 +640,7 @@ static void sbefifo_collect_async_ffdc(s
}
ffdc_iov.iov_base = ffdc;
ffdc_iov.iov_len = SBEFIFO_MAX_FFDC_SIZE;
- iov_iter_kvec(&ffdc_iter, READ, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE);
+ iov_iter_kvec(&ffdc_iter, ITER_DEST, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE);
cmd[0] = cpu_to_be32(2);
cmd[1] = cpu_to_be32(SBEFIFO_CMD_GET_SBE_FFDC);
rc = sbefifo_do_command(sbefifo, cmd, 2, &ffdc_iter);
@@ -737,7 +737,7 @@ int sbefifo_submit(struct device *dev, c
rbytes = (*resp_len) * sizeof(__be32);
resp_iov.iov_base = response;
resp_iov.iov_len = rbytes;
- iov_iter_kvec(&resp_iter, READ, &resp_iov, 1, rbytes);
+ iov_iter_kvec(&resp_iter, ITER_DEST, &resp_iov, 1, rbytes);
/* Perform the command */
mutex_lock(&sbefifo->lock);
@@ -817,7 +817,7 @@ static ssize_t sbefifo_user_read(struct
/* Prepare iov iterator */
resp_iov.iov_base = buf;
resp_iov.iov_len = len;
- iov_iter_init(&resp_iter, READ, &resp_iov, 1, len);
+ iov_iter_init(&resp_iter, ITER_DEST, &resp_iov, 1, len);
/* Perform the command */
mutex_lock(&sbefifo->lock);
--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
@@ -968,7 +968,7 @@ static void rtrs_clt_init_req(struct rtr
refcount_set(&req->ref, 1);
req->mp_policy = clt_path->clt->mp_policy;
- iov_iter_kvec(&iter, WRITE, vec, 1, usr_len);
+ iov_iter_kvec(&iter, ITER_SOURCE, vec, 1, usr_len);
len = _copy_from_iter(req->iu->buf, usr_len, &iter);
WARN_ON(len != usr_len);
--- a/drivers/isdn/mISDN/l1oip_core.c
+++ b/drivers/isdn/mISDN/l1oip_core.c
@@ -706,7 +706,7 @@ l1oip_socket_thread(void *data)
printk(KERN_DEBUG "%s: socket created and open\n",
__func__);
while (!signal_pending(current)) {
- iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, recvbuf_size);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &iov, 1, recvbuf_size);
recvlen = sock_recvmsg(socket, &msg, 0);
if (recvlen > 0) {
l1oip_socket_parse(hc, &sin_rx, recvbuf, recvlen);
--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
+++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
@@ -3032,7 +3032,7 @@ ssize_t vmci_qpair_enqueue(struct vmci_q
if (!qpair || !buf)
return VMCI_ERROR_INVALID_ARGS;
- iov_iter_kvec(&from, WRITE, &v, 1, buf_size);
+ iov_iter_kvec(&from, ITER_SOURCE, &v, 1, buf_size);
qp_lock(qpair);
@@ -3076,7 +3076,7 @@ ssize_t vmci_qpair_dequeue(struct vmci_q
if (!qpair || !buf)
return VMCI_ERROR_INVALID_ARGS;
- iov_iter_kvec(&to, READ, &v, 1, buf_size);
+ iov_iter_kvec(&to, ITER_DEST, &v, 1, buf_size);
qp_lock(qpair);
@@ -3121,7 +3121,7 @@ ssize_t vmci_qpair_peek(struct vmci_qp *
if (!qpair || !buf)
return VMCI_ERROR_INVALID_ARGS;
- iov_iter_kvec(&to, READ, &v, 1, buf_size);
+ iov_iter_kvec(&to, ITER_DEST, &v, 1, buf_size);
qp_lock(qpair);
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -492,7 +492,7 @@ static ssize_t ppp_read(struct file *fil
ret = -EFAULT;
iov.iov_base = buf;
iov.iov_len = count;
- iov_iter_init(&to, READ, &iov, 1, count);
+ iov_iter_init(&to, ITER_DEST, &iov, 1, count);
if (skb_copy_datagram_iter(skb, 0, &to, skb->len))
goto outf;
ret = skb->len;
--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -297,7 +297,7 @@ static inline void nvme_tcp_advance_req(
if (!iov_iter_count(&req->iter) &&
req->data_sent < req->data_len) {
req->curr_bio = req->curr_bio->bi_next;
- nvme_tcp_init_iter(req, WRITE);
+ nvme_tcp_init_iter(req, ITER_SOURCE);
}
}
@@ -775,7 +775,7 @@ static int nvme_tcp_recv_data(struct nvm
nvme_tcp_init_recv_ctx(queue);
return -EIO;
}
- nvme_tcp_init_iter(req, READ);
+ nvme_tcp_init_iter(req, ITER_DEST);
}
/* we can read only from what is left in this bio */
--- a/drivers/nvme/target/io-cmd-file.c
+++ b/drivers/nvme/target/io-cmd-file.c
@@ -92,10 +92,10 @@ static ssize_t nvmet_file_submit_bvec(st
if (req->cmd->rw.control & cpu_to_le16(NVME_RW_FUA))
ki_flags |= IOCB_DSYNC;
call_iter = req->ns->file->f_op->write_iter;
- rw = WRITE;
+ rw = ITER_SOURCE;
} else {
call_iter = req->ns->file->f_op->read_iter;
- rw = READ;
+ rw = ITER_DEST;
}
iov_iter_bvec(&iter, rw, req->f.bvec, nr_segs, count);
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -351,7 +351,7 @@ static void nvmet_tcp_build_pdu_iovec(st
sg_offset = 0;
}
- iov_iter_bvec(&cmd->recv_msg.msg_iter, READ, cmd->iov,
+ iov_iter_bvec(&cmd->recv_msg.msg_iter, ITER_DEST, cmd->iov,
nr_pages, cmd->pdu_len);
}
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1721,7 +1721,7 @@ sg_start_req(Sg_request *srp, unsigned c
Sg_scatter_hold *rsv_schp = &sfp->reserve;
struct request_queue *q = sfp->parentdp->device->request_queue;
struct rq_map_data *md, map_data;
- int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? WRITE : READ;
+ int rw = hp->dxfer_direction == SG_DXFER_TO_DEV ? ITER_SOURCE : ITER_DEST;
unsigned char *long_cmdp = NULL;
SCSI_LOG_TIMEOUT(4, sg_printk(KERN_INFO, sfp->parentdp,
--- a/drivers/target/iscsi/iscsi_target_util.c
+++ b/drivers/target/iscsi/iscsi_target_util.c
@@ -1231,7 +1231,7 @@ int rx_data(
return -1;
memset(&msg, 0, sizeof(struct msghdr));
- iov_iter_kvec(&msg.msg_iter, READ, iov, iov_count, data);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, iov, iov_count, data);
while (msg_data_left(&msg)) {
rx_loop = sock_recvmsg(conn->sock, &msg, MSG_WAITALL);
@@ -1267,7 +1267,7 @@ int tx_data(
memset(&msg, 0, sizeof(struct msghdr));
- iov_iter_kvec(&msg.msg_iter, WRITE, iov, iov_count, data);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iov, iov_count, data);
while (msg_data_left(&msg)) {
int tx_loop = sock_sendmsg(conn->sock, &msg);
--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -472,7 +472,7 @@ fd_execute_write_same(struct se_cmd *cmd
len += se_dev->dev_attrib.block_size;
}
- iov_iter_bvec(&iter, WRITE, bvec, nolb, len);
+ iov_iter_bvec(&iter, ITER_SOURCE, bvec, nolb, len);
ret = vfs_iter_write(fd_dev->fd_file, &iter, &pos, 0);
kfree(bvec);
--- a/drivers/usb/usbip/usbip_common.c
+++ b/drivers/usb/usbip/usbip_common.c
@@ -309,7 +309,7 @@ int usbip_recv(struct socket *sock, void
if (!sock || !buf || !size)
return -EINVAL;
- iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, size);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &iov, 1, size);
usbip_dbg_xmit("enter\n");
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -615,7 +615,7 @@ static size_t init_iov_iter(struct vhost
/* Skip header. TODO: support TSO. */
size_t len = iov_length(vq->iov, out);
- iov_iter_init(iter, WRITE, vq->iov, out, len);
+ iov_iter_init(iter, ITER_SOURCE, vq->iov, out, len);
iov_iter_advance(iter, hdr_size);
return iov_iter_count(iter);
@@ -1193,14 +1193,14 @@ static void handle_rx(struct vhost_net *
msg.msg_control = vhost_net_buf_consume(&nvq->rxq);
/* On overrun, truncate and discard */
if (unlikely(headcount > UIO_MAXIOV)) {
- iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
+ iov_iter_init(&msg.msg_iter, ITER_DEST, vq->iov, 1, 1);
err = sock->ops->recvmsg(sock, &msg,
1, MSG_DONTWAIT | MSG_TRUNC);
pr_debug("Discarded rx packet: len %zd\n", sock_len);
continue;
}
/* We don't need to be notified again. */
- iov_iter_init(&msg.msg_iter, READ, vq->iov, in, vhost_len);
+ iov_iter_init(&msg.msg_iter, ITER_DEST, vq->iov, in, vhost_len);
fixup = msg.msg_iter;
if (unlikely((vhost_hlen))) {
/* We will supply the header ourselves
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -558,7 +558,7 @@ static void vhost_scsi_complete_cmd_work
memcpy(v_rsp.sense, cmd->tvc_sense_buf,
se_cmd->scsi_sense_length);
- iov_iter_init(&iov_iter, READ, &cmd->tvc_resp_iov,
+ iov_iter_init(&iov_iter, ITER_DEST, &cmd->tvc_resp_iov,
cmd->tvc_in_iovs, sizeof(v_rsp));
ret = copy_to_iter(&v_rsp, sizeof(v_rsp), &iov_iter);
if (likely(ret == sizeof(v_rsp))) {
@@ -863,7 +863,7 @@ vhost_scsi_get_desc(struct vhost_scsi *v
* point at the start of the outgoing WRITE payload, if
* DMA_TO_DEVICE is set.
*/
- iov_iter_init(&vc->out_iter, WRITE, vq->iov, vc->out, vc->out_size);
+ iov_iter_init(&vc->out_iter, ITER_SOURCE, vq->iov, vc->out, vc->out_size);
ret = 0;
done:
@@ -1016,7 +1016,7 @@ vhost_scsi_handle_vq(struct vhost_scsi *
data_direction = DMA_FROM_DEVICE;
exp_data_len = vc.in_size - vc.rsp_size;
- iov_iter_init(&in_iter, READ, &vq->iov[vc.out], vc.in,
+ iov_iter_init(&in_iter, ITER_DEST, &vq->iov[vc.out], vc.in,
vc.rsp_size + exp_data_len);
iov_iter_advance(&in_iter, vc.rsp_size);
data_iter = in_iter;
@@ -1146,7 +1146,7 @@ vhost_scsi_send_tmf_resp(struct vhost_sc
memset(&rsp, 0, sizeof(rsp));
rsp.response = tmf_resp_code;
- iov_iter_init(&iov_iter, READ, resp_iov, in_iovs, sizeof(rsp));
+ iov_iter_init(&iov_iter, ITER_DEST, resp_iov, in_iovs, sizeof(rsp));
ret = copy_to_iter(&rsp, sizeof(rsp), &iov_iter);
if (likely(ret == sizeof(rsp)))
@@ -1241,7 +1241,7 @@ vhost_scsi_send_an_resp(struct vhost_scs
memset(&rsp, 0, sizeof(rsp)); /* event_actual = 0 */
rsp.response = VIRTIO_SCSI_S_OK;
- iov_iter_init(&iov_iter, READ, &vq->iov[vc->out], vc->in, sizeof(rsp));
+ iov_iter_init(&iov_iter, ITER_DEST, &vq->iov[vc->out], vc->in, sizeof(rsp));
ret = copy_to_iter(&rsp, sizeof(rsp), &iov_iter);
if (likely(ret == sizeof(rsp)))
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -841,7 +841,7 @@ static int vhost_copy_to_user(struct vho
VHOST_ACCESS_WO);
if (ret < 0)
goto out;
- iov_iter_init(&t, WRITE, vq->iotlb_iov, ret, size);
+ iov_iter_init(&t, ITER_SOURCE, vq->iotlb_iov, ret, size);
ret = copy_to_iter(from, size, &t);
if (ret == size)
ret = 0;
@@ -880,7 +880,7 @@ static int vhost_copy_from_user(struct v
(unsigned long long) size);
goto out;
}
- iov_iter_init(&f, READ, vq->iotlb_iov, ret, size);
+ iov_iter_init(&f, ITER_DEST, vq->iotlb_iov, ret, size);
ret = copy_from_iter(to, size, &f);
if (ret == size)
ret = 0;
@@ -2137,7 +2137,7 @@ static int get_indirect(struct vhost_vir
vq_err(vq, "Translation failure %d in indirect.\n", ret);
return ret;
}
- iov_iter_init(&from, READ, vq->indirect, ret, len);
+ iov_iter_init(&from, ITER_DEST, vq->indirect, ret, len);
count = len / sizeof desc;
/* Buffers are chained via a 16 bit next field, so
* we can have at most 2^16 of these. */
--- a/drivers/vhost/vringh.c
+++ b/drivers/vhost/vringh.c
@@ -1160,7 +1160,7 @@ static inline int copy_from_iotlb(const
if (ret < 0)
return ret;
- iov_iter_bvec(&iter, READ, iov, ret, len);
+ iov_iter_bvec(&iter, ITER_DEST, iov, ret, len);
ret = copy_from_iter(dst, len, &iter);
@@ -1179,7 +1179,7 @@ static inline int copy_to_iotlb(const st
if (ret < 0)
return ret;
- iov_iter_bvec(&iter, WRITE, iov, ret, len);
+ iov_iter_bvec(&iter, ITER_SOURCE, iov, ret, len);
return copy_to_iter(src, len, &iter);
}
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -166,7 +166,7 @@ vhost_transport_do_send_pkt(struct vhost
break;
}
- iov_iter_init(&iov_iter, READ, &vq->iov[out], in, iov_len);
+ iov_iter_init(&iov_iter, ITER_DEST, &vq->iov[out], in, iov_len);
payload_len = pkt->len - pkt->off;
/* If the packet is greater than the space available in the
@@ -372,7 +372,7 @@ vhost_vsock_alloc_pkt(struct vhost_virtq
return NULL;
len = iov_length(vq->iov, out);
- iov_iter_init(&iov_iter, WRITE, vq->iov, out, len);
+ iov_iter_init(&iov_iter, ITER_SOURCE, vq->iov, out, len);
nbytes = copy_from_iter(&pkt->hdr, sizeof(pkt->hdr), &iov_iter);
if (nbytes != sizeof(pkt->hdr)) {
--- a/drivers/xen/pvcalls-back.c
+++ b/drivers/xen/pvcalls-back.c
@@ -129,13 +129,13 @@ static bool pvcalls_conn_back_read(void
if (masked_prod < masked_cons) {
vec[0].iov_base = data->in + masked_prod;
vec[0].iov_len = wanted;
- iov_iter_kvec(&msg.msg_iter, READ, vec, 1, wanted);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, vec, 1, wanted);
} else {
vec[0].iov_base = data->in + masked_prod;
vec[0].iov_len = array_size - masked_prod;
vec[1].iov_base = data->in;
vec[1].iov_len = wanted - vec[0].iov_len;
- iov_iter_kvec(&msg.msg_iter, READ, vec, 2, wanted);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, vec, 2, wanted);
}
atomic_set(&map->read, 0);
@@ -188,13 +188,13 @@ static bool pvcalls_conn_back_write(stru
if (pvcalls_mask(prod, array_size) > pvcalls_mask(cons, array_size)) {
vec[0].iov_base = data->out + pvcalls_mask(cons, array_size);
vec[0].iov_len = size;
- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, size);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, vec, 1, size);
} else {
vec[0].iov_base = data->out + pvcalls_mask(cons, array_size);
vec[0].iov_len = array_size - pvcalls_mask(cons, array_size);
vec[1].iov_base = data->out;
vec[1].iov_len = size - vec[0].iov_len;
- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, size);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, vec, 2, size);
}
atomic_set(&map->write, 0);
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -50,7 +50,7 @@ static int v9fs_fid_readpage(void *data,
if (retval == 0)
return retval;
- iov_iter_bvec(&to, READ, &bvec, 1, PAGE_SIZE);
+ iov_iter_bvec(&to, ITER_DEST, &bvec, 1, PAGE_SIZE);
retval = p9_client_read(fid, page_offset(page), &to, &err);
if (err) {
@@ -163,7 +163,7 @@ static int v9fs_vfs_writepage_locked(str
bvec.bv_page = page;
bvec.bv_offset = 0;
bvec.bv_len = len;
- iov_iter_bvec(&from, WRITE, &bvec, 1, len);
+ iov_iter_bvec(&from, ITER_SOURCE, &bvec, 1, len);
/* We should have writeback_fid always set */
BUG_ON(!v9inode->writeback_fid);
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -108,7 +108,7 @@ static int v9fs_dir_readdir(struct file
if (rdir->tail == rdir->head) {
struct iov_iter to;
int n;
- iov_iter_kvec(&to, READ, &kvec, 1, buflen);
+ iov_iter_kvec(&to, ITER_DEST, &kvec, 1, buflen);
n = p9_client_read(file->private_data, ctx->pos, &to,
&err);
if (err)
--- a/fs/9p/xattr.c
+++ b/fs/9p/xattr.c
@@ -32,7 +32,7 @@ ssize_t v9fs_fid_xattr_get(struct p9_fid
struct iov_iter to;
int err;
- iov_iter_kvec(&to, READ, &kvec, 1, buffer_size);
+ iov_iter_kvec(&to, ITER_DEST, &kvec, 1, buffer_size);
attr_fid = p9_client_xattrwalk(fid, name, &attr_size);
if (IS_ERR(attr_fid)) {
@@ -117,7 +117,7 @@ int v9fs_fid_xattr_set(struct p9_fid *fi
struct iov_iter from;
int retval, err;
- iov_iter_kvec(&from, WRITE, &kvec, 1, value_len);
+ iov_iter_kvec(&from, ITER_SOURCE, &kvec, 1, value_len);
p9_debug(P9_DEBUG_VFS, "name = %s value_len = %zu flags = %d\n",
name, value_len, flags);
--- a/fs/afs/cmservice.c
+++ b/fs/afs/cmservice.c
@@ -298,7 +298,7 @@ static int afs_deliver_cb_callback(struc
if (call->count2 != call->count && call->count2 != 0)
return afs_protocol_error(call, afs_eproto_cb_count);
call->iter = &call->def_iter;
- iov_iter_discard(&call->def_iter, READ, call->count2 * 3 * 4);
+ iov_iter_discard(&call->def_iter, ITER_DEST, call->count2 * 3 * 4);
call->unmarshall++;
fallthrough;
--- a/fs/afs/dir.c
+++ b/fs/afs/dir.c
@@ -315,7 +315,7 @@ expand:
req->actual_len = i_size; /* May change */
req->len = nr_pages * PAGE_SIZE; /* We can ask for more than there is */
req->data_version = dvnode->status.data_version; /* May change */
- iov_iter_xarray(&req->def_iter, READ, &dvnode->vfs_inode.i_mapping->i_pages,
+ iov_iter_xarray(&req->def_iter, ITER_DEST, &dvnode->vfs_inode.i_mapping->i_pages,
0, i_size);
req->iter = &req->def_iter;
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -305,7 +305,7 @@ static void afs_req_issue_op(struct netf
fsreq->vnode = vnode;
fsreq->iter = &fsreq->def_iter;
- iov_iter_xarray(&fsreq->def_iter, READ,
+ iov_iter_xarray(&fsreq->def_iter, ITER_DEST,
&fsreq->vnode->vfs_inode.i_mapping->i_pages,
fsreq->pos, fsreq->len);
@@ -327,7 +327,7 @@ static int afs_symlink_readpage(struct p
fsreq->len = PAGE_SIZE;
fsreq->vnode = vnode;
fsreq->iter = &fsreq->def_iter;
- iov_iter_xarray(&fsreq->def_iter, READ, &page->mapping->i_pages,
+ iov_iter_xarray(&fsreq->def_iter, ITER_DEST, &page->mapping->i_pages,
fsreq->pos, fsreq->len);
ret = afs_fetch_data(fsreq->vnode, fsreq);
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -1296,7 +1296,7 @@ static inline void afs_extract_begin(str
call->iov_len = size;
call->kvec[0].iov_base = buf;
call->kvec[0].iov_len = size;
- iov_iter_kvec(&call->def_iter, READ, call->kvec, 1, size);
+ iov_iter_kvec(&call->def_iter, ITER_DEST, call->kvec, 1, size);
}
static inline void afs_extract_to_tmp(struct afs_call *call)
@@ -1314,7 +1314,7 @@ static inline void afs_extract_to_tmp64(
static inline void afs_extract_discard(struct afs_call *call, size_t size)
{
call->iov_len = size;
- iov_iter_discard(&call->def_iter, READ, size);
+ iov_iter_discard(&call->def_iter, ITER_DEST, size);
}
static inline void afs_extract_to_buf(struct afs_call *call, size_t size)
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -358,7 +358,7 @@ void afs_make_call(struct afs_addr_curso
msg.msg_name = NULL;
msg.msg_namelen = 0;
- iov_iter_kvec(&msg.msg_iter, WRITE, iov, 1, call->request_size);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iov, 1, call->request_size);
msg.msg_control = NULL;
msg.msg_controllen = 0;
msg.msg_flags = MSG_WAITALL | (call->write_iter ? MSG_MORE : 0);
@@ -399,7 +399,7 @@ error_do_abort:
RX_USER_ABORT, ret, "KSD");
} else {
len = 0;
- iov_iter_kvec(&msg.msg_iter, READ, NULL, 0, 0);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, NULL, 0, 0);
rxrpc_kernel_recv_data(call->net->socket, rxcall,
&msg.msg_iter, &len, false,
&call->abort_code, &call->service_id);
@@ -484,7 +484,7 @@ static void afs_deliver_to_call(struct a
) {
if (state == AFS_CALL_SV_AWAIT_ACK) {
len = 0;
- iov_iter_kvec(&call->def_iter, READ, NULL, 0, 0);
+ iov_iter_kvec(&call->def_iter, ITER_DEST, NULL, 0, 0);
ret = rxrpc_kernel_recv_data(call->net->socket,
call->rxcall, &call->def_iter,
&len, false, &remote_abort,
@@ -821,7 +821,7 @@ void afs_send_empty_reply(struct afs_cal
msg.msg_name = NULL;
msg.msg_namelen = 0;
- iov_iter_kvec(&msg.msg_iter, WRITE, NULL, 0, 0);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, NULL, 0, 0);
msg.msg_control = NULL;
msg.msg_controllen = 0;
msg.msg_flags = 0;
@@ -861,7 +861,7 @@ void afs_send_simple_reply(struct afs_ca
iov[0].iov_len = len;
msg.msg_name = NULL;
msg.msg_namelen = 0;
- iov_iter_kvec(&msg.msg_iter, WRITE, iov, 1, len);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iov, 1, len);
msg.msg_control = NULL;
msg.msg_controllen = 0;
msg.msg_flags = 0;
--- a/fs/afs/write.c
+++ b/fs/afs/write.c
@@ -601,7 +601,7 @@ static ssize_t afs_write_back_from_locke
if (start < i_size) {
_debug("write back %x @%llx [%llx]", len, start, i_size);
- iov_iter_xarray(&iter, WRITE, &mapping->i_pages, start, len);
+ iov_iter_xarray(&iter, ITER_SOURCE, &mapping->i_pages, start, len);
ret = afs_store_data(vnode, &iter, start, false);
} else {
_debug("write discard %x @%llx [%llx]", len, start, i_size);
@@ -972,7 +972,7 @@ int afs_launder_page(struct page *page)
bv[0].bv_page = page;
bv[0].bv_offset = f;
bv[0].bv_len = t - f;
- iov_iter_bvec(&iter, WRITE, bv, 1, bv[0].bv_len);
+ iov_iter_bvec(&iter, ITER_SOURCE, bv, 1, bv[0].bv_len);
trace_afs_page_dirty(vnode, tracepoint_string("launder"), page);
ret = afs_store_data(vnode, &iter, page_offset(page) + f, true);
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1546,7 +1546,7 @@ static int aio_read(struct kiocb *req, c
if (unlikely(!file->f_op->read_iter))
return -EINVAL;
- ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter);
+ ret = aio_setup_rw(ITER_DEST, iocb, &iovec, vectored, compat, &iter);
if (ret < 0)
return ret;
ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter));
@@ -1574,7 +1574,7 @@ static int aio_write(struct kiocb *req,
if (unlikely(!file->f_op->write_iter))
return -EINVAL;
- ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter);
+ ret = aio_setup_rw(ITER_SOURCE, iocb, &iovec, vectored, compat, &iter);
if (ret < 0)
return ret;
ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter));
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -263,7 +263,7 @@ static void ceph_netfs_issue_op(struct n
}
dout("%s: pos=%llu orig_len=%zu len=%llu\n", __func__, subreq->start, subreq->len, len);
- iov_iter_xarray(&iter, READ, &rreq->mapping->i_pages, subreq->start, len);
+ iov_iter_xarray(&iter, ITER_DEST, &rreq->mapping->i_pages, subreq->start, len);
err = iov_iter_get_pages_alloc(&iter, &pages, len, &page_off);
if (err < 0) {
dout("%s: iov_ter_get_pages_alloc returned %d\n", __func__, err);
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -1111,7 +1111,7 @@ static void ceph_aio_complete_req(struct
aio_req->total_len = rc + zlen;
}
- iov_iter_bvec(&i, READ, osd_data->bvec_pos.bvecs,
+ iov_iter_bvec(&i, ITER_DEST, osd_data->bvec_pos.bvecs,
osd_data->num_bvecs, len);
iov_iter_advance(&i, rc);
iov_iter_zero(zlen, &i);
@@ -1347,7 +1347,7 @@ ceph_direct_read_write(struct kiocb *ioc
int zlen = min_t(size_t, len - ret,
size - pos - ret);
- iov_iter_bvec(&i, READ, bvecs, num_pages, len);
+ iov_iter_bvec(&i, ITER_DEST, bvecs, num_pages, len);
iov_iter_advance(&i, ret);
iov_iter_zero(zlen, &i);
ret += zlen;
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -621,7 +621,7 @@ cifs_read_from_socket(struct TCP_Server_
{
struct msghdr smb_msg = {};
struct kvec iov = {.iov_base = buf, .iov_len = to_read};
- iov_iter_kvec(&smb_msg.msg_iter, READ, &iov, 1, to_read);
+ iov_iter_kvec(&smb_msg.msg_iter, ITER_DEST, &iov, 1, to_read);
return cifs_readv_from_socket(server, &smb_msg);
}
@@ -636,7 +636,7 @@ cifs_discard_from_socket(struct TCP_Serv
* and cifs_readv_from_socket sets msg_control and msg_controllen
* so little to initialize in struct msghdr
*/
- iov_iter_discard(&smb_msg.msg_iter, READ, to_read);
+ iov_iter_discard(&smb_msg.msg_iter, ITER_DEST, to_read);
return cifs_readv_from_socket(server, &smb_msg);
}
@@ -648,7 +648,7 @@ cifs_read_page_from_socket(struct TCP_Se
struct msghdr smb_msg = {};
struct bio_vec bv = {
.bv_page = page, .bv_len = to_read, .bv_offset = page_offset};
- iov_iter_bvec(&smb_msg.msg_iter, READ, &bv, 1, to_read);
+ iov_iter_bvec(&smb_msg.msg_iter, ITER_DEST, &bv, 1, to_read);
return cifs_readv_from_socket(server, &smb_msg);
}
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -3265,7 +3265,7 @@ static ssize_t __cifs_writev(
ctx->iter = *from;
ctx->len = len;
} else {
- rc = setup_aio_ctx_iter(ctx, from, WRITE);
+ rc = setup_aio_ctx_iter(ctx, from, ITER_SOURCE);
if (rc) {
kref_put(&ctx->refcount, cifs_aio_ctx_release);
return rc;
@@ -4010,7 +4010,7 @@ static ssize_t __cifs_readv(
ctx->iter = *to;
ctx->len = len;
} else {
- rc = setup_aio_ctx_iter(ctx, to, READ);
+ rc = setup_aio_ctx_iter(ctx, to, ITER_DEST);
if (rc) {
kref_put(&ctx->refcount, cifs_aio_ctx_release);
return rc;
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -4960,13 +4960,13 @@ handle_read_data(struct TCP_Server_Info
return 0;
}
- iov_iter_bvec(&iter, WRITE, bvec, npages, data_len);
+ iov_iter_bvec(&iter, ITER_SOURCE, bvec, npages, data_len);
} else if (buf_len >= data_offset + data_len) {
/* read response payload is in buf */
WARN_ONCE(npages > 0, "read data can be either in buf or in pages");
iov.iov_base = buf + data_offset;
iov.iov_len = data_len;
- iov_iter_kvec(&iter, WRITE, &iov, 1, data_len);
+ iov_iter_kvec(&iter, ITER_SOURCE, &iov, 1, data_len);
} else {
/* read response payload cannot be in both buf and pages */
WARN_ONCE(1, "buf can not contain only a part of read data");
--- a/fs/cifs/transport.c
+++ b/fs/cifs/transport.c
@@ -349,7 +349,7 @@ __smb_send_rqst(struct TCP_Server_Info *
.iov_base = &rfc1002_marker,
.iov_len = 4
};
- iov_iter_kvec(&smb_msg.msg_iter, WRITE, &hiov, 1, 4);
+ iov_iter_kvec(&smb_msg.msg_iter, ITER_SOURCE, &hiov, 1, 4);
rc = smb_send_kvec(server, &smb_msg, &sent);
if (rc < 0)
goto unmask;
@@ -370,7 +370,7 @@ __smb_send_rqst(struct TCP_Server_Info *
size += iov[i].iov_len;
}
- iov_iter_kvec(&smb_msg.msg_iter, WRITE, iov, n_vec, size);
+ iov_iter_kvec(&smb_msg.msg_iter, ITER_SOURCE, iov, n_vec, size);
rc = smb_send_kvec(server, &smb_msg, &sent);
if (rc < 0)
@@ -386,7 +386,7 @@ __smb_send_rqst(struct TCP_Server_Info *
rqst_page_get_length(&rqst[j], i, &bvec.bv_len,
&bvec.bv_offset);
- iov_iter_bvec(&smb_msg.msg_iter, WRITE,
+ iov_iter_bvec(&smb_msg.msg_iter, ITER_SOURCE,
&bvec, 1, bvec.bv_len);
rc = smb_send_kvec(server, &smb_msg, &sent);
if (rc < 0)
--- a/fs/fuse/ioctl.c
+++ b/fs/fuse/ioctl.c
@@ -264,7 +264,7 @@ long fuse_do_ioctl(struct file *file, un
ap.args.in_pages = true;
err = -EFAULT;
- iov_iter_init(&ii, WRITE, in_iov, in_iovs, in_size);
+ iov_iter_init(&ii, ITER_SOURCE, in_iov, in_iovs, in_size);
for (i = 0; iov_iter_count(&ii) && !WARN_ON(i >= ap.num_pages); i++) {
c = copy_page_from_iter(ap.pages[i], 0, PAGE_SIZE, &ii);
if (c != PAGE_SIZE && iov_iter_count(&ii))
@@ -331,7 +331,7 @@ long fuse_do_ioctl(struct file *file, un
goto out;
err = -EFAULT;
- iov_iter_init(&ii, READ, out_iov, out_iovs, transferred);
+ iov_iter_init(&ii, ITER_DEST, out_iov, out_iovs, transferred);
for (i = 0; iov_iter_count(&ii) && !WARN_ON(i >= ap.num_pages); i++) {
c = copy_page_to_iter(ap.pages[i], 0, PAGE_SIZE, &ii);
if (c != PAGE_SIZE && iov_iter_count(&ii))
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1027,7 +1027,7 @@ __be32 nfsd_readv(struct svc_rqst *rqstp
ssize_t host_err;
trace_nfsd_read_vector(rqstp, fhp, offset, *count);
- iov_iter_kvec(&iter, READ, vec, vlen, *count);
+ iov_iter_kvec(&iter, ITER_DEST, vec, vlen, *count);
host_err = vfs_iter_read(file, &iter, &ppos, 0);
return nfsd_finish_read(rqstp, fhp, file, offset, count, eof, host_err);
}
@@ -1117,7 +1117,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
if (stable && !use_wgather)
flags |= RWF_SYNC;
- iov_iter_kvec(&iter, WRITE, vec, vlen, *cnt);
+ iov_iter_kvec(&iter, ITER_SOURCE, vec, vlen, *cnt);
since = READ_ONCE(file->f_wb_err);
if (verf)
nfsd_copy_write_verifier(verf, nn);
--- a/fs/ocfs2/cluster/tcp.c
+++ b/fs/ocfs2/cluster/tcp.c
@@ -900,7 +900,7 @@ static int o2net_recv_tcp_msg(struct soc
{
struct kvec vec = { .iov_len = len, .iov_base = data, };
struct msghdr msg = { .msg_flags = MSG_DONTWAIT, };
- iov_iter_kvec(&msg.msg_iter, READ, &vec, 1, len);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1, len);
return sock_recvmsg(sock, &msg, MSG_DONTWAIT);
}
--- a/fs/orangefs/inode.c
+++ b/fs/orangefs/inode.c
@@ -53,7 +53,7 @@ static int orangefs_writepage_locked(str
bv.bv_len = wlen;
bv.bv_offset = off % PAGE_SIZE;
WARN_ON(wlen == 0);
- iov_iter_bvec(&iter, WRITE, &bv, 1, wlen);
+ iov_iter_bvec(&iter, ITER_SOURCE, &bv, 1, wlen);
ret = wait_for_direct_io(ORANGEFS_IO_WRITE, inode, &off, &iter, wlen,
len, wr, NULL, NULL);
@@ -111,7 +111,7 @@ static int orangefs_writepages_work(stru
else
ow->bv[i].bv_offset = 0;
}
- iov_iter_bvec(&iter, WRITE, ow->bv, ow->npages, ow->len);
+ iov_iter_bvec(&iter, ITER_SOURCE, ow->bv, ow->npages, ow->len);
WARN_ON(ow->off >= len);
if (ow->off + ow->len > len)
@@ -269,7 +269,7 @@ static void orangefs_readahead(struct re
offset = readahead_pos(rac);
i_pages = &rac->mapping->i_pages;
- iov_iter_xarray(&iter, READ, i_pages, offset, readahead_length(rac));
+ iov_iter_xarray(&iter, ITER_DEST, i_pages, offset, readahead_length(rac));
/* read in the pages. */
if ((ret = wait_for_direct_io(ORANGEFS_IO_READ, inode,
@@ -302,7 +302,7 @@ static int orangefs_readpage(struct file
bv.bv_page = page;
bv.bv_len = PAGE_SIZE;
bv.bv_offset = 0;
- iov_iter_bvec(&iter, READ, &bv, 1, PAGE_SIZE);
+ iov_iter_bvec(&iter, ITER_DEST, &bv, 1, PAGE_SIZE);
ret = wait_for_direct_io(ORANGEFS_IO_READ, inode, &off, &iter,
PAGE_SIZE, inode->i_size, NULL, NULL, file);
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -399,7 +399,7 @@ static ssize_t new_sync_read(struct file
init_sync_kiocb(&kiocb, filp);
kiocb.ki_pos = (ppos ? *ppos : 0);
- iov_iter_init(&iter, READ, &iov, 1, len);
+ iov_iter_init(&iter, ITER_DEST, &iov, 1, len);
ret = call_read_iter(filp, &kiocb, &iter);
BUG_ON(ret == -EIOCBQUEUED);
@@ -439,7 +439,7 @@ ssize_t __kernel_read(struct file *file,
init_sync_kiocb(&kiocb, file);
kiocb.ki_pos = pos ? *pos : 0;
- iov_iter_kvec(&iter, READ, &iov, 1, iov.iov_len);
+ iov_iter_kvec(&iter, ITER_DEST, &iov, 1, iov.iov_len);
ret = file->f_op->read_iter(&kiocb, &iter);
if (ret > 0) {
if (pos)
@@ -502,7 +502,7 @@ static ssize_t new_sync_write(struct fil
init_sync_kiocb(&kiocb, filp);
kiocb.ki_pos = (ppos ? *ppos : 0);
- iov_iter_init(&iter, WRITE, &iov, 1, len);
+ iov_iter_init(&iter, ITER_SOURCE, &iov, 1, len);
ret = call_write_iter(filp, &kiocb, &iter);
BUG_ON(ret == -EIOCBQUEUED);
@@ -535,7 +535,7 @@ ssize_t __kernel_write(struct file *file
init_sync_kiocb(&kiocb, file);
kiocb.ki_pos = pos ? *pos : 0;
- iov_iter_kvec(&iter, WRITE, &iov, 1, iov.iov_len);
+ iov_iter_kvec(&iter, ITER_SOURCE, &iov, 1, iov.iov_len);
ret = file->f_op->write_iter(&kiocb, &iter);
if (ret > 0) {
if (pos)
@@ -905,7 +905,7 @@ static ssize_t vfs_readv(struct file *fi
struct iov_iter iter;
ssize_t ret;
- ret = import_iovec(READ, vec, vlen, ARRAY_SIZE(iovstack), &iov, &iter);
+ ret = import_iovec(ITER_DEST, vec, vlen, ARRAY_SIZE(iovstack), &iov, &iter);
if (ret >= 0) {
ret = do_iter_read(file, &iter, pos, flags);
kfree(iov);
@@ -922,7 +922,7 @@ static ssize_t vfs_writev(struct file *f
struct iov_iter iter;
ssize_t ret;
- ret = import_iovec(WRITE, vec, vlen, ARRAY_SIZE(iovstack), &iov, &iter);
+ ret = import_iovec(ITER_SOURCE, vec, vlen, ARRAY_SIZE(iovstack), &iov, &iter);
if (ret >= 0) {
file_start_write(file);
ret = do_iter_write(file, &iter, pos, flags);
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -156,7 +156,7 @@ ssize_t seq_read(struct file *file, char
ssize_t ret;
init_sync_kiocb(&kiocb, file);
- iov_iter_init(&iter, READ, &iov, 1, size);
+ iov_iter_init(&iter, ITER_DEST, &iov, 1, size);
kiocb.ki_pos = *ppos;
ret = seq_read_iter(&kiocb, &iter);
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -304,7 +304,7 @@ ssize_t generic_file_splice_read(struct
unsigned int i_head;
int ret;
- iov_iter_pipe(&to, READ, pipe, len);
+ iov_iter_pipe(&to, ITER_DEST, pipe, len);
i_head = to.head;
init_sync_kiocb(&kiocb, in);
kiocb.ki_pos = *ppos;
@@ -685,7 +685,7 @@ iter_file_splice_write(struct pipe_inode
n++;
}
- iov_iter_bvec(&from, WRITE, array, n, sd.total_len - left);
+ iov_iter_bvec(&from, ITER_SOURCE, array, n, sd.total_len - left);
ret = vfs_iter_write(out, &from, &sd.pos, 0);
if (ret <= 0)
break;
@@ -1296,9 +1296,9 @@ static int vmsplice_type(struct fd f, in
if (!f.file)
return -EBADF;
if (f.file->f_mode & FMODE_WRITE) {
- *type = WRITE;
+ *type = ITER_SOURCE;
} else if (f.file->f_mode & FMODE_READ) {
- *type = READ;
+ *type = ITER_DEST;
} else {
fdput(f);
return -EBADF;
@@ -1347,7 +1347,7 @@ SYSCALL_DEFINE4(vmsplice, int, fd, const
if (!iov_iter_count(&iter))
error = 0;
- else if (iov_iter_rw(&iter) == WRITE)
+ else if (type == ITER_SOURCE)
error = vmsplice_to_pipe(f.file, &iter, flags);
else
error = vmsplice_to_user(f.file, &iter, flags);
--- a/include/linux/uio.h
+++ b/include/linux/uio.h
@@ -27,6 +27,9 @@ enum iter_type {
ITER_DISCARD,
};
+#define ITER_SOURCE 1 // == WRITE
+#define ITER_DEST 0 // == READ
+
struct iov_iter_state {
size_t iov_offset;
size_t count;
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -1251,7 +1251,7 @@ SYSCALL_DEFINE5(process_madvise, int, pi
goto out;
}
- ret = import_iovec(READ, vec, vlen, ARRAY_SIZE(iovstack), &iov, &iter);
+ ret = import_iovec(ITER_DEST, vec, vlen, ARRAY_SIZE(iovstack), &iov, &iter);
if (ret < 0)
goto out;
--- a/mm/page_io.c
+++ b/mm/page_io.c
@@ -252,7 +252,7 @@ int __swap_writepage(struct page *page,
};
struct iov_iter from;
- iov_iter_bvec(&from, WRITE, &bv, 1, PAGE_SIZE);
+ iov_iter_bvec(&from, ITER_SOURCE, &bv, 1, PAGE_SIZE);
init_sync_kiocb(&kiocb, swap_file);
kiocb.ki_pos = page_file_offset(page);
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -263,7 +263,7 @@ static ssize_t process_vm_rw(pid_t pid,
struct iovec *iov_r;
struct iov_iter iter;
ssize_t rc;
- int dir = vm_write ? WRITE : READ;
+ int dir = vm_write ? ITER_SOURCE : ITER_DEST;
if (flags != 0)
return -EINVAL;
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -2096,7 +2096,7 @@ int p9_client_readdir(struct p9_fid *fid
struct kvec kv = {.iov_base = data, .iov_len = count};
struct iov_iter to;
- iov_iter_kvec(&to, READ, &kv, 1, count);
+ iov_iter_kvec(&to, ITER_DEST, &kv, 1, count);
p9_debug(P9_DEBUG_9P, ">>> TREADDIR fid %d offset %llu count %d\n",
fid->fid, offset, count);
--- a/net/bluetooth/6lowpan.c
+++ b/net/bluetooth/6lowpan.c
@@ -449,7 +449,7 @@ static int send_pkt(struct l2cap_chan *c
iv.iov_len = skb->len;
memset(&msg, 0, sizeof(msg));
- iov_iter_kvec(&msg.msg_iter, WRITE, &iv, 1, skb->len);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, &iv, 1, skb->len);
err = l2cap_chan_send(chan, &msg, skb->len);
if (err > 0) {
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -56,7 +56,7 @@ static void a2mp_send(struct amp_mgr *mg
memset(&msg, 0, sizeof(msg));
- iov_iter_kvec(&msg.msg_iter, WRITE, &iv, 1, total_len);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, &iv, 1, total_len);
l2cap_chan_send(chan, &msg, total_len);
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -605,7 +605,7 @@ static void smp_send_cmd(struct l2cap_co
memset(&msg, 0, sizeof(msg));
- iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
+ iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
l2cap_chan_send(chan, &msg, 1 + len);
--- a/net/ceph/messenger_v1.c
+++ b/net/ceph/messenger_v1.c
@@ -30,7 +30,7 @@ static int ceph_tcp_recvmsg(struct socke
if (!buf)
msg.msg_flags |= MSG_TRUNC;
- iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, len);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &iov, 1, len);
r = sock_recvmsg(sock, &msg, msg.msg_flags);
if (r == -EAGAIN)
r = 0;
@@ -49,7 +49,7 @@ static int ceph_tcp_recvpage(struct sock
int r;
BUG_ON(page_offset + length > PAGE_SIZE);
- iov_iter_bvec(&msg.msg_iter, READ, &bvec, 1, length);
+ iov_iter_bvec(&msg.msg_iter, ITER_DEST, &bvec, 1, length);
r = sock_recvmsg(sock, &msg, msg.msg_flags);
if (r == -EAGAIN)
r = 0;
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -167,7 +167,7 @@ static int do_try_sendpage(struct socket
bv.bv_offset, bv.bv_len,
CEPH_MSG_FLAGS);
} else {
- iov_iter_bvec(&msg.msg_iter, WRITE, &bv, 1, bv.bv_len);
+ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bv, 1, bv.bv_len);
ret = sock_sendmsg(sock, &msg);
}
if (ret <= 0) {
@@ -224,7 +224,7 @@ static void reset_in_kvecs(struct ceph_c
WARN_ON(iov_iter_count(&con->v2.in_iter));
con->v2.in_kvec_cnt = 0;
- iov_iter_kvec(&con->v2.in_iter, READ, con->v2.in_kvecs, 0, 0);
+ iov_iter_kvec(&con->v2.in_iter, ITER_DEST, con->v2.in_kvecs, 0, 0);
}
static void set_in_bvec(struct ceph_connection *con, const struct bio_vec *bv)
@@ -232,7 +232,7 @@ static void set_in_bvec(struct ceph_conn
WARN_ON(iov_iter_count(&con->v2.in_iter));
con->v2.in_bvec = *bv;
- iov_iter_bvec(&con->v2.in_iter, READ, &con->v2.in_bvec, 1, bv->bv_len);
+ iov_iter_bvec(&con->v2.in_iter, ITER_DEST, &con->v2.in_bvec, 1, bv->bv_len);
}
static void set_in_skip(struct ceph_connection *con, int len)
@@ -240,7 +240,7 @@ static void set_in_skip(struct ceph_conn
WARN_ON(iov_iter_count(&con->v2.in_iter));
dout("%s con %p len %d\n", __func__, con, len);
- iov_iter_discard(&con->v2.in_iter, READ, len);
+ iov_iter_discard(&con->v2.in_iter, ITER_DEST, len);
}
static void add_out_kvec(struct ceph_connection *con, void *buf, int len)
@@ -264,7 +264,7 @@ static void reset_out_kvecs(struct ceph_
con->v2.out_kvec_cnt = 0;
- iov_iter_kvec(&con->v2.out_iter, WRITE, con->v2.out_kvecs, 0, 0);
+ iov_iter_kvec(&con->v2.out_iter, ITER_SOURCE, con->v2.out_kvecs, 0, 0);
con->v2.out_iter_sendpage = false;
}
@@ -276,7 +276,7 @@ static void set_out_bvec(struct ceph_con
con->v2.out_bvec = *bv;
con->v2.out_iter_sendpage = zerocopy;
- iov_iter_bvec(&con->v2.out_iter, WRITE, &con->v2.out_bvec, 1,
+ iov_iter_bvec(&con->v2.out_iter, ITER_SOURCE, &con->v2.out_bvec, 1,
con->v2.out_bvec.bv_len);
}
@@ -289,7 +289,7 @@ static void set_out_bvec_zero(struct cep
con->v2.out_bvec.bv_offset = 0;
con->v2.out_bvec.bv_len = min(con->v2.out_zero, (int)PAGE_SIZE);
con->v2.out_iter_sendpage = true;
- iov_iter_bvec(&con->v2.out_iter, WRITE, &con->v2.out_bvec, 1,
+ iov_iter_bvec(&con->v2.out_iter, ITER_SOURCE, &con->v2.out_bvec, 1,
con->v2.out_bvec.bv_len);
}
--- a/net/compat.c
+++ b/net/compat.c
@@ -98,7 +98,7 @@ int get_compat_msghdr(struct msghdr *kms
if (err)
return err;
- err = import_iovec(save_addr ? READ : WRITE, compat_ptr(ptr), len,
+ err = import_iovec(save_addr ? ITER_DEST : ITER_SOURCE, compat_ptr(ptr), len,
UIO_FASTIOV, iov, &kmsg->msg_iter);
return err < 0 ? err : 0;
}
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1886,7 +1886,7 @@ static int receive_fallback_to_copy(stru
if (copy_address != zc->copybuf_address)
return -EINVAL;
- err = import_single_range(READ, (void __user *)copy_address,
+ err = import_single_range(ITER_DEST, (void __user *)copy_address,
inq, &iov, &msg.msg_iter);
if (err)
return err;
@@ -1920,7 +1920,7 @@ static int tcp_copy_straggler_data(struc
if (copy_address != zc->copybuf_address)
return -EINVAL;
- err = import_single_range(READ, (void __user *)copy_address,
+ err = import_single_range(ITER_DEST, (void __user *)copy_address,
copylen, &iov, &msg.msg_iter);
if (err)
return err;
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -1617,7 +1617,7 @@ ip_vs_receive(struct socket *sock, char
EnterFunction(7);
/* Receive a packet */
- iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, buflen);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &iov, 1, buflen);
len = sock_recvmsg(sock, &msg, MSG_DONTWAIT);
if (len < 0)
return len;
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -361,7 +361,7 @@ int smc_clc_wait_msg(struct smc_sock *sm
*/
krflags = MSG_PEEK | MSG_WAITALL;
clc_sk->sk_rcvtimeo = timeout;
- iov_iter_kvec(&msg.msg_iter, READ, &vec, 1,
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1,
sizeof(struct smc_clc_msg_hdr));
len = sock_recvmsg(smc->clcsock, &msg, krflags);
if (signal_pending(current)) {
@@ -408,7 +408,7 @@ int smc_clc_wait_msg(struct smc_sock *sm
} else {
recvlen = datlen;
}
- iov_iter_kvec(&msg.msg_iter, READ, &vec, 1, recvlen);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1, recvlen);
krflags = MSG_WAITALL;
len = sock_recvmsg(smc->clcsock, &msg, krflags);
if (len < recvlen || !smc_clc_msg_hdr_valid(clcm, check_trl)) {
@@ -425,7 +425,7 @@ int smc_clc_wait_msg(struct smc_sock *sm
/* receive remaining proposal message */
recvlen = datlen > SMC_CLC_RECV_BUF_LEN ?
SMC_CLC_RECV_BUF_LEN : datlen;
- iov_iter_kvec(&msg.msg_iter, READ, &vec, 1, recvlen);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1, recvlen);
len = sock_recvmsg(smc->clcsock, &msg, krflags);
if (len < recvlen) {
smc->sk.sk_err = EPROTO;
--- a/net/socket.c
+++ b/net/socket.c
@@ -761,7 +761,7 @@ EXPORT_SYMBOL(sock_sendmsg);
int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
struct kvec *vec, size_t num, size_t size)
{
- iov_iter_kvec(&msg->msg_iter, WRITE, vec, num, size);
+ iov_iter_kvec(&msg->msg_iter, ITER_SOURCE, vec, num, size);
return sock_sendmsg(sock, msg);
}
EXPORT_SYMBOL(kernel_sendmsg);
@@ -787,7 +787,7 @@ int kernel_sendmsg_locked(struct sock *s
if (!sock->ops->sendmsg_locked)
return sock_no_sendmsg_locked(sk, msg, size);
- iov_iter_kvec(&msg->msg_iter, WRITE, vec, num, size);
+ iov_iter_kvec(&msg->msg_iter, ITER_SOURCE, vec, num, size);
return sock->ops->sendmsg_locked(sk, msg, msg_data_left(msg));
}
@@ -1008,7 +1008,7 @@ int kernel_recvmsg(struct socket *sock,
struct kvec *vec, size_t num, size_t size, int flags)
{
msg->msg_control_is_user = false;
- iov_iter_kvec(&msg->msg_iter, READ, vec, num, size);
+ iov_iter_kvec(&msg->msg_iter, ITER_DEST, vec, num, size);
return sock_recvmsg(sock, msg, flags);
}
EXPORT_SYMBOL(kernel_recvmsg);
@@ -2049,7 +2049,7 @@ int __sys_sendto(int fd, void __user *bu
struct iovec iov;
int fput_needed;
- err = import_single_range(WRITE, buff, len, &iov, &msg.msg_iter);
+ err = import_single_range(ITER_SOURCE, buff, len, &iov, &msg.msg_iter);
if (unlikely(err))
return err;
sock = sockfd_lookup_light(fd, &err, &fput_needed);
@@ -2110,7 +2110,7 @@ int __sys_recvfrom(int fd, void __user *
int err, err2;
int fput_needed;
- err = import_single_range(READ, ubuf, size, &iov, &msg.msg_iter);
+ err = import_single_range(ITER_DEST, ubuf, size, &iov, &msg.msg_iter);
if (unlikely(err))
return err;
sock = sockfd_lookup_light(fd, &err, &fput_needed);
@@ -2381,7 +2381,7 @@ static int copy_msghdr_from_user(struct
if (err)
return err;
- err = import_iovec(save_addr ? READ : WRITE,
+ err = import_iovec(save_addr ? ITER_DEST : ITER_SOURCE,
msg.msg_iov, msg.msg_iovlen,
UIO_FASTIOV, iov, &kmsg->msg_iter);
return err < 0 ? err : 0;
--- a/net/sunrpc/socklib.c
+++ b/net/sunrpc/socklib.c
@@ -213,7 +213,7 @@ static inline int xprt_sendmsg(struct so
static int xprt_send_kvec(struct socket *sock, struct msghdr *msg,
struct kvec *vec, size_t seek)
{
- iov_iter_kvec(&msg->msg_iter, WRITE, vec, 1, vec->iov_len);
+ iov_iter_kvec(&msg->msg_iter, ITER_SOURCE, vec, 1, vec->iov_len);
return xprt_sendmsg(sock, msg, seek);
}
@@ -226,7 +226,7 @@ static int xprt_send_pagedata(struct soc
if (err < 0)
return err;
- iov_iter_bvec(&msg->msg_iter, WRITE, xdr->bvec, xdr_buf_pagecount(xdr),
+ iov_iter_bvec(&msg->msg_iter, ITER_SOURCE, xdr->bvec, xdr_buf_pagecount(xdr),
xdr->page_len + xdr->page_base);
return xprt_sendmsg(sock, msg, base + xdr->page_base);
}
@@ -249,7 +249,7 @@ static int xprt_send_rm_and_kvec(struct
};
size_t len = iov[0].iov_len + iov[1].iov_len;
- iov_iter_kvec(&msg->msg_iter, WRITE, iov, 2, len);
+ iov_iter_kvec(&msg->msg_iter, ITER_SOURCE, iov, 2, len);
return xprt_sendmsg(sock, msg, base);
}
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -260,7 +260,7 @@ static ssize_t svc_tcp_read_msg(struct s
rqstp->rq_respages = &rqstp->rq_pages[i];
rqstp->rq_next_page = rqstp->rq_respages + 1;
- iov_iter_bvec(&msg.msg_iter, READ, bvec, i, buflen);
+ iov_iter_bvec(&msg.msg_iter, ITER_DEST, bvec, i, buflen);
if (seek) {
iov_iter_advance(&msg.msg_iter, seek);
buflen -= seek;
@@ -871,7 +871,7 @@ static ssize_t svc_tcp_read_marker(struc
want = sizeof(rpc_fraghdr) - svsk->sk_tcplen;
iov.iov_base = ((char *)&svsk->sk_marker) + svsk->sk_tcplen;
iov.iov_len = want;
- iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, want);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &iov, 1, want);
len = sock_recvmsg(svsk->sk_sock, &msg, MSG_DONTWAIT);
if (len < 0)
return len;
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -363,7 +363,7 @@ static ssize_t
xs_read_kvec(struct socket *sock, struct msghdr *msg, int flags,
struct kvec *kvec, size_t count, size_t seek)
{
- iov_iter_kvec(&msg->msg_iter, READ, kvec, 1, count);
+ iov_iter_kvec(&msg->msg_iter, ITER_DEST, kvec, 1, count);
return xs_sock_recvmsg(sock, msg, flags, seek);
}
@@ -372,7 +372,7 @@ xs_read_bvec(struct socket *sock, struct
struct bio_vec *bvec, unsigned long nr, size_t count,
size_t seek)
{
- iov_iter_bvec(&msg->msg_iter, READ, bvec, nr, count);
+ iov_iter_bvec(&msg->msg_iter, ITER_DEST, bvec, nr, count);
return xs_sock_recvmsg(sock, msg, flags, seek);
}
@@ -380,7 +380,7 @@ static ssize_t
xs_read_discard(struct socket *sock, struct msghdr *msg, int flags,
size_t count)
{
- iov_iter_discard(&msg->msg_iter, READ, count);
+ iov_iter_discard(&msg->msg_iter, ITER_DEST, count);
return sock_recvmsg(sock, msg, flags);
}
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -396,7 +396,7 @@ static int tipc_conn_rcv_from_sock(struc
iov.iov_base = &s;
iov.iov_len = sizeof(s);
msg.msg_name = NULL;
- iov_iter_kvec(&msg.msg_iter, READ, &iov, 1, iov.iov_len);
+ iov_iter_kvec(&msg.msg_iter, ITER_DEST, &iov, 1, iov.iov_len);
ret = sock_recvmsg(con->sock, &msg, MSG_DONTWAIT);
if (ret == -EWOULDBLOCK)
return -EWOULDBLOCK;
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -571,7 +571,7 @@ int tls_device_sendpage(struct sock *sk,
kaddr = kmap(page);
iov.iov_base = kaddr + offset;
iov.iov_len = size;
- iov_iter_kvec(&msg_iter, WRITE, &iov, 1, size);
+ iov_iter_kvec(&msg_iter, ITER_SOURCE, &iov, 1, size);
rc = tls_push_data(sk, &msg_iter, size,
flags, TLS_RECORD_TYPE_DATA);
kunmap(page);
@@ -646,7 +646,7 @@ static int tls_device_push_pending_recor
{
struct iov_iter msg_iter;
- iov_iter_kvec(&msg_iter, WRITE, NULL, 0, 0);
+ iov_iter_kvec(&msg_iter, ITER_SOURCE, NULL, 0, 0);
return tls_push_data(sk, &msg_iter, 0, flags, TLS_RECORD_TYPE_DATA);
}
--- a/net/xfrm/espintcp.c
+++ b/net/xfrm/espintcp.c
@@ -362,7 +362,7 @@ static int espintcp_sendmsg(struct sock
*((__be16 *)buf) = cpu_to_be16(msglen);
pfx_iov.iov_base = buf;
pfx_iov.iov_len = sizeof(buf);
- iov_iter_kvec(&pfx_iter, WRITE, &pfx_iov, 1, pfx_iov.iov_len);
+ iov_iter_kvec(&pfx_iter, ITER_SOURCE, &pfx_iov, 1, pfx_iov.iov_len);
err = sk_msg_memcopy_from_iter(sk, &pfx_iter, &emsg->skmsg,
pfx_iov.iov_len);
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1256,7 +1256,7 @@ long keyctl_instantiate_key(key_serial_t
struct iov_iter from;
int ret;
- ret = import_single_range(WRITE, (void __user *)_payload, plen,
+ ret = import_single_range(ITER_SOURCE, (void __user *)_payload, plen,
&iov, &from);
if (unlikely(ret))
return ret;
@@ -1288,7 +1288,7 @@ long keyctl_instantiate_key_iov(key_seri
if (!_payload_iov)
ioc = 0;
- ret = import_iovec(WRITE, _payload_iov, ioc,
+ ret = import_iovec(ITER_SOURCE, _payload_iov, ioc,
ARRAY_SIZE(iovstack), &iov, &from);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 353/411] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 352/411] use less confusing names for iov_iter direction initializers Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 354/411] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
` (58 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Xiasong, Matthieu Baerts (NGI0),
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Xiasong <lixiasong1@huawei.com>
[ Upstream commit 51e398a3b8961b26a8c0a4ba9a777c5339791707 ]
When TCP option space is insufficient (e.g., when sending ADD_ADDR with an
IPv6 address and port while tcp_timestamps is enabled), the original code
jumped to out_unlock without clearing the addr_signal flag. This caused
mptcp_pm_add_timer to keep rescheduling indefinitely, not sending ADD_ADDR,
preventing subsequent addresses in the endpoint list from being announced.
Handle this case by clearing the ADD_ADDR signal and skipping the matching
ADD_ADDR retransmission entry. The skip path cancels the matching timer
(with id check) and advances PM state progression, preserving forward
progress to subsequent PM work.
This cancellation is inherently best-effort. A concurrent add_timer
callback may already be running and may acquire pm.lock before the
cancel path updates entry state. In that case, one final ADD_ADDR
transmit attempt can still be executed.
Once the cancel path sets entry->retrans_times to ADD_ADDR_RETRANS_MAX,
the callback-side retrans_times check suppresses further ADD_ADDR
retransmissions.
Note that when an ADD_ADDR is being prepared, a pure-ACK is queued. On
the output side, it means that it is fine to skip non-pure-ACK packets,
when drop_other_suboptions is set: a pure-ACK will be processed soon
after.
Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Li Xiasong <lixiasong1@huawei.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-2-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 34 +++++++++++++++++++++++++++-------
net/mptcp/pm_netlink.c | 16 +++++++++++++---
2 files changed, 40 insertions(+), 10 deletions(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -270,6 +270,7 @@ bool mptcp_pm_add_addr_signal(struct mpt
struct mptcp_addr_info *addr, bool *echo,
bool *drop_other_suboptions)
{
+ bool skip_add_addr = false;
int ret = false;
u8 add_addr;
u8 family;
@@ -291,24 +292,43 @@ bool mptcp_pm_add_addr_signal(struct mpt
}
*echo = mptcp_pm_should_add_signal_echo(msk);
- port = !!(*echo ? msk->pm.remote.port : msk->pm.local.port);
-
- family = *echo ? msk->pm.remote.family : msk->pm.local.family;
- if (remaining < mptcp_add_addr_len(family, *echo, port))
- goto out_unlock;
-
if (*echo) {
*addr = msk->pm.remote;
add_addr = msk->pm.addr_signal & ~BIT(MPTCP_ADD_ADDR_ECHO);
+ port = !!msk->pm.remote.port;
+ family = msk->pm.remote.family;
} else {
*addr = msk->pm.local;
add_addr = msk->pm.addr_signal & ~BIT(MPTCP_ADD_ADDR_SIGNAL);
+ port = !!msk->pm.local.port;
+ family = msk->pm.local.family;
}
- WRITE_ONCE(msk->pm.addr_signal, add_addr);
+
+ if (remaining < mptcp_add_addr_len(family, *echo, port)) {
+ if (!*drop_other_suboptions)
+ goto out_unlock;
+
+ if (!*echo)
+ skip_add_addr = true;
+ goto drop_signal_mark;
+ }
+
ret = true;
+drop_signal_mark:
+ WRITE_ONCE(msk->pm.addr_signal, add_addr);
+
out_unlock:
spin_unlock_bh(&msk->pm.lock);
+
+ /* On pure-ACK option-space exhaustion, stop retrying this ADD_ADDR:
+ * clear the signal bit, cancel the matching retransmission timer, and
+ * let the PM state machine progress.
+ */
+ if (skip_add_addr) {
+ mptcp_pm_del_add_timer(msk, addr, true);
+ mptcp_pm_subflow_established(msk);
+ }
return ret;
}
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -348,7 +348,13 @@ static void mptcp_pm_add_timer(struct ti
spin_lock_bh(&msk->pm.lock);
- if (!mptcp_pm_should_add_signal_addr(msk)) {
+ /* The cancel path (mptcp_pm_del_add_timer()) can race with this
+ * callback. Once cancel updates retrans_times to MAX, suppress further
+ * retransmissions here. If this callback acquires pm.lock first, one
+ * final transmit attempt is still possible.
+ */
+ if (entry->retrans_times < ADD_ADDR_RETRANS_MAX &&
+ !mptcp_pm_should_add_signal_addr(msk)) {
pr_debug("retransmit ADD_ADDR id=%d\n", entry->addr.id);
mptcp_pm_announce_addr(msk, &entry->addr, false);
mptcp_pm_add_addr_send_ack(msk);
@@ -392,8 +398,12 @@ mptcp_pm_del_add_timer(struct mptcp_sock
/* Note: entry might have been removed by another thread.
* We hold rcu_read_lock() to ensure it is not freed under us.
*/
- if (stop_timer)
- sk_stop_timer_sync(sk, &entry->add_timer);
+ if (stop_timer) {
+ if (check_id)
+ sk_stop_timer(sk, &entry->add_timer);
+ else
+ sk_stop_timer_sync(sk, &entry->add_timer);
+ }
rcu_read_unlock();
return entry;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 354/411] selftests: mptcp: drop nanoseconds width specifier
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 353/411] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 355/411] mptcp: do not drop partial packets Greg Kroah-Hartman
` (57 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts (NGI0), Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 01ff78e4b3d98689184c52d97f9575dfbdc3b10f ]
Using the format specifier +%s%3N with GNU date is honoured, and only
prints 3 digits of the nanoseconds portion of the seconds since epoch,
which corresponds to the milliseconds.
The uutils implementation of date currently does not honour this, and
always prints all 9 digits. This is a known issue [1], but can be worked
around by adapting this test to use nanoseconds instead of microseconds,
and then divide it by 1e6.
This fix is similar to what has been done on systemd side [2], and it is
needed to run the selftests on Ubuntu 26.04, containing uutils 0.8.0.
Note that the Fixes tag is there even if this patch doesn't fix an issue
in the kernel selftests, but it is useful for those using uutils 0.8.0.
Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
Cc: stable@vger.kernel.org
Link: https://github.com/uutils/coreutils/issues/11658 [1]
Link: https://github.com/systemd/systemd/pull/41627 [2]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-6-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_connect.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
@@ -462,7 +462,7 @@ do_transfer()
wait_local_port_listen "${listener_ns}" "${port}"
local start
- start=$(date +%s%3N)
+ start=$(date +%s%N)
timeout ${timeout_test} \
ip netns exec ${connector_ns} \
./mptcp_connect -t ${timeout_poll} -p $port -s ${cl_proto} \
@@ -475,7 +475,7 @@ do_transfer()
local rets=$?
local stop
- stop=$(date +%s%3N)
+ stop=$(date +%s%N)
if $capture; then
sleep 1
@@ -491,7 +491,7 @@ do_transfer()
fi
local duration
- duration=$((stop-start))
+ duration=$(((stop-start) / 1000000))
printf "(duration %05sms) " "${duration}"
if [ ${rets} -ne 0 ] || [ ${retc} -ne 0 ]; then
echo "[ FAIL ] client exit code $retc, server $rets" 1>&2
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 355/411] mptcp: do not drop partial packets
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 354/411] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 356/411] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
` (56 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shardul Bankar, Paolo Abeni,
Matthieu Baerts (NGI0), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shardul Bankar <shardul.b@mpiricsoftware.com>
[ Upstream commit 50c2d91c5dfa0e465826ec1f8dbad9cdc254bd85 ]
When a packet arrives with map_seq < ack_seq < end_seq, the beginning
of the packet has already been acknowledged but the end contains new
data. Currently the entire packet is dropped as "old data," forcing
the sender to retransmit.
Instead, skip the already-acked bytes by adjusting the skb offset and
enqueue only the new portion. Update bytes_received and ack_seq to
reflect the new data consumed.
A previous attempt at this fix has been sent by Paolo Abeni [1], but had
issues [2]: it also added a zero-window check and changed rcv_wnd_sent
initialization, which caused test regressions. This version addresses
only the partial packet handling without modifying receive window
accounting.
Fixes: ab174ad8ef76 ("mptcp: move ooo skbs into msk out of order queue.")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/c9b426a4e163aa3c4fe8b80c79f1a610f47ae7d8.1763075056.git.pabeni@redhat.com [1]
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/600 [2]
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
[pabeni@redhat.com: update map]
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260515-net-mptcp-misc-fixes-7-1-rc4-v2-1-701e96419f2f@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ dropped `msk->bytes_received += copy_len;` and relocated the `drop:` label to the function end for the existing RCVPRUNED `goto drop;` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -329,10 +329,26 @@ static bool __mptcp_move_skb(struct mptc
return false;
}
- /* old data, keep it simple and drop the whole pkt, sender
- * will retransmit as needed, if needed.
+ /* Completely old data? */
+ if (!after64(MPTCP_SKB_CB(skb)->end_seq, msk->ack_seq)) {
+ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
+ mptcp_drop(sk, skb);
+ return false;
+ }
+
+ /* Partial packet: map_seq < ack_seq < end_seq.
+ * Skip the already-acked bytes and enqueue the new data.
*/
- MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_DUPDATA);
+ copy_len = MPTCP_SKB_CB(skb)->end_seq - msk->ack_seq;
+ MPTCP_SKB_CB(skb)->offset += msk->ack_seq - MPTCP_SKB_CB(skb)->map_seq;
+ MPTCP_SKB_CB(skb)->map_seq += msk->ack_seq -
+ MPTCP_SKB_CB(skb)->map_seq;
+ WRITE_ONCE(msk->ack_seq, msk->ack_seq + copy_len);
+
+ skb_set_owner_r(skb, sk);
+ __skb_queue_tail(&sk->sk_receive_queue, skb);
+ return true;
+
drop:
mptcp_drop(sk, skb);
return false;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 356/411] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 355/411] mptcp: do not drop partial packets Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 357/411] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
` (55 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sunil Goutham, Linu Cherian,
Geetha sowjanya, hariprasad, Subbaraya Sundeep, Andrew Lunn,
stable, Sam Daly, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Daly <sam@samdaly.ie>
[ Upstream commit c0bf0a4f3f1f5f57aa83e1400ba4f56f0abfd542 ]
cgx_speed_mbps has 13 elements but RESP_LINKSTAT_SPEED can yield values
0-15. If it returns a value >= 13, this causes an out-of-bounds array
access. Add a bounds check and default to speed 0 if the index is out of
range.
Fixes: 61071a871ea6 ("octeontx2-af: Forward CGX link notifications to PFs")
Cc: Sunil Goutham <sgoutham@marvell.com>
Cc: Linu Cherian <lcherian@marvell.com>
Cc: Geetha sowjanya <gakula@marvell.com>
Cc: hariprasad <hkelam@marvell.com>
Cc: Subbaraya Sundeep <sbhatta@marvell.com>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>
Cc: stable <stable@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://patch.msgid.link/2026051352-refined-demise-e88d@gregkh
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
@@ -1096,10 +1096,13 @@ static inline void link_status_user_form
struct cgx *cgx, u8 lmac_id)
{
const char *lmac_string;
+ unsigned int speed;
linfo->link_up = FIELD_GET(RESP_LINKSTAT_UP, lstat);
linfo->full_duplex = FIELD_GET(RESP_LINKSTAT_FDUPLEX, lstat);
- linfo->speed = cgx_speed_mbps[FIELD_GET(RESP_LINKSTAT_SPEED, lstat)];
+ speed = FIELD_GET(RESP_LINKSTAT_SPEED, lstat);
+ linfo->speed = speed < ARRAY_SIZE(cgx_speed_mbps) ?
+ cgx_speed_mbps[speed] : 0;
linfo->an = FIELD_GET(RESP_LINKSTAT_AN, lstat);
linfo->fec = FIELD_GET(RESP_LINKSTAT_FEC, lstat);
linfo->lmac_type_id = cgx_get_lmac_type(cgx, lmac_id);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 357/411] octeontx2-pf: avoid double free of pool->stack on AQ init failure
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 356/411] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 358/411] spi: qup: switch to use modern name Greg Kroah-Hartman
` (54 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Dawei Feng, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
[ Upstream commit 9b244c242bec48b37e82b89787afd6a4c43457e1 ]
otx2_pool_aq_init() frees pool->stack when mailbox sync or retry
allocation fails, but leaves the pointer unchanged. Later,
otx2_sq_aura_pool_init() unwinds the partial setup through
otx2_aura_pool_free(), which frees pool->stack again. The CN20K-specific
cn20k_pool_aq_init() implementation has the same bug in
its corresponding error path.
Set pool->stack to NULL immediately after the local free so the shared
cleanup path does not free the same stack again while cleaning up
partially initialized pool state.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc3.
Runtime validation was not performed because reproducing this path
requires OcteonTX2/CN20K hardware.
Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues")
Fixes: d322fbd17203 ("octeontx2-pf: Initialize cn20k specific aura and pool contexts")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260515151826.1005397-1-dawei.feng@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
@@ -1258,11 +1258,13 @@ static int otx2_pool_init(struct otx2_ni
err = otx2_sync_mbox_msg(&pfvf->mbox);
if (err) {
qmem_free(pfvf->dev, pool->stack);
+ pool->stack = NULL;
return err;
}
aq = otx2_mbox_alloc_msg_npa_aq_enq(&pfvf->mbox);
if (!aq) {
qmem_free(pfvf->dev, pool->stack);
+ pool->stack = NULL;
return -ENOMEM;
}
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 358/411] spi: qup: switch to use modern name
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 357/411] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 359/411] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
` (53 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 597442ff4f6226206b7cc28b86eb2be0ae9c6418 ]
Change legacy name master to modern name host or controller.
No functional changed.
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20230818093154.1183529-10-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: a7e8f3efd50a ("spi: qup: fix error pointer deref after DMA setup failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-qup.c | 164 +++++++++++++++++++++++++-------------------------
1 file changed, 82 insertions(+), 82 deletions(-)
--- a/drivers/spi/spi-qup.c
+++ b/drivers/spi/spi-qup.c
@@ -386,20 +386,20 @@ static void spi_qup_write(struct spi_qup
} while (remainder);
}
-static int spi_qup_prep_sg(struct spi_master *master, struct scatterlist *sgl,
+static int spi_qup_prep_sg(struct spi_controller *host, struct scatterlist *sgl,
unsigned int nents, enum dma_transfer_direction dir,
dma_async_tx_callback callback)
{
- struct spi_qup *qup = spi_master_get_devdata(master);
+ struct spi_qup *qup = spi_controller_get_devdata(host);
unsigned long flags = DMA_PREP_INTERRUPT | DMA_PREP_FENCE;
struct dma_async_tx_descriptor *desc;
struct dma_chan *chan;
dma_cookie_t cookie;
if (dir == DMA_MEM_TO_DEV)
- chan = master->dma_tx;
+ chan = host->dma_tx;
else
- chan = master->dma_rx;
+ chan = host->dma_rx;
desc = dmaengine_prep_slave_sg(chan, sgl, nents, dir, flags);
if (IS_ERR_OR_NULL(desc))
@@ -413,13 +413,13 @@ static int spi_qup_prep_sg(struct spi_ma
return dma_submit_error(cookie);
}
-static void spi_qup_dma_terminate(struct spi_master *master,
+static void spi_qup_dma_terminate(struct spi_controller *host,
struct spi_transfer *xfer)
{
if (xfer->tx_buf)
- dmaengine_terminate_all(master->dma_tx);
+ dmaengine_terminate_all(host->dma_tx);
if (xfer->rx_buf)
- dmaengine_terminate_all(master->dma_rx);
+ dmaengine_terminate_all(host->dma_rx);
}
static u32 spi_qup_sgl_get_nents_len(struct scatterlist *sgl, u32 max,
@@ -446,8 +446,8 @@ static int spi_qup_do_dma(struct spi_dev
unsigned long timeout)
{
dma_async_tx_callback rx_done = NULL, tx_done = NULL;
- struct spi_master *master = spi->master;
- struct spi_qup *qup = spi_master_get_devdata(master);
+ struct spi_controller *host = spi->controller;
+ struct spi_qup *qup = spi_controller_get_devdata(host);
struct scatterlist *tx_sgl, *rx_sgl;
int ret;
@@ -482,20 +482,20 @@ static int spi_qup_do_dma(struct spi_dev
return ret;
}
if (rx_sgl) {
- ret = spi_qup_prep_sg(master, rx_sgl, rx_nents,
+ ret = spi_qup_prep_sg(host, rx_sgl, rx_nents,
DMA_DEV_TO_MEM, rx_done);
if (ret)
return ret;
- dma_async_issue_pending(master->dma_rx);
+ dma_async_issue_pending(host->dma_rx);
}
if (tx_sgl) {
- ret = spi_qup_prep_sg(master, tx_sgl, tx_nents,
+ ret = spi_qup_prep_sg(host, tx_sgl, tx_nents,
DMA_MEM_TO_DEV, tx_done);
if (ret)
return ret;
- dma_async_issue_pending(master->dma_tx);
+ dma_async_issue_pending(host->dma_tx);
}
if (!wait_for_completion_timeout(&qup->done, timeout))
@@ -514,8 +514,8 @@ static int spi_qup_do_dma(struct spi_dev
static int spi_qup_do_pio(struct spi_device *spi, struct spi_transfer *xfer,
unsigned long timeout)
{
- struct spi_master *master = spi->master;
- struct spi_qup *qup = spi_master_get_devdata(master);
+ struct spi_controller *host = spi->controller;
+ struct spi_qup *qup = spi_controller_get_devdata(host);
int ret, n_words, iterations, offset = 0;
n_words = qup->n_words;
@@ -660,7 +660,7 @@ static irqreturn_t spi_qup_qup_irq(int i
/* set clock freq ... bits per word, determine mode */
static int spi_qup_io_prep(struct spi_device *spi, struct spi_transfer *xfer)
{
- struct spi_qup *controller = spi_master_get_devdata(spi->master);
+ struct spi_qup *controller = spi_controller_get_devdata(spi->controller);
int ret;
if (spi->mode & SPI_LOOP && xfer->len > controller->in_fifo_sz) {
@@ -681,9 +681,9 @@ static int spi_qup_io_prep(struct spi_de
if (controller->n_words <= (controller->in_fifo_sz / sizeof(u32)))
controller->mode = QUP_IO_M_MODE_FIFO;
- else if (spi->master->can_dma &&
- spi->master->can_dma(spi->master, spi, xfer) &&
- spi->master->cur_msg_mapped)
+ else if (spi->controller->can_dma &&
+ spi->controller->can_dma(spi->controller, spi, xfer) &&
+ spi->controller->cur_msg_mapped)
controller->mode = QUP_IO_M_MODE_BAM;
else
controller->mode = QUP_IO_M_MODE_BLOCK;
@@ -694,7 +694,7 @@ static int spi_qup_io_prep(struct spi_de
/* prep qup for another spi transaction of specific type */
static int spi_qup_io_config(struct spi_device *spi, struct spi_transfer *xfer)
{
- struct spi_qup *controller = spi_master_get_devdata(spi->master);
+ struct spi_qup *controller = spi_controller_get_devdata(spi->controller);
u32 config, iomode, control;
unsigned long flags;
@@ -842,11 +842,11 @@ static int spi_qup_io_config(struct spi_
return 0;
}
-static int spi_qup_transfer_one(struct spi_master *master,
+static int spi_qup_transfer_one(struct spi_controller *host,
struct spi_device *spi,
struct spi_transfer *xfer)
{
- struct spi_qup *controller = spi_master_get_devdata(master);
+ struct spi_qup *controller = spi_controller_get_devdata(host);
unsigned long timeout, flags;
int ret;
@@ -880,21 +880,21 @@ static int spi_qup_transfer_one(struct s
spin_unlock_irqrestore(&controller->lock, flags);
if (ret && spi_qup_is_dma_xfer(controller->mode))
- spi_qup_dma_terminate(master, xfer);
+ spi_qup_dma_terminate(host, xfer);
return ret;
}
-static bool spi_qup_can_dma(struct spi_master *master, struct spi_device *spi,
+static bool spi_qup_can_dma(struct spi_controller *host, struct spi_device *spi,
struct spi_transfer *xfer)
{
- struct spi_qup *qup = spi_master_get_devdata(master);
+ struct spi_qup *qup = spi_controller_get_devdata(host);
size_t dma_align = dma_get_cache_alignment();
int n_words;
if (xfer->rx_buf) {
if (!IS_ALIGNED((size_t)xfer->rx_buf, dma_align) ||
- IS_ERR_OR_NULL(master->dma_rx))
+ IS_ERR_OR_NULL(host->dma_rx))
return false;
if (qup->qup_v1 && (xfer->len % qup->in_blk_sz))
return false;
@@ -902,7 +902,7 @@ static bool spi_qup_can_dma(struct spi_m
if (xfer->tx_buf) {
if (!IS_ALIGNED((size_t)xfer->tx_buf, dma_align) ||
- IS_ERR_OR_NULL(master->dma_tx))
+ IS_ERR_OR_NULL(host->dma_tx))
return false;
if (qup->qup_v1 && (xfer->len % qup->out_blk_sz))
return false;
@@ -915,30 +915,30 @@ static bool spi_qup_can_dma(struct spi_m
return true;
}
-static void spi_qup_release_dma(struct spi_master *master)
+static void spi_qup_release_dma(struct spi_controller *host)
{
- if (!IS_ERR_OR_NULL(master->dma_rx))
- dma_release_channel(master->dma_rx);
- if (!IS_ERR_OR_NULL(master->dma_tx))
- dma_release_channel(master->dma_tx);
+ if (!IS_ERR_OR_NULL(host->dma_rx))
+ dma_release_channel(host->dma_rx);
+ if (!IS_ERR_OR_NULL(host->dma_tx))
+ dma_release_channel(host->dma_tx);
}
-static int spi_qup_init_dma(struct spi_master *master, resource_size_t base)
+static int spi_qup_init_dma(struct spi_controller *host, resource_size_t base)
{
- struct spi_qup *spi = spi_master_get_devdata(master);
+ struct spi_qup *spi = spi_controller_get_devdata(host);
struct dma_slave_config *rx_conf = &spi->rx_conf,
*tx_conf = &spi->tx_conf;
struct device *dev = spi->dev;
int ret;
/* allocate dma resources, if available */
- master->dma_rx = dma_request_chan(dev, "rx");
- if (IS_ERR(master->dma_rx))
- return PTR_ERR(master->dma_rx);
-
- master->dma_tx = dma_request_chan(dev, "tx");
- if (IS_ERR(master->dma_tx)) {
- ret = PTR_ERR(master->dma_tx);
+ host->dma_rx = dma_request_chan(dev, "rx");
+ if (IS_ERR(host->dma_rx))
+ return PTR_ERR(host->dma_rx);
+
+ host->dma_tx = dma_request_chan(dev, "tx");
+ if (IS_ERR(host->dma_tx)) {
+ ret = PTR_ERR(host->dma_tx);
goto err_tx;
}
@@ -953,13 +953,13 @@ static int spi_qup_init_dma(struct spi_m
tx_conf->dst_addr = base + QUP_OUTPUT_FIFO;
tx_conf->dst_maxburst = spi->out_blk_sz;
- ret = dmaengine_slave_config(master->dma_rx, rx_conf);
+ ret = dmaengine_slave_config(host->dma_rx, rx_conf);
if (ret) {
dev_err(dev, "failed to configure RX channel\n");
goto err;
}
- ret = dmaengine_slave_config(master->dma_tx, tx_conf);
+ ret = dmaengine_slave_config(host->dma_tx, tx_conf);
if (ret) {
dev_err(dev, "failed to configure TX channel\n");
goto err;
@@ -968,9 +968,9 @@ static int spi_qup_init_dma(struct spi_m
return 0;
err:
- dma_release_channel(master->dma_tx);
+ dma_release_channel(host->dma_tx);
err_tx:
- dma_release_channel(master->dma_rx);
+ dma_release_channel(host->dma_rx);
return ret;
}
@@ -980,7 +980,7 @@ static void spi_qup_set_cs(struct spi_de
u32 spi_ioc;
u32 spi_ioc_orig;
- controller = spi_master_get_devdata(spi->master);
+ controller = spi_controller_get_devdata(spi->controller);
spi_ioc = readl_relaxed(controller->base + SPI_IO_CONTROL);
spi_ioc_orig = spi_ioc;
if (!val)
@@ -994,7 +994,7 @@ static void spi_qup_set_cs(struct spi_de
static int spi_qup_probe(struct platform_device *pdev)
{
- struct spi_master *master;
+ struct spi_controller *host;
struct clk *iclk, *cclk;
struct spi_qup *controller;
struct resource *res;
@@ -1030,32 +1030,32 @@ static int spi_qup_probe(struct platform
return -ENXIO;
}
- master = spi_alloc_master(dev, sizeof(struct spi_qup));
- if (!master) {
- dev_err(dev, "cannot allocate master\n");
+ host = spi_alloc_master(dev, sizeof(struct spi_qup));
+ if (!host) {
+ dev_err(dev, "cannot allocate host\n");
return -ENOMEM;
}
/* use num-cs unless not present or out of range */
if (of_property_read_u32(dev->of_node, "num-cs", &num_cs) ||
num_cs > SPI_NUM_CHIPSELECTS)
- master->num_chipselect = SPI_NUM_CHIPSELECTS;
+ host->num_chipselect = SPI_NUM_CHIPSELECTS;
else
- master->num_chipselect = num_cs;
+ host->num_chipselect = num_cs;
- master->bus_num = pdev->id;
- master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LOOP;
- master->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
- master->max_speed_hz = max_freq;
- master->transfer_one = spi_qup_transfer_one;
- master->dev.of_node = pdev->dev.of_node;
- master->auto_runtime_pm = true;
- master->dma_alignment = dma_get_cache_alignment();
- master->max_dma_len = SPI_MAX_XFER;
+ host->bus_num = pdev->id;
+ host->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH | SPI_LOOP;
+ host->bits_per_word_mask = SPI_BPW_RANGE_MASK(4, 32);
+ host->max_speed_hz = max_freq;
+ host->transfer_one = spi_qup_transfer_one;
+ host->dev.of_node = pdev->dev.of_node;
+ host->auto_runtime_pm = true;
+ host->dma_alignment = dma_get_cache_alignment();
+ host->max_dma_len = SPI_MAX_XFER;
- platform_set_drvdata(pdev, master);
+ platform_set_drvdata(pdev, host);
- controller = spi_master_get_devdata(master);
+ controller = spi_controller_get_devdata(host);
controller->dev = dev;
controller->base = base;
@@ -1063,16 +1063,16 @@ static int spi_qup_probe(struct platform
controller->cclk = cclk;
controller->irq = irq;
- ret = spi_qup_init_dma(master, res->start);
+ ret = spi_qup_init_dma(host, res->start);
if (ret == -EPROBE_DEFER)
goto error;
else if (!ret)
- master->can_dma = spi_qup_can_dma;
+ host->can_dma = spi_qup_can_dma;
controller->qup_v1 = (uintptr_t)of_device_get_match_data(dev);
if (!controller->qup_v1)
- master->set_cs = spi_qup_set_cs;
+ host->set_cs = spi_qup_set_cs;
spin_lock_init(&controller->lock);
init_completion(&controller->done);
@@ -1150,7 +1150,7 @@ static int spi_qup_probe(struct platform
pm_runtime_set_active(dev);
pm_runtime_enable(dev);
- ret = devm_spi_register_master(dev, master);
+ ret = devm_spi_register_controller(dev, host);
if (ret)
goto disable_pm;
@@ -1162,17 +1162,17 @@ error_clk:
clk_disable_unprepare(cclk);
clk_disable_unprepare(iclk);
error_dma:
- spi_qup_release_dma(master);
+ spi_qup_release_dma(host);
error:
- spi_master_put(master);
+ spi_controller_put(host);
return ret;
}
#ifdef CONFIG_PM
static int spi_qup_pm_suspend_runtime(struct device *device)
{
- struct spi_master *master = dev_get_drvdata(device);
- struct spi_qup *controller = spi_master_get_devdata(master);
+ struct spi_controller *host = dev_get_drvdata(device);
+ struct spi_qup *controller = spi_controller_get_devdata(host);
u32 config;
/* Enable clocks auto gaiting */
@@ -1188,8 +1188,8 @@ static int spi_qup_pm_suspend_runtime(st
static int spi_qup_pm_resume_runtime(struct device *device)
{
- struct spi_master *master = dev_get_drvdata(device);
- struct spi_qup *controller = spi_master_get_devdata(master);
+ struct spi_controller *host = dev_get_drvdata(device);
+ struct spi_qup *controller = spi_controller_get_devdata(host);
u32 config;
int ret;
@@ -1214,8 +1214,8 @@ static int spi_qup_pm_resume_runtime(str
#ifdef CONFIG_PM_SLEEP
static int spi_qup_suspend(struct device *device)
{
- struct spi_master *master = dev_get_drvdata(device);
- struct spi_qup *controller = spi_master_get_devdata(master);
+ struct spi_controller *host = dev_get_drvdata(device);
+ struct spi_qup *controller = spi_controller_get_devdata(host);
int ret;
if (pm_runtime_suspended(device)) {
@@ -1223,7 +1223,7 @@ static int spi_qup_suspend(struct device
if (ret)
return ret;
}
- ret = spi_master_suspend(master);
+ ret = spi_controller_suspend(host);
if (ret)
return ret;
@@ -1238,8 +1238,8 @@ static int spi_qup_suspend(struct device
static int spi_qup_resume(struct device *device)
{
- struct spi_master *master = dev_get_drvdata(device);
- struct spi_qup *controller = spi_master_get_devdata(master);
+ struct spi_controller *host = dev_get_drvdata(device);
+ struct spi_qup *controller = spi_controller_get_devdata(host);
int ret;
ret = clk_prepare_enable(controller->iclk);
@@ -1256,7 +1256,7 @@ static int spi_qup_resume(struct device
if (ret)
goto disable_clk;
- ret = spi_master_resume(master);
+ ret = spi_controller_resume(host);
if (ret)
goto disable_clk;
@@ -1271,8 +1271,8 @@ disable_clk:
static int spi_qup_remove(struct platform_device *pdev)
{
- struct spi_master *master = dev_get_drvdata(&pdev->dev);
- struct spi_qup *controller = spi_master_get_devdata(master);
+ struct spi_controller *host = dev_get_drvdata(&pdev->dev);
+ struct spi_qup *controller = spi_controller_get_devdata(host);
int ret;
ret = pm_runtime_get_sync(&pdev->dev);
@@ -1290,7 +1290,7 @@ static int spi_qup_remove(struct platfor
ERR_PTR(ret));
}
- spi_qup_release_dma(master);
+ spi_qup_release_dma(host);
pm_runtime_put_noidle(&pdev->dev);
pm_runtime_disable(&pdev->dev);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 359/411] spi: qup: fix error pointer deref after DMA setup failure
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 358/411] spi: qup: switch to use modern name Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 360/411] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
` (52 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit a7e8f3efd50a165ba0189f6dc57f7e51a7d149db ]
The driver falls back to PIO mode if DMA setup fails during probe.
Make sure to the clear the DMA channel pointers on setup failure to
avoid dereferencing an error pointer (or attempting to release a channel
a second time) on later probe errors or driver unbind.
This issue was flagged by Sashiko when reviewing a devres allocation
conversion patch.
Fixes: 612762e82ae6 ("spi: qup: Add DMA capabilities")
Link: https://sashiko.dev/#/patchset/20260505072909.618363-1-johan%40kernel.org?part=4
Cc: stable@vger.kernel.org # 4.1
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260512074334.914735-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-qup.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/spi/spi-qup.c
+++ b/drivers/spi/spi-qup.c
@@ -969,8 +969,11 @@ static int spi_qup_init_dma(struct spi_c
err:
dma_release_channel(host->dma_tx);
+ host->dma_tx = NULL;
err_tx:
dma_release_channel(host->dma_rx);
+ host->dma_rx = NULL;
+
return ret;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 360/411] arm64: tlb: Flush walk cache when unsharing PMD tables
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 359/411] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 361/411] phy: tegra: xusb: Disable trk clk when not in use Greg Kroah-Hartman
` (51 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zeng Heng, Catalin Marinas,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zeng Heng <zengheng4@huawei.com>
[ Upstream commit c2ff4764e03e7a8d758352f4aceb8fe1be6ac971 ]
When huge_pmd_unshare() is called to unshare a PMD table, the
tlb_unshare_pmd_ptdesc() function sets tlb->unshared_tables=true
but the aarch64 tlb_flush() only checked tlb->freed_tables to
determine whether to use TLBF_NONE (vae1is, invalidates walk
cache) or TLBF_NOWALKCACHE (vale1is, leaf-only).
This caused the stale PMD page table entry to remain in the walk cache
after unshare, potentially leading to incorrect page table walks.
Fix by including unshared_tables in the check, so that when
unsharing tables, TLBF_NONE is used and the walk cache is properly
invalidated.
Here is the detailed distinction between vae1is and vale1is:
| Instruction Combination | Actual Invalidation Scope |
| ------------------------ | --------------------------------------------------|
| `VAE1IS` + TTL=`0` | All entries at all levels (full invalidation) |
| `VAE1IS` + TTL=`2` (L2) | Non-leaf at Level 0/1 + leaf at Level 2 |
| `VALE1IS` + TTL=`0` | Leaf entries at all levels (non-leaf not cleared) |
| `VALE1IS` + TTL=`2` (L2) | Leaf entry at Level 2 only |
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Fixes: 8ce720d5bd91 ("mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather")
Cc: <stable@vger.kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/tlb.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/include/asm/tlb.h
+++ b/arch/arm64/include/asm/tlb.h
@@ -53,7 +53,7 @@ static inline int tlb_get_level(struct m
static inline void tlb_flush(struct mmu_gather *tlb)
{
struct vm_area_struct vma = TLB_FLUSH_VMA(tlb->mm, 0);
- bool last_level = !tlb->freed_tables;
+ bool last_level = !(tlb->freed_tables || tlb->unshared_tables);
unsigned long stride = tlb_get_unmap_size(tlb);
int tlb_level = tlb_get_level(tlb);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 361/411] phy: tegra: xusb: Disable trk clk when not in use
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 360/411] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
@ 2026-06-16 14:59 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 362/411] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
` (50 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 14:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wayne Chang, Jon Hunter, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Chang <waynec@nvidia.com>
[ Upstream commit 71d9e899584e11bbd7eaf9934a619c69a15060d8 ]
Pad tracking is a one-time calibration for Tegra186 and Tegra194.
Clk should be disabled after calibration.
Disable clk after calibration.
While at it add 100us delay for HW recording the calibration value.
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://lore.kernel.org/r/20230111110450.24617-5-jonathanh@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: da110228b54f ("phy: tegra: xusb: Fix per-pad high-speed termination calibration")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/tegra/xusb-tegra186.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/phy/tegra/xusb-tegra186.c
+++ b/drivers/phy/tegra/xusb-tegra186.c
@@ -612,6 +612,10 @@ static void tegra186_utmi_bias_pad_power
value &= ~USB2_PD_TRK;
padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL1);
+ udelay(100);
+
+ clk_disable_unprepare(priv->usb2_trk_clk);
+
mutex_unlock(&padctl->lock);
}
@@ -636,8 +640,6 @@ static void tegra186_utmi_bias_pad_power
value |= USB2_PD_TRK;
padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL1);
- clk_disable_unprepare(priv->usb2_trk_clk);
-
mutex_unlock(&padctl->lock);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 362/411] phy: tegra: xusb: Fix per-pad high-speed termination calibration
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-06-16 14:59 ` [PATCH 5.15 361/411] phy: tegra: xusb: Disable trk clk when not in use Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 363/411] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
` (49 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wayne Chang, Wei-Cheng Chen,
Jon Hunter, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Chang <waynec@nvidia.com>
[ Upstream commit da110228b54f2e2143d97ea7151e0dc22e539d67 ]
The existing code reads a single hs_term_range_adj value from bit field
[10:7] of FUSE_SKU_CALIB_0 and applies it to all USB2 pads uniformly.
However, on SoCs that support per-pad termination, each pad has its own
hs_term_range_adj field: pad 0 in FUSE_SKU_CALIB_0[10:7], and pads 1-3
in FUSE_USB_CALIB_EXT_0 at bit offsets [8:5], [12:9], and [16:13]
respectively.
Fix the calibration by reading per-pad values from the appropriate fuse
registers. For SoCs that do not support per-pad termination, replicate
pad 0's value to all pads to maintain existing behavior.
Add a has_per_pad_term flag to the SoC data to indicate whether per-pad
termination values are available in FUSE_USB_CALIB_EXT_0.
Fixes: 1ef535c6ba8e ("phy: tegra: xusb: Add Tegra194 support")
Cc: stable@vger.kernel.org
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260504033305.2283145-1-weichengc@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/tegra/xusb-tegra186.c | 32 +++++++++++++++++++++++++-------
drivers/phy/tegra/xusb.h | 1 +
2 files changed, 26 insertions(+), 7 deletions(-)
--- a/drivers/phy/tegra/xusb-tegra186.c
+++ b/drivers/phy/tegra/xusb-tegra186.c
@@ -20,8 +20,8 @@
/* FUSE USB_CALIB registers */
#define HS_CURR_LEVEL_PADX_SHIFT(x) ((x) ? (11 + (x - 1) * 6) : 0)
#define HS_CURR_LEVEL_PAD_MASK 0x3f
-#define HS_TERM_RANGE_ADJ_SHIFT 7
-#define HS_TERM_RANGE_ADJ_MASK 0xf
+#define HS_TERM_RANGE_ADJ_PADX_SHIFT(x) ((x) ? (5 + (x - 1) * 4) : 7)
+#define HS_TERM_RANGE_ADJ_PAD_MASK 0xf
#define HS_SQUELCH_SHIFT 29
#define HS_SQUELCH_MASK 0x7
@@ -238,7 +238,7 @@
struct tegra_xusb_fuse_calibration {
u32 *hs_curr_level;
u32 hs_squelch;
- u32 hs_term_range_adj;
+ u32 *hs_term_range_adj;
u32 rpd_ctrl;
};
@@ -864,7 +864,7 @@ static int tegra186_utmi_phy_power_on(st
value = padctl_readl(padctl, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index));
value &= ~TERM_RANGE_ADJ(~0);
- value |= TERM_RANGE_ADJ(priv->calib.hs_term_range_adj);
+ value |= TERM_RANGE_ADJ(priv->calib.hs_term_range_adj[index]);
value &= ~RPD_CTRL(~0);
value |= RPD_CTRL(priv->calib.rpd_ctrl);
padctl_writel(padctl, value, XUSB_PADCTL_USB2_OTG_PADX_CTL1(index));
@@ -1400,17 +1400,23 @@ static const char * const tegra186_usb3_
static int
tegra186_xusb_read_fuse_calibration(struct tegra186_xusb_padctl *padctl)
{
+ const struct tegra_xusb_padctl_soc *soc = padctl->base.soc;
struct device *dev = padctl->base.dev;
unsigned int i, count;
u32 value, *level;
+ u32 *hs_term_range_adj;
int err;
- count = padctl->base.soc->ports.usb2.count;
+ count = soc->ports.usb2.count;
level = devm_kcalloc(dev, count, sizeof(u32), GFP_KERNEL);
if (!level)
return -ENOMEM;
+ hs_term_range_adj = devm_kcalloc(dev, count, sizeof(u32), GFP_KERNEL);
+ if (!hs_term_range_adj)
+ return -ENOMEM;
+
err = tegra_fuse_readl(TEGRA_FUSE_SKU_CALIB_0, &value);
if (err) {
if (err != -EPROBE_DEFER)
@@ -1429,8 +1435,8 @@ tegra186_xusb_read_fuse_calibration(stru
padctl->calib.hs_squelch = (value >> HS_SQUELCH_SHIFT) &
HS_SQUELCH_MASK;
- padctl->calib.hs_term_range_adj = (value >> HS_TERM_RANGE_ADJ_SHIFT) &
- HS_TERM_RANGE_ADJ_MASK;
+ hs_term_range_adj[0] = (value >> HS_TERM_RANGE_ADJ_PADX_SHIFT(0)) &
+ HS_TERM_RANGE_ADJ_PAD_MASK;
err = tegra_fuse_readl(TEGRA_FUSE_USB_CALIB_EXT_0, &value);
if (err) {
@@ -1442,6 +1448,17 @@ tegra186_xusb_read_fuse_calibration(stru
padctl->calib.rpd_ctrl = (value >> RPD_CTRL_SHIFT) & RPD_CTRL_MASK;
+ for (i = 1; i < count; i++) {
+ if (soc->has_per_pad_term)
+ hs_term_range_adj[i] =
+ (value >> HS_TERM_RANGE_ADJ_PADX_SHIFT(i)) &
+ HS_TERM_RANGE_ADJ_PAD_MASK;
+ else
+ hs_term_range_adj[i] = hs_term_range_adj[0];
+ }
+
+ padctl->calib.hs_term_range_adj = hs_term_range_adj;
+
return 0;
}
@@ -1643,6 +1660,7 @@ const struct tegra_xusb_padctl_soc tegra
.supply_names = tegra194_xusb_padctl_supply_names,
.num_supplies = ARRAY_SIZE(tegra194_xusb_padctl_supply_names),
.supports_gen2 = true,
+ .has_per_pad_term = true,
};
EXPORT_SYMBOL_GPL(tegra194_xusb_padctl_soc);
#endif
--- a/drivers/phy/tegra/xusb.h
+++ b/drivers/phy/tegra/xusb.h
@@ -431,6 +431,7 @@ struct tegra_xusb_padctl_soc {
unsigned int num_supplies;
bool supports_gen2;
bool need_fake_usb3_port;
+ bool has_per_pad_term;
};
struct tegra_xusb_padctl {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 363/411] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 362/411] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 364/411] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
` (48 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siwei Zhang, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siwei Zhang <oss@fourdim.xyz>
[ Upstream commit 8c8e620467a7b51562dbcefbd1f09f288d7d710d ]
l2cap_chan_close() removes the channel from conn->chan_l, which
must be done under conn->lock. cleanup_listen() runs under the
parent sk_lock, so acquiring conn->lock would invert the
established conn->lock -> chan->lock -> sk_lock order.
Instead of calling l2cap_chan_close() directly, schedule
l2cap_chan_timeout with delay 0 to close the channel
asynchronously. The timeout handler already acquires conn->lock
and chan->lock in the correct order.
The timer is only armed when chan->conn is still set: if it is
already NULL, l2cap_conn_del() has already processed this channel
(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),
so there is nothing left to do. If l2cap_conn_del() races in
after the timer is armed, __clear_chan_timer() inside
l2cap_chan_del() cancels it; if the timer has already fired, the
handler returns harmlessly because chan->conn was cleared.
Fixes: 3df91ea20e74 ("Bluetooth: Revert to mutexes from RCU list")
Cc: <stable@vger.kernel.org> # 0b58004: Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_sock.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1449,6 +1449,10 @@ static void l2cap_sock_cleanup_listen(st
* pin it (hold_unless_zero() additionally skips a chan already past
* its last reference). We then drop the sk lock before taking
* chan->lock, so sk and chan locks are never held together.
+ *
+ * Since we cannot call l2cap_chan_close() without conn->lock,
+ * schedule l2cap_chan_timeout to close the channel; it already
+ * acquires conn->lock -> chan->lock in the correct order.
*/
while ((sk = bt_accept_dequeue(parent, NULL))) {
struct l2cap_chan *chan;
@@ -1466,14 +1470,12 @@ static void l2cap_sock_cleanup_listen(st
state_to_string(chan->state));
l2cap_chan_lock(chan);
- __clear_chan_timer(chan);
- l2cap_chan_close(chan, ECONNRESET);
- /* l2cap_conn_del() may already have killed this socket
- * (it sets SOCK_DEAD); skip the duplicate to avoid a
- * double sock_put()/l2cap_chan_put().
+ /* Since we cannot call l2cap_chan_close() without
+ * conn->lock, schedule its timer to trigger the close
+ * and cleanup of this channel.
*/
- if (!sock_flag(sk, SOCK_DEAD))
- l2cap_sock_kill(sk);
+ if (chan->conn)
+ __set_chan_timer(chan, 0);
l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 364/411] iio: gyro: adis16260: fix division by zero in write_raw
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 363/411] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 365/411] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
` (47 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Nuno Sá,
Stable, Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
[ Upstream commit 761e8b489e6cf166c574034b70637f8a7eadd0ee ]
Add a validation check for the sampling frequency value before using it
as a divisor. A user writing zero to the sampling_frequency sysfs
attribute triggers a division by zero in the kernel.
Fixes: 089a41985c6c ("staging: iio: adis16260 digital gyro driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/gyro/adis16260.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iio/gyro/adis16260.c
+++ b/drivers/iio/gyro/adis16260.c
@@ -288,6 +288,9 @@ static int adis16260_write_raw(struct ii
addr = adis16260_addresses[chan->scan_index][1];
return adis_write_reg_16(adis, addr, val);
case IIO_CHAN_INFO_SAMP_FREQ:
+ if (val <= 0)
+ return -EINVAL;
+
adis_dev_lock(adis);
if (spi_get_device_id(adis->spi)->driver_data)
t = 256 / val;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 365/411] iio: chemical: scd30: Use guard(mutex) to allow early returns
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 364/411] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 366/411] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
` (46 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Tomasz Duszynski,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit 5feb5532870fbced5d6f450b8061a33f461b88ca ]
Auto cleanup based release of the lock allows for simpler code flow in a
few functions with large multiplexing style switch statements and no
common operations following the switch.
Suggested-by: David Lechner <dlechner@baylibre.com>
Cc: Tomasz Duszynski <tomasz.duszynski@octakon.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250209180624.701140-3-jic23@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 5aba4f94b225 ("iio: chemical: scd30: fix division by zero in write_raw")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/scd30_core.c | 63 ++++++++++++++++----------------------
1 file changed, 28 insertions(+), 35 deletions(-)
--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -5,6 +5,7 @@
* Copyright (c) 2020 Tomasz Duszynski <tomasz.duszynski@octakon.com>
*/
#include <linux/bits.h>
+#include <linux/cleanup.h>
#include <linux/completion.h>
#include <linux/delay.h>
#include <linux/device.h>
@@ -198,112 +199,104 @@ static int scd30_read_raw(struct iio_dev
int *val, int *val2, long mask)
{
struct scd30_state *state = iio_priv(indio_dev);
- int ret = -EINVAL;
+ int ret;
u16 tmp;
- mutex_lock(&state->lock);
+ guard(mutex)(&state->lock);
switch (mask) {
case IIO_CHAN_INFO_RAW:
case IIO_CHAN_INFO_PROCESSED:
if (chan->output) {
*val = state->pressure_comp;
- ret = IIO_VAL_INT;
- break;
+ return IIO_VAL_INT;
}
ret = iio_device_claim_direct_mode(indio_dev);
if (ret)
- break;
+ return ret;
ret = scd30_read(state);
if (ret) {
iio_device_release_direct_mode(indio_dev);
- break;
+ return ret;
}
*val = state->meas[chan->address];
iio_device_release_direct_mode(indio_dev);
- ret = IIO_VAL_INT;
- break;
+ return IIO_VAL_INT;
case IIO_CHAN_INFO_SCALE:
*val = 0;
*val2 = 1;
- ret = IIO_VAL_INT_PLUS_MICRO;
- break;
+ return IIO_VAL_INT_PLUS_MICRO;
case IIO_CHAN_INFO_SAMP_FREQ:
ret = scd30_command_read(state, CMD_MEAS_INTERVAL, &tmp);
if (ret)
- break;
+ return ret;
*val = 0;
*val2 = 1000000000 / tmp;
- ret = IIO_VAL_INT_PLUS_NANO;
- break;
+ return IIO_VAL_INT_PLUS_NANO;
case IIO_CHAN_INFO_CALIBBIAS:
ret = scd30_command_read(state, CMD_TEMP_OFFSET, &tmp);
if (ret)
- break;
+ return ret;
*val = tmp;
- ret = IIO_VAL_INT;
- break;
+ return IIO_VAL_INT;
+ default:
+ return -EINVAL;
}
- mutex_unlock(&state->lock);
-
- return ret;
}
static int scd30_write_raw(struct iio_dev *indio_dev, struct iio_chan_spec const *chan,
int val, int val2, long mask)
{
struct scd30_state *state = iio_priv(indio_dev);
- int ret = -EINVAL;
+ int ret;
- mutex_lock(&state->lock);
+ guard(mutex)(&state->lock);
switch (mask) {
case IIO_CHAN_INFO_SAMP_FREQ:
if (val)
- break;
+ return -EINVAL;
val = 1000000000 / val2;
if (val < SCD30_MEAS_INTERVAL_MIN_S || val > SCD30_MEAS_INTERVAL_MAX_S)
- break;
+ return -EINVAL;
ret = scd30_command_write(state, CMD_MEAS_INTERVAL, val);
if (ret)
- break;
+ return ret;
state->meas_interval = val;
- break;
+ return 0;
case IIO_CHAN_INFO_RAW:
switch (chan->type) {
case IIO_PRESSURE:
if (val < SCD30_PRESSURE_COMP_MIN_MBAR ||
val > SCD30_PRESSURE_COMP_MAX_MBAR)
- break;
+ return -EINVAL;
ret = scd30_command_write(state, CMD_START_MEAS, val);
if (ret)
- break;
+ return ret;
state->pressure_comp = val;
- break;
+ return 0;
default:
- break;
+ return -EINVAL;
}
- break;
case IIO_CHAN_INFO_CALIBBIAS:
if (val < 0 || val > SCD30_TEMP_OFFSET_MAX)
- break;
+ return -EINVAL;
/*
* Manufacturer does not explicitly specify min/max sensible
* values hence check is omitted for simplicity.
*/
- ret = scd30_command_write(state, CMD_TEMP_OFFSET / 10, val);
+ return scd30_command_write(state, CMD_TEMP_OFFSET / 10, val);
+ default:
+ return -EINVAL;
}
- mutex_unlock(&state->lock);
-
- return ret;
}
static int scd30_write_raw_get_fmt(struct iio_dev *indio_dev, struct iio_chan_spec const *chan,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 366/411] iio: chemical: scd30: fix division by zero in write_raw
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 365/411] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 367/411] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
` (45 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antoniu Miclaus, Stable,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antoniu Miclaus <antoniu.miclaus@analog.com>
[ Upstream commit 5aba4f94b225617a55fed442a70329b2ee19c0a5 ]
Add a zero check for val2 before using it as a divisor when setting the
sampling frequency. A user writing a zero fractional part to the
sampling_frequency sysfs attribute triggers a division by zero in the
kernel.
Fixes: 64b3d8b1b0f5 ("iio: chemical: scd30: add core driver")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/chemical/scd30_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/chemical/scd30_core.c
+++ b/drivers/iio/chemical/scd30_core.c
@@ -257,7 +257,7 @@ static int scd30_write_raw(struct iio_de
guard(mutex)(&state->lock);
switch (mask) {
case IIO_CHAN_INFO_SAMP_FREQ:
- if (val)
+ if (val || !val2)
return -EINVAL;
val = 1000000000 / val2;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 367/411] iio: dac: ad5686: fix ref bit initialization for single-channel parts
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 366/411] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 368/411] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
` (44 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rodrigo Alencar,
Stable, Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Alencar <rodrigo.alencar@analog.com>
[ Upstream commit ecae2ae606d493cf11457946436335bd0e726663 ]
The reference bit position was ignored when writing the register at the
probe() function (!!val was used). When such bit is 1, internal voltage
reference is disabled so that an external one can be used. For
multi-channel devices, bit 0 of the Internal Reference Setup command
behaves the same way, so AD5686_REF_BIT_MSK is created. The issue exists
since support for single-channel devices were first introduced.
Fixes: be1b24d24541 ("iio:dac:ad5686: Add AD5691R/AD5692R/AD5693/AD5693R support")
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[ adapted `has_external_vref` to the in-tree equivalent `voltage_uv` variable in the `val =` computation ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5686.c | 6 +++---
drivers/iio/dac/ad5686.h | 1 +
2 files changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/iio/dac/ad5686.c
+++ b/drivers/iio/dac/ad5686.c
@@ -513,7 +513,7 @@ int ad5686_probe(struct device *dev,
break;
case AD5686_REGMAP:
cmd = AD5686_CMD_INTERNAL_REFER_SETUP;
- ref_bit_msk = 0;
+ ref_bit_msk = AD5686_REF_BIT_MSK;
break;
case AD5693_REGMAP:
cmd = AD5686_CMD_CONTROL_REG;
@@ -525,9 +525,9 @@ int ad5686_probe(struct device *dev,
goto error_disable_reg;
}
- val = (voltage_uv | ref_bit_msk);
+ val = voltage_uv ? ref_bit_msk : 0;
- ret = st->write(st, cmd, 0, !!val);
+ ret = st->write(st, cmd, 0, val);
if (ret)
goto error_disable_reg;
--- a/drivers/iio/dac/ad5686.h
+++ b/drivers/iio/dac/ad5686.h
@@ -44,6 +44,7 @@
#define AD5310_REF_BIT_MSK BIT(8)
#define AD5683_REF_BIT_MSK BIT(12)
+#define AD5686_REF_BIT_MSK BIT(0)
#define AD5693_REF_BIT_MSK BIT(12)
/**
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 368/411] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 367/411] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 369/411] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Greg Kroah-Hartman
` (43 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, sashiko-bot, Peter Chen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chen <peter.chen@cixtech.com>
[ Upstream commit e6970cda63fd4b4546aeed9d0e2f53a7c95cd09c ]
Move usb2_phy initialization after usb3_phy acquisition.
Fixes: f738957277ba ("usb: cdns3: Split core.c into cdns3-plat and core.c file")
Cc: stable <stable@kernel.org>
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/linux-devicetree/agKaEePSFknhDBg2@nchen-desktop/T/#m21e1d9c1574eb127ce03c0c2a1a49002ce435b52
Signed-off-by: Peter Chen <peter.chen@cixtech.com>
Link: https://patch.msgid.link/20260513085310.2217547-2-peter.chen@cixtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdns3-plat.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/usb/cdns3/cdns3-plat.c
+++ b/drivers/usb/cdns3/cdns3-plat.c
@@ -120,14 +120,14 @@ static int cdns3_plat_probe(struct platf
if (IS_ERR(cdns->usb2_phy))
return PTR_ERR(cdns->usb2_phy);
- ret = phy_init(cdns->usb2_phy);
- if (ret)
- return ret;
-
cdns->usb3_phy = devm_phy_optional_get(dev, "cdns3,usb3-phy");
if (IS_ERR(cdns->usb3_phy))
return PTR_ERR(cdns->usb3_phy);
+ ret = phy_init(cdns->usb2_phy);
+ if (ret)
+ return ret;
+
ret = phy_init(cdns->usb3_phy);
if (ret)
goto err_phy3_init;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 369/411] net: skbuff: fix missing zerocopy reference in pskb_carve helpers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 368/411] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 370/411] serial: samsung_tty: Use port lock wrappers Greg Kroah-Hartman
` (42 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minh Nguyen, Willem de Bruijn,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minh Nguyen <minhnguyen.080505@gmail.com>
[ Upstream commit 98d0912e9f841e5529a5b89a972805f34cb1c69d ]
pskb_carve_inside_header() and pskb_carve_inside_nonlinear() both copy
the old skb_shared_info header into a new buffer via memcpy(), which
includes the destructor_arg pointer (uarg) for MSG_ZEROCOPY skbs.
Neither function calls net_zcopy_get() for the new shinfo, creating an
unaccounted holder: every skb_shared_info with destructor_arg set will
call skb_zcopy_clear() once when freed, but the corresponding
net_zcopy_get() was never called for the new copy. Repeated calls
drive uarg->refcnt to zero prematurely, freeing ubuf_info_msgzc while
TX skbs still hold live destructor_arg pointers.
KASAN reports use-after-free on a freed ubuf_info_msgzc:
BUG: KASAN: slab-use-after-free in skb_release_data+0x77b/0x810
Read of size 8 at addr ffff88801574d3e8 by task poc/220
Call Trace:
skb_release_data+0x77b/0x810
kfree_skb_list_reason+0x13e/0x610
skb_release_data+0x4cd/0x810
sk_skb_reason_drop+0xf3/0x340
skb_queue_purge_reason+0x282/0x440
rds_tcp_inc_free+0x1e/0x30
rds_recvmsg+0x354/0x1780
__sys_recvmsg+0xdf/0x180
Allocated by task 219:
msg_zerocopy_realloc+0x157/0x7b0
tcp_sendmsg_locked+0x2892/0x3ba0
Freed by task 219:
ip_recv_error+0x74a/0xb10
tcp_recvmsg+0x475/0x530
The skb consuming the late access still referenced the same uarg via
shinfo->destructor_arg copied by pskb_carve_inside_nonlinear() without
a refcount bump. This has been verified to be reliably exploitable: a
working proof-of-concept achieves full root privilege escalation from
an unprivileged local user on a default kernel configuration.
The fix follows the pattern of pskb_expand_head() which has the same
memcpy/cloned structure. For pskb_carve_inside_header(), net_zcopy_get()
is placed after skb_orphan_frags() succeeds, so the orphan error path
needs no cleanup. For pskb_carve_inside_nonlinear(), net_zcopy_get() is
placed after all failure points and just before skb_release_data(), so
no error path needs cleanup at all -- matching pskb_expand_head() more
closely and avoiding the need for a balancing net_zcopy_put().
Fixes: 6fa01ccd8830 ("skbuff: Add pskb_extract() helper function")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Minh Nguyen <minhnguyen.080505@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260526041240.329462-1-minhnguyen.080505@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/skbuff.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6256,6 +6256,8 @@ static int pskb_carve_inside_header(stru
kfree(data);
return -ENOMEM;
}
+ if (skb_zcopy(skb))
+ net_zcopy_get(skb_zcopy(skb));
for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
skb_frag_ref(skb, i);
if (skb_has_frag_list(skb))
@@ -6404,6 +6406,8 @@ static int pskb_carve_inside_nonlinear(s
kfree(data);
return -ENOMEM;
}
+ if (skb_zcopy(skb))
+ net_zcopy_get(skb_zcopy(skb));
skb_release_data(skb);
skb->head = data;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 370/411] serial: samsung_tty: Use port lock wrappers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 369/411] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 371/411] tty: serial: samsung: use u32 for register interactions Greg Kroah-Hartman
` (41 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, John Ogness,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 97d7a9aeba1d424c2359f1686d02c75d798ad184 ]
When a serial port is used for kernel console output, then all
modifications to the UART registers which are done from other contexts,
e.g. getty, termios, are interference points for the kernel console.
So far this has been ignored and the printk output is based on the
principle of hope. The rework of the console infrastructure which aims to
support threaded and atomic consoles, requires to mark sections which
modify the UART registers as unsafe. This allows the atomic write function
to make informed decisions and eventually to restore operational state. It
also allows to prevent the regular UART code from modifying UART registers
while printk output is in progress.
All modifications of UART registers are guarded by the UART port lock,
which provides an obvious synchronization point with the console
infrastructure.
To avoid adding this functionality to all UART drivers, wrap the
spin_[un]lock*() invocations for uart_port::lock into helper functions
which just contain the spin_[un]lock*() invocations for now. In a
subsequent step these helpers will gain the console synchronization
mechanisms.
Converted with coccinelle. No functional change.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: John Ogness <john.ogness@linutronix.de>
Link: https://lore.kernel.org/r/20230914183831.587273-54-john.ogness@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: a3bb136bff5e ("tty: serial: samsung: Remove redundant port lock acquisition in rx helpers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/samsung_tty.c | 44 +++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 22 deletions(-)
--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -246,7 +246,7 @@ static void s3c24xx_serial_rx_enable(str
unsigned int ucon, ufcon;
int count = 10000;
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
while (--count && !s3c24xx_serial_txempty_nofifo(port))
udelay(100);
@@ -260,7 +260,7 @@ static void s3c24xx_serial_rx_enable(str
wr_regl(port, S3C2410_UCON, ucon);
ourport->rx_enabled = 1;
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
}
static void s3c24xx_serial_rx_disable(struct uart_port *port)
@@ -269,14 +269,14 @@ static void s3c24xx_serial_rx_disable(st
unsigned long flags;
unsigned int ucon;
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
ucon = rd_regl(port, S3C2410_UCON);
ucon &= ~S3C2410_UCON_RXIRQMODE;
wr_regl(port, S3C2410_UCON, ucon);
ourport->rx_enabled = 0;
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
}
static void s3c24xx_serial_stop_tx(struct uart_port *port)
@@ -344,7 +344,7 @@ static void s3c24xx_serial_tx_dma_comple
dma->tx_transfer_addr, dma->tx_size,
DMA_TO_DEVICE);
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
xmit->tail = (xmit->tail + count) & (UART_XMIT_SIZE - 1);
port->icount.tx += count;
@@ -354,7 +354,7 @@ static void s3c24xx_serial_tx_dma_comple
uart_write_wakeup(port);
s3c24xx_serial_start_next_tx(ourport);
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
}
static void enable_tx_dma(struct s3c24xx_uart_port *ourport)
@@ -620,7 +620,7 @@ static void s3c24xx_serial_rx_dma_comple
received = dma->rx_bytes_requested - state.residue;
async_tx_ack(dma->rx_desc);
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
if (received)
s3c24xx_uart_copy_rx_to_tty(ourport, t, received);
@@ -632,7 +632,7 @@ static void s3c24xx_serial_rx_dma_comple
s3c64xx_start_rx_dma(ourport);
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
}
static void s3c64xx_start_rx_dma(struct s3c24xx_uart_port *ourport)
@@ -723,7 +723,7 @@ static irqreturn_t s3c24xx_serial_rx_cha
utrstat = rd_regl(port, S3C2410_UTRSTAT);
rd_regl(port, S3C2410_UFSTAT);
- spin_lock(&port->lock);
+ uart_port_lock(port);
if (!(utrstat & S3C2410_UTRSTAT_TIMEOUT)) {
s3c64xx_start_rx_dma(ourport);
@@ -752,7 +752,7 @@ static irqreturn_t s3c24xx_serial_rx_cha
wr_regl(port, S3C2410_UTRSTAT, S3C2410_UTRSTAT_TIMEOUT);
finish:
- spin_unlock(&port->lock);
+ uart_port_unlock(port);
return IRQ_HANDLED;
}
@@ -849,9 +849,9 @@ static irqreturn_t s3c24xx_serial_rx_cha
struct s3c24xx_uart_port *ourport = dev_id;
struct uart_port *port = &ourport->port;
- spin_lock(&port->lock);
+ uart_port_lock(port);
s3c24xx_serial_rx_drain_fifo(ourport);
- spin_unlock(&port->lock);
+ uart_port_unlock(port);
return IRQ_HANDLED;
}
@@ -933,11 +933,11 @@ static irqreturn_t s3c24xx_serial_tx_irq
struct s3c24xx_uart_port *ourport = id;
struct uart_port *port = &ourport->port;
- spin_lock(&port->lock);
+ uart_port_lock(port);
s3c24xx_serial_tx_chars(ourport);
- spin_unlock(&port->lock);
+ uart_port_unlock(port);
return IRQ_HANDLED;
}
@@ -1025,7 +1025,7 @@ static void s3c24xx_serial_break_ctl(str
unsigned long flags;
unsigned int ucon;
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
ucon = rd_regl(port, S3C2410_UCON);
@@ -1036,7 +1036,7 @@ static void s3c24xx_serial_break_ctl(str
wr_regl(port, S3C2410_UCON, ucon);
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
}
static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p)
@@ -1295,7 +1295,7 @@ static int s3c64xx_serial_startup(struct
ourport->rx_enabled = 1;
ourport->tx_enabled = 0;
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
ufcon = rd_regl(port, S3C2410_UFCON);
ufcon |= S3C2410_UFCON_RESETRX | S5PV210_UFCON_RXTRIG8;
@@ -1305,7 +1305,7 @@ static int s3c64xx_serial_startup(struct
enable_rx_pio(ourport);
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
/* Enable Rx Interrupt */
s3c24xx_clear_bit(port, S3C64XX_UINTM_RXD, S3C64XX_UINTM);
@@ -1333,7 +1333,7 @@ static int apple_s5l_serial_startup(stru
ourport->rx_enabled = 1;
ourport->tx_enabled = 0;
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
ufcon = rd_regl(port, S3C2410_UFCON);
ufcon |= S3C2410_UFCON_RESETRX | S5PV210_UFCON_RXTRIG8;
@@ -1343,7 +1343,7 @@ static int apple_s5l_serial_startup(stru
enable_rx_pio(ourport);
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
/* Enable Rx Interrupt */
s3c24xx_set_bit(port, APPLE_S5L_UCON_RXTHRESH_ENA, S3C2410_UCON);
@@ -1644,7 +1644,7 @@ static void s3c24xx_serial_set_termios(s
ulcon |= S3C2410_LCON_PNONE;
}
- spin_lock_irqsave(&port->lock, flags);
+ uart_port_lock_irqsave(port, &flags);
dev_dbg(port->dev,
"setting ulcon to %08x, brddiv to %d, udivslot %08x\n",
@@ -1702,7 +1702,7 @@ static void s3c24xx_serial_set_termios(s
if ((termios->c_cflag & CREAD) == 0)
port->ignore_status_mask |= RXSTAT_DUMMY_READ;
- spin_unlock_irqrestore(&port->lock, flags);
+ uart_port_unlock_irqrestore(port, flags);
}
static const char *s3c24xx_serial_type(struct uart_port *port)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 371/411] tty: serial: samsung: use u32 for register interactions
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 370/411] serial: samsung_tty: Use port lock wrappers Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 372/411] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
` (40 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Protsenko, Tudor Ambarus,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
[ Upstream commit 032a725c16add79332d774348d7ad7d0d4b86479 ]
All registers of the IP have 32 bits. Use u32 variables when reading
or writing from/to the registers. The purpose of those variables becomes
clearer.
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://lore.kernel.org/r/20240119104526.1221243-9-tudor.ambarus@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: a3bb136bff5e ("tty: serial: samsung: Remove redundant port lock acquisition in rx helpers")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/samsung_tty.c | 44 ++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 23 deletions(-)
--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -243,8 +243,8 @@ static void s3c24xx_serial_rx_enable(str
{
struct s3c24xx_uart_port *ourport = to_ourport(port);
unsigned long flags;
- unsigned int ucon, ufcon;
int count = 10000;
+ u32 ucon, ufcon;
uart_port_lock_irqsave(port, &flags);
@@ -267,7 +267,7 @@ static void s3c24xx_serial_rx_disable(st
{
struct s3c24xx_uart_port *ourport = to_ourport(port);
unsigned long flags;
- unsigned int ucon;
+ u32 ucon;
uart_port_lock_irqsave(port, &flags);
@@ -664,7 +664,7 @@ static void s3c64xx_start_rx_dma(struct
static void enable_rx_dma(struct s3c24xx_uart_port *ourport)
{
struct uart_port *port = &ourport->port;
- unsigned int ucon;
+ u32 ucon;
/* set Rx mode to DMA mode */
ucon = rd_regl(port, S3C2410_UCON);
@@ -687,7 +687,7 @@ static void enable_rx_dma(struct s3c24xx
static void enable_rx_pio(struct s3c24xx_uart_port *ourport)
{
struct uart_port *port = &ourport->port;
- unsigned int ucon;
+ u32 ucon;
/* set Rx mode to DMA mode */
ucon = rd_regl(port, S3C2410_UCON);
@@ -712,13 +712,14 @@ static void s3c24xx_serial_rx_drain_fifo
static irqreturn_t s3c24xx_serial_rx_chars_dma(void *dev_id)
{
- unsigned int utrstat, received;
struct s3c24xx_uart_port *ourport = dev_id;
struct uart_port *port = &ourport->port;
struct s3c24xx_uart_dma *dma = ourport->dma;
struct tty_struct *tty = tty_port_tty_get(&ourport->port.state->port);
struct tty_port *t = &port->state->port;
struct dma_tx_state state;
+ unsigned int received;
+ u32 utrstat;
utrstat = rd_regl(port, S3C2410_UTRSTAT);
rd_regl(port, S3C2410_UFSTAT);
@@ -1000,7 +1001,7 @@ static unsigned int s3c24xx_serial_tx_em
/* no modem control lines */
static unsigned int s3c24xx_serial_get_mctrl(struct uart_port *port)
{
- unsigned int umstat = rd_reg(port, S3C2410_UMSTAT);
+ u32 umstat = rd_reg(port, S3C2410_UMSTAT);
if (umstat & S3C2410_UMSTAT_CTS)
return TIOCM_CAR | TIOCM_DSR | TIOCM_CTS;
@@ -1023,7 +1024,7 @@ static void s3c24xx_serial_set_mctrl(str
static void s3c24xx_serial_break_ctl(struct uart_port *port, int break_state)
{
unsigned long flags;
- unsigned int ucon;
+ u32 ucon;
uart_port_lock_irqsave(port, &flags);
@@ -1204,7 +1205,7 @@ static void apple_s5l_serial_shutdown(st
{
struct s3c24xx_uart_port *ourport = to_ourport(port);
- unsigned int ucon;
+ u32 ucon;
ucon = rd_regl(port, S3C2410_UCON);
ucon &= ~(APPLE_S5L_UCON_TXTHRESH_ENA_MSK |
@@ -1272,7 +1273,7 @@ static int s3c64xx_serial_startup(struct
{
struct s3c24xx_uart_port *ourport = to_ourport(port);
unsigned long flags;
- unsigned int ufcon;
+ u32 ufcon;
int ret;
wr_regl(port, S3C64XX_UINTM, 0xf);
@@ -1317,7 +1318,7 @@ static int apple_s5l_serial_startup(stru
{
struct s3c24xx_uart_port *ourport = to_ourport(port);
unsigned long flags;
- unsigned int ufcon;
+ u32 ufcon;
int ret;
wr_regl(port, S3C2410_UTRSTAT, APPLE_S5L_UTRSTAT_ALL_FLAGS);
@@ -1559,9 +1560,8 @@ static void s3c24xx_serial_set_termios(s
struct clk *clk = ERR_PTR(-EINVAL);
unsigned long flags;
unsigned int baud, quot, clk_sel = 0;
- unsigned int ulcon;
- unsigned int umcon;
unsigned int udivslot = 0;
+ u32 ulcon, umcon;
/*
* We don't support modem control lines.
@@ -2147,7 +2147,7 @@ static int s3c24xx_serial_init_port(stru
wr_regl(port, S3C64XX_UINTSP, 0xf);
break;
case TYPE_APPLE_S5L: {
- unsigned int ucon;
+ u32 ucon;
ucon = rd_regl(port, S3C2410_UCON);
ucon &= ~(APPLE_S5L_UCON_TXTHRESH_ENA_MSK |
@@ -2366,7 +2366,7 @@ static int s3c24xx_serial_resume_noirq(s
/* restore IRQ mask */
switch (ourport->info->type) {
case TYPE_S3C6400: {
- unsigned int uintm = 0xf;
+ u32 uintm = 0xf;
if (ourport->tx_enabled)
uintm &= ~S3C64XX_UINTM_TXD_MSK;
@@ -2382,7 +2382,7 @@ static int s3c24xx_serial_resume_noirq(s
break;
}
case TYPE_APPLE_S5L: {
- unsigned int ucon;
+ u32 ucon;
int ret;
ret = clk_prepare_enable(ourport->clk);
@@ -2445,7 +2445,7 @@ static const struct dev_pm_ops s3c24xx_s
static struct uart_port *cons_uart;
static int
-s3c24xx_serial_console_txrdy(struct uart_port *port, unsigned int ufcon)
+s3c24xx_serial_console_txrdy(struct uart_port *port, u32 ufcon)
{
struct s3c24xx_uart_info *info = s3c24xx_port_to_info(port);
unsigned long ufstat, utrstat;
@@ -2464,7 +2464,7 @@ s3c24xx_serial_console_txrdy(struct uart
}
static bool
-s3c24xx_port_configured(unsigned int ucon)
+s3c24xx_port_configured(u32 ucon)
{
/* consider the serial port configured if the tx/rx mode set */
return (ucon & 0xf) != 0;
@@ -2491,8 +2491,8 @@ static int s3c24xx_serial_get_poll_char(
static void s3c24xx_serial_put_poll_char(struct uart_port *port,
unsigned char c)
{
- unsigned int ufcon = rd_regl(port, S3C2410_UFCON);
- unsigned int ucon = rd_regl(port, S3C2410_UCON);
+ u32 ufcon = rd_regl(port, S3C2410_UFCON);
+ u32 ucon = rd_regl(port, S3C2410_UCON);
/* not possible to xmit on unconfigured port */
if (!s3c24xx_port_configured(ucon))
@@ -2508,7 +2508,7 @@ static void s3c24xx_serial_put_poll_char
static void
s3c24xx_serial_console_putchar(struct uart_port *port, int ch)
{
- unsigned int ufcon = rd_regl(port, S3C2410_UFCON);
+ u32 ufcon = rd_regl(port, S3C2410_UFCON);
while (!s3c24xx_serial_console_txrdy(port, ufcon))
cpu_relax();
@@ -2533,11 +2533,9 @@ s3c24xx_serial_get_options(struct uart_p
int *parity, int *bits)
{
struct clk *clk;
- unsigned int ulcon;
- unsigned int ucon;
- unsigned int ubrdiv;
unsigned long rate;
unsigned int clk_sel;
+ u32 ulcon, ucon, ubrdiv;
char clk_name[MAX_CLK_NAME_LENGTH];
ulcon = rd_regl(port, S3C2410_ULCON);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 372/411] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 371/411] tty: serial: samsung: use u32 for register interactions Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 373/411] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
` (39 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, John Ogness, Tudor Ambarus,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tudor Ambarus <tudor.ambarus@linaro.org>
[ Upstream commit a3bb136bff5e6a5e48cdd813246c9c4686feaaa9 ]
Sashiko identified a deadlock when the console flow is engaged [1].
When console flow control is enabled (UPF_CONS_FLOW),
s3c24xx_serial_stop_tx() calls s3c24xx_serial_rx_enable() and
s3c24xx_serial_start_tx() calls s3c24xx_serial_rx_disable().
The serial core framework invokes the .stop_tx() and .start_tx()
callbacks with the port->lock spinlock already held. Furthermore, all
internal driver paths that invoke stop_tx (such as the DMA TX
completion handler s3c24xx_serial_tx_dma_complete() or the PIO TX IRQ
handler s3c24xx_serial_tx_irq()) also acquire port->lock prior to
calling it. (Note that s3c24xx_serial_start_tx() is only invoked by the
serial core).
However, s3c24xx_serial_rx_enable() and s3c24xx_serial_rx_disable()
unconditionally attempt to acquire port->lock again using
uart_port_lock_irqsave(). Since spinlocks are not recursive, this
causes a deadlock on the same CPU when console flow control is engaged.
Remove the redundant lock acquisition from both rx helper functions.
Cc: stable <stable@kernel.org>
Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
Reported-by: John Ogness <john.ogness@linutronix.de>
Closes: https://sashiko.dev/#/patchset/20260506121606.5805-1-john.ogness%40linutronix.de [1]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://patch.msgid.link/20260515-samsung-tty-flow-control-deadlock-v1-1-93255edbc9bc@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/samsung_tty.c | 8 --------
1 file changed, 8 deletions(-)
--- a/drivers/tty/serial/samsung_tty.c
+++ b/drivers/tty/serial/samsung_tty.c
@@ -242,12 +242,9 @@ static int s3c24xx_serial_txempty_nofifo
static void s3c24xx_serial_rx_enable(struct uart_port *port)
{
struct s3c24xx_uart_port *ourport = to_ourport(port);
- unsigned long flags;
int count = 10000;
u32 ucon, ufcon;
- uart_port_lock_irqsave(port, &flags);
-
while (--count && !s3c24xx_serial_txempty_nofifo(port))
udelay(100);
@@ -260,23 +257,18 @@ static void s3c24xx_serial_rx_enable(str
wr_regl(port, S3C2410_UCON, ucon);
ourport->rx_enabled = 1;
- uart_port_unlock_irqrestore(port, flags);
}
static void s3c24xx_serial_rx_disable(struct uart_port *port)
{
struct s3c24xx_uart_port *ourport = to_ourport(port);
- unsigned long flags;
u32 ucon;
- uart_port_lock_irqsave(port, &flags);
-
ucon = rd_regl(port, S3C2410_UCON);
ucon &= ~S3C2410_UCON_RXIRQMODE;
wr_regl(port, S3C2410_UCON, ucon);
ourport->rx_enabled = 0;
- uart_port_unlock_irqrestore(port, flags);
}
static void s3c24xx_serial_stop_tx(struct uart_port *port)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 373/411] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 372/411] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 374/411] usb: gadget: f_hid: tidy error handling in hidg_alloc Greg Kroah-Hartman
` (38 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Radhey Shyam Pandey,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
[ Upstream commit c1a0ecbf32c4b397353204e2ec94c5bb9f3300ed ]
Fix error handling and resource cleanup i.e remove invalid
phy_exit() after failed phy_init(), route failures through
proper cleanup paths and return 0 explicitly on success.
Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Link: https://patch.msgid.link/20260519115529.2980421-1-radhey.shyam.pandey@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-xilinx.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/drivers/usb/dwc3/dwc3-xilinx.c
+++ b/drivers/usb/dwc3/dwc3-xilinx.c
@@ -165,15 +165,13 @@ static int dwc3_xlnx_init_zynqmp(struct
}
ret = phy_init(usb3_phy);
- if (ret < 0) {
- phy_exit(usb3_phy);
+ if (ret < 0)
goto err;
- }
ret = reset_control_deassert(apbrst);
if (ret < 0) {
dev_err(dev, "Failed to release APB reset\n");
- goto err;
+ goto err_phy_exit;
}
/* Set PIPE Power Present signal in FPD Power Present Register*/
@@ -185,20 +183,18 @@ static int dwc3_xlnx_init_zynqmp(struct
ret = reset_control_deassert(crst);
if (ret < 0) {
dev_err(dev, "Failed to release core reset\n");
- goto err;
+ goto err_phy_exit;
}
ret = reset_control_deassert(hibrst);
if (ret < 0) {
dev_err(dev, "Failed to release hibernation reset\n");
- goto err;
+ goto err_phy_exit;
}
ret = phy_power_on(usb3_phy);
- if (ret < 0) {
- phy_exit(usb3_phy);
- goto err;
- }
+ if (ret < 0)
+ goto err_phy_exit;
skip_usb3_phy:
/*
@@ -212,6 +208,10 @@ skip_usb3_phy:
writel(reg, priv_data->regs + XLNX_USB_TRAFFIC_ROUTE_CONFIG);
}
+ return 0;
+
+err_phy_exit:
+ phy_exit(usb3_phy);
err:
return ret;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 374/411] usb: gadget: f_hid: tidy error handling in hidg_alloc
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 373/411] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 375/411] usb: gadget: f_hid: fix device reference leak in hidg_alloc() Greg Kroah-Hartman
` (37 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jones, Andrzej Pietrasiewicz,
John Keeping, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Keeping <john@metanate.com>
[ Upstream commit 944fe915d00d3cb1bacb1e77cabfb6dc82e6f8b8 ]
Unify error handling at the end of the function, reducing the risk of
missing something on one of the error paths.
Moving the increment of opts->refcnt later means there is no need to
decrement it on the error path and is safe as this is guarded by
opts->lock which is held for this entire section.
Tested-by: Lee Jones <lee@kernel.org>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20221122123523.3068034-4-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 4f88d65def6f ("usb: gadget: f_hid: fix device reference leak in hidg_alloc()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_hid.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1265,7 +1265,6 @@ static struct usb_function *hidg_alloc(s
opts = container_of(fi, struct f_hid_opts, func_inst);
mutex_lock(&opts->lock);
- ++opts->refcnt;
spin_lock_init(&hidg->write_spinlock);
spin_lock_init(&hidg->read_spinlock);
@@ -1278,11 +1277,8 @@ static struct usb_function *hidg_alloc(s
hidg->dev.class = hidg_class;
hidg->dev.devt = MKDEV(major, opts->minor);
ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
- if (ret) {
- --opts->refcnt;
- mutex_unlock(&opts->lock);
- return ERR_PTR(ret);
- }
+ if (ret)
+ goto err_unlock;
hidg->bInterfaceSubClass = opts->subclass;
hidg->bInterfaceProtocol = opts->protocol;
@@ -1293,14 +1289,13 @@ static struct usb_function *hidg_alloc(s
opts->report_desc_length,
GFP_KERNEL);
if (!hidg->report_desc) {
- put_device(&hidg->dev);
- --opts->refcnt;
- mutex_unlock(&opts->lock);
- return ERR_PTR(-ENOMEM);
+ ret = -ENOMEM;
+ goto err_put_device;
}
}
hidg->use_out_ep = !opts->no_out_endpoint;
+ ++opts->refcnt;
mutex_unlock(&opts->lock);
hidg->func.name = "hid";
@@ -1315,6 +1310,12 @@ static struct usb_function *hidg_alloc(s
hidg->qlen = 4;
return &hidg->func;
+
+err_put_device:
+ put_device(&hidg->dev);
+err_unlock:
+ mutex_unlock(&opts->lock);
+ return ERR_PTR(ret);
}
DECLARE_USB_FUNCTION_INIT(hid, hidg_alloc_inst, hidg_alloc);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 375/411] usb: gadget: f_hid: fix device reference leak in hidg_alloc()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 374/411] usb: gadget: f_hid: tidy error handling in hidg_alloc Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 376/411] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
` (36 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Johan Hovold, Guangshuo Li,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
[ Upstream commit 4f88d65def6f3c90121601b4f62a4c967f3063a6 ]
hidg_alloc() initializes hidg->dev with device_initialize() before
calling dev_set_name(). If dev_set_name() fails, the function currently
jumps to err_unlock and returns without calling put_device().
This leaves the device reference unbalanced and prevents hidg_release()
from being called. Calling put_device() here is also safe, since
hidg_release() only frees resources owned by hidg.
The issue was identified by a static analysis tool I developed and
confirmed by manual review.
Route the dev_set_name() failure path through err_put_device so the
device reference is dropped properly.
Fixes: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev")
Cc: stable <stable@kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Johan Hovold johan@kernel.org
Link: https://patch.msgid.link/20260413142119.2977716-1-lgs201920130244@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_hid.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1278,7 +1278,7 @@ static struct usb_function *hidg_alloc(s
hidg->dev.devt = MKDEV(major, opts->minor);
ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
if (ret)
- goto err_unlock;
+ goto err_put_device;
hidg->bInterfaceSubClass = opts->subclass;
hidg->bInterfaceProtocol = opts->protocol;
@@ -1313,7 +1313,6 @@ static struct usb_function *hidg_alloc(s
err_put_device:
put_device(&hidg->dev);
-err_unlock:
mutex_unlock(&opts->lock);
return ERR_PTR(ret);
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 376/411] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 375/411] usb: gadget: f_hid: fix device reference leak in hidg_alloc() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 377/411] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
` (35 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Mika Westerberg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit 928abe19fbf0127003abcb1ea69cabc1c897d0ab ]
A DIRECTORY entry's value field is used as the dir_offset for a
recursive call into __tb_property_parse_dir() with no depth counter.
A crafted peer that chains DIRECTORY entries into a back-reference
loop drives the parser until the kernel stack is exhausted and the
guard page fires. Any untrusted XDomain peer (cable, dock, in-line
inspector, adjacent host) that reaches the PROPERTIES_REQUEST
control-plane exchange can trigger this without authentication.
Thread a depth counter through tb_property_parse() and
__tb_property_parse_dir(), and reject blocks that exceed
TB_PROPERTY_MAX_DEPTH = 8. That is comfortably larger than any
observed legitimate XDomain layout.
Operators who do not need XDomain host-to-host discovery can disable
the path entirely with thunderbolt.xdomain=0 on the kernel command
line.
Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/property.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -35,10 +35,11 @@ struct tb_property_dir_entry {
};
#define TB_PROPERTY_ROOTDIR_MAGIC 0x55584401
+#define TB_PROPERTY_MAX_DEPTH 8
static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
size_t block_len, unsigned int dir_offset, size_t dir_len,
- bool is_root);
+ bool is_root, unsigned int depth);
static inline void parse_dwdata(void *dst, const void *src, size_t dwords)
{
@@ -99,7 +100,8 @@ tb_property_alloc(const char *key, enum
}
static struct tb_property *tb_property_parse(const u32 *block, size_t block_len,
- const struct tb_property_entry *entry)
+ const struct tb_property_entry *entry,
+ unsigned int depth)
{
char key[TB_PROPERTY_KEY_SIZE + 1];
struct tb_property *property;
@@ -120,7 +122,7 @@ static struct tb_property *tb_property_p
switch (property->type) {
case TB_PROPERTY_TYPE_DIRECTORY:
dir = __tb_property_parse_dir(block, block_len, entry->value,
- entry->length, false);
+ entry->length, false, depth + 1);
if (!dir) {
kfree(property);
return NULL;
@@ -165,13 +167,17 @@ static struct tb_property *tb_property_p
}
static struct tb_property_dir *__tb_property_parse_dir(const u32 *block,
- size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root)
+ size_t block_len, unsigned int dir_offset, size_t dir_len, bool is_root,
+ unsigned int depth)
{
const struct tb_property_entry *entries;
size_t i, content_len, nentries;
unsigned int content_offset;
struct tb_property_dir *dir;
+ if (depth > TB_PROPERTY_MAX_DEPTH)
+ return NULL;
+
dir = kzalloc(sizeof(*dir), GFP_KERNEL);
if (!dir)
return NULL;
@@ -206,7 +212,7 @@ static struct tb_property_dir *__tb_prop
for (i = 0; i < nentries; i++) {
struct tb_property *property;
- property = tb_property_parse(block, block_len, &entries[i]);
+ property = tb_property_parse(block, block_len, &entries[i], depth);
if (!property) {
tb_property_free_dir(dir);
return NULL;
@@ -243,7 +249,7 @@ struct tb_property_dir *tb_property_pars
return NULL;
return __tb_property_parse_dir(block, block_len, 0, rootdir->length,
- true);
+ true, 0);
}
/**
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 377/411] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 376/411] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 378/411] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
` (34 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit bf33e01f88388c43e285492a63e539df6ffed64c ]
iscsi_encode_text_output() concatenates "key=value\0" records into
login->rsp_buf, an 8192-byte kzalloc(MAX_KEY_VALUE_PAIRS) buffer
allocated in iscsit_alloc_login_setup_buffer(). The three sprintf() call
sites in this function (lines 1398, 1411, 1424 in v7.1-rc2) never check
the remaining buffer capacity:
*length += sprintf(output_buf, "%s=%s", er->key, er->value);
*length += 1;
output_buf = textbuf + *length;
The 8192-byte ceiling at iscsi_target_check_login_request() bounds the
*input* Login PDU payload, but a single PDU can carry up to 2048 minimal
four-byte "a=b\0" pairs, each unknown key expanding to a 16-byte
"a=NotUnderstood\0" output record via iscsi_add_notunderstood_response().
2048 * 16 = 32 KiB of output into an 8 KiB buffer, producing a ~24 KiB
heap overrun in the kmalloc-8k slab.
The fix introduces a static iscsi_encode_text_record() helper that uses
snprintf() with a per-call bounds check against the remaining buffer,
and threads a u32 textbuf_size parameter through
iscsi_encode_text_output(). Both call sites in
iscsi_target_handle_csg_zero() (PHASE_SECURITY) and
iscsi_target_handle_csg_one() (PHASE_OPERATIONAL) pass
MAX_KEY_VALUE_PAIRS. On overflow the encoder logs the condition, calls
iscsi_release_extra_responses() to drop queued records, and returns -1;
both caller sites now emit ISCSI_STATUS_CLS_INITIATOR_ERR /
ISCSI_LOGIN_STATUS_INIT_ERR via iscsit_tx_login_rsp() before returning,
so the initiator sees an explicit failed-login response rather than a
silent connection drop. (Prior to this patch only the PHASE_OPERATIONAL
caller did that; the PHASE_SECURITY caller is converted to the same
shape.)
Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/iscsi/iscsi_target_nego.c | 7 ++
drivers/target/iscsi/iscsi_target_parameters.c | 62 +++++++++++++++++++------
drivers/target/iscsi/iscsi_target_parameters.h | 2
3 files changed, 55 insertions(+), 16 deletions(-)
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -870,10 +870,14 @@ static int iscsi_target_handle_csg_zero(
SENDER_TARGET,
login->rsp_buf,
&login->rsp_length,
+ MAX_KEY_VALUE_PAIRS,
conn->param_list,
conn->tpg->tpg_attrib.login_keys_workaround);
- if (ret < 0)
+ if (ret < 0) {
+ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
+ ISCSI_LOGIN_STATUS_INIT_ERR);
return -1;
+ }
if (!iscsi_check_negotiated_keys(conn->param_list)) {
if (conn->tpg->tpg_attrib.authentication &&
@@ -941,6 +945,7 @@ static int iscsi_target_handle_csg_one(s
SENDER_TARGET,
login->rsp_buf,
&login->rsp_length,
+ MAX_KEY_VALUE_PAIRS,
conn->param_list,
conn->tpg->tpg_attrib.login_keys_workaround);
if (ret < 0) {
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -1419,19 +1419,42 @@ free_buffer:
return -1;
}
+/*
+ * Append "key=value" plus a trailing NUL into @textbuf at *@length.
+ * Returns 0 on success and advances *@length, or -EMSGSIZE if the
+ * record (including the NUL) would not fit in the remaining buffer.
+ */
+static int iscsi_encode_text_record(char *textbuf, u32 *length,
+ u32 textbuf_size,
+ const char *key, const char *value)
+{
+ int n;
+ u32 avail;
+
+ if (*length >= textbuf_size)
+ return -EMSGSIZE;
+
+ avail = textbuf_size - *length;
+ n = snprintf(textbuf + *length, avail, "%s=%s", key, value);
+ if (n < 0 || (u32)n + 1 > avail)
+ return -EMSGSIZE;
+
+ *length += n + 1;
+ return 0;
+}
+
int iscsi_encode_text_output(
u8 phase,
u8 sender,
char *textbuf,
u32 *length,
+ u32 textbuf_size,
struct iscsi_param_list *param_list,
bool keys_workaround)
{
- char *output_buf = NULL;
struct iscsi_extra_response *er;
struct iscsi_param *param;
-
- output_buf = textbuf + *length;
+ int ret;
if (iscsi_enforce_integrity_rules(phase, param_list) < 0)
return -1;
@@ -1443,10 +1466,12 @@ int iscsi_encode_text_output(
!IS_PSTATE_RESPONSE_SENT(param) &&
!IS_PSTATE_REPLY_OPTIONAL(param) &&
(param->phase & phase)) {
- *length += sprintf(output_buf, "%s=%s",
- param->name, param->value);
- *length += 1;
- output_buf = textbuf + *length;
+ ret = iscsi_encode_text_record(textbuf, length,
+ textbuf_size,
+ param->name,
+ param->value);
+ if (ret < 0)
+ goto err_overflow;
SET_PSTATE_RESPONSE_SENT(param);
pr_debug("Sending key: %s=%s\n",
param->name, param->value);
@@ -1456,10 +1481,12 @@ int iscsi_encode_text_output(
!IS_PSTATE_ACCEPTOR(param) &&
!IS_PSTATE_PROPOSER(param) &&
(param->phase & phase)) {
- *length += sprintf(output_buf, "%s=%s",
- param->name, param->value);
- *length += 1;
- output_buf = textbuf + *length;
+ ret = iscsi_encode_text_record(textbuf, length,
+ textbuf_size,
+ param->name,
+ param->value);
+ if (ret < 0)
+ goto err_overflow;
SET_PSTATE_PROPOSER(param);
iscsi_check_proposer_for_optional_reply(param,
keys_workaround);
@@ -1469,14 +1496,21 @@ int iscsi_encode_text_output(
}
list_for_each_entry(er, ¶m_list->extra_response_list, er_list) {
- *length += sprintf(output_buf, "%s=%s", er->key, er->value);
- *length += 1;
- output_buf = textbuf + *length;
+ ret = iscsi_encode_text_record(textbuf, length, textbuf_size,
+ er->key, er->value);
+ if (ret < 0)
+ goto err_overflow;
pr_debug("Sending key: %s=%s\n", er->key, er->value);
}
iscsi_release_extra_responses(param_list);
return 0;
+
+err_overflow:
+ pr_err("iSCSI login response buffer (%u bytes) exhausted, dropping login.\n",
+ textbuf_size);
+ iscsi_release_extra_responses(param_list);
+ return -1;
}
int iscsi_check_negotiated_keys(struct iscsi_param_list *param_list)
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -46,7 +46,7 @@ extern struct iscsi_param *iscsi_find_pa
extern int iscsi_extract_key_value(char *, char **, char **);
extern int iscsi_update_param_value(struct iscsi_param *, char *);
extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsi_conn *);
-extern int iscsi_encode_text_output(u8, u8, char *, u32 *,
+extern int iscsi_encode_text_output(u8, u8, char *, u32 *, u32,
struct iscsi_param_list *, bool);
extern int iscsi_check_negotiated_keys(struct iscsi_param_list *);
extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 378/411] usb: typec: ucsi: Check if power role change actually happened before handling
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 377/411] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 379/411] drm/hyperv: Remove support for Hyper-V 2008 and 2008R2/Win7 Greg Kroah-Hartman
` (33 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
Heikki Krogerus, Sasha Levin, Sergey Senozhatsky
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
[ Upstream commit b80e7d34c7ea6a564525119d6138fbb577a23dba ]
The CrOS EC may send a connector status change event with the power
direction changed flag set even if the power direction hasn't actually
changed after initiating a SET_PDR command internally [1]. In practice
this happens on every system suspend due to other changes performed by
the EC [2][3][4], causing suspend to fail.
Fix this by checking if the power role change actually happened before
handling it.
[1]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=1689;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[2]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=3923;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[3]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=5094;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
[4]: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/ec/zephyr/subsys/pd_controller/pdc_power_mgmt.c;l=2229;drc=2d5a1cffce4e5ac8a39442cb3b764d2d5e1cf794
Cc: stable <stable@kernel.org>
Fixes: 7616f006db07 ("usb: typec: ucsi: Update power_supply on power role change")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reported-and-tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20260519-ucsi-fix-2-v1-1-6f1239535187@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -669,7 +669,7 @@ static void ucsi_handle_connector_change
struct ucsi *ucsi = con->ucsi;
struct ucsi_connector_status pre_ack_status;
struct ucsi_connector_status post_ack_status;
- enum typec_role role;
+ enum typec_role role, prev_role;
enum usb_role u_role = USB_ROLE_NONE;
u16 inferred_changes;
u16 changed_flags;
@@ -706,6 +706,8 @@ static void ucsi_handle_connector_change
* short transitional changes.
*/
+ prev_role = !!(con->status.flags & UCSI_CONSTAT_PWR_DIR);
+
/* 1. First UCSI_GET_CONNECTOR_STATUS */
command = UCSI_GET_CONNECTOR_STATUS | UCSI_CONNECTOR_NUMBER(con->num);
ret = ucsi_send_command(ucsi, command, &pre_ack_status,
@@ -783,7 +785,8 @@ static void ucsi_handle_connector_change
ucsi_port_psy_changed(con);
}
- if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+ if ((con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) &&
+ role != prev_role) {
typec_set_pwr_role(con->port, role);
/* Complete pending power role swap */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 379/411] drm/hyperv: Remove support for Hyper-V 2008 and 2008R2/Win7
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 378/411] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 380/411] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
` (32 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Kelley, Deepak Rawat,
Andrea Parri (Microsoft), Wei Liu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Kelley <mikelley@microsoft.com>
[ Upstream commit ac6811a9b36f3ceb549d8b84bd8aeedf6026df02 ]
The DRM Hyper-V driver has special case code for running on the first
released versions of Hyper-V: 2008 and 2008 R2/Windows 7. These versions
are now out of support (except for extended security updates) and lack
support for performance features that are needed for effective production
usage of Linux guests.
The negotiation of the VMbus protocol versions required by these old
Hyper-V versions has been removed from the VMbus driver. So now remove
the handling of these VMbus protocol versions from the DRM Hyper-V
driver.
Signed-off-by: Michael Kelley <mikelley@microsoft.com>
Reviewed-by: Deepak Rawat <drawat.floss@gmail.com>
Reviewed-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Link: https://lore.kernel.org/r/1651509391-2058-5-git-send-email-mikelley@microsoft.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Stable-dep-of: 13d33b9ef670 ("drm/hyperv: validate resolution_count and fix WIN8 fallback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 23 +++++++----------------
1 file changed, 7 insertions(+), 16 deletions(-)
--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -18,16 +18,16 @@
#define SYNTHVID_VERSION(major, minor) ((minor) << 16 | (major))
#define SYNTHVID_VER_GET_MAJOR(ver) (ver & 0x0000ffff)
#define SYNTHVID_VER_GET_MINOR(ver) ((ver & 0xffff0000) >> 16)
+
+/* Support for VERSION_WIN7 is removed. #define is retained for reference. */
#define SYNTHVID_VERSION_WIN7 SYNTHVID_VERSION(3, 0)
#define SYNTHVID_VERSION_WIN8 SYNTHVID_VERSION(3, 2)
#define SYNTHVID_VERSION_WIN10 SYNTHVID_VERSION(3, 5)
-#define SYNTHVID_DEPTH_WIN7 16
#define SYNTHVID_DEPTH_WIN8 32
-#define SYNTHVID_FB_SIZE_WIN7 (4 * 1024 * 1024)
+#define SYNTHVID_WIDTH_WIN8 1600
+#define SYNTHVID_HEIGHT_WIN8 1200
#define SYNTHVID_FB_SIZE_WIN8 (8 * 1024 * 1024)
-#define SYNTHVID_WIDTH_MAX_WIN7 1600
-#define SYNTHVID_HEIGHT_MAX_WIN7 1200
enum pipe_msg_type {
PIPE_MSG_INVALID,
@@ -570,12 +570,6 @@ int hyperv_connect_vsp(struct hv_device
case VERSION_WIN8:
case VERSION_WIN8_1:
ret = hyperv_negotiate_version(hdev, SYNTHVID_VERSION_WIN8);
- if (!ret)
- break;
- fallthrough;
- case VERSION_WS2008:
- case VERSION_WIN7:
- ret = hyperv_negotiate_version(hdev, SYNTHVID_VERSION_WIN7);
break;
default:
ret = hyperv_negotiate_version(hdev, SYNTHVID_VERSION_WIN10);
@@ -587,18 +581,15 @@ int hyperv_connect_vsp(struct hv_device
goto error;
}
- if (hv->synthvid_version == SYNTHVID_VERSION_WIN7)
- hv->screen_depth = SYNTHVID_DEPTH_WIN7;
- else
- hv->screen_depth = SYNTHVID_DEPTH_WIN8;
+ hv->screen_depth = SYNTHVID_DEPTH_WIN8;
if (hyperv_version_ge(hv->synthvid_version, SYNTHVID_VERSION_WIN10)) {
ret = hyperv_get_supported_resolution(hdev);
if (ret)
drm_err(dev, "Failed to get supported resolution from host, use default\n");
} else {
- hv->screen_width_max = SYNTHVID_WIDTH_MAX_WIN7;
- hv->screen_height_max = SYNTHVID_HEIGHT_MAX_WIN7;
+ hv->screen_width_max = SYNTHVID_WIDTH_WIN8;
+ hv->screen_height_max = SYNTHVID_HEIGHT_WIN8;
}
hv->mmio_megabytes = hdev->channel->offermsg.offer.mmio_megabytes;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 380/411] drm/hyperv: validate resolution_count and fix WIN8 fallback
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 379/411] drm/hyperv: Remove support for Hyper-V 2008 and 2008R2/Win7 Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 381/411] serial: altera_jtaguart: Use platform_get_irq_optional() to get the interrupt Greg Kroah-Hartman
` (31 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Berkant Koc, Michael Kelley,
Hamza Mahfooz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Berkant Koc <me@berkoc.com>
[ Upstream commit 13d33b9ef67066c77c84273fac5a1d3fde3533d1 ]
A SYNTHVID_RESOLUTION_RESPONSE with resolution_count > 64 walks past
the supported_resolution[SYNTHVID_MAX_RESOLUTION_COUNT] array in the
parse loop. Bound resolution_count against the array size, folded
into the existing zero-check.
When the WIN10 resolution probe fails, the caller in
hyperv_connect_vsp() left hv->screen_*_max / preferred_* unpopulated,
which sets mode_config.max_width / max_height to 0 and makes
drm_internal_framebuffer_create() reject every userspace framebuffer
with -EINVAL. The pre-WIN10 branch had the same gap for
preferred_width / preferred_height. Use a single post-probe fallback
guarded by screen_width_max == 0 so both paths converge on the WIN8
defaults.
Signed-off-by: Berkant Koc <me@berkoc.com>
Assisted-by: Claude:claude-opus-4-7 berkoc-pipeline
Fixes: 76c56a5affeb ("drm/hyperv: Add DRM driver for hyperv synthetic video device")
Cc: stable@vger.kernel.org # 5.14+
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Tested-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Link: https://patch.msgid.link/6945b22419c7d404b4954a113de2ac9c900dba93.1779542874.git.me@berkoc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/hyperv/hyperv_drm_proto.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
+++ b/drivers/gpu/drm/hyperv/hyperv_drm_proto.c
@@ -396,8 +396,11 @@ static int hyperv_get_supported_resoluti
return -ETIMEDOUT;
}
- if (msg->resolution_resp.resolution_count == 0) {
- drm_err(dev, "No supported resolutions\n");
+ if (msg->resolution_resp.resolution_count == 0 ||
+ msg->resolution_resp.resolution_count >
+ SYNTHVID_MAX_RESOLUTION_COUNT) {
+ drm_err(dev, "Invalid resolution count: %d\n",
+ msg->resolution_resp.resolution_count);
return -ENODEV;
}
@@ -587,9 +590,13 @@ int hyperv_connect_vsp(struct hv_device
ret = hyperv_get_supported_resolution(hdev);
if (ret)
drm_err(dev, "Failed to get supported resolution from host, use default\n");
- } else {
+ }
+
+ if (!hv->screen_width_max) {
hv->screen_width_max = SYNTHVID_WIDTH_WIN8;
hv->screen_height_max = SYNTHVID_HEIGHT_WIN8;
+ hv->preferred_width = SYNTHVID_WIDTH_WIN8;
+ hv->preferred_height = SYNTHVID_HEIGHT_WIN8;
}
hv->mmio_megabytes = hdev->channel->offermsg.offer.mmio_megabytes;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 381/411] serial: altera_jtaguart: Use platform_get_irq_optional() to get the interrupt
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 380/411] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 382/411] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
` (30 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lad Prabhakar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
[ Upstream commit 60302276caff50f907bc3391a364691ab4a21b43 ]
platform_get_resource(pdev, IORESOURCE_IRQ, ..) relies on static
allocation of IRQ resources in DT core code, this causes an issue
when using hierarchical interrupt domains using "interrupts" property
in the node as this bypasses the hierarchical setup and messes up the
irq chaining.
In preparation for removal of static setup of IRQ resource from DT core
code use platform_get_irq_optional().
Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
Link: https://lore.kernel.org/r/20211224142917.6966-7-prabhakar.mahadev-lad.rj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ea66be25f0e9 ("serial: altera_jtaguart: handle uart_add_one_port() failures")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/altera_jtaguart.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/tty/serial/altera_jtaguart.c
+++ b/drivers/tty/serial/altera_jtaguart.c
@@ -418,8 +418,9 @@ static int altera_jtaguart_probe(struct
struct altera_jtaguart_platform_uart *platp =
dev_get_platdata(&pdev->dev);
struct uart_port *port;
- struct resource *res_irq, *res_mem;
+ struct resource *res_mem;
int i = pdev->id;
+ int irq;
/* -1 emphasizes that the platform must have one port, no .N suffix */
if (i == -1)
@@ -438,9 +439,11 @@ static int altera_jtaguart_probe(struct
else
return -ENODEV;
- res_irq = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
- if (res_irq)
- port->irq = res_irq->start;
+ irq = platform_get_irq_optional(pdev, 0);
+ if (irq < 0 && irq != -ENXIO)
+ return irq;
+ if (irq > 0)
+ port->irq = irq;
else if (platp)
port->irq = platp->irq;
else
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 382/411] serial: altera_jtaguart: handle uart_add_one_port() failures
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 381/411] serial: altera_jtaguart: Use platform_get_irq_optional() to get the interrupt Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 383/411] tty: serial: qcom-geni-serial: remove unused symbols Greg Kroah-Hartman
` (29 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ijae Kim, Myeonghun Pak,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myeonghun Pak <mhun512@gmail.com>
[ Upstream commit ea66be25f0e934f49d24cd0c5845d13cdba3520b ]
altera_jtaguart_probe() maps the register window before registering the
UART port, but it ignores failures from uart_add_one_port(). If port
registration fails, probe still returns success and the mapping remains
live until a later remove path that is not part of probe failure cleanup.
Return the uart_add_one_port() error and unmap the register window on
that failure path.
This issue was identified during our ongoing static-analysis research while
reviewing kernel code.
Fixes: 5bcd601049c6 ("serial: Add driver for the Altera JTAG UART")
Cc: stable <stable@kernel.org>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Link: https://patch.msgid.link/20260512065837.79528-1-mhun512@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/altera_jtaguart.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/tty/serial/altera_jtaguart.c
+++ b/drivers/tty/serial/altera_jtaguart.c
@@ -421,6 +421,7 @@ static int altera_jtaguart_probe(struct
struct resource *res_mem;
int i = pdev->id;
int irq;
+ int ret;
/* -1 emphasizes that the platform must have one port, no .N suffix */
if (i == -1)
@@ -460,7 +461,11 @@ static int altera_jtaguart_probe(struct
port->flags = UPF_BOOT_AUTOCONF;
port->dev = &pdev->dev;
- uart_add_one_port(&altera_jtaguart_driver, port);
+ ret = uart_add_one_port(&altera_jtaguart_driver, port);
+ if (ret) {
+ iounmap(port->membase);
+ return ret;
+ }
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 383/411] tty: serial: qcom-geni-serial: remove unused symbols
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 382/411] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 384/411] tty: serial: qcom-geni-serial: align #define values Greg Kroah-Hartman
` (28 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Konrad Dybcio,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit 68c6bd92c86cbc4937834c79963b27c77ee3bf51 ]
Drop all unused symbols from the driver.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20221229155030.418800-4-brgl@bgdev.pl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ca2584d841b6 ("serial: qcom-geni: fix UART_RX_PAR_EN bit position")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/qcom_geni_serial.c | 15 ---------------
1 file changed, 15 deletions(-)
--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -38,20 +38,11 @@
#define UART_TX_PAR_EN BIT(0)
#define UART_CTS_MASK BIT(1)
-/* SE_UART_TX_WORD_LEN */
-#define TX_WORD_LEN_MSK GENMASK(9, 0)
-
/* SE_UART_TX_STOP_BIT_LEN */
-#define TX_STOP_BIT_LEN_MSK GENMASK(23, 0)
#define TX_STOP_BIT_LEN_1 0
-#define TX_STOP_BIT_LEN_1_5 1
#define TX_STOP_BIT_LEN_2 2
-/* SE_UART_TX_TRANS_LEN */
-#define TX_TRANS_LEN_MSK GENMASK(23, 0)
-
/* SE_UART_RX_TRANS_CFG */
-#define UART_RX_INS_STATUS_BIT BIT(2)
#define UART_RX_PAR_EN BIT(3)
/* SE_UART_RX_WORD_LEN */
@@ -62,12 +53,9 @@
/* SE_UART_TX_PARITY_CFG/RX_PARITY_CFG */
#define PAR_CALC_EN BIT(0)
-#define PAR_MODE_MSK GENMASK(2, 1)
-#define PAR_MODE_SHFT 1
#define PAR_EVEN 0x00
#define PAR_ODD 0x01
#define PAR_SPACE 0x10
-#define PAR_MARK 0x11
/* SE_UART_MANUAL_RFR register fields */
#define UART_MANUAL_RFR_EN BIT(31)
@@ -76,11 +64,8 @@
/* UART M_CMD OP codes */
#define UART_START_TX 0x1
-#define UART_START_BREAK 0x4
-#define UART_STOP_BREAK 0x5
/* UART S_CMD OP codes */
#define UART_START_READ 0x1
-#define UART_PARAM 0x1
#define UART_OVERSAMPLING 32
#define STALE_TIMEOUT 16
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 384/411] tty: serial: qcom-geni-serial: align #define values
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 383/411] tty: serial: qcom-geni-serial: remove unused symbols Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 385/411] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
` (27 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Konrad Dybcio,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit 6cde11dbf4b65170eeefba48df730c93d75e01a3 ]
Keep the #define symbols aligned for better readability.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20221229155030.418800-5-brgl@bgdev.pl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: ca2584d841b6 ("serial: qcom-geni: fix UART_RX_PAR_EN bit position")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/qcom_geni_serial.c | 60 +++++++++++++++++-----------------
1 file changed, 30 insertions(+), 30 deletions(-)
--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -35,57 +35,57 @@
#define SE_UART_MANUAL_RFR 0x2ac
/* SE_UART_TRANS_CFG */
-#define UART_TX_PAR_EN BIT(0)
-#define UART_CTS_MASK BIT(1)
+#define UART_TX_PAR_EN BIT(0)
+#define UART_CTS_MASK BIT(1)
/* SE_UART_TX_STOP_BIT_LEN */
-#define TX_STOP_BIT_LEN_1 0
-#define TX_STOP_BIT_LEN_2 2
+#define TX_STOP_BIT_LEN_1 0
+#define TX_STOP_BIT_LEN_2 2
/* SE_UART_RX_TRANS_CFG */
-#define UART_RX_PAR_EN BIT(3)
+#define UART_RX_PAR_EN BIT(3)
/* SE_UART_RX_WORD_LEN */
-#define RX_WORD_LEN_MASK GENMASK(9, 0)
+#define RX_WORD_LEN_MASK GENMASK(9, 0)
/* SE_UART_RX_STALE_CNT */
-#define RX_STALE_CNT GENMASK(23, 0)
+#define RX_STALE_CNT GENMASK(23, 0)
/* SE_UART_TX_PARITY_CFG/RX_PARITY_CFG */
-#define PAR_CALC_EN BIT(0)
-#define PAR_EVEN 0x00
-#define PAR_ODD 0x01
-#define PAR_SPACE 0x10
+#define PAR_CALC_EN BIT(0)
+#define PAR_EVEN 0x00
+#define PAR_ODD 0x01
+#define PAR_SPACE 0x10
/* SE_UART_MANUAL_RFR register fields */
-#define UART_MANUAL_RFR_EN BIT(31)
-#define UART_RFR_NOT_READY BIT(1)
-#define UART_RFR_READY BIT(0)
+#define UART_MANUAL_RFR_EN BIT(31)
+#define UART_RFR_NOT_READY BIT(1)
+#define UART_RFR_READY BIT(0)
/* UART M_CMD OP codes */
-#define UART_START_TX 0x1
+#define UART_START_TX 0x1
/* UART S_CMD OP codes */
-#define UART_START_READ 0x1
+#define UART_START_READ 0x1
-#define UART_OVERSAMPLING 32
-#define STALE_TIMEOUT 16
-#define DEFAULT_BITS_PER_CHAR 10
-#define GENI_UART_CONS_PORTS 1
-#define GENI_UART_PORTS 3
-#define DEF_FIFO_DEPTH_WORDS 16
-#define DEF_TX_WM 2
-#define DEF_FIFO_WIDTH_BITS 32
-#define UART_RX_WM 2
+#define UART_OVERSAMPLING 32
+#define STALE_TIMEOUT 16
+#define DEFAULT_BITS_PER_CHAR 10
+#define GENI_UART_CONS_PORTS 1
+#define GENI_UART_PORTS 3
+#define DEF_FIFO_DEPTH_WORDS 16
+#define DEF_TX_WM 2
+#define DEF_FIFO_WIDTH_BITS 32
+#define UART_RX_WM 2
/* SE_UART_LOOPBACK_CFG */
-#define RX_TX_SORTED BIT(0)
-#define CTS_RTS_SORTED BIT(1)
-#define RX_TX_CTS_RTS_SORTED (RX_TX_SORTED | CTS_RTS_SORTED)
+#define RX_TX_SORTED BIT(0)
+#define CTS_RTS_SORTED BIT(1)
+#define RX_TX_CTS_RTS_SORTED (RX_TX_SORTED | CTS_RTS_SORTED)
/* UART pin swap value */
-#define DEFAULT_IO_MACRO_IO0_IO1_MASK GENMASK(3, 0)
+#define DEFAULT_IO_MACRO_IO0_IO1_MASK GENMASK(3, 0)
#define IO_MACRO_IO0_SEL 0x3
-#define DEFAULT_IO_MACRO_IO2_IO3_MASK GENMASK(15, 4)
+#define DEFAULT_IO_MACRO_IO2_IO3_MASK GENMASK(15, 4)
#define IO_MACRO_IO2_IO3_SWAP 0x4640
/* We always configure 4 bytes per FIFO word */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 385/411] serial: qcom-geni: fix UART_RX_PAR_EN bit position
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 384/411] tty: serial: qcom-geni-serial: align #define values Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 386/411] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
` (26 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Prasanna S, Konrad Dybcio,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prasanna S <prasanna.s@oss.qualcomm.com>
[ Upstream commit ca2584d841b69391ffc4144840563d2e1a0018df ]
UART_RX_PAR_EN is incorrectly defined as bit 3, which triggers false
framing errors (S_GP_IRQ_1_EN) and causes received data to be dropped
when parity is enabled and the parity bit is 0.
Define UART_RX_PAR_EN as bit 4 of the SE_UART_RX_TRANS_CFG register, as
specified in the reference manual.
Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP")
Cc: stable <stable@kernel.org>
Signed-off-by: Prasanna S <prasanna.s@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://patch.msgid.link/20260428-serial-bit-correct-v1-1-9131ad5b97d8@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/qcom_geni_serial.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -43,7 +43,7 @@
#define TX_STOP_BIT_LEN_2 2
/* SE_UART_RX_TRANS_CFG */
-#define UART_RX_PAR_EN BIT(3)
+#define UART_RX_PAR_EN BIT(4)
/* SE_UART_RX_WORD_LEN */
#define RX_WORD_LEN_MASK GENMASK(9, 0)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 386/411] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 385/411] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 387/411] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
` (25 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Bommarito, John Garry,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
[ Upstream commit 778c2ab142c625a8a8afa570e0f9b7873f445d99 ]
Two latent bugs in the Text-phase handler, both present since the
original LIO integration in commit e48354ce078c ("iscsi-target: Add
iSCSI fabric support for target v4.1"):
1) DataDigest CRC buffer overread (4 bytes past text_in).
text_in is kzalloc()'d at ALIGN(payload_length, 4). rx_size is then
incremented by ISCSI_CRC_LEN to make room for the received DataDigest
in the iovec, but the same (now-bumped) rx_size is passed as the
buffer length to iscsit_crc_buf():
if (conn->conn_ops->DataDigest) {
...
rx_size += ISCSI_CRC_LEN;
}
...
if (conn->conn_ops->DataDigest) {
data_crc = iscsit_crc_buf(text_in, rx_size, 0, NULL);
iscsit_crc_buf() walks rx_size bytes of text_in with crc32c(), so
when DataDigest is negotiated it reads 4 bytes past the end of the
text_in allocation. KASAN reproduces this directly on the unpatched
mainline tree as slab-out-of-bounds in crc32c() called from the Text
PDU path. The OOB bytes feed crc32c() and are then compared against
the initiator-supplied checksum, so the value does not flow back to
the attacker, but the kernel does read past the buffer on every Text
PDU with DataDigest=CRC32C.
Fix by passing the actual padded payload length
(ALIGN(payload_length, 4)) that was used for the kzalloc().
2) Stale cmd->text_in_ptr re-free (double-free) on ERL>0 bad DataDigest
drop.
On DataDigest mismatch with ErrorRecoveryLevel > 0 the handler
silently drops the PDU and lets the initiator plug the CmdSN gap:
kfree(text_in);
return 0;
cmd->text_in_ptr still points at the freed buffer. The next Text
Request on the same ITT re-enters iscsit_setup_text_cmd(), which
unconditionally does
kfree(cmd->text_in_ptr);
cmd->text_in_ptr = NULL;
freeing the same pointer a second time. Session teardown via
iscsit_release_cmd() has the same shape and hits the same double-free
if the connection is dropped before a second Text Request arrives.
On an unmodified mainline tree the bug-1 CRC overread fires first on
the initial valid Text Request and perturbs the subsequent state, so
#4 was isolated by building a kernel with only the bug-1 hunk of this
patch applied plus temporary printk() observability around the three
relevant kfree() sites. The observability prints are not part of
this patch. On that build, a three-PDU Text Request sequence after
login produces two back-to-back splats:
BUG: KASAN: double-free in iscsit_setup_text_cmd+0x??
BUG: KASAN: double-free in iscsit_release_cmd+0x??
showing the same pointer freed in the ERL>0 drop path and again in
iscsit_setup_text_cmd() (next Text Request on the same ITT) and once
more in iscsit_release_cmd() (session teardown). On distro kernels
with CONFIG_SLAB_FREELIST_HARDENED=y (default) the double-free
becomes a remote kernel BUG(); on non-hardened kernels it corrupts
the slab freelist.
Fix by clearing cmd->text_in_ptr after the kfree() in the ERL>0 drop
path. With both hunks applied #4 is directly observable on the stock
tree without observability printks; fixing bug-1 alone would mask #4
less, not more, so the hunks are submitted together.
Both fixes are one-liners. The Text PDU state machine is unchanged and
the wire protocol is unaffected.
Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Tested-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/iscsi/iscsi_target.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2296,8 +2296,9 @@ iscsit_handle_text_cmd(struct iscsi_conn
if (conn->conn_ops->DataDigest) {
iscsit_do_crypto_hash_buf(conn->conn_rx_hash,
- text_in, rx_size, 0, NULL,
- &data_crc);
+ text_in,
+ ALIGN(payload_length, 4),
+ 0, NULL, &data_crc);
if (checksum != data_crc) {
pr_err("Text data CRC32C DataDigest"
@@ -2317,6 +2318,7 @@ iscsit_handle_text_cmd(struct iscsi_conn
" Command CmdSN: 0x%08x due to"
" DataCRC error.\n", hdr->cmdsn);
kfree(text_in);
+ cmd->text_in_ptr = NULL;
return 0;
}
} else {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 387/411] netfilter: nft_fib: fix stale stack leak via the OIFNAME register
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 386/411] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 388/411] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
` (24 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Davide Ornaghi,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Ornaghi <d.ornaghi97@gmail.com>
[ Upstream commit ab185e0c4fb82dfba6fb86f8271e06f931d9c64c ]
For NFT_FIB_RESULT_OIFNAME the destination register is declared with
len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
register via "*dest = 0". The remaining three registers are left as
whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
downstream expression that loads the register span can leak that
uninitialised kernel stack to userspace.
The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
while the eval stores a single byte via nft_reg_store8(), leaving the rest
of the declared span stale.
Fix both:
- replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already
used on the other early-return path), and
- restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
destination as a single u8, so the marked span matches the one byte
the eval writes.
Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Suggested-by: Florian Westphal <fw@strlen.de>
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[ kept the tree's existing `ip6_route_lookup`/`rt6_info` machinery (missing `fib6_lookup` refactor) and changed only `*dest = 0;` to `nft_fib_store_result(dest, priv, NULL)` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
net/ipv6/netfilter/nft_fib_ipv6.c | 2 +-
net/netfilter/nft_fib.c | 6 ++++++
3 files changed, 8 insertions(+), 2 deletions(-)
--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -118,7 +118,7 @@ void nft_fib4_eval(const struct nft_expr
fl4.saddr = get_saddr(iph->daddr);
}
- *dest = 0;
+ nft_fib_store_result(dest, priv, NULL);
if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
return;
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -189,7 +189,7 @@ void nft_fib6_eval(const struct nft_expr
}
}
- *dest = 0;
+ nft_fib_store_result(dest, priv, NULL);
rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,
lookup_flags);
if (rt->dst.error)
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -105,6 +105,12 @@ int nft_fib_init(const struct nft_ctx *c
return -EINVAL;
}
+ if (priv->flags & NFTA_FIB_F_PRESENT) {
+ if (priv->result != NFT_FIB_RESULT_OIF)
+ return -EINVAL;
+ len = sizeof(u8);
+ }
+
err = nft_parse_register_store(ctx, tb[NFTA_FIB_DREG], &priv->dreg,
NULL, NFT_DATA_VALUE, len);
if (err < 0)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 388/411] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 387/411] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 389/411] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
` (23 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Anton Leontev, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Leontev <leontyevantony@gmail.com>
[ Upstream commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af ]
netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
send buffer using phys_to_virt() on the entry PFN. Entries for the
RNDIS header and the skb linear data come from kmalloc'd memory and
are always in the kernel direct map, but entries for skb fragments
reference page cache or user pages, which on 32-bit x86 with
CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
phys_to_virt() returns an address outside the direct map and the
subsequent memcpy() faults on the transmit softirq path, which is
fatal.
Map the pages with kmap_local_page() instead, handling two properties
of the page buffer entries:
- pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
not a native PFN. Reconstruct the physical address first and derive
the native page from it, so the mapping stays correct where
PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).
- Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
grouping in the page buffer array"), an entry describes a full
physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
while kmap_local_page() maps a single page. Copy page by page,
splitting at native page boundaries.
The copy path only handles packets smaller than the send section size
(6144 bytes by default); larger packets take the cp_partial path where
only the RNDIS header is copied. So entries here are bounded by the
section size and a copy is split at most once on 4K-page systems. On
!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
no mapping work is added.
Fixes: c25aaf814a63 ("hyperv: Enable sendbuf mechanism on the send path")
Cc: stable@vger.kernel.org
Signed-off-by: Anton Leontev <leontyevantony@gmail.com>
Link: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ adapted `phys_to_page(paddr)` to `pfn_to_page(PHYS_PFN(paddr))` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hyperv/netvsc.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -12,6 +12,7 @@
#include <linux/sched.h>
#include <linux/wait.h>
#include <linux/mm.h>
+#include <linux/highmem.h>
#include <linux/delay.h>
#include <linux/io.h>
#include <linux/slab.h>
@@ -956,12 +957,22 @@ static void netvsc_copy_to_send_buf(stru
}
for (i = 0; i < page_count; i++) {
- char *src = phys_to_virt(pb[i].pfn << HV_HYP_PAGE_SHIFT);
- u32 offset = pb[i].offset;
+ phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) +
+ pb[i].offset;
u32 len = pb[i].len;
- memcpy(dest, (src + offset), len);
- dest += len;
+ while (len) {
+ struct page *page = pfn_to_page(PHYS_PFN(paddr));
+ u32 off = offset_in_page(paddr);
+ u32 chunk = min_t(u32, len, PAGE_SIZE - off);
+ char *src = kmap_local_page(page);
+
+ memcpy(dest, src + off, chunk);
+ kunmap_local(src);
+ dest += chunk;
+ paddr += chunk;
+ len -= chunk;
+ }
}
if (padding)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 389/411] RDMA/umem: fix kernel-doc warnings
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 388/411] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 390/411] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
` (22 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit ff46d1392750444fab5ae5a0194764ffdc4ac0d2 ]
Add or correct kernel-doc comments to eliminate warnings:
Warning: include/rdma/ib_umem.h:104 function parameter 'biter' not
described in 'rdma_umem_for_each_dma_block'
Warning: include/rdma/ib_umem.h:140 function parameter 'pgsz_bitmap' not
described in 'ib_umem_find_best_pgoff'
Warning: include/rdma/ib_umem.h:141 No description found for return
value of 'ib_umem_find_best_pgoff'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260224003120.3173892-1-rdunlap@infradead.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: 15fe76e23615 ("RDMA/umem: Fix truncation for block sizes >= 4G")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/rdma/ib_umem.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -89,6 +89,7 @@ static inline bool __rdma_umem_block_ite
/**
* rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
* @umem: umem to iterate over
+ * @biter: block iterator variable
* @pgsz: Page size to split the list into
*
* pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
@@ -116,7 +117,7 @@ unsigned long ib_umem_find_best_pgsz(str
* ib_umem_find_best_pgoff - Find best HW page size
*
* @umem: umem struct
- * @pgsz_bitmap bitmap of HW supported page sizes
+ * @pgsz_bitmap: bitmap of HW supported page sizes
* @pgoff_bitmask: Mask of bits that can be represented with an offset
*
* This is very similar to ib_umem_find_best_pgsz() except instead of accepting
@@ -129,6 +130,9 @@ unsigned long ib_umem_find_best_pgsz(str
*
* If the pgoff_bitmask requires either alignment in the low bit or an
* unavailable page size for the high bits, this function returns 0.
+ *
+ * Returns: best HW page size for the parameters or 0 if none available
+ * for the given parameters.
*/
static inline unsigned long ib_umem_find_best_pgoff(struct ib_umem *umem,
unsigned long pgsz_bitmap,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 390/411] RDMA: Move DMA block iterator logic into dedicated files
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 389/411] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 391/411] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
` (21 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@nvidia.com>
[ Upstream commit 6094ea64c69520ed1e770e7c79c43412de202bfa ]
The DMA iterator logic was mixed into verbs and umem-specific code,
forcing all users to include rdma/ib_umem.h. Move the block iterator
logic into iter.c and rdma/iter.h so that rdma/ib_umem.h and
rdma/ib_verbs.h can be separated in a follow-up patch.
Link: https://patch.msgid.link/20260213-refactor-umem-v1-1-f3be85847922@nvidia.com
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Stable-dep-of: 15fe76e23615 ("RDMA/umem: Fix truncation for block sizes >= 4G")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/Makefile | 2
drivers/infiniband/core/iter.c | 43 +++++++++++++
drivers/infiniband/core/verbs.c | 38 -----------
drivers/infiniband/hw/bnxt_re/qplib_res.c | 2
drivers/infiniband/hw/cxgb4/mem.c | 2
drivers/infiniband/hw/efa/efa_verbs.c | 2
drivers/infiniband/hw/hns/hns_roce_alloc.c | 2
drivers/infiniband/hw/irdma/main.h | 2
drivers/infiniband/hw/mlx4/mr.c | 1
drivers/infiniband/hw/mlx5/mem.c | 1
drivers/infiniband/hw/mlx5/mr.c | 1
drivers/infiniband/hw/mthca/mthca_provider.c | 2
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 2
drivers/infiniband/hw/qedr/verbs.c | 2
drivers/infiniband/hw/vmw_pvrdma/pvrdma.h | 2
include/rdma/ib_umem.h | 32 ---------
include/rdma/ib_verbs.h | 48 --------------
include/rdma/iter.h | 88 +++++++++++++++++++++++++++
18 files changed, 144 insertions(+), 128 deletions(-)
create mode 100644 drivers/infiniband/core/iter.c
create mode 100644 include/rdma/iter.h
--- a/drivers/infiniband/core/Makefile
+++ b/drivers/infiniband/core/Makefile
@@ -12,7 +12,7 @@ ib_core-y := packer.o ud_header.o verb
roce_gid_mgmt.o mr_pool.o addr.o sa_query.o \
multicast.o mad.o smi.o agent.o mad_rmpp.o \
nldev.o restrack.o counters.o ib_core_uverbs.o \
- trace.o lag.o
+ trace.o lag.o iter.o
ib_core-$(CONFIG_SECURITY_INFINIBAND) += security.o
ib_core-$(CONFIG_CGROUP_RDMA) += cgroup.o
--- /dev/null
+++ b/drivers/infiniband/core/iter.c
@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
+/* Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. */
+
+#include <linux/export.h>
+#include <rdma/iter.h>
+
+void __rdma_block_iter_start(struct ib_block_iter *biter,
+ struct scatterlist *sglist, unsigned int nents,
+ unsigned long pgsz)
+{
+ memset(biter, 0, sizeof(struct ib_block_iter));
+ biter->__sg = sglist;
+ biter->__sg_nents = nents;
+
+ /* Driver provides best block size to use */
+ biter->__pg_bit = __fls(pgsz);
+}
+EXPORT_SYMBOL(__rdma_block_iter_start);
+
+bool __rdma_block_iter_next(struct ib_block_iter *biter)
+{
+ unsigned int block_offset;
+ unsigned int delta;
+
+ if (!biter->__sg_nents || !biter->__sg)
+ return false;
+
+ biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance;
+ block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1);
+ delta = BIT_ULL(biter->__pg_bit) - block_offset;
+
+ while (biter->__sg_nents && biter->__sg &&
+ sg_dma_len(biter->__sg) - biter->__sg_advance <= delta) {
+ delta -= sg_dma_len(biter->__sg) - biter->__sg_advance;
+ biter->__sg_advance = 0;
+ biter->__sg = sg_next(biter->__sg);
+ biter->__sg_nents--;
+ }
+ biter->__sg_advance += delta;
+
+ return true;
+}
+EXPORT_SYMBOL(__rdma_block_iter_next);
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -2950,41 +2950,3 @@ int rdma_init_netdev(struct ib_device *d
netdev, params.param);
}
EXPORT_SYMBOL(rdma_init_netdev);
-
-void __rdma_block_iter_start(struct ib_block_iter *biter,
- struct scatterlist *sglist, unsigned int nents,
- unsigned long pgsz)
-{
- memset(biter, 0, sizeof(struct ib_block_iter));
- biter->__sg = sglist;
- biter->__sg_nents = nents;
-
- /* Driver provides best block size to use */
- biter->__pg_bit = __fls(pgsz);
-}
-EXPORT_SYMBOL(__rdma_block_iter_start);
-
-bool __rdma_block_iter_next(struct ib_block_iter *biter)
-{
- unsigned int block_offset;
- unsigned int delta;
-
- if (!biter->__sg_nents || !biter->__sg)
- return false;
-
- biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance;
- block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1);
- delta = BIT_ULL(biter->__pg_bit) - block_offset;
-
- while (biter->__sg_nents && biter->__sg &&
- sg_dma_len(biter->__sg) - biter->__sg_advance <= delta) {
- delta -= sg_dma_len(biter->__sg) - biter->__sg_advance;
- biter->__sg_advance = 0;
- biter->__sg = sg_next(biter->__sg);
- biter->__sg_nents--;
- }
- biter->__sg_advance += delta;
-
- return true;
-}
-EXPORT_SYMBOL(__rdma_block_iter_next);
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -46,7 +46,7 @@
#include <linux/if_vlan.h>
#include <linux/vmalloc.h>
#include <rdma/ib_verbs.h>
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
#include "roce_hsi.h"
#include "qplib_res.h"
--- a/drivers/infiniband/hw/cxgb4/mem.c
+++ b/drivers/infiniband/hw/cxgb4/mem.c
@@ -32,9 +32,9 @@
#include <linux/module.h>
#include <linux/moduleparam.h>
-#include <rdma/ib_umem.h>
#include <linux/atomic.h>
#include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
#include "iw_cxgb4.h"
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -7,9 +7,9 @@
#include <linux/log2.h>
#include <rdma/ib_addr.h>
-#include <rdma/ib_umem.h>
#include <rdma/ib_user_verbs.h>
#include <rdma/ib_verbs.h>
+#include <rdma/iter.h>
#include <rdma/uverbs_ioctl.h>
#include "efa.h"
--- a/drivers/infiniband/hw/hns/hns_roce_alloc.c
+++ b/drivers/infiniband/hw/hns/hns_roce_alloc.c
@@ -34,7 +34,7 @@
#include <linux/platform_device.h>
#include <linux/vmalloc.h>
#include "hns_roce_device.h"
-#include <rdma/ib_umem.h>
+#include <rdma/iter.h>
void hns_roce_buf_free(struct hns_roce_dev *hr_dev, struct hns_roce_buf *buf)
{
--- a/drivers/infiniband/hw/irdma/main.h
+++ b/drivers/infiniband/hw/irdma/main.h
@@ -37,8 +37,8 @@
#include <rdma/rdma_cm.h>
#include <rdma/iw_cm.h>
#include <rdma/ib_user_verbs.h>
-#include <rdma/ib_umem.h>
#include <rdma/ib_cache.h>
+#include <rdma/iter.h>
#include <rdma/uverbs_ioctl.h>
#include "status.h"
#include "osdep.h"
--- a/drivers/infiniband/hw/mlx4/mr.c
+++ b/drivers/infiniband/hw/mlx4/mr.c
@@ -33,6 +33,7 @@
#include <linux/slab.h>
#include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
#include "mlx4_ib.h"
--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -33,6 +33,7 @@
#include <linux/module.h>
#include <rdma/ib_umem.h>
#include <rdma/ib_umem_odp.h>
+#include <rdma/iter.h>
#include "mlx5_ib.h"
#include <linux/jiffies.h>
--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -42,6 +42,7 @@
#include <rdma/ib_umem.h>
#include <rdma/ib_umem_odp.h>
#include <rdma/ib_verbs.h>
+#include <rdma/iter.h>
#include "dm.h"
#include "mlx5_ib.h"
--- a/drivers/infiniband/hw/mthca/mthca_provider.c
+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
@@ -35,8 +35,8 @@
*/
#include <rdma/ib_smi.h>
-#include <rdma/ib_umem.h>
#include <rdma/ib_user_verbs.h>
+#include <rdma/iter.h>
#include <rdma/uverbs_ioctl.h>
#include <linux/sched.h>
--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
@@ -44,9 +44,9 @@
#include <rdma/ib_verbs.h>
#include <rdma/ib_user_verbs.h>
#include <rdma/iw_cm.h>
-#include <rdma/ib_umem.h>
#include <rdma/ib_addr.h>
#include <rdma/ib_cache.h>
+#include <rdma/iter.h>
#include <rdma/uverbs_ioctl.h>
#include "ocrdma.h"
--- a/drivers/infiniband/hw/qedr/verbs.c
+++ b/drivers/infiniband/hw/qedr/verbs.c
@@ -39,9 +39,9 @@
#include <rdma/ib_verbs.h>
#include <rdma/ib_user_verbs.h>
#include <rdma/iw_cm.h>
-#include <rdma/ib_umem.h>
#include <rdma/ib_addr.h>
#include <rdma/ib_cache.h>
+#include <rdma/iter.h>
#include <rdma/uverbs_ioctl.h>
#include <linux/qed/common_hsi.h>
--- a/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
+++ b/drivers/infiniband/hw/vmw_pvrdma/pvrdma.h
@@ -53,8 +53,8 @@
#include <linux/pci.h>
#include <linux/semaphore.h>
#include <linux/workqueue.h>
-#include <rdma/ib_umem.h>
#include <rdma/ib_verbs.h>
+#include <rdma/iter.h>
#include <rdma/vmw_pvrdma-abi.h>
#include "pvrdma_ring.h"
--- a/include/rdma/ib_umem.h
+++ b/include/rdma/ib_umem.h
@@ -70,38 +70,6 @@ static inline size_t ib_umem_num_pages(s
{
return ib_umem_num_dma_blocks(umem, PAGE_SIZE);
}
-
-static inline void __rdma_umem_block_iter_start(struct ib_block_iter *biter,
- struct ib_umem *umem,
- unsigned long pgsz)
-{
- __rdma_block_iter_start(biter, umem->sgt_append.sgt.sgl,
- umem->sgt_append.sgt.nents, pgsz);
- biter->__sg_advance = ib_umem_offset(umem) & ~(pgsz - 1);
- biter->__sg_numblocks = ib_umem_num_dma_blocks(umem, pgsz);
-}
-
-static inline bool __rdma_umem_block_iter_next(struct ib_block_iter *biter)
-{
- return __rdma_block_iter_next(biter) && biter->__sg_numblocks--;
-}
-
-/**
- * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
- * @umem: umem to iterate over
- * @biter: block iterator variable
- * @pgsz: Page size to split the list into
- *
- * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
- * returned DMA blocks will be aligned to pgsz and span the range:
- * ALIGN_DOWN(umem->address, pgsz) to ALIGN(umem->address + umem->length, pgsz)
- *
- * Performs exactly ib_umem_num_dma_blocks() iterations.
- */
-#define rdma_umem_for_each_dma_block(umem, biter, pgsz) \
- for (__rdma_umem_block_iter_start(biter, umem, pgsz); \
- __rdma_umem_block_iter_next(biter);)
-
#ifdef CONFIG_INFINIBAND_USER_MEM
struct ib_umem *ib_umem_get(struct ib_device *device, unsigned long addr,
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -2808,22 +2808,6 @@ struct ib_client {
u8 no_kverbs_req:1;
};
-/*
- * IB block DMA iterator
- *
- * Iterates the DMA-mapped SGL in contiguous memory blocks aligned
- * to a HW supported page size.
- */
-struct ib_block_iter {
- /* internal states */
- struct scatterlist *__sg; /* sg holding the current aligned block */
- dma_addr_t __dma_addr; /* unaligned DMA address of this block */
- size_t __sg_numblocks; /* ib_umem_num_dma_blocks() */
- unsigned int __sg_nents; /* number of SG entries */
- unsigned int __sg_advance; /* number of bytes to advance in sg in next step */
- unsigned int __pg_bit; /* alignment of current block */
-};
-
struct ib_device *_ib_alloc_device(size_t size);
#define ib_alloc_device(drv_struct, member) \
container_of(_ib_alloc_device(sizeof(struct drv_struct) + \
@@ -2845,38 +2829,6 @@ void ib_unregister_device_queued(struct
int ib_register_client (struct ib_client *client);
void ib_unregister_client(struct ib_client *client);
-void __rdma_block_iter_start(struct ib_block_iter *biter,
- struct scatterlist *sglist,
- unsigned int nents,
- unsigned long pgsz);
-bool __rdma_block_iter_next(struct ib_block_iter *biter);
-
-/**
- * rdma_block_iter_dma_address - get the aligned dma address of the current
- * block held by the block iterator.
- * @biter: block iterator holding the memory block
- */
-static inline dma_addr_t
-rdma_block_iter_dma_address(struct ib_block_iter *biter)
-{
- return biter->__dma_addr & ~(BIT_ULL(biter->__pg_bit) - 1);
-}
-
-/**
- * rdma_for_each_block - iterate over contiguous memory blocks of the sg list
- * @sglist: sglist to iterate over
- * @biter: block iterator holding the memory block
- * @nents: maximum number of sg entries to iterate over
- * @pgsz: best HW supported page size to use
- *
- * Callers may use rdma_block_iter_dma_address() to get each
- * blocks aligned DMA address.
- */
-#define rdma_for_each_block(sglist, biter, nents, pgsz) \
- for (__rdma_block_iter_start(biter, sglist, nents, \
- pgsz); \
- __rdma_block_iter_next(biter);)
-
/**
* ib_get_client_data - Get IB client context
* @device:Device to get context for
--- /dev/null
+++ b/include/rdma/iter.h
@@ -0,0 +1,88 @@
+/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB */
+/* Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. */
+
+#ifndef _RDMA_ITER_H_
+#define _RDMA_ITER_H_
+
+#include <linux/scatterlist.h>
+#include <rdma/ib_umem.h>
+
+/**
+ * IB block DMA iterator
+ *
+ * Iterates the DMA-mapped SGL in contiguous memory blocks aligned
+ * to a HW supported page size.
+ */
+struct ib_block_iter {
+ /* internal states */
+ struct scatterlist *__sg; /* sg holding the current aligned block */
+ dma_addr_t __dma_addr; /* unaligned DMA address of this block */
+ size_t __sg_numblocks; /* ib_umem_num_dma_blocks() */
+ unsigned int __sg_nents; /* number of SG entries */
+ unsigned int __sg_advance; /* number of bytes to advance in sg in next step */
+ unsigned int __pg_bit; /* alignment of current block */
+};
+
+void __rdma_block_iter_start(struct ib_block_iter *biter,
+ struct scatterlist *sglist,
+ unsigned int nents,
+ unsigned long pgsz);
+bool __rdma_block_iter_next(struct ib_block_iter *biter);
+
+/**
+ * rdma_block_iter_dma_address - get the aligned dma address of the current
+ * block held by the block iterator.
+ * @biter: block iterator holding the memory block
+ */
+static inline dma_addr_t
+rdma_block_iter_dma_address(struct ib_block_iter *biter)
+{
+ return biter->__dma_addr & ~(BIT_ULL(biter->__pg_bit) - 1);
+}
+
+/**
+ * rdma_for_each_block - iterate over contiguous memory blocks of the sg list
+ * @sglist: sglist to iterate over
+ * @biter: block iterator holding the memory block
+ * @nents: maximum number of sg entries to iterate over
+ * @pgsz: best HW supported page size to use
+ *
+ * Callers may use rdma_block_iter_dma_address() to get each
+ * blocks aligned DMA address.
+ */
+#define rdma_for_each_block(sglist, biter, nents, pgsz) \
+ for (__rdma_block_iter_start(biter, sglist, nents, \
+ pgsz); \
+ __rdma_block_iter_next(biter);)
+
+static inline void __rdma_umem_block_iter_start(struct ib_block_iter *biter,
+ struct ib_umem *umem,
+ unsigned long pgsz)
+{
+ __rdma_block_iter_start(biter, umem->sgt_append.sgt.sgl,
+ umem->sgt_append.sgt.nents, pgsz);
+ biter->__sg_advance = ib_umem_offset(umem) & ~(pgsz - 1);
+ biter->__sg_numblocks = ib_umem_num_dma_blocks(umem, pgsz);
+}
+
+static inline bool __rdma_umem_block_iter_next(struct ib_block_iter *biter)
+{
+ return __rdma_block_iter_next(biter) && biter->__sg_numblocks--;
+}
+
+/**
+ * rdma_umem_for_each_dma_block - iterate over contiguous DMA blocks of the umem
+ * @umem: umem to iterate over
+ * @pgsz: Page size to split the list into
+ *
+ * pgsz must be <= PAGE_SIZE or computed by ib_umem_find_best_pgsz(). The
+ * returned DMA blocks will be aligned to pgsz and span the range:
+ * ALIGN_DOWN(umem->address, pgsz) to ALIGN(umem->address + umem->length, pgsz)
+ *
+ * Performs exactly ib_umem_num_dma_blocks() iterations.
+ */
+#define rdma_umem_for_each_dma_block(umem, biter, pgsz) \
+ for (__rdma_umem_block_iter_start(biter, umem, pgsz); \
+ __rdma_umem_block_iter_next(biter);)
+
+#endif /* _RDMA_ITER_H_ */
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 391/411] RDMA/umem: Fix truncation for block sizes >= 4G
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 390/411] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 392/411] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
` (20 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit 15fe76e23615f502d051ef0768f86babaf08746c ]
When the iommu is used the linearization of the mapping can give a single
block that is very large split across multiple SG entries.
When __rdma_block_iter_next() reassembles the split SG entries it is
overflowing the 32 bit stack values and computed the wrong DMA addresses
for blocks after the truncation.
Use the right types to hold DMA addresses.
Link: https://patch.msgid.link/r/1-v1-88303e9e509f+f7-ib_umem_types_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/iter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/infiniband/core/iter.c
+++ b/drivers/infiniband/core/iter.c
@@ -19,8 +19,8 @@ EXPORT_SYMBOL(__rdma_block_iter_start);
bool __rdma_block_iter_next(struct ib_block_iter *biter)
{
- unsigned int block_offset;
- unsigned int delta;
+ dma_addr_t block_offset;
+ dma_addr_t delta;
if (!biter->__sg_nents || !biter->__sg)
return false;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 392/411] mm/huge_memory: update file PMD counter before folio_put()
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 391/411] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 393/411] ipvs: skip ipv6 extension headers for csum checks Greg Kroah-Hartman
` (19 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yin Tirui, Lorenzo Stoakes,
David Hildenbrand (arm), Lance Yang, Dev Jain, Baolin Wang,
Barry Song, Chen Jun, Kefeng Wang, Liam R. Howlett, Nico Pache,
Ryan Roberts, Vlastimil Babka, Yang Shi, Zi Yan, Andrew Morton,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yin Tirui <yintirui@huawei.com>
[ Upstream commit 8d878059924f12c1bc24556a92ec56add74de3c8 ]
__split_huge_pmd_locked() updates the file/shmem RSS counter after
dropping the PMD mapping's folio reference. If folio_put() drops the last
reference, mm_counter_file() can later read freed folio state via
folio_test_swapbacked().
Move the counter update before folio_put().
Link: https://lore.kernel.org/20260526101337.1984081-1-yintirui@huawei.com
Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
Signed-off-by: Yin Tirui <yintirui@huawei.com>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (arm) <david@kernel.org>
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Chen Jun <chenjun102@huawei.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Liam R. Howlett <liam@infradead.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Yang Shi <yang.shi@linux.alibaba.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/huge_memory.c | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1994,7 +1994,9 @@ static void __split_huge_pmd_locked(stru
if (!PageReferenced(page) && pmd_young(old_pmd))
SetPageReferenced(page);
page_remove_rmap(page, true);
+ add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
put_page(page);
+ return;
}
add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
return;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 393/411] ipvs: skip ipv6 extension headers for csum checks
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 392/411] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 394/411] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init Greg Kroah-Hartman
` (18 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julian Anastasov, Florian Westphal,
Nazar Kalashnikov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julian Anastasov <ja@ssi.bg>
commit 05cfe9863ef049d98141dc2969eefde72fb07625 upstream.
Protocol checksum validation fails for IPv6 if there are extension
headers before the protocol header. iph->len already contains its
offset, so use it to fix the problem.
Fixes: 2906f66a5682 ("ipvs: SCTP Trasport Loadbalancing Support")
Fixes: 0bbdd42b7efa ("IPVS: Extend protocol DNAT/SNAT and state handlers")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Nazar Kalashnikov <nazarkalashnikov0@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/ipvs/ip_vs_proto_sctp.c | 18 ++++++------------
net/netfilter/ipvs/ip_vs_proto_tcp.c | 21 +++++++--------------
net/netfilter/ipvs/ip_vs_proto_udp.c | 20 +++++++-------------
3 files changed, 20 insertions(+), 39 deletions(-)
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -10,7 +10,8 @@
#include <net/ip_vs.h>
static int
-sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
+sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+ unsigned int sctphoff);
static int
sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
@@ -108,7 +109,7 @@ sctp_snat_handler(struct sk_buff *skb, s
int ret;
/* Some checks before mangling */
- if (!sctp_csum_check(cp->af, skb, pp))
+ if (!sctp_csum_check(cp->af, skb, pp, sctphoff))
return 0;
/* Call application helper if needed */
@@ -156,7 +157,7 @@ sctp_dnat_handler(struct sk_buff *skb, s
int ret;
/* Some checks before mangling */
- if (!sctp_csum_check(cp->af, skb, pp))
+ if (!sctp_csum_check(cp->af, skb, pp, sctphoff))
return 0;
/* Call application helper if needed */
@@ -185,19 +186,12 @@ sctp_dnat_handler(struct sk_buff *skb, s
}
static int
-sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
+sctp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+ unsigned int sctphoff)
{
- unsigned int sctphoff;
struct sctphdr *sh;
__le32 cmp, val;
-#ifdef CONFIG_IP_VS_IPV6
- if (af == AF_INET6)
- sctphoff = sizeof(struct ipv6hdr);
- else
-#endif
- sctphoff = ip_hdrlen(skb);
-
sh = (struct sctphdr *)(skb->data + sctphoff);
cmp = sh->checksum;
val = sctp_compute_cksum(skb, sctphoff);
--- a/net/netfilter/ipvs/ip_vs_proto_tcp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c
@@ -29,7 +29,8 @@
#include <net/ip_vs.h>
static int
-tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
+tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+ unsigned int tcphoff);
static int
tcp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
@@ -166,7 +167,7 @@ tcp_snat_handler(struct sk_buff *skb, st
int ret;
/* Some checks before mangling */
- if (!tcp_csum_check(cp->af, skb, pp))
+ if (!tcp_csum_check(cp->af, skb, pp, tcphoff))
return 0;
/* Call application helper if needed */
@@ -244,7 +245,7 @@ tcp_dnat_handler(struct sk_buff *skb, st
int ret;
/* Some checks before mangling */
- if (!tcp_csum_check(cp->af, skb, pp))
+ if (!tcp_csum_check(cp->af, skb, pp, tcphoff))
return 0;
/*
@@ -301,17 +302,9 @@ tcp_dnat_handler(struct sk_buff *skb, st
static int
-tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
+tcp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+ unsigned int tcphoff)
{
- unsigned int tcphoff;
-
-#ifdef CONFIG_IP_VS_IPV6
- if (af == AF_INET6)
- tcphoff = sizeof(struct ipv6hdr);
- else
-#endif
- tcphoff = ip_hdrlen(skb);
-
switch (skb->ip_summed) {
case CHECKSUM_NONE:
skb->csum = skb_checksum(skb, tcphoff, skb->len - tcphoff, 0);
@@ -322,7 +315,7 @@ tcp_csum_check(int af, struct sk_buff *s
if (csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
&ipv6_hdr(skb)->daddr,
skb->len - tcphoff,
- ipv6_hdr(skb)->nexthdr,
+ IPPROTO_TCP,
skb->csum)) {
IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
"Failed checksum for");
--- a/net/netfilter/ipvs/ip_vs_proto_udp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_udp.c
@@ -25,7 +25,8 @@
#include <net/ip6_checksum.h>
static int
-udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp);
+udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+ unsigned int udphoff);
static int
udp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
@@ -155,7 +156,7 @@ udp_snat_handler(struct sk_buff *skb, st
int ret;
/* Some checks before mangling */
- if (!udp_csum_check(cp->af, skb, pp))
+ if (!udp_csum_check(cp->af, skb, pp, udphoff))
return 0;
/*
@@ -238,7 +239,7 @@ udp_dnat_handler(struct sk_buff *skb, st
int ret;
/* Some checks before mangling */
- if (!udp_csum_check(cp->af, skb, pp))
+ if (!udp_csum_check(cp->af, skb, pp, udphoff))
return 0;
/*
@@ -297,17 +298,10 @@ udp_dnat_handler(struct sk_buff *skb, st
static int
-udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
+udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+ unsigned int udphoff)
{
struct udphdr _udph, *uh;
- unsigned int udphoff;
-
-#ifdef CONFIG_IP_VS_IPV6
- if (af == AF_INET6)
- udphoff = sizeof(struct ipv6hdr);
- else
-#endif
- udphoff = ip_hdrlen(skb);
uh = skb_header_pointer(skb, udphoff, sizeof(_udph), &_udph);
if (uh == NULL)
@@ -325,7 +319,7 @@ udp_csum_check(int af, struct sk_buff *s
if (csum_ipv6_magic(&ipv6_hdr(skb)->saddr,
&ipv6_hdr(skb)->daddr,
skb->len - udphoff,
- ipv6_hdr(skb)->nexthdr,
+ IPPROTO_UDP,
skb->csum)) {
IP_VS_DBG_RL_PKT(0, af, pp, skb, 0,
"Failed checksum for");
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 394/411] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 393/411] ipvs: skip ipv6 extension headers for csum checks Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 395/411] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
` (17 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tejun Heo, Breno Leitao, Jens Axboe,
Robert Garcia
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit ec14a87ee1999b19d8b7ed0fa95fea80644624ae upstream.
blk-iocost sometimes causes the following crash:
BUG: kernel NULL pointer dereference, address: 00000000000000e0
...
RIP: 0010:_raw_spin_lock+0x17/0x30
Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00
RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001
RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0
RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003
R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000
R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600
FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0
Call Trace:
<TASK>
ioc_weight_write+0x13d/0x410
cgroup_file_write+0x7a/0x130
kernfs_fop_write_iter+0xf5/0x170
vfs_write+0x298/0x370
ksys_write+0x5f/0xb0
__x64_sys_write+0x1b/0x20
do_syscall_64+0x3d/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
This happens because iocg->ioc is NULL. The field is initialized by
ioc_pd_init() and never cleared. The NULL deref is caused by
blkcg_activate_policy() installing blkg_policy_data before initializing it.
blkcg_activate_policy() was doing the following:
1. Allocate pd's for all existing blkg's and install them in blkg->pd[].
2. Initialize all pd's.
3. Online all pd's.
blkcg_activate_policy() only grabs the queue_lock and may release and
re-acquire the lock as allocation may need to sleep. ioc_weight_write()
grabs blkcg->lock and iterates all its blkg's. The two can race and if
ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a
pd which is not initialized yet, leading to crash.
The crash can be reproduced with the following script:
#!/bin/bash
echo +io > /sys/fs/cgroup/cgroup.subtree_control
systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct
echo 100 > /sys/fs/cgroup/system.slice/io.weight
bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" &
sleep .2
echo 100 > /sys/fs/cgroup/system.slice/io.weight
with the following patch applied:
> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
> index fc49be622e05..38d671d5e10c 100644
> --- a/block/blk-cgroup.c
> +++ b/block/blk-cgroup.c
> @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)
> pd->online = false;
> }
>
> + if (system_state == SYSTEM_RUNNING) {
> + spin_unlock_irq(&q->queue_lock);
> + ssleep(1);
> + spin_lock_irq(&q->queue_lock);
> + }
> +
> /* all allocated, init in the same order */
> if (pol->pd_init_fn)
> list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
I don't see a reason why all pd's should be allocated, initialized and
onlined together. The only ordering requirement is that parent blkgs to be
initialized and onlined before children, which is guaranteed from the
walking order. Let's fix the bug by allocating, initializing and onlining pd
for each blkg and holding blkcg->lock over initialization and onlining. This
ensures that an installed blkg is always fully initialized and onlined
removing the the race window.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Breno Leitao <leitao@debian.org>
Fixes: 9d179b865449 ("blkcg: Fix multiple bugs in blkcg_activate_policy()")
Link: https://lore.kernel.org/r/ZN0p5_W-Q9mAHBVY@slm.duckdns.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Robert Garcia <rob_garcia@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-cgroup.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -1337,7 +1337,7 @@ int blkcg_activate_policy(struct request
retry:
spin_lock_irq(&q->queue_lock);
- /* blkg_list is pushed at the head, reverse walk to allocate parents first */
+ /* blkg_list is pushed at the head, reverse walk to initialize parents first */
list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) {
struct blkg_policy_data *pd;
@@ -1375,21 +1375,20 @@ retry:
goto enomem;
}
- blkg->pd[pol->plid] = pd;
+ spin_lock(&blkg->blkcg->lock);
+
pd->blkg = blkg;
pd->plid = pol->plid;
- pd->online = false;
- }
+ blkg->pd[pol->plid] = pd;
- /* all allocated, init in the same order */
- if (pol->pd_init_fn)
- list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
- pol->pd_init_fn(blkg->pd[pol->plid]);
+ if (pol->pd_init_fn)
+ pol->pd_init_fn(pd);
- list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) {
if (pol->pd_online_fn)
- pol->pd_online_fn(blkg->pd[pol->plid]);
- blkg->pd[pol->plid]->online = true;
+ pol->pd_online_fn(pd);
+ pd->online = true;
+
+ spin_unlock(&blkg->blkcg->lock);
}
__set_bit(pol->plid, q->blkcg_pols);
@@ -1406,14 +1405,19 @@ out:
return ret;
enomem:
- /* alloc failed, nothing's initialized yet, free everything */
+ /* alloc failed, take down everything */
spin_lock_irq(&q->queue_lock);
list_for_each_entry(blkg, &q->blkg_list, q_node) {
struct blkcg *blkcg = blkg->blkcg;
+ struct blkg_policy_data *pd;
spin_lock(&blkcg->lock);
- if (blkg->pd[pol->plid]) {
- pol->pd_free_fn(blkg->pd[pol->plid]);
+ pd = blkg->pd[pol->plid];
+ if (pd) {
+ if (pd->online && pol->pd_offline_fn)
+ pol->pd_offline_fn(pd);
+ pd->online = false;
+ pol->pd_free_fn(pd);
blkg->pd[pol->plid] = NULL;
}
spin_unlock(&blkcg->lock);
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 395/411] batman-adv: stop tp_meter sessions during mesh teardown
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 394/411] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 396/411] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
` (16 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Yuan Tan, Yifan Wu,
Juefei Pu, Xin Liu, Luxing Yin, Jiexun Wang, Ren Wei,
Sven Eckelmann
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiexun Wang <wangjiexun2025@gmail.com>
commit 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 upstream.
TP meter sessions remain linked on bat_priv->tp_list after the netlink
request has already finished. When the mesh interface is removed,
batadv_mesh_free() currently tears down the mesh without first draining
these sessions.
A running sender thread or a late incoming tp_meter packet can then keep
processing against a mesh instance which is already shutting down.
Synchronize tp_meter with the mesh lifetime by stopping all active
sessions from batadv_mesh_free() and waiting for sender threads to exit
before teardown continues.
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/main.c | 1
net/batman-adv/tp_meter.c | 94 +++++++++++++++++++++++++++++++++++++---------
net/batman-adv/tp_meter.h | 1
net/batman-adv/types.h | 4 +
4 files changed, 82 insertions(+), 18 deletions(-)
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -262,6 +262,7 @@ void batadv_mesh_free(struct net_device
atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
batadv_purge_outstanding_packets(bat_priv, NULL);
+ batadv_tp_stop_all(bat_priv);
batadv_gw_node_free(bat_priv);
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -12,6 +12,7 @@
#include <linux/byteorder/generic.h>
#include <linux/cache.h>
#include <linux/compiler.h>
+#include <linux/completion.h>
#include <linux/err.h>
#include <linux/etherdevice.h>
#include <linux/gfp.h>
@@ -365,23 +366,38 @@ static void batadv_tp_vars_put(struct ba
}
/**
- * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
- * @bat_priv: the bat priv with all the soft interface information
- * @tp_vars: the private data of the current TP meter session to cleanup
+ * batadv_tp_list_detach() - remove tp session from mesh session list once
+ * @tp_vars: the private data of the current TP meter session
*/
-static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv,
- struct batadv_tp_vars *tp_vars)
+static void batadv_tp_list_detach(struct batadv_tp_vars *tp_vars)
{
- cancel_delayed_work(&tp_vars->finish_work);
+ bool detached = false;
spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
- hlist_del_rcu(&tp_vars->list);
+ if (!hlist_unhashed(&tp_vars->list)) {
+ hlist_del_init_rcu(&tp_vars->list);
+ detached = true;
+ }
spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
+ if (!detached)
+ return;
+
+ atomic_dec(&tp_vars->bat_priv->tp_num);
+
/* drop list reference */
batadv_tp_vars_put(tp_vars);
+}
- atomic_dec(&tp_vars->bat_priv->tp_num);
+/**
+ * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
+ * @tp_vars: the private data of the current TP meter session to cleanup
+ */
+static void batadv_tp_sender_cleanup(struct batadv_tp_vars *tp_vars)
+{
+ cancel_delayed_work_sync(&tp_vars->finish_work);
+
+ batadv_tp_list_detach(tp_vars);
/* kill the timer and remove its reference */
timer_shutdown_sync(&tp_vars->timer);
@@ -883,7 +899,8 @@ out:
batadv_orig_node_put(orig_node);
batadv_tp_sender_end(bat_priv, tp_vars);
- batadv_tp_sender_cleanup(bat_priv, tp_vars);
+ batadv_tp_sender_cleanup(tp_vars);
+ complete(&tp_vars->finished);
batadv_tp_vars_put(tp_vars);
@@ -915,7 +932,8 @@ static void batadv_tp_start_kthread(stru
batadv_tp_vars_put(tp_vars);
/* cleanup of failed tp meter variables */
- batadv_tp_sender_cleanup(bat_priv, tp_vars);
+ batadv_tp_sender_cleanup(tp_vars);
+ complete(&tp_vars->finished);
return;
}
@@ -1021,6 +1039,7 @@ void batadv_tp_start(struct batadv_priv
tp_vars->start_time = jiffies;
init_waitqueue_head(&tp_vars->more_bytes);
+ init_completion(&tp_vars->finished);
spin_lock_init(&tp_vars->unacked_lock);
INIT_LIST_HEAD(&tp_vars->unacked_list);
@@ -1127,14 +1146,7 @@ static void batadv_tp_receiver_shutdown(
"Shutting down for inactivity (more than %dms) from %pM\n",
BATADV_TP_RECV_TIMEOUT, tp_vars->other_end);
- spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
- hlist_del_rcu(&tp_vars->list);
- spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
-
- /* drop list reference */
- batadv_tp_vars_put(tp_vars);
-
- atomic_dec(&bat_priv->tp_num);
+ batadv_tp_list_detach(tp_vars);
spin_lock_bh(&tp_vars->unacked_lock);
list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
@@ -1498,6 +1510,52 @@ out:
}
/**
+ * batadv_tp_stop_all() - stop all currently running tp meter sessions
+ * @bat_priv: the bat priv with all the mesh interface information
+ */
+void batadv_tp_stop_all(struct batadv_priv *bat_priv)
+{
+ struct batadv_tp_vars *tp_vars[BATADV_TP_MAX_NUM];
+ struct batadv_tp_vars *tp_var;
+ size_t count = 0;
+ size_t i;
+
+ spin_lock_bh(&bat_priv->tp_list_lock);
+ hlist_for_each_entry(tp_var, &bat_priv->tp_list, list) {
+ if (WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM))
+ break;
+
+ if (!kref_get_unless_zero(&tp_var->refcount))
+ continue;
+
+ tp_vars[count++] = tp_var;
+ }
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+
+ for (i = 0; i < count; i++) {
+ tp_var = tp_vars[i];
+
+ switch (tp_var->role) {
+ case BATADV_TP_SENDER:
+ batadv_tp_sender_shutdown(tp_var,
+ BATADV_TP_REASON_CANCEL);
+ wake_up(&tp_var->more_bytes);
+ wait_for_completion(&tp_var->finished);
+ break;
+ case BATADV_TP_RECEIVER:
+ batadv_tp_list_detach(tp_var);
+ if (timer_shutdown_sync(&tp_var->timer))
+ batadv_tp_vars_put(tp_var);
+ break;
+ }
+
+ batadv_tp_vars_put(tp_var);
+ }
+
+ synchronize_net();
+}
+
+/**
* batadv_tp_meter_init() - initialize global tp_meter structures
*/
void __init batadv_tp_meter_init(void)
--- a/net/batman-adv/tp_meter.h
+++ b/net/batman-adv/tp_meter.h
@@ -17,6 +17,7 @@ void batadv_tp_start(struct batadv_priv
u32 test_length, u32 *cookie);
void batadv_tp_stop(struct batadv_priv *bat_priv, const u8 *dst,
u8 return_value);
+void batadv_tp_stop_all(struct batadv_priv *bat_priv);
void batadv_tp_meter_recv(struct batadv_priv *bat_priv, struct sk_buff *skb);
#endif /* _NET_BATMAN_ADV_TP_METER_H_ */
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -14,6 +14,7 @@
#include <linux/average.h>
#include <linux/bitops.h>
#include <linux/compiler.h>
+#include <linux/completion.h>
#include <linux/if.h>
#include <linux/if_ether.h>
#include <linux/kref.h>
@@ -1405,6 +1406,9 @@ struct batadv_tp_vars {
/** @finish_work: work item for the finishing procedure */
struct delayed_work finish_work;
+ /** @finished: completion signaled when a sender thread exits */
+ struct completion finished;
+
/** @test_length: test length in milliseconds */
u32 test_length;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 396/411] batman-adv: tp_meter: fix tp_num leak on kmalloc failure
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 395/411] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 397/411] net/ipv6: ioam6: prevent schema length wraparound in trace fill Greg Kroah-Hartman
` (15 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit ce425dd05d0fe7594930a0fb103634f35ac47bb6 upstream.
When batadv_tp_start() or batadv_tp_init_recv() fail to allocate a new
tp_vars object, the previously incremented bat_priv->tp_num counter is
never decremented. This causes tp_num to drift upward on each allocation
failure. Since only BATADV_TP_MAX_NUM sessions can be started and the count
is never reduced for these failed allocations, it causes to an exhaustion
of throughput meter sessions. In worst case, no new throughput meter
session can be started until the mesh interface is removed.
The error handling must decrement tp_num releasing the lock and aborting
the creation of an throughput meter session
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/tp_meter.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -991,6 +991,7 @@ void batadv_tp_start(struct batadv_priv
tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
if (!tp_vars) {
+ atomic_dec(&bat_priv->tp_num);
spin_unlock_bh(&bat_priv->tp_list_lock);
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
"Meter: %s cannot allocate list elements\n",
@@ -1367,8 +1368,10 @@ batadv_tp_init_recv(struct batadv_priv *
}
tp_vars = kmalloc(sizeof(*tp_vars), GFP_ATOMIC);
- if (!tp_vars)
+ if (!tp_vars) {
+ atomic_dec(&bat_priv->tp_num);
goto out_unlock;
+ }
ether_addr_copy(tp_vars->other_end, icmp->orig);
tp_vars->role = BATADV_TP_RECEIVER;
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 397/411] net/ipv6: ioam6: prevent schema length wraparound in trace fill
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 396/411] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 398/411] ksmbd: Compare MACs in constant time Greg Kroah-Hartman
` (14 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengpeng Hou, Justin Iurman,
David S. Miller, Li hongliang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
[ Upstream commit 5e67ba9bb531e1ec6599a82a065dea9040b9ce50 ]
ioam6_fill_trace_data() stores the schema contribution to the trace
length in a u8. With bit 22 enabled and the largest schema payload,
sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the
remaining-space check. __ioam6_fill_trace_data() then positions the
write cursor without reserving the schema area but still copies the
4-byte schema header and the full schema payload, overrunning the trace
buffer.
Keep sclen in an unsigned int so the remaining-space check and the write
cursor calculation both see the full schema length.
Fixes: 8c6f6fa67726 ("ipv6: ioam: IOAM Generic Netlink API")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Reviewed-by: Justin Iurman <justin.iurman@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ioam6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv6/ioam6.c
+++ b/net/ipv6/ioam6.c
@@ -645,7 +645,7 @@ static void __ioam6_fill_trace_data(stru
struct ioam6_namespace *ns,
struct ioam6_trace_hdr *trace,
struct ioam6_schema *sc,
- u8 sclen)
+ unsigned int sclen)
{
struct __kernel_sock_timeval ts;
u64 raw64;
@@ -863,7 +863,7 @@ void ioam6_fill_trace_data(struct sk_buf
struct ioam6_trace_hdr *trace)
{
struct ioam6_schema *sc;
- u8 sclen = 0;
+ unsigned int sclen = 0;
/* Skip if Overflow flag is set
*/
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 398/411] ksmbd: Compare MACs in constant time
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 397/411] net/ipv6: ioam6: prevent schema length wraparound in trace fill Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 399/411] nfsd: fix heap overflow in NFSv4.0 LOCK replay cache Greg Kroah-Hartman
` (13 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Namjae Jeon,
Steve French
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit c5794709bc9105935dbedef8b9cf9c06f2b559fa upstream.
To prevent timing attacks, MAC comparisons need to be constant-time.
Replace the memcmp() with the correct function, crypto_memneq().
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/auth.c | 4 +++-
fs/ksmbd/smb2pdu.c | 5 +++--
2 files changed, 6 insertions(+), 3 deletions(-)
--- a/fs/ksmbd/auth.c
+++ b/fs/ksmbd/auth.c
@@ -13,6 +13,7 @@
#include <linux/xattr.h>
#include <crypto/hash.h>
#include <crypto/aead.h>
+#include <crypto/algapi.h>
#include <linux/random.h>
#include <linux/scatterlist.h>
@@ -281,7 +282,8 @@ int ksmbd_auth_ntlmv2(struct ksmbd_conn
goto out;
}
- if (memcmp(ntlmv2->ntlmv2_hash, ntlmv2_rsp, CIFS_HMAC_MD5_HASH_SIZE) != 0)
+ if (crypto_memneq(ntlmv2->ntlmv2_hash, ntlmv2_rsp,
+ CIFS_HMAC_MD5_HASH_SIZE))
rc = -EINVAL;
out:
if (ctx)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -4,6 +4,7 @@
* Copyright (C) 2018 Samsung Electronics Co., Ltd.
*/
+#include <crypto/algapi.h>
#include <linux/inetdevice.h>
#include <net/addrconf.h>
#include <linux/syscalls.h>
@@ -8440,7 +8441,7 @@ int smb2_check_sign_req(struct ksmbd_wor
signature))
return 0;
- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
pr_err("bad smb2 signature\n");
return 0;
}
@@ -8528,7 +8529,7 @@ int smb3_check_sign_req(struct ksmbd_wor
if (ksmbd_sign_smb3_pdu(conn, signing_key, iov, 1, signature))
return 0;
- if (memcmp(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
+ if (crypto_memneq(signature, signature_req, SMB2_SIGNATURE_SIZE)) {
pr_err("bad smb2 signature\n");
return 0;
}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 399/411] nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 398/411] ksmbd: Compare MACs in constant time Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 400/411] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 Greg Kroah-Hartman
` (12 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Nicholas Carlini,
Jeff Layton, Chuck Lever, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2 upstream.
The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).
When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.
This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.
We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.
Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Nicholas Carlini <npc@anthropic.com>
Tested-by: Nicholas Carlini <npc@anthropic.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ replaced `op_status_offset + XDR_UNIT` with existing `post_err_offset` variable ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 9 +++++++--
fs/nfsd/state.h | 17 ++++++++++++-----
2 files changed, 19 insertions(+), 7 deletions(-)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -5439,9 +5439,14 @@ nfsd4_encode_operation(struct nfsd4_comp
int len = xdr->buf->len - post_err_offset;
so->so_replay.rp_status = op->status;
- so->so_replay.rp_buflen = len;
- read_bytes_from_xdr_buf(xdr->buf, post_err_offset,
+ if (len <= NFSD4_REPLAY_ISIZE) {
+ so->so_replay.rp_buflen = len;
+ read_bytes_from_xdr_buf(xdr->buf,
+ post_err_offset,
so->so_replay.rp_buf, len);
+ } else {
+ so->so_replay.rp_buflen = 0;
+ }
}
status:
*p = op->status;
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -430,11 +430,18 @@ struct nfs4_client_reclaim {
struct xdr_netobj cr_princhash;
};
-/* A reasonable value for REPLAY_ISIZE was estimated as follows:
- * The OPEN response, typically the largest, requires
- * 4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) + 8(verifier) +
- * 4(deleg. type) + 8(deleg. stateid) + 4(deleg. recall flag) +
- * 20(deleg. space limit) + ~32(deleg. ace) = 112 bytes
+/*
+ * REPLAY_ISIZE is sized for an OPEN response with delegation:
+ * 4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) +
+ * 8(verifier) + 4(deleg. type) + 8(deleg. stateid) +
+ * 4(deleg. recall flag) + 20(deleg. space limit) +
+ * ~32(deleg. ace) = 112 bytes
+ *
+ * Some responses can exceed this. A LOCK denial includes the conflicting
+ * lock owner, which can be up to 1024 bytes (NFS4_OPAQUE_LIMIT). Responses
+ * larger than REPLAY_ISIZE are not cached in rp_ibuf; only rp_status is
+ * saved. Enlarging this constant increases the size of every
+ * nfs4_stateowner.
*/
#define NFSD4_REPLAY_ISIZE 112
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 400/411] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 399/411] nfsd: fix heap overflow in NFSv4.0 LOCK replay cache Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 401/411] selinux: enable genfscon labeling for securityfs Greg Kroah-Hartman
` (11 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Erhardt, Werner Sembach,
Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Erhardt <aer@tuxedocomputers.com>
commit d649c58bcad8fb9b749e3837136a201632fa109d upstream.
Depending on the timing during boot, the BIOS might report wrong pin
capabilities, which can lead to HDMI audio being disabled. Therefore,
force HDMI audio connection on TUXEDO InfinityBook S 14 Gen6.
Signed-off-by: Aaron Erhardt <aer@tuxedocomputers.com>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Link: https://patch.msgid.link/20260218213234.429686-1-wse@tuxedocomputers.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1970,6 +1970,7 @@ static const struct snd_pci_quirk force_
SND_PCI_QUIRK(0x1043, 0x86ae, "ASUS", 1), /* Z170 PRO */
SND_PCI_QUIRK(0x1043, 0x86c7, "ASUS", 1), /* Z170M PLUS */
SND_PCI_QUIRK(0x1462, 0xec94, "MS-7C94", 1),
+ SND_PCI_QUIRK(0x1558, 0x14a1, "TUXEDO InfinityBook S 14 Gen6", 1),
SND_PCI_QUIRK(0x8086, 0x2060, "Intel NUC5CPYB", 1),
SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", 1),
{}
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 401/411] selinux: enable genfscon labeling for securityfs
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 400/411] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 402/411] arm64: cputype: Add NVIDIA Olympus definitions Greg Kroah-Hartman
` (10 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Göttsche, Paul Moore,
Liem
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Göttsche <cgzones@googlemail.com>
commit 8a764ef1bd43fb2bb4ff3290746e5c820a3a9716 upstream.
Add support for genfscon per-file labeling of securityfs files.
This allows for separate labels and thereby access control for
different files. For example a genfscon statement
genfscon securityfs /integrity/ima/policy \
system_u:object_r:ima_policy_t:s0
will set a private label to the IMA policy file and thus allow to
control the ability to set the IMA policy. Setting labels directly
with setxattr(2), e.g. by chcon(1) or setfiles(8), is still not
supported.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: line width fixes in the commit description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Liem <liem16213@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/hooks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -741,7 +741,8 @@ static int selinux_set_mnt_opts(struct s
!strcmp(sb->s_type->name, "tracefs") ||
!strcmp(sb->s_type->name, "binder") ||
!strcmp(sb->s_type->name, "bpf") ||
- !strcmp(sb->s_type->name, "pstore"))
+ !strcmp(sb->s_type->name, "pstore") ||
+ !strcmp(sb->s_type->name, "securityfs"))
sbsec->flags |= SE_SBGENFS;
if (!strcmp(sb->s_type->name, "sysfs") ||
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 402/411] arm64: cputype: Add NVIDIA Olympus definitions
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 401/411] selinux: enable genfscon labeling for securityfs Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 403/411] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
` (9 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shanker Donthineni, Will Deacon,
Mark Rutland
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shanker Donthineni <sdonthineni@nvidia.com>
commit e185c8a0d84236d14af61faff8147c953a878a77 upstream.
Add cpu part and model macro definitions for NVIDIA Olympus core.
Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v5.15.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -121,6 +121,7 @@
#define NVIDIA_CPU_PART_DENVER 0x003
#define NVIDIA_CPU_PART_CARMEL 0x004
+#define NVIDIA_CPU_PART_OLYMPUS 0x010
#define FUJITSU_CPU_PART_A64FX 0x001
@@ -183,6 +184,7 @@
#define MIDR_QCOM_KRYO_4XX_SILVER MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO_4XX_SILVER)
#define MIDR_NVIDIA_DENVER MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_DENVER)
#define MIDR_NVIDIA_CARMEL MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_CARMEL)
+#define MIDR_NVIDIA_OLYMPUS MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_OLYMPUS)
#define MIDR_FUJITSU_A64FX MIDR_CPU_MODEL(ARM_CPU_IMP_FUJITSU, FUJITSU_CPU_PART_A64FX)
#define MIDR_HISI_TSV110 MIDR_CPU_MODEL(ARM_CPU_IMP_HISI, HISI_CPU_PART_TSV110)
#define MIDR_APPLE_M1_ICESTORM MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M1_ICESTORM)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 403/411] arm64: cputype: Add C1-Ultra definitions
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 402/411] arm64: cputype: Add NVIDIA Olympus definitions Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 404/411] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
` (8 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Will Deacon
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit 60349e64a6c65f9f0aa118af711b3c7e137f07ff upstream.
Add cputype definitions for C1-Ultra. These will be used for errata
detection in subsequent patches.
These values can be found in the C1-Ultra TRM:
https://developer.arm.com/documentation/108014/0100/
... in section A.5.1 ("MIDR_EL1, Main ID Register").
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v5.15.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -97,6 +97,7 @@
#define ARM_CPU_PART_NEOVERSE_V3 0xD84
#define ARM_CPU_PART_CORTEX_X925 0xD85
#define ARM_CPU_PART_CORTEX_A725 0xD87
+#define ARM_CPU_PART_C1_ULTRA 0xD8C
#define ARM_CPU_PART_NEOVERSE_N3 0xD8E
#define APM_CPU_PART_POTENZA 0x000
@@ -166,6 +167,7 @@
#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
#define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
+#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA)
#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 404/411] arm64: cputype: Add C1-Premium definitions
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 403/411] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 405/411] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
` (7 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Will Deacon
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit d28413bfc5a255957241f1df5d7fd0c2cd74fe18 upstream.
Add cputype definitions for C1-Premium. These will be used for errata
detection in subsequent patches.
These values can be found in the C1-Premium TRM:
https://developer.arm.com/documentation/109416/0100/
... in section A.5.1 ("MIDR_EL1, Main ID Register").
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v5.15.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -99,6 +99,7 @@
#define ARM_CPU_PART_CORTEX_A725 0xD87
#define ARM_CPU_PART_C1_ULTRA 0xD8C
#define ARM_CPU_PART_NEOVERSE_N3 0xD8E
+#define ARM_CPU_PART_C1_PREMIUM 0xD90
#define APM_CPU_PART_POTENZA 0x000
@@ -169,6 +170,7 @@
#define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
#define MIDR_C1_ULTRA MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_ULTRA)
#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
+#define MIDR_C1_PREMIUM MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_C1_PREMIUM)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 405/411] arm64: errata: Mitigate TLBI errata on various Arm CPUs
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 404/411] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 406/411] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
` (6 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Will Deacon
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit cfd391e74134db664feb499d43af286380b10ba8 upstream.
A number of CPUs developed by Arm suffer from errata whereby a broadcast
TLBI;DSB sequence may complete before the global observation of writes
which are translated by an affected TLB entry.
These errata ONLY affect the completion of memory accesses which have
been translated by an invalidated TLB entry, and these errata DO NOT
affect the actual invalidation of TLB entries. TLB entries are removed
correctly.
This issue has been assigned CVE ID CVE-2025-10263.
To mitigate this issue, Arm recommends that software follows any
affected TLBI;DSB sequence with an additional TLBI;DSB, which will
ensure that all memory write effects affected by the first TLBI have
been globally observed. The additional TLBI can use any operation that
is broadcast to affected CPUs, and the additional DSB can use any option
that is sufficient to complete the additional TLBI.
The ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate
the issue. Enable this workaround for affected CPUs, and update the
silicon errata documentation accordingly.
Note that due to the manner in which Arm develops IP and tracks errata,
some CPUs share a common erratum number.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v5.15.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/arm64/silicon-errata.rst | 42 ++++++++++++++++++++++++++++
arch/arm64/Kconfig | 48 +++++++++++++++++++++++++++++++++
arch/arm64/kernel/cpu_errata.c | 32 ++++++++++++++++++++--
3 files changed, 120 insertions(+), 2 deletions(-)
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -98,14 +98,26 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A76 | #3324349 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A76 | #4193800 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A76AE | #4193801 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A77 | #1508412 | ARM64_ERRATUM_1508412 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A77 | #3324348 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A77 | #4193798 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A78 | #3324344 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A78 | #4193791 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A78AE | #4193793 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A78C | #3324346,3324347| ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A78C | #4193794 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A510 | #2441009 | ARM64_ERRATUM_2441009 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A510 | #2457168 | ARM64_ERRATUM_2457168 |
@@ -118,6 +130,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A710 | #3324338 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A710 | #4193788 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 |
@@ -126,16 +140,28 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X1 | #3324344 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X1 | #4193791 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X1C | #3324346 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X1C | #4193792 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X2 | #3324338 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X2 | #4193788 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X3 | #3324335 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X3 | #4193786 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X4 | #3194386 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X4 | #4118414 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-X925 | #3324334 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-X925 | #4193781 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #1188873,1418040| ARM64_ERRATUM_1418040 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #1349291 | N/A |
@@ -144,6 +170,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N1 | #3324349 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-N1 | #4193800 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #2139208 | ARM64_ERRATUM_2139208 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #2067961 | ARM64_ERRATUM_2067961 |
@@ -152,16 +180,30 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-N2 | #4193789 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N3 | #3456111 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-V1 | #4193790 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-V2 | #4193787 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V3 | #3312417 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-V3 | #4193784 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V3AE | #3312417 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-V3AE | #4193784 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | C1-Premium | #4193780 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
+| ARM | C1-Ultra | #4193780 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | MMU-500 | #841119,826419 | N/A |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | MMU-600 | #1076982,1209401| N/A |
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -889,6 +889,54 @@ config ARM64_ERRATUM_3194386
If unsure, say Y.
+config ARM64_ERRATUM_4193714
+ bool "C1-Pro: 4193714: SME DVMSync early acknowledgement"
+ depends on ARM64_SME
+ default y
+ help
+ Enable workaround for C1-Pro acknowledging the DVMSync before
+ the SME memory accesses are complete. This will cause TLB
+ maintenance for processes using SME to also issue an IPI to
+ the affected CPUs.
+
+ If unsure, say Y.
+
+config ARM64_ERRATUM_4118414
+ bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+ default y
+ select ARM64_WORKAROUND_REPEAT_TLBI
+ help
+ This option adds a workaround for the following errata:
+
+ * ARM C1-Premium erratum 4193780
+ * ARM C1-Ultra erratum 4193780
+ * ARM Cortex-A76 erratum 4193800
+ * ARM Cortex-A76AE erratum 4193801
+ * ARM Cortex-A77 erratum 4193798
+ * ARM Cortex-A78 erratum 4193791
+ * ARM Cortex-A78AE erratum 4193793
+ * ARM Cortex-A78C erratum 4193794
+ * ARM Cortex-A710 erratum 4193788
+ * ARM Cortex-X1 erratum 4193791
+ * ARM Cortex-X1C erratum 4193792
+ * ARM Cortex-X2 erratum 4193788
+ * ARM Cortex-X3 erratum 4193786
+ * ARM Cortex-X4 erratum 4118414
+ * ARM Cortex-X925 erratum 4193781
+ * ARM Neoverse-N1 erratum 4193800
+ * ARM Neoverse-N2 erratum 4193789
+ * ARM Neoverse-V1 erratum 4193790
+ * ARM Neoverse-V2 erratum 4193787
+ * ARM Neoverse-V3 erratum 4193784
+ * ARM Neoverse-V3AE erratum 4193784
+
+ On affected cores, some memory accesses might not be completed by
+ broadcast TLB invalidation.
+
+ This issue is also known as CVE-2025-10263.
+
+ If unsure, say Y.
+
config CAVIUM_ERRATUM_22375
bool "Cavium erratum 22375, 24313"
default y
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -225,7 +225,35 @@ static const struct arm64_cpu_capabiliti
ERRATA_MIDR_RANGE(MIDR_CORTEX_A510, 0, 0, 1, 1),
},
#endif
- {},
+#ifdef CONFIG_ARM64_ERRATUM_4118414
+ {
+ ERRATA_MIDR_RANGE_LIST(((const struct midr_range[]) {
+ MIDR_ALL_VERSIONS(MIDR_C1_PREMIUM),
+ MIDR_ALL_VERSIONS(MIDR_C1_ULTRA),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76AE),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1C),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+ {}
+ })),
+ },
+#endif
+ {}
};
#endif
@@ -514,7 +542,7 @@ const struct arm64_cpu_capabilities arm6
#endif
#ifdef CONFIG_ARM64_WORKAROUND_REPEAT_TLBI
{
- .desc = "Qualcomm erratum 1009, or ARM erratum 1286807, 2441009",
+ .desc = "Broken broadcast TLBI completion",
.capability = ARM64_WORKAROUND_REPEAT_TLBI,
.type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
.matches = cpucap_multi_entry_cap_matches,
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 406/411] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 405/411] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 407/411] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
` (5 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shanker Donthineni, Catalin Marinas,
Will Deacon, Mark Rutland
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shanker Donthineni <sdonthineni@nvidia.com>
commit ec7216f92e4ebd485b1c6dc6aa3f6064b71a5768 upstream.
NVIDIA Olympus cores are affected by the TLBI completion issue tracked as
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
ARM64_WORKAROUND_REPEAT_TLBI to issue an additional broadcast TLBI;DSB
sequence and ensure affected memory write effects are globally observed.
Add MIDR_NVIDIA_OLYMPUS to the repeat-TLBI match list so the same
mitigation is enabled on affected Olympus systems. Also document the
NVIDIA Olympus erratum in the arm64 silicon errata table and list it in
the Kconfig help text.
Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v5.15.y]
Signed-off-by: Shanker Donthineni <sdonthineni@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/arm64/silicon-errata.rst | 2 ++
arch/arm64/Kconfig | 3 ++-
arch/arm64/kernel/cpu_errata.c | 1 +
3 files changed, 5 insertions(+), 1 deletion(-)
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -242,6 +242,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| NVIDIA | Carmel Core | N/A | NVIDIA_CARMEL_CNP_ERRATUM |
+----------------+-----------------+-----------------+-----------------------------+
+| NVIDIA | Olympus core | T410-OLY-1029 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
+----------------+-----------------+-----------------+-----------------------------+
| Freescale/NXP | LS2080A/LS1043A | A-008585 | FSL_ERRATUM_A008585 |
+----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -902,7 +902,7 @@ config ARM64_ERRATUM_4193714
If unsure, say Y.
config ARM64_ERRATUM_4118414
- bool "Cortex-*/Neoverse-*/C1-*: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+ bool "Various: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
default y
select ARM64_WORKAROUND_REPEAT_TLBI
help
@@ -929,6 +929,7 @@ config ARM64_ERRATUM_4118414
* ARM Neoverse-V2 erratum 4193787
* ARM Neoverse-V3 erratum 4193784
* ARM Neoverse-V3AE erratum 4193784
+ * NVIDIA Olympus erratum T410-OLY-1029
On affected cores, some memory accesses might not be completed by
broadcast TLB invalidation.
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -249,6 +249,7 @@ static const struct arm64_cpu_capabiliti
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
+ MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
{}
})),
},
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 407/411] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 406/411] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 408/411] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
` (4 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Will Deacon, Mark Rutland
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
commit 1940e70a8144bf75e6df26bf6f600862ea7f7ea1 upstream.
Commit fb091ff39479 ("arm64: Subscribe Microsoft Azure Cobalt 100 to ARM
Neoverse N2 errata") states that Microsoft Azure Cobalt 100 CPU "is a
Microsoft implemented CPU based on r0p0 of the ARM Neoverse N2 CPU, and
therefore suffers from all the same errata.".
So enable the workaround for the latest broadcast TLB invalidation bug
on these parts.
Signed-off-by: Will Deacon <will@kernel.org>
[Mark: backport to v5.15.y]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/arm64/silicon-errata.rst | 2 ++
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/cpu_errata.c | 1 +
3 files changed, 4 insertions(+)
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -291,3 +291,5 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 |
+----------------+-----------------+-----------------+-----------------------------+
+| Microsoft | Azure Cobalt 100| #4193789 | ARM64_ERRATUM_4118414 |
++----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -929,6 +929,7 @@ config ARM64_ERRATUM_4118414
* ARM Neoverse-V2 erratum 4193787
* ARM Neoverse-V3 erratum 4193784
* ARM Neoverse-V3AE erratum 4193784
+ * Microsoft Azure Cobalt 100 4193789
* NVIDIA Olympus erratum T410-OLY-1029
On affected cores, some memory accesses might not be completed by
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -250,6 +250,7 @@ static const struct arm64_cpu_capabiliti
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3AE),
MIDR_ALL_VERSIONS(MIDR_NVIDIA_OLYMPUS),
+ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
{}
})),
},
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 408/411] mptcp: close TOCTOU race while computing rcv_wnd
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 407/411] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 409/411] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter Greg Kroah-Hartman
` (3 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 ]
The MPTCP output path access locklessly the MPTCP-level ack_seq
in multiple times, using possibly different values for the data_ack
in the DSS option and to compute the announced rcv wnd for the same
packet.
Refactor the cote to avoid inconsistencies which may confuse the
peer. Also ensure that the MPTCP level rcv wnd is updated only when
the egress packet actually contains a DSS ack.
Fixes: fa3fe2b15031 ("mptcp: track window announced to peer")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/options.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -555,7 +555,6 @@ static bool mptcp_established_options_ds
struct mptcp_ext *mpext;
unsigned int ack_size;
bool ret = false;
- u64 ack_seq;
opts->csum_reqd = READ_ONCE(msk->csum_enabled);
mpext = skb ? mptcp_get_ext(skb) : NULL;
@@ -587,14 +586,11 @@ static bool mptcp_established_options_ds
return ret;
}
- ack_seq = READ_ONCE(msk->ack_seq);
if (READ_ONCE(msk->use_64bit_ack)) {
ack_size = TCPOLEN_MPTCP_DSS_ACK64;
- opts->ext_copy.data_ack = ack_seq;
opts->ext_copy.ack64 = 1;
} else {
ack_size = TCPOLEN_MPTCP_DSS_ACK32;
- opts->ext_copy.data_ack32 = (uint32_t)ack_seq;
opts->ext_copy.ack64 = 0;
}
opts->ext_copy.use_ack = 1;
@@ -1235,17 +1231,16 @@ bool mptcp_incoming_options(struct sock
return true;
}
-static void mptcp_set_rwin(const struct tcp_sock *tp)
+static void mptcp_set_rwin(const struct tcp_sock *tp, u64 ack_seq)
{
const struct sock *ssk = (const struct sock *)tp;
struct mptcp_subflow_context *subflow;
struct mptcp_sock *msk;
- u64 ack_seq;
subflow = mptcp_subflow_ctx(ssk);
msk = mptcp_sk(subflow->conn);
- ack_seq = READ_ONCE(msk->ack_seq) + tp->rcv_wnd;
+ ack_seq += tp->rcv_wnd;
if (after64(ack_seq, READ_ONCE(msk->rcv_wnd_sent))) {
WRITE_ONCE(msk->rcv_wnd_sent, ack_seq);
@@ -1369,13 +1364,26 @@ void mptcp_write_options(__be32 *ptr, co
*ptr++ = mptcp_option(MPTCPOPT_DSS, len, 0, flags);
if (mpext->use_ack) {
+ const struct sock *ssk = (const struct sock *)tp;
+ struct mptcp_subflow_context *subflow;
+ struct mptcp_sock *msk;
+ u64 ack_seq;
+
+ /* DSS option is set only by mptcp_established_options,
+ * the caller is __tcp_transmit_skb() and ssk is always
+ * not NULL.
+ */
+ subflow = mptcp_subflow_ctx(ssk);
+ msk = mptcp_sk(subflow->conn);
+ ack_seq = READ_ONCE(msk->ack_seq);
if (mpext->ack64) {
- put_unaligned_be64(mpext->data_ack, ptr);
+ put_unaligned_be64(ack_seq, ptr);
ptr += 2;
} else {
- put_unaligned_be32(mpext->data_ack32, ptr);
+ put_unaligned_be32(ack_seq, ptr);
ptr += 1;
}
+ mptcp_set_rwin(tp, ack_seq);
}
if (mpext->use_map) {
@@ -1559,9 +1567,6 @@ mp_capable_done:
i += 4;
}
}
-
- if (tp)
- mptcp_set_rwin(tp);
}
__be32 mptcp_get_reset_option(const struct sk_buff *skb)
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 409/411] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 408/411] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 410/411] apparmor: validate default DFA states are in bounds Greg Kroah-Hartman
` (2 subsequent siblings)
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Hutchings
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <benh@debian.org>
Before commit 63a11adaceb8 "fbdev/vt8500lcdfb: Initialize fb_ops with
fbdev macros", the virtual address of the screen buffer was stored in
the fb_info::screen_base field and not fb_info::screen_buffer. The
backport of commit 88b3b9924337 ("fbdev: vt8500lcdfb: fix missing
dma_free_coherent()") did not take that into account.
Change the cpu_addr parameter to dma_free_coherent() accordingly.
Fixes: 9c3873cccb3f ("fbdev: vt8500lcdfb: fix missing dma_free_coherent()")
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/vt8500lcdfb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/vt8500lcdfb.c
+++ b/drivers/video/fbdev/vt8500lcdfb.c
@@ -434,7 +434,7 @@ failed_free_palette:
fbi->palette_cpu, fbi->palette_phys);
failed_free_mem_virt:
dma_free_coherent(&pdev->dev, fbi->fb.fix.smem_len,
- fbi->fb.screen_buffer, fbi->fb.fix.smem_start);
+ fbi->fb.screen_base, fbi->fb.fix.smem_start);
failed_free_io:
iounmap(fbi->regbase);
failed_free_res:
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 410/411] apparmor: validate default DFA states are in bounds
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 409/411] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 411/411] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function Greg Kroah-Hartman
2026-06-16 16:55 ` [PATCH 5.15 000/411] 5.15.210-rc1 review Brett A C Sheffield
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Hutchings
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <benh@debian.org>
Some backports of commit 9063d7e2615f ("apparmor: validate DFA start
states are in bounds in unpack_pdb") limited the bounds checks on DFA
start states to the case where the start state was explicit in the
policy. However, the default DFA start state (DFA_START = 1) could
also be out-of-bounds.
Move these checks out of the else-branches so that they are applied
regardless of how the start state was initialised.
Fixes: 5487871b2b56 ("apparmor: validate DFA start states are in bounds in unpack_pdb")
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/policy_unpack.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -846,6 +846,8 @@ static struct aa_profile *unpack_profile
}
if (unpack_nameX(e, AA_STRUCT, "policydb")) {
+ size_t state_count;
+
/* generic policy dfa - optional and may be NULL */
info = "failed to unpack policydb";
profile->policy.dfa = unpack_dfa(e);
@@ -860,13 +862,12 @@ static struct aa_profile *unpack_profile
if (!unpack_u32(e, &profile->policy.start[0], "start")) {
/* default start state */
profile->policy.start[0] = DFA_START;
- } else {
- size_t state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
+ }
- if (profile->policy.start[0] >= state_count) {
- info = "invalid dfa start state";
- goto fail;
- }
+ state_count = profile->policy.dfa->tables[YYTD_ID_BASE]->td_lolen;
+ if (profile->policy.start[0] >= state_count) {
+ info = "invalid dfa start state";
+ goto fail;
}
/* setup class index */
@@ -889,16 +890,18 @@ static struct aa_profile *unpack_profile
info = "failed to unpack profile file rules";
goto fail;
} else if (profile->file.dfa) {
+ size_t state_count;
+
if (!unpack_u32(e, &profile->file.start, "dfa_start")) {
/* default start state */
profile->file.start = DFA_START;
- } else {
- size_t state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
+ }
+
+ state_count = profile->file.dfa->tables[YYTD_ID_BASE]->td_lolen;
- if (profile->file.start >= state_count) {
- info = "invalid dfa start state";
- goto fail;
- }
+ if (profile->file.start >= state_count) {
+ info = "invalid dfa start state";
+ goto fail;
}
} else if (profile->policy.dfa &&
profile->policy.start[AA_CLASS_FILE]) {
^ permalink raw reply [flat|nested] 413+ messages in thread
* [PATCH 5.15 411/411] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 410/411] apparmor: validate default DFA states are in bounds Greg Kroah-Hartman
@ 2026-06-16 15:00 ` Greg Kroah-Hartman
2026-06-16 16:55 ` [PATCH 5.15 000/411] 5.15.210-rc1 review Brett A C Sheffield
411 siblings, 0 replies; 413+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-16 15:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov (AMD),
Nikolay Borisov, Ben Hutchings
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov (AMD) <bp@alien8.de>
commit affc66cb96f865b3763a8e18add52e133d864f04 upstream.
No functional changes.
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Link: http://lore.kernel.org/r/20231120104152.13740-4-bp@alien8.de
Stable-dep-of: 7c81ad8e8bc2 ("x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()")
[bwh: Adjusted to apply after backports of the above commit which actually
depended on this]
Signed-off-by: Ben Hutchings <benh@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/amd.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -1111,14 +1111,6 @@ static void init_amd_zen1(struct cpuinfo
/* Erratum 1076: CPB feature bit not being set in CPUID. */
if (!cpu_has(c, X86_FEATURE_CPB))
set_cpu_cap(c, X86_FEATURE_CPB);
-
- /*
- * Zen3 (Fam19 model < 0x10) parts are not susceptible to
- * Branch Type Confusion, but predate the allocation of the
- * BTC_NO bit.
- */
- if (c->x86 == 0x19 && !cpu_has(c, X86_FEATURE_BTC_NO))
- set_cpu_cap(c, X86_FEATURE_BTC_NO);
}
pr_notice_once("AMD Zen1 FPDSS bug detected, enabling mitigation.\n");
@@ -1178,6 +1170,16 @@ static void init_amd_zen2(struct cpuinfo
static void init_amd_zen3(struct cpuinfo_x86 *c)
{
init_amd_zen_common();
+
+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+ /*
+ * Zen3 (Fam19 model < 0x10) parts are not susceptible to
+ * Branch Type Confusion, but predate the allocation of the
+ * BTC_NO bit.
+ */
+ if (!cpu_has(c, X86_FEATURE_BTC_NO))
+ set_cpu_cap(c, X86_FEATURE_BTC_NO);
+ }
}
static void init_amd_zen4(struct cpuinfo_x86 *c)
^ permalink raw reply [flat|nested] 413+ messages in thread
* Re: [PATCH 5.15 000/411] 5.15.210-rc1 review
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2026-06-16 15:00 ` [PATCH 5.15 411/411] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function Greg Kroah-Hartman
@ 2026-06-16 16:55 ` Brett A C Sheffield
411 siblings, 0 replies; 413+ messages in thread
From: Brett A C Sheffield @ 2026-06-16 16:55 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 5.15.210-rc1-01182-g1447d275e58b #1 SMP Tue Jun 16 15:49:14 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 413+ messages in thread
end of thread, other threads:[~2026-06-16 18:40 UTC | newest]
Thread overview: 413+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-16 14:53 [PATCH 5.15 000/411] 5.15.210-rc1 review Greg Kroah-Hartman
2026-06-16 14:53 ` [PATCH 5.15 001/411] Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 002/411] net/sched: cls_fw: fix NULL dereference of "old" filters before change() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 003/411] net: mctp: ensure our nlmsg responses are initialised Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 004/411] net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 005/411] drm: Remove plane hsub/vsub alignment requirement for core helpers Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 006/411] dmaengine: idxd: Fix not releasing workqueue on .release() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 007/411] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 008/411] nfc: llcp: Fix use-after-free in llcp_sock_release() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 009/411] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 010/411] xfrm: Check for underflow in xfrm_state_mtu Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 011/411] nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 012/411] netfilter: synproxy: refresh tcphdr after skb_ensure_writable Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 013/411] netfilter: xt_cpu: prefer raw_smp_processor_id Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 014/411] netfilter: ebtables: fix OOB read in compat_mtw_from_user Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 015/411] tun: free page on short-frame rejection in tun_xdp_one() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 016/411] net: netlink: fix sending unassigned nsid after assigned one Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 017/411] net: netlink: dont set nsid on local notifications Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 018/411] net/smc: Do not re-initialize smc hashtables Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 019/411] net/iucv: fix locking in .getsockopt Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 020/411] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 021/411] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 022/411] tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 023/411] vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 024/411] tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 025/411] ASoC: codecs: simple-mux: Fix enum control bounds check Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 026/411] Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 027/411] bonding: refuse to enslave CAN devices Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 028/411] ethtool: eeprom: add more safeties to EEPROM Netlink fallback Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 029/411] ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 030/411] net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree" Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 031/411] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 032/411] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 033/411] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 034/411] sctp: fix race between sctp_wait_for_connect and peeloff Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 035/411] batman-adv: v: stop OGMv2 on disabled interface Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 036/411] batman-adv: tvlv: abort OGM send on tvlv append failure Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 037/411] batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 038/411] batman-adv: tvlv: reject oversized TVLV packets Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 039/411] batman-adv: iv: recover OGM scheduling after forward packet error Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 040/411] selftests: forwarding: lib: Add helpers for checksum handling Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 041/411] batman-adv: tp_meter: directly shut down timer on cleanup Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 042/411] batman-adv: tt: fix TOCTOU race for reported vlans Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 043/411] batman-adv: tt: avoid empty VLAN responses Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 044/411] batman-adv: bla: avoid double decrement of bla.num_requests Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 045/411] wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 046/411] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 047/411] drm/i915/psr: Read Intel DPCD workaround register Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 048/411] drm/dp: Add eDP 1.5 bit definition Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 049/411] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 050/411] Revert "RDMA/rxe: Fix double free in rxe_srq_from_init" Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 051/411] RDMA/rxe: Fix double free in rxe_srq_from_init Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 052/411] phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 053/411] phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 054/411] smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 055/411] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 056/411] usb: typec: ucsi: ccg: reject firmware images without a : record header Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 057/411] usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 058/411] usb: typec: altmodes/displayport: validate count before reading Status Update VDO Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 059/411] usb: typec: wcove: dont write past struct pd_message in wcove_read_rx_buffer() Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 060/411] USB: serial: safe_serial: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:54 ` [PATCH 5.15 061/411] Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 062/411] Bluetooth: btusb: Allow firmware re-download when version matches Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 063/411] hpfs: fix a crash if hpfs_map_dnode_bitmap fails Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 064/411] ipc: limit next_id allocation to the valid ID range Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 065/411] Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 066/411] Bluetooth: HIDP: fix missing length checks in hidp_input_report() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 067/411] parport: Fix race between port and client registration Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 068/411] iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 069/411] iio: dac: max5821: fix return value check in powerdown sync Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 070/411] iio: dac: ad5686: fix input raw value check Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 071/411] wireguard: send: append trailer after expanding head Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 072/411] iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 073/411] iio: gyro: itg3200: fix i2c read into the wrong stack location Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 074/411] iio: ssp_sensors: cancel delayed work_refresh on remove Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 075/411] iio: temperature: tsys01: fix broken PROM checksum validation Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 076/411] iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 077/411] iio: light: cm3323: fix reg_conf not being initialized correctly Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 078/411] iio: buffer: hw-consumer: fix use-after-free in error path Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 079/411] USB: serial: omninet: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 080/411] usb: cdns3: gadget: fix request skipping after clearing halt Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 081/411] usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 082/411] usb: dwc2: Fix use after free in debug code Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 083/411] Input: elan_i2c - validate firmware size before use Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 084/411] bpf: sockmap: fix tail fragment offset in bpf_msg_push_data Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 085/411] macsec: fix replay protection at XPN lower-PN wrap Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 086/411] ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 087/411] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 088/411] ipv6: exthdrs: refresh nh after handling HAO option Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 089/411] ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 090/411] ipv6: validate extension header length before copying to cmsg Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 091/411] xfrm: input: hold netns during deferred transport reinjection Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 092/411] ip6: vti: Use ip6_tnl.net in vti6_changelink() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 093/411] HID: wacom: Fix OOB write in wacom_hid_set_device_mode() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 094/411] iommu, debugobjects: avoid gcc-16.1 section mismatch warnings Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 095/411] nfc: hci: fix out-of-bounds read in HCP header parsing Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 096/411] xfrm: route MIGRATE notifications to callers netns Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 097/411] xfrm: ah: use skb_to_full_sk in async output callbacks Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 098/411] netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 099/411] ASoC: qcom: q6asm-dai: close stream only when running Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 100/411] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 101/411] xfrm: esp: restore combined single-frag length gate Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 102/411] Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 103/411] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 104/411] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 105/411] comedi: comedi_test: Fix limiting of convert_arg " Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 106/411] tty: serial: pch_uart: add check for dma_alloc_coherent() Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 107/411] usb: chipidea: core: convert ci_role_switch to local variable Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 108/411] usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 109/411] USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 110/411] usb: storage: Add quirks for PNY Elite Portable SSD Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 111/411] usbip: vudc: Fix use after free bug in vudc_remove due to race condition Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 112/411] usb: usbtmc: check URB actual_length for interrupt-IN notifications Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 113/411] usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 114/411] USB: serial: option: add MeiG SRM813Q Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 115/411] USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 116/411] USB: serial: belkin_sa: validate interrupt status length Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 117/411] USB: serial: cypress_m8: validate interrupt packet headers Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 118/411] USB: serial: keyspan: fix missing indat transfer sanity check Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 119/411] USB: serial: mxuport: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 120/411] USB: serial: mct_u232: fix missing interrupt-in transfer sanity check Greg Kroah-Hartman
2026-06-16 14:55 ` [PATCH 5.15 121/411] usb: gadget: net2280: Fix double free in probe error path Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 122/411] usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 123/411] usb: gadget: f_fs: copy only received bytes on short ep0 read Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 124/411] thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 125/411] thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 126/411] scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 127/411] scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 128/411] drm/hyperv: validate VMBus packet size in receive callback Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 129/411] serial: sh-sci: fix memory region release in error path Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 130/411] serial: zs: Fix swapped RI/DSR modem line transition counting Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 131/411] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 132/411] serial: dz: Fix bootconsole message clobbering at chip reset Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 133/411] serial: zs: Fix bootconsole handover lockup Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 134/411] serial: zs: Switch to using channel reset Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 135/411] USB: serial: cypress_m8: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 136/411] HID: core: Add printk_ratelimited variants to hid_warn() etc Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 137/411] HID: pass the buffer size to hid_report_raw_event Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 138/411] HID: core: Fix size_t specifier in hid_report_raw_event() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 139/411] USB: serial: digi_acceleport: fix memory corruption with small endpoints Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 140/411] xhci: tegra: Fix ghost USB device on dual-role port unplug Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 141/411] serial: dz: Fix bootconsole handover lockup Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 142/411] usb: core: Fix SuperSpeed root hub wMaxPacketSize Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 143/411] bpf: Free reuseport cBPF prog after RCU grace period Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 144/411] USB: serial: mct_u232: fix memory corruption with small endpoint Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 145/411] compiler-clang.h: Add __diag infrastructure for clang Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 146/411] Disable -Wattribute-alias for clang-23 and newer Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 147/411] i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 148/411] ipv6: mcast: Fix use-after-free when processing MLD queries Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 149/411] tee: optee: prevent use-after-free when the client exits before the supplicant Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 150/411] netfilter: xt_NFQUEUE: prefer raw_smp_processor_id Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 151/411] ipvs: clear the svc scheduler ptr early on edit Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 152/411] netfilter: synproxy: add mutex to guard hook reference counting Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 153/411] netfilter: conntrack_irc: fix possible out-of-bounds read Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 154/411] netfilter: bridge: make ebt_snat ARP rewrite writable Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 155/411] dm cache policy smq: check allocation under invalidate lock Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 156/411] net/sched: act_api: use RCU with deferred freeing for action lifecycle Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 157/411] 6lowpan: fix off-by-one in multicast context address compression Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 158/411] drm/imx: Fix three kernel-doc warnings in dcss-scaler.c Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 159/411] pcnet32: stop holding device spin lock during napi_complete_done Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 160/411] net: garp: fix unsigned integer underflow in garp_pdu_parse_attr Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 161/411] net: lan743x: permit VLAN-tagged packets up to configured MTU Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 162/411] Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 163/411] Bluetooth: MGMT: validate advertising TLV before type checks Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 164/411] Bluetooth: RFCOMM: validate skb length in MCC handlers Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 165/411] Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 166/411] Bluetooth: bnep: reject short frames before parsing Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 167/411] Bluetooth: fix memory leak in error path of hci_alloc_dev() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 168/411] ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 169/411] ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 170/411] net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 171/411] sctp: purge outqueue on stale COOKIE-ECHO handling Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 172/411] signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 173/411] time: Fix off-by-one in settimeofday() usec validation Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 174/411] ext4: validate p_idx bounds in ext4_ext_correct_indexes Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 175/411] fs/ntfs3: Return error for inconsistent extended attributes Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 176/411] nfsd: dont ignore the return code of svc_proc_register() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 177/411] tap: free page on error paths in tap_get_user_xdp() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 178/411] tun: free page on build_skb failure in tun_xdp_one() Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 179/411] KVM: arm64: Remove VPIPT I-cache handling Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 180/411] arm64: tlb: Allow XZR argument to TLBI ops Greg Kroah-Hartman
2026-06-16 14:56 ` [PATCH 5.15 181/411] arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 182/411] xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 183/411] netlabel: validate unlabeled address and mask attribute lengths Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 184/411] net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 185/411] ipv6: sit: reload inner IPv6 header after GSO offloads Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 186/411] net: openvswitch: fix possible kfree_skb of ERR_PTR Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 187/411] sctp: fix uninit-value in __sctp_rcv_asconf_lookup() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 188/411] net: guard timestamp cmsgs to real error queue skbs Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 189/411] net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 190/411] ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 191/411] rds: mark snapshot pages dirty in rds_info_getsockopt() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 192/411] netfilter: x_tables: avoid leaking percpu counter pointers Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 193/411] netfilter: nf_log: validate MAC header was set before dumping it Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 194/411] netfilter: nft_exthdr: fix register tracking for F_PRESENT flag Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 195/411] net: mvpp2: sync RX data at the hardware packet offset Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 196/411] net: mvpp2: limit XDP frame size to the RX buffer Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 197/411] net: mvpp2: Add metadata support for xdp mode Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 198/411] net: mvpp2: refill RX buffers before XDP or skb use Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 199/411] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 200/411] drm/vc4: fix krealloc() memory leak Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 201/411] netfilter: nft_tunnel: fix use-after-free on object destroy Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 202/411] Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 203/411] drm/i915/gem: Fix phys BO pread/pwrite with offset Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 204/411] xfrm: espintcp: do not reuse an in-progress partial send Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 205/411] USB: serial: io_ti: fix heap overflow in get_manuf_info() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 206/411] USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 207/411] USB: serial: option: add usb-id for Dell Wireless DW5826e-m Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 208/411] USB: serial: kl5kusb105: fix bulk-out buffer overflow Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 209/411] ALSA: timer: Fix UAF at snd_timer_user_params() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 210/411] drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 211/411] RDMA/srp: bound SRP_RSP sense copy by the received length Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 212/411] ARM: socfpga: Fix OF node refcount leak in SMP setup Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 213/411] ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 214/411] mptcp: fix retransmission loop when csum is enabled Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 215/411] mptcp: sockopt: check timestamping ret value Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 216/411] vsock/vmci: fix sk_ack_backlog leak on failed handshake Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 217/411] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 218/411] IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 219/411] pidfd: refuse access to tasks that have started exiting harder Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 220/411] fuse: reject fuse_notify() pagecache ops on directories Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 221/411] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 222/411] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 223/411] i2c: tegra: Fix NOIRQ suspend/resume Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 224/411] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 225/411] Input: atkbd - skip deactivate for HONOR BCC-Ns internal keyboard Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 226/411] ipc/shm: serialize orphan cleanup with shm_nattch updates Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 227/411] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 228/411] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 229/411] net: bonding: fix NULL pointer dereference in bond_do_ioctl() Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 230/411] net: mv643xx: fix OF node refcount Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 231/411] net: rds: clear i_sends on setup unwind Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 232/411] mmc: core: Fix host controller programming for fixed driver type Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 233/411] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 234/411] mmc: sdhci: add signal voltage switch in sdhci_resume_host Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 235/411] sctp: diag: reject stale associations in dump_one path Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 236/411] sctp: stream: fully roll back denied add-stream state Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 237/411] thunderbolt: Reject zero-length property entries in validator Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 238/411] thunderbolt: Bound root directory content to block size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 239/411] thunderbolt: Clamp XDomain response data copy to allocation size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 240/411] thunderbolt: Limit XDomain response copy to actual frame size Greg Kroah-Hartman
2026-06-16 14:57 ` [PATCH 5.15 241/411] slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 242/411] drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 243/411] drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 244/411] drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 245/411] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 246/411] fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 247/411] mm/damon/ops-common: call folio_test_lru() after folio_get() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 248/411] io_uring/poll: fix signed comparison in io_poll_get_ownership() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 249/411] net/tcp-md5: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 250/411] lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 251/411] f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 252/411] f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 253/411] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 254/411] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 255/411] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 256/411] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 257/411] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 258/411] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 259/411] arm64/mm: Enable batched TLB flush in unmap_hotplug_range() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 260/411] rtw88: 8821ce: Disable PCIe ASPM L1 for 8821CE using chip ID Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 261/411] wifi: rtw88: check for PCI upstream bridge existence Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 262/411] thermal: core: Fix thermal zone governor cleanup issues Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 263/411] wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 264/411] ALSA: aoa: Use guard() for mutex locks Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 265/411] ALSA: aoa: i2sbus: clear stale prepared state Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 266/411] media: rc: ttusbir: respect DMA coherency rules Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 267/411] ALSA: aoa: Skip devices with no codecs in i2sbus_resume() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 268/411] erofs: fix the out-of-bounds nameoff handling for trailing dirents Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 269/411] nvme: fix interpretation of DMRSL Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 270/411] nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 271/411] media: rc: igorplugusb: heed coherency rules Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 272/411] sched: Use u64 for bandwidth ratio calculations Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 273/411] ALSA: core: Fix potential data race at fasync handling Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 274/411] net: qrtr: ns: Limit the maximum number of lookups Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 275/411] net: qrtr: ns: Change servers radix tree to xarray Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 276/411] net: qrtr: ns: Free the node during ctrl_cmd_bye() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 277/411] net: mctp: fix dont require received header reserved bits to be zero Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 278/411] net: qrtr: ns: Limit the total number of nodes Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 279/411] net: bridge: use a stable FDB dst snapshot in RCU readers Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 280/411] fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 281/411] randomize_kstack: Maintain kstack_offset per task Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 282/411] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 283/411] mtd: spi-nor: sst: Fix write enable before AAI sequence Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 284/411] udf: fix partition descriptor append bookkeeping Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 285/411] hfsplus: fix uninit-value by validating catalog record size Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 286/411] hfsplus: fix held lock freed on hfsplus_fill_super() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 287/411] Bluetooth: hci_event: fix potential UAF in SSP passkey handlers Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 288/411] can: ucan: fix typos in comments Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 289/411] can: ucan: fix devres lifetime Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 290/411] crypto: nx - Avoid -Wflex-array-member-not-at-end warning Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 291/411] crypto: nx - Migrate to scomp API Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 292/411] crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 293/411] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 294/411] ceph: only d_add() negative dentries when they are unhashed Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 295/411] scsi: core: pm: Rely on the device driver core for async power management Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 296/411] scsi: sd: Add error handling support for add_disk() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 297/411] sd: rename the scsi_disk.dev field Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 298/411] scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 299/411] ALSA: aloop: Fix peer runtime UAF during format-change stop Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 300/411] printk: add print_hex_dump_devel() Greg Kroah-Hartman
2026-06-16 14:58 ` [PATCH 5.15 301/411] crypto: caam - guard HMAC key hex dumps in hash_digest_key Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 302/411] tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 303/411] smb: client: validate the whole DACL before rewriting it in cifsacl Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 304/411] usb: typec: tcpm: reset internal port states on soft reset AMS Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 305/411] wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 306/411] usb: dwc3: Move GUID programming after PHY initialization Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 307/411] net: ipv4: stop checking crypto_ahash_alignmask Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 308/411] net: ipv6: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 309/411] xfrm: ah: account for ESN high bits in async callbacks Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 310/411] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 311/411] spi: syncuacer: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 312/411] spi: sun4i: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 313/411] spi: spi-ti-qspi: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 314/411] spi: ti-qspi: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 315/411] spi: zynq-qspi: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 316/411] spi: sun6i: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 317/411] spi: tegra114: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 318/411] spi: tegra20-sflash: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 319/411] spi: uniphier: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 320/411] mm/hugetlb_cma: round up per_node before logging it Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 321/411] fbcon: Avoid OOB font access if console rotation fails Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 322/411] spi: topcliff-pch: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 323/411] spi: topcliff-pch: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 324/411] btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 325/411] tracing/probes: Limit size of event probe to 3K Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 326/411] pmdomain: core: Fix detach procedure for virtual devices in genpd Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 327/411] smb: client: validate dacloffset before building DACL pointers Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 328/411] btrfs: fix missing last_unlink_trans update when removing a directory Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 329/411] smb: client: Use FullSessionKey for AES-256 encryption key derivation Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 330/411] mptcp: pm: prio: skip closed subflows Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 331/411] mptcp: pm: ADD_ADDR rtx: fix potential data-race Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 332/411] mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 333/411] f2fs: fix incorrect file address mapping when inline inode is unwritten Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 334/411] f2fs: fix false alarm of lockdep on cp_global_sem lock Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 335/411] spi: st-ssc4: fix controller deregistration Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 336/411] spi: lantiq-ssc: " Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 337/411] genetlink: Use internal flags for multicast groups Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 338/411] smb: client: require net admin for CIFS SWN netlink Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 339/411] Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 340/411] Bluetooth: hci_qca: Convert timeout from jiffies to ms Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 341/411] Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2 Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 342/411] Bluetooth: MGMT: validate Add Extended Advertising Data length Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 343/411] qed: Use the bitmap API to simplify some functions Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 344/411] qed: fix double free in qed_cxt_tables_alloc() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 345/411] Bluetooth: Consolidate code around sk_alloc into a helper function Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 346/411] Bluetooth: Init sk_peer_* on bt_sock_alloc Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 347/411] Bluetooth: serialize accept_q access Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 348/411] net: hsr: defer node table free until after RCU readers Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 349/411] ice: fix VF queue configuration with low MTU values Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 350/411] ipv6/addrconf: annotate data-races around devconf fields (II) Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 351/411] ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 352/411] use less confusing names for iov_iter direction initializers Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 353/411] mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 354/411] selftests: mptcp: drop nanoseconds width specifier Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 355/411] mptcp: do not drop partial packets Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 356/411] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 357/411] octeontx2-pf: avoid double free of pool->stack on AQ init failure Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 358/411] spi: qup: switch to use modern name Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 359/411] spi: qup: fix error pointer deref after DMA setup failure Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 360/411] arm64: tlb: Flush walk cache when unsharing PMD tables Greg Kroah-Hartman
2026-06-16 14:59 ` [PATCH 5.15 361/411] phy: tegra: xusb: Disable trk clk when not in use Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 362/411] phy: tegra: xusb: Fix per-pad high-speed termination calibration Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 363/411] Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 364/411] iio: gyro: adis16260: fix division by zero in write_raw Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 365/411] iio: chemical: scd30: Use guard(mutex) to allow early returns Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 366/411] iio: chemical: scd30: fix division by zero in write_raw Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 367/411] iio: dac: ad5686: fix ref bit initialization for single-channel parts Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 368/411] usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 369/411] net: skbuff: fix missing zerocopy reference in pskb_carve helpers Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 370/411] serial: samsung_tty: Use port lock wrappers Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 371/411] tty: serial: samsung: use u32 for register interactions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 372/411] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 373/411] usb: dwc3: xilinx: fix error handling in zynqmp init error paths Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 374/411] usb: gadget: f_hid: tidy error handling in hidg_alloc Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 375/411] usb: gadget: f_hid: fix device reference leak in hidg_alloc() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 376/411] thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 377/411] scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 378/411] usb: typec: ucsi: Check if power role change actually happened before handling Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 379/411] drm/hyperv: Remove support for Hyper-V 2008 and 2008R2/Win7 Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 380/411] drm/hyperv: validate resolution_count and fix WIN8 fallback Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 381/411] serial: altera_jtaguart: Use platform_get_irq_optional() to get the interrupt Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 382/411] serial: altera_jtaguart: handle uart_add_one_port() failures Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 383/411] tty: serial: qcom-geni-serial: remove unused symbols Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 384/411] tty: serial: qcom-geni-serial: align #define values Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 385/411] serial: qcom-geni: fix UART_RX_PAR_EN bit position Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 386/411] scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 387/411] netfilter: nft_fib: fix stale stack leak via the OIFNAME register Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 388/411] hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 389/411] RDMA/umem: fix kernel-doc warnings Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 390/411] RDMA: Move DMA block iterator logic into dedicated files Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 391/411] RDMA/umem: Fix truncation for block sizes >= 4G Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 392/411] mm/huge_memory: update file PMD counter before folio_put() Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 393/411] ipvs: skip ipv6 extension headers for csum checks Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 394/411] blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 395/411] batman-adv: stop tp_meter sessions during mesh teardown Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 396/411] batman-adv: tp_meter: fix tp_num leak on kmalloc failure Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 397/411] net/ipv6: ioam6: prevent schema length wraparound in trace fill Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 398/411] ksmbd: Compare MACs in constant time Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 399/411] nfsd: fix heap overflow in NFSv4.0 LOCK replay cache Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 400/411] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 401/411] selinux: enable genfscon labeling for securityfs Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 402/411] arm64: cputype: Add NVIDIA Olympus definitions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 403/411] arm64: cputype: Add C1-Ultra definitions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 404/411] arm64: cputype: Add C1-Premium definitions Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 405/411] arm64: errata: Mitigate TLBI errata on various Arm CPUs Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 406/411] arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 407/411] arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 408/411] mptcp: close TOCTOU race while computing rcv_wnd Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 409/411] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 410/411] apparmor: validate default DFA states are in bounds Greg Kroah-Hartman
2026-06-16 15:00 ` [PATCH 5.15 411/411] x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function Greg Kroah-Hartman
2026-06-16 16:55 ` [PATCH 5.15 000/411] 5.15.210-rc1 review Brett A C Sheffield
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.